the headers. But if you copy the headers and paste them into a spamcop
reporting window, spamcop will trace the origin. Their parsing engine is pretty
good about stripping out (and ignoring) false information that some spammers
will add to the header to obfuscate the actual origin. Since computers
communicate via IP numbers, there will always be at least one valid source IP
number in the headers. Tracking this IP number will return the source of that
step in the mail's travels. You read the headers from the top down and the
tracking parsing scripts perform chain tests starting at the top to determine
how far down the list it can go before encountering a spoofed header line. It
will usually stop there and then recommend reporting to the abuse desk of the
last verified IP number in the header chain. At that point it also
automatically submits the IP number to the open relay testing organizations.
The FROM and TO email addresses are more often than not also spoofed by the
spammer, and most spam parsing scripts will ignore them to prevent reporting to
innocent bystanders.
What may not be really obvious is that many ISPs (even Korea) work to shut down
the open relays as they are found; however, the increasing number of worms and
infections that are bandied about on the net seems to create two more for every
one found. It is an ongoing battle.
It is incredible that so many "always on" broadband users are connected to the
internet with outdated or no anti-virus solution or firewall to block these
intrusions or neglect to update their software with critical updates and
patches. These are constantly being victimized by the spammers.
======================================
Stop spam on your domain, Anti-spam solutions
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
======================================
Aspire to Inspire before you Retire or Expire!
----- Original Message -----
From: "dana tierney" <[EMAIL PROTECTED]>
To: "CF-Community" <[EMAIL PROTECTED]>
Sent: Sunday, January 25, 2004 8:19 AM
Subject: Re:libero.it
: yeah, I worked in isps long enough to know what an open relay is... but how
can you tell one in the headers? Just by the fact that the mail claims to come
from one server but in fact comes from another? I can see that this creates a
presumption, but is there a reason you are saying this beyond the
misrepresentation + the listing? Might as well learn to read these while I have
y'all's attention :)
:
: Dana
:
: >The origin IP number of 211.108.90.4 is what is called an open relay, and
: >appears on a number of blacklists.
: >
: >go to http://www.dnsstuff.com and enter that IP number in the top center block
: >and it will return a list.
: >
: >For the uninitiated, an open relay is a mail server that is either carelessly
: >set up or is compromised by a worm infection. The effect is that it does not
: >report where it received the email message in the headers, making it appear
: >that it originated the message. Spammers constantly scan the entire internet
: >space to locate these open relays, and when they are found they pump the spam
: >through them, thus effectively concealing the real source of the mail. As spam
: >runs are detected and reported to web sites such as spamcop.net, they are
: >immediately tested and if indeed are relaying mail they are automatically added
: >to a number of blacklists. Mail providers that use blacklists then refuse mail
: >from that IP number from then on.
: >
: >About the most you can do is to set up a free reporting account at spamcop
: >and paste in the complete spam, including header information and report them
: >as you receive them. spamcop does the tracing and ISP reporting for you, and
: >will, in most cases, obfuscate your email address to protect your identity.
: >
: >Some of the open relay block lists report that there are over 250K open
: >relays worldwide being used to pump out spam. The spammers use one until it
: >is blocked then move to another.
: >
: >Since it does appear on a number of blacklists, including a couple that I
: >use, spam from that IP number would be rejected at my email server boundary
: >and my users would never see it.
: >
: >======================================
: >Stop spam on your domain, Anti-spam solutions
: >http://www.clickdoug.com/mailfilter.cfm
: >For hosting solutions http://www.clickdoug.com
: >======================================
: >Aspire to Inspire before you Retire or Expire!
: >
: >
: >----- Original Message -----
: >From: "dana tierney" <[EMAIL PROTECTED]>
: >To: "CF-Community" <[EMAIL PROTECTED]>
: >Sent: Sunday, January 25, 2004 6:29 AM
: >Subject: libero.it
: >
: >
: >: Anyone had any experience with this domain or know anything about Italian
: >laws on spam? Jochem? This seems to be where the prunebelly-spoofing spam is
: >coming from.
: >:
: >: Maybe you can give me a second opinion. Here's the headers, reading these
: >was never my best thing. The prunebelly address that received it forwards to a
: >comcast address, which is where comcast comes into it.
: >:
: >: Received: from miranda.zianet.com ([216.234.192.169])
: >: by sccrmxc13.comcast.net (sccrmxc13) with SMTP
: >: id <20040118190533s1300ed4e7e>; Sun, 18 Jan 2004 19:05:33 +0000
: >: X-Originating-IP: [216.234.192.169]
: >: Received: (qmail 65059 invoked by uid 1009); 18 Jan 2004 19:05:31 -0000
: >: Delivered-To: (taking this out for my user's privacy - dana)
: >: Received: (qmail 65026 invoked by uid 0); 18 Jan 2004 19:05:31 -0000
: >: Received: from unknown (HELO libero.it) (211.108.90.4)
: >: by zianet.com with SMTP; 18 Jan 2004 19:05:31 -0000
: >: To: (a different prunebelly address, not the one that received it)
: >: From: "alton" <[EMAIL PROTECTED]>
: >: Date: Sun, 18 Jan 2004 12:04:43 GMT
: >: Message-Id: <[EMAIL PROTECTED]>
: >: Sender: [EMAIL PROTECTED]
: >:
: >: I am not including the subject line as it is pretty vile, something about
: >what little girls will do for cigarettes. Which was the other thing I was
: >wondering. Since this isn't just spam, but is also an advertisement for child
: >pornography... aren't some laws getting broken here?
: >:
: >: Somebody tell me how to get the guy mailing this stuff out :) I'll spend
: >the time doing it <g>
: >:
: >: Dana
: >:
:
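The reply at the top of this thread describes how spamcop-style tools read the Received chain top-down and stop trusting it at the first line that was not written by a server the chain already vouched for. The script below is an added example (not code from the thread or from spamcop) that applies that chain test to the headers Dana quoted, and then to a constructed copy with a forged Received line appended underneath, the kind of decoy a spammer adds to point investigators at an innocent host. It assumes that the receiving MX you operate is `sccrmxc13.comcast.net` (the name in the quoted headers), that a Received line is trustworthy only when its `by` host belongs to the same site as the `from` host of the trusted line above it, and that qmail's local "invoked by uid" lines carry no network hop. `same_site`, `trace` and the forged `mail.innocent.example` / `10.1.2.3` values are inventions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Headers as quoted in the thread (redacted and masked lines omitted).
THREAD_HEADERS = """\
Received: from miranda.zianet.com ([216.234.192.169])
 by sccrmxc13.comcast.net (sccrmxc13) with SMTP
 id <20040118190533s1300ed4e7e>; Sun, 18 Jan 2004 19:05:33 +0000
X-Originating-IP: [216.234.192.169]
Received: (qmail 65059 invoked by uid 1009); 18 Jan 2004 19:05:31 -0000
Received: (qmail 65026 invoked by uid 0); 18 Jan 2004 19:05:31 -0000
Received: from unknown (HELO libero.it) (211.108.90.4)
 by zianet.com with SMTP; 18 Jan 2004 19:05:31 -0000
Date: Sun, 18 Jan 2004 12:04:43 GMT
"""

# Constructed variant: a forged Received line appended below the real ones,
# claiming the mail came from an innocent host. Host and IP are made up.
FORGED_HEADERS = THREAD_HEADERS.replace(
    "Date:",
    "Received: from mail.innocent.example (10.1.2.3)\n"
    " by libero.it with SMTP; 18 Jan 2004 12:04:40 -0000\nDate:",
)

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Hop:
    from_host: Optional[str] = None  # reverse-DNS name the receiver recorded ("unknown" if none)
    helo: Optional[str] = None       # name the sending host claimed in HELO/EHLO
    ip: Optional[str] = None         # address the receiving server actually talked to
    by_host: Optional[str] = None    # server that wrote this Received line


def unfold(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 2822 continuation lines and split into (name, value) pairs."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    fields = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str) -> Hop:
    """Pull from-host, HELO name, IP and by-host out of one Received value."""
    hop = Hop()
    m = re.match(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", value, re.S)
    if not m:
        return hop  # local hop such as qmail's "invoked by uid": no network info
    hop.from_host, detail, hop.by_host = m.group(1), m.group(2), m.group(3)
    helo = re.search(r"\(HELO\s+([^\s)]+)\)", detail)
    hop.helo = helo.group(1) if helo else None
    ip = IPV4.search(detail)
    hop.ip = ip.group(1) if ip else None
    return hop


def same_site(a: Optional[str], b: Optional[str]) -> bool:
    """Loose check: do two host names share their last two DNS labels?"""
    if not a or not b:
        return False
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def trace(raw: str, our_mx: str) -> dict:
    """Walk Received lines top-down; trust a line only if the host the previous
    trusted line says it received from is the one that wrote this line."""
    hops = [parse_received(v) for n, v in unfold(raw) if n.lower() == "received"]
    network = [h for h in hops if h.by_host]
    verified: List[Hop] = []
    warnings: List[str] = []
    trusted_writer = our_mx
    for hop in network:
        if not same_site(hop.by_host, trusted_writer):
            break  # not written by a server we trust: everything below is suspect
        verified.append(hop)
        if hop.helo and not same_site(hop.helo, hop.from_host):
            warnings.append(f"{hop.ip} said HELO {hop.helo} but reverse DNS is {hop.from_host}")
        trusted_writer = hop.from_host
    origin = next((h.ip for h in reversed(verified) if h.ip), None)
    return {
        "hops": len(hops),
        "verified": len(verified),
        "untrusted": len(network) - len(verified),
        "origin_ip": origin,   # last IP the trusted chain vouches for
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, raw in (("as quoted", THREAD_HEADERS), ("with forged line", FORGED_HEADERS)):
        print(label, trace(raw, "sccrmxc13.comcast.net"))
```

In both runs the trusted chain ends at 211.108.90.4, the address zianet.com actually received the mail from, and the HELO name libero.it is flagged because the receiving server recorded no matching reverse DNS ("unknown"). The forged line underneath is never trusted because libero.it is not the host the line above says it received from, which is why the decoy does not shift the report to the innocent host. A real tracer would add DNS lookups and a reputation check on the origin IP; this example only shows the chain logic.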
