On Friday, December 21, 2001, at 03:43 AM, Sean wrote:
> It depends on whether the spammer is removing people who
> bounced as dead
> addresses.

In my experience doing network abuse investigation, the SINGLE most universal and ubiquitous problem, even among legitimate mailers, is lack of proper bounce handling. If you think a spammer even CARES about bounces you're being naive in the extreme. The From and Reply-To addresses are nearly always forged, and if not are set to a throw-away account the spammer doesn't care about. Generating a bounce on spam to the From or Reply-To is a BAD idea.

Generally, the Received headers are more accurate. However, even these can be forged, and occasionally quite effectively, depending on the receiving MTA. For Perl modules, I'd suggest starting with Mail::Header.

Now spam comes in two sorts: Open Relay spam, and Direct-to-MX spam. The vast bulk of spam is of the open-relay type. This is easily blocked by using one of the many DNS-based open-relay lists. My personal favorite is the Relay Stop List (RSL). It's conservative in approach (which reduces collateral damage), lists ONLY open relays (unlike some other lists which attempt to be everything to everyone), and best of all has the kewlest monitoring and tracking system I've ever seen. (It's also slightly wacky.) Lookups are simply a query for the TXT record. From the command line it's:

dig <reverse.dotted.quad>.relays.visi.com txt

Net::DNS::RR::TXT might be worth looking into, although this is REAL slow. If you have some experience with sockets, either Socket.pm or IO::Socket might be useful.

--B
