> A spam in my queue begins:
>
>   P I 11-11-2002 16:47:32 0000 thefreevirtual.org glen
>   R E 11-11-2002 16:47:36 0000 bzlaw.com glen
>   R E 11-11-2002 16:48:06 0000 bzlaw.com jeff
>   R E 11-11-2002 16:48:36 0000 bzlaw.com katie
>   R E 11-11-2002 16:49:06 0000 bzlaw.com oscar
>   R E 11-11-2002 16:51:06 0000 bzlaw.com pierre
>   R E 11-11-2002 16:53:06 0000 bzlaw.com rainbow
>
>   Received: from [213.167.166.26] (HELO thefreevirtual.org) by SMTP.az.net
>    (Stalker SMTP Server 1.8b9d11) with SMTP id S.0000110944;
>    Mon, 11 Nov 2002 09:47:34 -0700
>
> Can I accept 213.167.166.26 as the real IP address of the offending MTA, or is it like the HELO argument (thefreevirtual.org), which can be any durned thing the spammer pleases?

The IP cannot feasibly be faked. IP spoofing is easy on single packets, but requires extremely well-controlled situations to work at all for TCP sessions.

> Trying to look up the MX for thefreevirtual.org comes up empty, which is why, I suppose, SIMS tries to connect to 61.129.78.34 -- the IP of thefreevirtual.org, which is probably not the real host name anyway.
>
>   00:17:33 3 SMTP-208(thefreevirtual.org) Failed to connect to [61.129.78.34:25]. reason=60
>
> I went through the spam in the queue and noted that not more than three items were from any one IP address, but all are obviously part of the same dictionary attack on one domain.
>
>   64.86.229.68
>   195.228.147.142
>   200.207.18.32
>   200.252.68.208
>   202.65.158.4
>   210.72.254.146
>   213.19.179.5
>   213.167.166.26
>   213.170.87.163
>   213.176.50.69
>   213.190.37.170
>   213.204.80.166
>   213.221.129.112
>   213.229.50.165
>
> All gave the same "thefreevirtual.org" HELO argument. Given the wide variety of addresses, is it likely that the IP is faked too?

Nope.

It is more likely that all of those are unsecured proxies of some sort. 213.167.166.26 seems to be listed in a few of the DNSBLs that include open proxies, and some claim that it is an open proxy.

SOCKS and HTTP proxies without access control have become fairly common, and spammers have learned how to use them. Most mail attacks of all varieties are done through them these days, because they are by nature complete disguises for the spammers.

> Then again, those IPs that resolve are all non-US but scattered throughout br, de, it, at, etc.

Making it harder for US-based targets to deal with those open proxies in any way but blocking them. If you can get the message to the buffoons who left their machines open like that, you not only have to explain the problem in short words, but in short words in some other language than English.

> Now, I would think that a spammer with resources spread this widely would be caught by my RBL, but that doesn't seem to be happening, so I'm adding each IP manually in the hope that the IPs are not faked and that eventually it will do some good. Am I wasting my time?

It might be easier to use one of the relevant DNSBLs, but be careful: some of the lists out there have pretty loose criteria for adding addresses.
--
Bill Cole
[EMAIL PROTECTED]
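An added example, not part of Bill Cole's message or of the thread, and not code from SIMS or the Stalker SMTP server: a Python script covering the checks the exchange above turns on. It pulls the peer IP (the bracketed address the receiving server observed on the TCP connection) and the client-supplied HELO name out of a Received: header, forms the reversed-octet query name that DNSBLs answer, flags one HELO name reused across many source IPs, and counts distinct recipients per domain in the queue lines, which is the dictionary-attack signal. The zone name dnsbl.example, the resolver table, and the headers for the extra IPs are constructed placeholders; the first Received: header and the queue lines are the ones quoted in the post.

```python
# Added example (not from the post, the thread, or the SIMS/Stalker software).
# Assumptions: "dnsbl.example" stands in for a real DNSBL zone, fake_resolve
# stands in for DNS, and the headers marked CONSTRUCTED are made up here.
import ipaddress
import re
from collections import defaultdict

# Matches the "from [ip] (HELO name)" clause as written by the server in the
# post. The bracketed address is the TCP peer seen by the receiving MTA; the
# HELO string is whatever the client chose to send.
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*\(HELO (?P<helo>[^)]+)\)")

# Queue lines in the post: "<kind> <flag> <date> <time> <n> <domain> <localpart>".
QUEUE_RE = re.compile(
    r"^(?P<kind>[A-Z]) [A-Z] \S+ \S+ \S+ (?P<domain>\S+) (?P<local>\S+)$")


def parse_received(header):
    """Return (peer_ip, helo) from a Received: line, or None without such a clause."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    peer = ipaddress.IPv4Address(m.group("ip"))  # rejects octets above 255
    return str(peer), m.group("helo").strip()


def dnsbl_query_name(ip, zone):
    """Reverse the dotted quad and append the zone: 213.167.166.26 -> 26.166.167.213.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone, resolve):
    """Return the 127/8 answer codes the list gives for ip; [] means not listed.

    resolve(name) must return the A records for name as strings, [] on NXDOMAIN.
    Only 127.0.0.0/8 answers count; anything else is a wildcard or a broken zone.
    """
    codes = []
    for rr in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.IPv4Address(rr) in ipaddress.ip_network("127.0.0.0/8"):
            codes.append(rr)
    return codes


def helo_clusters(headers, min_sources=3):
    """Map each HELO name to the sorted peer IPs that used it, for names seen from >= min_sources IPs."""
    by_helo = defaultdict(set)
    for h in headers:
        parsed = parse_received(h)
        if parsed:
            ip, helo = parsed
            by_helo[helo.lower()].add(ip)
    return {helo: sorted(ips) for helo, ips in by_helo.items() if len(ips) >= min_sources}


def recipients_per_domain(queue_lines):
    """Distinct recipient local parts per domain, from the 'R' (recipient) queue lines."""
    seen = defaultdict(set)
    for line in queue_lines:
        m = QUEUE_RE.match(line.strip())
        if m and m.group("kind") == "R":
            seen[m.group("domain").lower()].add(m.group("local").lower())
    return {d: sorted(u) for d, u in seen.items()}


# Sample data: the Received: header and queue lines quoted in the post, plus
# constructed headers reusing two more source IPs from the post's list and one
# unrelated constructed header (192.0.2.10 is a documentation address).
SAMPLE_RECEIVED = ("Received: from [213.167.166.26] (HELO thefreevirtual.org) by SMTP.az.net "
                   "(Stalker SMTP Server 1.8b9d11) with SMTP id S.0000110944; Mon, 11 Nov 2002 09:47:34 -0700")
SAMPLE_HEADERS = [
    SAMPLE_RECEIVED,
    "Received: from [64.86.229.68] (HELO thefreevirtual.org) by SMTP.az.net with SMTP id S.CONSTRUCTED1",
    "Received: from [195.228.147.142] (HELO thefreevirtual.org) by SMTP.az.net with SMTP id S.CONSTRUCTED2",
    "Received: from [192.0.2.10] (HELO mail.example.net) by SMTP.az.net with SMTP id S.CONSTRUCTED3",
]
SAMPLE_QUEUE = """P I 11-11-2002 16:47:32 0000 thefreevirtual.org glen
R E 11-11-2002 16:47:36 0000 bzlaw.com glen
R E 11-11-2002 16:48:06 0000 bzlaw.com jeff
R E 11-11-2002 16:48:36 0000 bzlaw.com katie
R E 11-11-2002 16:49:06 0000 bzlaw.com oscar
R E 11-11-2002 16:51:06 0000 bzlaw.com pierre
R E 11-11-2002 16:53:06 0000 bzlaw.com rainbow""".splitlines()

# Constructed stand-in for DNS: only the IP the post says is listed gets the
# conventional 127.0.0.2 "listed" answer; every other name is NXDOMAIN.
FAKE_DNSBL = {"26.166.167.213.dnsbl.example": ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_DNSBL.get(name, [])


if __name__ == "__main__":
    ip, helo = parse_received(SAMPLE_RECEIVED)
    print(f"peer {ip} announced HELO {helo}; DNSBL codes: {dnsbl_listed(ip, 'dnsbl.example', fake_resolve)}")
    print("HELO names shared by 3+ source IPs:", helo_clusters(SAMPLE_HEADERS))
    print("distinct recipients per domain:", recipients_per_domain(SAMPLE_QUEUE))
```

To run it against live data, replace fake_resolve with a function that does the A lookup for the query name and returns [] on NXDOMAIN, and feed it the Received: lines your own server wrote; the point of filtering answers to 127.0.0.0/8 is that a list that has been shut down with a wildcard, or a resolver that rewrites NXDOMAIN, would otherwise look like "everything is listed".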
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
