Fwd: Re: [SLE] Spam..
Ooops - sorry about the off-list reply, Jim. The default Reply To: thing got me.
---------- Forwarded Message ----------
Subject: Re: [SLE] Spam..
Date: Wed, 12 Dec 2001 19:21:16 -0500
From: naurgrim
How can I track down this sh**head's ISP and complain about him spamming me?
"Zhang guo qing"
Hi Jim -

Handy tools for tracking spammers are available at spamcop.net and samspade.org. Having said that, however, you are likely not going to get any results. I have tried many times to submit complaints about spam coming from .cn domains - nobody cares, there are many open relays, zero response. In cases like this - filters, procmail and /etc/mail/access.db are your friends.
-------------------------------------------------------
* naurgrim (naurgrim@karn.org) [011212 16:23]:
Ooops - sorry about the off-list reply, Jim. The default Reply To: thing got me.
It's sort of relevant though. Because of the insane amount of spam that originates in Asia some companies are deciding to just block the entire 202.0.0.0 class allocated to Asia. Unfortunately, the Internet is not so simple anymore and many non-Asian companies that use Asian-based ISPs have had IPs from this 202.0.0.0 network allocated to them. For example, suse.com is entirely on the 202 network and it's happened a couple of times that an ISP blocked the whole class A to cut down on spam and blocked us as well.
--
-ckm
On Wednesday 12 December 2001 19:33, Christopher Mahmood wrote:
Unfortunately, the Internet is not so simple anymore and many non-Asian companies that use Asian-based ISPs have had IPs from this 202.0.0.0 network allocated to them. For example, suse.com is entirely on the 202 network and it's happened a couple of times that an ISP blocked the whole class A to cut down on spam and blocked us as well.
Oooof - that's gotta hurt. <g>
I've black-holed networks at my border routers before, but usually for stuff like FTP scanning and such, and only one class C at a time, as a rule.
/etc/mail/access.db is one of my favorites, as it can be as broad or selective as I want, and I don't have to bug my router guy for it.
It is, however, disheartening how few supposedly "responsible" parties just don't care and won't take action. I recently had one idiot question "who I was and where I got that information" after I sent them a chunk of my mail logs that showed a machine in their network block hitting me with null connects on port 25, every two seconds for 24 hours straight.
Setting up "550 service refused" on that single IP and CC'ing their upstream provider finally got them clued. ;>
Hi All....
On Thursday 13 December 2001 01:52, naurgrim wrote:
On Wednesday 12 December 2001 19:33, Christopher Mahmood wrote:
Unfortunately, the Internet is not so simple anymore and many non-Asian companies that use Asian-based ISPs have had IPs from this 202.0.0.0 network allocated to them. For example, suse.com is entirely on the 202 network and it's happened a couple of times that an ISP blocked the whole class A to cut down on spam and blocked us as well.
Oooof - that's gotta hurt. <g>
I've black-holed networks at my border routers before, but usually for stuff like FTP scanning and such, and only one class C at a time, as a rule.
/etc/mail/access.db is one of my favorites, as it can be as broad or selective as I want, and I don't have to bug my router guy for it.
It is, however, disheartening how few supposedly "responsible" parties just don't care and won't take action. I recently had one idiot question "who I was and where I got that information" after I sent them a chunk of my mail logs that showed a machine in their network block hitting me with null connects on port 25, every two seconds for 24 hours straight.
Setting up "550 service refused" on that single IP and CC'ing their upstream provider finally got them clued. ;>
My problem with this guy is that he just does not listen. He's a stamp collector (I'm a dealer) and I get from him 2 to 3 emails a day wanting to trade. I've written back nicely "no thanks", still got his emails. Then I got pissed off and cussed at him. No go there either. So I was hoping to find out his ISP's name and talk to them.
How do I find the email for whoever is in charge of the ISP? There's a command but I don't remember it.
TIA...
--
Jim Hatridge
Linux User #88484
------------------------------------------------------
BayerWulf Linux System # 129656
The Recycled Beowulf Project
Looking for throw-away or obsolete computers and parts to recycle into a Linux super computer
On December 13, 2001 01:23 pm, Jim Hatridge wrote:
My problem with this guy is that he just does not listen. He's a stamp collector (I'm a dealer) and I get from him 2 to 3 emails a day wanting to trade. I've written back nicely "no thanks", still got his emails. Then I got pissed off and cussed at him. No go there either. So I was hoping to find out his ISP's name and talk to them.
How do I find the email for whoever is in charge of the ISP? There's a command but I don't remember it.
whois
OTOH I'd just use the DISCARD feature in your access file. Assuming you're using sendmail.
Nick
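The access file mentioned in the messages above (DISCARD for one sender, "550 service refused" for one IP, a whole-network block) can be reasoned about with a small model. This is an added example, not sendmail's code and not something posted by the list members; it is a simplified model of the most-specific-first lookup, and the sample entries, including the 202.10.20.30 exemption, are constructed.

```python
# Constructed sample of /etc/mail/access source text (key, whitespace, action).
ACCESS_SRC = """\
# one abusive host, with a custom SMTP reply
192.0.2.77\t550 service refused
# a class-C sized block, written as an octet prefix
198.51.100\tREJECT
# the whole 202 network, as some ISPs in the thread did
202\tREJECT
# constructed stand-in for a legitimate sender that lives inside 202
202.10.20.30\tOK
# silently drop mail from one persistent sender
pest@example.cn\tDISCARD
"""


def parse_access(src):
    """Parse access-file text into {key: action}; '#' lines are comments."""
    table = {}
    for line in src.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_ip(table, ip):
    """Try a.b.c.d, then a.b.c, a.b, a: the most specific entry wins."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return key, table[key]
    return None, None


def lookup_sender(table, addr):
    """Try user@domain, then the domain and its parents, then 'user@'."""
    addr = addr.lower()
    user, _, domain = addr.partition("@")
    labels = domain.split(".")
    keys = [addr] + [".".join(labels[i:]) for i in range(len(labels))] + [user + "@"]
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    table = parse_access(ACCESS_SRC)
    # 202.10.20.31 is a constructed neighbour of the exempted host: it shows
    # the collateral damage of the broad "202" entry.
    for ip in ("192.0.2.77", "202.96.209.35", "202.10.20.30", "202.10.20.31"):
        print(ip, "->", lookup_ip(table, ip))
    print(lookup_sender(table, "pest@example.cn"))
```

On a real sendmail host the text file only takes effect after it is rebuilt into the database, typically with `makemap hash /etc/mail/access < /etc/mail/access`.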
* Jim Hatridge (James.Hatridge@epost.de) [011213 11:48]:
My problem with this guy is that he just does not listen. He's a stamp collector (I'm a dealer) and I get from him 2 to 3 emails a day wanting to trade. I've written back nicely "no thanks", still got his emails. Then I got pissed off and cussed at him. No go there either. So I was hoping to find out his ISP's name and talk to them.
Well, if the address is really online.sh.cn just

host online.sh.cn
online.sh.cn. has address 61.129.163.65
online.sh.cn. has address 202.96.209.35

ipchains -I input -s 61.129.163.65 -d 0/0 -p tcp -y -j DENY
ipchains -I input -s 202.96.209.35 -d 0/0 -p tcp -y -j DENY

Eventually, someone over there will get tired of the undeliverable mail and stop. Of course, he may just be using an open relay he found.
How do I find the email for whoever is in charge of the ISP? There's a command but I don't remember it.

whois online.sh.cn

but postmaster@domain or abuse@domain should work.
--
-ckm
On Thursday 13 December 2001 13:23, Jim Hatridge wrote:
My problem with this guy is that he just does not listen. He's a stamp collector (I'm a dealer) and I get from him 2 to 3 emails a day wanting to trade. I've written back nicely "no thanks", still got his emails. Then I got pissed off and cussed at him. No go there either. So I was hoping to find out his ISP's name and talk to them.
How do I find the email for whoever is in charge of the ISP? There's a command but I don't remember it.
Hello Jim - This sounds like a perfect job for spamcop.net, then. Sign up for a free account, run one of this guy's mails thru it, with full headers, of course, and make sure that you have "show technical details" selected - it'll give you a heap of information about where his traffic comes from, what relays it went thru, etc. Of course, it is possible to fake headers and such, spamcop is pretty good at parsing out such, but if he is just a casual and annoying idiot, you should be able to get a wiggle on who to complain to. If his last relay was in .cn, you may want to look at where it originated. Remember, the top Received: header is the last relay, the bottom-most Received: header (if it isn't faked) could give you an idea of what network the traffic came from. Again, however, your complaints may go unresolved. If so, filter, deny traffic, firewall, lather, rinse, repeat.
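The Received: reading order described in the message above can be checked mechanically. The following is an added example, not code from the thread or from spamcop: it walks the Received: headers from the top and trusts a hop only while every header down to it was stamped by your own mail server. The sample message, hostnames and addresses are constructed placeholders, and `mx.example.org` is assumed to be the recipient's own server.

```python
import re
from email import message_from_string

# Constructed sample (not a message from the thread). mx.example.org stands
# for the recipient's own mail server; all hosts and IPs are placeholders.
RAW = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id abc123
\tfor <jim@example.org>; Thu, 13 Dec 2001 12:01:07 +0100
Received: from mail.example.com (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Thu, 13 Dec 2001 19:00:58 +0800
Received: from dialup.example.com ([192.0.2.1])
\tby mx.example.org; Thu, 13 Dec 2001 18:59:00 +0800
From: trader@example.com
To: jim@example.org
Subject: trade?

hello
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?P<peer>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_chain(raw, own_servers):
    """Return the Received: hops top-down (last relay first).

    A hop is verified only while every header from the top down to it was
    stamped by one of our own servers; anything below that point was written
    by machines we do not control and may be faked.
    """
    own = {s.lower() for s in own_servers}
    hops, in_own_run = [], True
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        by = m.group("by").lower() if m else None
        ip = IP_RE.search(m.group("peer")) if m else None
        in_own_run = in_own_run and by in own
        hops.append({
            "helo": m.group("helo") if m else None,
            "ip": ip.group(1) if ip else None,
            "by": by,
            "verified": in_own_run,
        })
    return hops


def handoff_ip(hops):
    """IP logged by the lowest verified hop: the host that connected to us."""
    verified = [h for h in hops if h["verified"] and h["ip"]]
    return verified[-1]["ip"] if verified else None


if __name__ == "__main__":
    chain = relay_chain(RAW, {"mx.example.org"})
    for n, hop in enumerate(chain):
        tag = "verified" if hop["verified"] else "unverified claim"
        print(f"{n}: by {hop['by']} from {hop['helo']} [{hop['ip']}] ({tag})")
    print("address to look up with whois:", handoff_ip(chain))
```

The bottom header in the sample names `mx.example.org` as the stamping server but sits below an outside relay, so it is reported as an unverified claim rather than as the origin.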
At 19:21 12/13/2001 -0500, naurgrim wrote:
On Thursday 13 December 2001 13:23, Jim Hatridge wrote:
My problem with this guy is that he just does not listen. He's a stamp collector (I'm a dealer) and I get from him 2 to 3 emails a day wanting to trade. I've written back nicely "no thanks", still got his emails. Then I got pissed off and cussed at him. No go there either. So I was hoping to find out his ISP's name and talk to them. /snip/
Why don't you just filter him out? That's easy and gets him off your back altogether. Now, if someone could tell me how to filter mail "from" asdfklu with subject inmbles; I would love to know how. Oh, it has to work in Lotus Notes. That's what we're using at work. These are all porno guys trying to sell their wares. I'm not in IT, so I can't do anything at the source, I'm just a poor dumb user (with no understanding of Lotus) trying to get rid of the junk. (I must have 30 "rules" by now to get rid of the spammers.)
On Thursday 13 December 2001 19:35, Doug McGarrett wrote:
Why don't you just filter him out? That's easy and gets him off your back altogether. Now, if someone could tell me how to filter mail "from" asdfklu with subject inmbles; I would love to know how. Oh, it has to work in Lotus Notes. That's what we're using at work. These are all porno guys trying to sell their wares. I'm not in IT, so I can't do anything at the source, I'm just a poor dumb user (with no understanding of Lotus) trying to get rid of the junk. (I must have 30 "rules" by now to get rid of the spammers.)
Sorry Doug -
I don't know Notes.
However, if it can filter on body text, how's about dumping everything that contains:

to be removed
to be permanently removed
to get removed
S.1618
S. 1618

That should get at least 60% of it. <g>
On Friday 14 December 2001 02:55, naurgrim wrote:
On Thursday 13 December 2001 19:35, Doug McGarrett wrote:
Why don't you just filter him out? That's easy and gets him off your back altogether. Now, if someone could tell me how to filter mail "from" asdfklu with subject inmbles; I would love to know how. Oh, it has to work in Lotus Notes. That's what we're using at work. These are all porno guys trying to sell their wares. I'm not in IT, so I can't do anything at the source, I'm just a poor dumb user (with no understanding of Lotus) trying to get rid of the junk. (I must have 30 "rules" by now to get rid of the spammers.)
Sorry Doug -
I don't know Notes.
However, if it can filter on body text, how's about dumping everything that contains:
to be removed
to be permanently removed
to get removed
S.1618
S. 1618
That should get at least 60% of it. <g>
Has anyone else tried Spamassassin (http://spamassassin.taint.org/) ? It's a set of configurable Perl stuff that sifts through your incoming mail spool, runs a set of pattern-matching tests on it, and flags the spam (it adds X-Spam-Flag headers, modifies the subject and adds a spam warning in the body). I download mail straight from my ISP via POP, through a Kmail filter that pattern-matches the regexp . in the headers, pipes it through spamassassin ('spamassassin -p') - note, uncheck the 'if match hit, stop processing here!' bit!
From there, it goes to a second filter that looks for spamassassin-generated flags, and diverts such into a spam folder. Of course, you could equally well shred those mails unread; I'm still tuning mine, and don't want to shred accidental false positives.
You can edit spamassassin's tolerance for potential false positives, and exempt addresses from checking by editing /$HOME/.spamassassin.prefs. A properly-tuned spamassassin can apparently identify 99.9% of spam on sight. The only downside is that it does slow down mail reception a bit, due to checking Vipul's Razor (http://razor.sourceforge.net/) for each message; but you can turn that off, too. (It's very cool, I have to say; and thanks to my friend Colm for helping me work it out.) For me, spam *is* a thing of the past.
Gideon.
I download mail straight from my ISP via POP, through a Kmail filter that pattern-matches the regexp . in the headers, pipes it through spamassassin ('spamassassin -p') - note, uncheck the 'if match hit, stop processing here!' bit!
I was looking at spamassassin just yesterday. I found myself in Perl module dependency hell - it seemed to require just about every Perl module under the sun. Half a dozen visits to CPAN later it was still complaining so I scrapped the idea. Also, I couldn't see how to make it integrate with Kmail. Can you give a bit more detail on how mail gets through spamassassin into Kmail?
* Derek Fountain;
I was looking at spamassassin just yesterday. I found myself in Perl module dependency hell - it seemed to require just about every Perl module under the sun. Half a dozen visits to CPAN later it was still complaining so I scrapped the idea.
Here is what I do in my shell

# perl -MCPAN -e shell

once it is set up (pretty easy) type

# get Mail::SpamAssassin

which will get all the modules needed and then you can build and install it. Alternatively, as root you can issue

# install Mail::SpamAssassin

which will get, build and install the whole thing
--
Togan Muftuoglu
On Friday 14 December 2001 14:19, Derek Fountain wrote:
I download mail straight from my ISP via POP, through a Kmail filter that pattern-matches the regexp . in the headers, pipes it through spamassassin ('spamassassin -p') - note, uncheck the 'if match hit, stop processing here!' bit!
I was looking at spamassassin just yesterday. I found myself in Perl module dependency hell - it seemed to require just about every Perl module under the sun. Half a dozen visits to CPAN later it was still complaining so I scrapped the idea.
Really?
I followed the README word for word, and it did it all automagically.
The one thing I would say is that it's a *good* idea to install the Mail::Audit module *first*. So;

perl -MCPAN -e shell

(answered 'no' to the 'do you want to muck around with the CPAN defaults' question; I'm no great shakes with Perl.)

install Mail::Audit
quit

(ftp.perl.org was having a funny five minutes when I installed; I hit ctrl-c and it found another server (in Demon) and got Mail::Audit off there instead.)
I also made a point of installing Net::DNS, just for the hell of it; identical procedure to the one above.
You can then either download spamassassin as a tar.gz from http://spamassassin.taint.org/downloads.html or type;

perl -MCPAN -e shell
install Mail::SpamAssassin
quit

(if you do this, it autoinstalls)
If you go the tarball way, then tar -zxvf it; perl Makefile.PL; make; make test; make install
(which shoves it in /usr/lib/perl5/site_perl/5.6.1/ on my box.)
Tried doing the tests in http://spamassassin.taint.org/dist/README and all worked fine from the off.
Also, I couldn't see how to make it integrate with Kmail. Can you give a bit more detail on how mail gets through spamassassin into Kmail?
From Kmail;
Select 'Configure filters'
New filter
In Filter Criteria, select "<any header> <matches regular expression> . "
(yup, dot - it's not just a full stop in my mail)
Then, under Filter Actions, choose "<pipe through> spamassassin -P"
*Uncheck* the box marked "If this filter matches, stop processing here".
Hit OK, and it should save it.
If you keep that filter at the top, then the first thing Kmail does on retrieving mail from your ISP is run it through that filter; it invokes spamassassin on the incoming mail and then passes it through to your other filters to be dealt with as per normal.
As I said, I have a second filter set up after the spamassassin one to divert flagged spam into a folder marked Hormel; it sends them there if the headers contain "X-Spam-Flag: YES" or "X-Spam-Status: Yes" or the subject contains "*****SPAM*****" (which are three of the things spamassassin shoves into spam mails to identify them).
Since I'm running a cable modem, I don't mind the slight delay in mail arrival caused by checking Razor, but you can disable all remote checks in /$HOME/spamassassin.prefs, which speeds it up considerably.
Hope that gives you enough information to go on!
Gideon.
On Friday 14 December 2001 9:55 am, Gideon Hallett wrote:
On Friday 14 December 2001 14:19, Derek Fountain wrote:
I download mail straight from my ISP via POP, through a Kmail filter that pattern-matches the regexp . in the headers, pipes it through spamassassin ('spamassassin -p') - note, uncheck the 'if match hit, stop processing here!' bit!
I was looking at spamassassin just yesterday. I found myself in Perl module dependency hell - it seemed to require just about every Perl module under the sun. Half a dozen visits to CPAN later it was still complaining so I scrapped the idea.
Really?
I followed the README word for word, and it did it all automagically.
The one thing I would say is that it's a *good* idea to install the Mail::Audit module *first*. So;
perl -MCPAN -e shell
(answered 'no' to the 'do you want to muck around with the CPAN defaults' question; I'm no great shakes with Perl.)
install Mail::Audit
quit
(ftp.perl.org was having a funny five minutes when I installed; I hit ctrl-c and it found another server (in Demon) and got Mail::Audit off there instead.)
I also made a point of installing Net::DNS, just for the hell of it; identical procedure to the one above.
You can then either download spamassassin as a tar.gz from http://spamassassin.taint.org/downloads.html or type;
perl -MCPAN -e shell
install Mail::SpamAssassin
quit
(if you do this, it autoinstalls)
If you go the tarball way, then tar -zxvf it; perl Makefile.PL; make; make test; make install
(which shoves it in /usr/lib/perl5/site_perl/5.6.1/ on my box.)
Tried doing the tests in http://spamassassin.taint.org/dist/README and all worked fine from the off.
Also, I couldn't see how to make it integrate with Kmail. Can you give a bit more detail on how mail gets through spamassassin into Kmail?
From Kmail;
Select 'Configure filters'
New filter
In Filter Criteria, select "<any header> <matches regular expression> . "
(yup, dot - it's not just a full stop in my mail)
Then, under Filter Actions, choose "<pipe through> spamassassin -P"
*Uncheck* the box marked "If this filter matches, stop processing here".
Hit OK, and it should save it.
If you keep that filter at the top, then the first thing Kmail does on retrieving mail from your ISP is run it through that filter; it invokes spamassassin on the incoming mail and then passes it through to your other filters to be dealt with as per normal.
As I said, I have a second filter set up after the spamassassin one to divert flagged spam into a folder marked Hormel; it sends them there if the headers contain "X-Spam-Flag: YES" or "X-Spam-Status: Yes" or the subject contains "*****SPAM*****" (which are three of the things spamassassin shoves into spam mails to identify them).
Since I'm running a cable modem, I don't mind the slight delay in mail arrival caused by checking Razor, but you can disable all remote checks in /$HOME/spamassassin.prefs, which speeds it up considerably.
Hope that gives you enough information to go on!
Gideon.
I'm in dependency hell too..... Running SuSE 7.3 pro and as far as I can tell I have everything loaded. But CPAN is giving me the error:

Running install for module Mail::Audit
Running make for S/SI/SIMON/Mail-Audit-2.0.tar.gz
CPAN: MD5 loaded ok
Can't locate object method "new" via package "MD5" (perhaps you forgot to load "MD5"?) at /usr/lib/perl5/5.6.1/CPAN.pm line 4212.

MD5 is loaded as shown above....
Just too many gimmicks to make this work.
--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall bmarsh@bmarsh.com Bellaire, MI 12/14/01 10:37 +
+----------------------------------------------------------------------------+
"If knees were backwards, what would chairs look like?"
On Friday 14 December 2001 15:39, Bruce Marshall wrote:
On Friday 14 December 2001 9:55 am, Gideon Hallett wrote:
On Friday 14 December 2001 14:19, Derek Fountain wrote:
<snip>
I'm in dependency hell too..... Running SuSE 7.3 pro and as far as I can tell I have everything loaded. But CPAN is giving me the error:
7.3 pro here too...
Running install for module Mail::Audit
Running make for S/SI/SIMON/Mail-Audit-2.0.tar.gz
CPAN: MD5 loaded ok
Can't locate object method "new" via package "MD5" (perhaps you forgot to load "MD5"?) at /usr/lib/perl5/5.6.1/CPAN.pm line 4212.
MD5 is loaded as shown above....
Strange. Have you tried getting Mail::Audit manually from http://www.cpan.org/authors/id/S/SI/SIMON/Mail-Audit-2.0.tar.gz and installing it by hand? (The only reference I can find to similar problems was installing modules in 5.6.1 via CPAN - http://archive.develooper.com/beginners-cgi%40perl.org/msg02735.html ) Here's what I get manually (after 'perl Makefile.PL');
ls
.   Audit     Changes  MANIFEST  Makefile.PL  popread  test.pl
..  Audit.pm  FAQ      Makefile  README       proc2ma

make
cp Audit/List.pm blib/lib/Mail/Audit/List.pm
cp Audit/KillDups.pm blib/lib/Mail/Audit/KillDups.pm
cp Audit/MAPS.pm blib/lib/Mail/Audit/MAPS.pm
cp Audit.pm blib/lib/Mail/Audit.pm
cp Audit/Razor.pm blib/lib/Mail/Audit/Razor.pm
cp Audit/PGP.pm blib/lib/Mail/Audit/PGP.pm
Manifying blib/man3/Mail::Audit::List.3pm
Manifying blib/man3/Mail::Audit::KillDups.3pm
Manifying blib/man3/Mail::Audit::MAPS.3pm
Manifying blib/man3/Mail::Audit.3pm
Manifying blib/man3/Mail::Audit::Razor.3pm
Manifying blib/man3/Mail::Audit::PGP.3pm
Just too many gimmicks to make this work.
I'm running 7.3 pro, and it works just fine.
Compare this genuine message;
To: SLE
participants (9)
- Bruce Marshall
- Christopher Mahmood
- Derek Fountain
- Doug McGarrett
- Gideon Hallett
- Jim Hatridge
- naurgrim
- Nick Zentena
- Togan Muftuoglu