So if you had received the mail sent here yesterday claiming to be from
Alain Durand would you block Sun or IBM? I am sure Alain did not send a
random executable file to a non-existent account. It appears someone figured
out he had responded to me on this list in the past, and plenty of times
daily there are messages with the same content sent to half a dozen account
names as a cc set. Correlating Durand to Hain is completely in line with
typical spammer behavior. The fact this message got here is not a Sun
problem (but someone at IBM might want to send me a note). The point is that
it really doesn't matter which proxy was used; what shows up here looks like
a legitimate message from someone I have corresponded with in the past. The
only way to detect a fraud at the MUA would be to have a verifiable
signature from Alain (this was trapped at my MTA due to the exe file).
Tony
192.35.***.***:43014;4.65.25.155:25;Tue, 17 Feb 2004 15:12:51 -0800
tndh.net
S471B7
MAIL FROM:<alain(_dot_)durand(_at_)sun(_dot_)com>
RCPT TO:<hain(_at_)tndh(_dot_)net>
<<MAIL-DATA>>
Received: from mtrumble (192.35.***.***:43014)
by tndh.net with [XMail 1.17 (Win32/Ix86) ESMTP Server]
id <S471B7> for <hain(_at_)tndh(_dot_)net> from
<alain(_dot_)durand(_at_)sun(_dot_)com>;
Tue, 17 Feb 2004 15:12:51 -0800
Date: Tue, 17 Feb 2004 17:10:17 -0600
To: hain(_at_)tndh(_dot_)net
Subject: ID qfp... thanks
From: alain(_dot_)durand(_at_)sun(_dot_)com
Message-ID: <adkselafptndppsbnlb(_at_)sun(_dot_)com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------443488178303183"
----------443488178303183
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Yours ID fscyygroiei
--
Thank
----------443488178303183
Content-Type: application/x-msdownload; name="pcrceynyu.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cdv.exe"
192.35.***.***
Non-authoritative answer:
***.***.35.192.in-addr.arpa name = ***.***.ibm.com
*** - if someone from IBM wants to contact me off list I will provide the
missing name/number
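The two checks the post above leans on, the MTA trapping the .exe attachment and the reverse DNS of the connecting host not matching the claimed sender, as an added example that is not part of the original message. It uses Python's standard email package on a constructed message modelled on the quoted headers; the IP address, the PTR table (a stand-in for a real reverse lookup) and the attachment bytes are placeholders, not values from the post.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the trapped message quoted above; the IP,
# the PTR table and the attachment bytes are placeholders, not page data.
RAW_MESSAGE = b"""\
Received: from mtrumble (192.0.2.10:43014) by tndh.net with ESMTP
 id <S471B7> for <hain@tndh.net> from <alain.durand@sun.com>;
 Tue, 17 Feb 2004 15:12:51 -0800
From: alain.durand@sun.com
Content-Type: multipart/mixed; boundary="--------443488178303183"

----------443488178303183
Content-Type: text/plain; charset="us-ascii"

Yours ID fscyygroiei
----------443488178303183
Content-Type: application/x-msdownload; name="pcrceynyu.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cdv.exe"

Q09OU1RSVUNURUQ=
----------443488178303183--
"""
# Stand-in for a reverse-DNS (PTR) lookup of the connecting host (constructed).
PTR_TABLE = {"192.0.2.10": "gw.example-isp.com", "192.0.2.20": "mail.sun.com"}
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

def parse(raw=RAW_MESSAGE):
    return email.message_from_bytes(raw, policy=policy.default)

def executable_attachments(msg):
    """Names of MIME parts that are Windows executables by type or extension."""
    return [part.get_filename() or "" for part in msg.walk()
            if part.get_content_type() in EXEC_TYPES
            or (part.get_filename() or "").lower().endswith(EXEC_EXTS)]

def origin_mismatch(msg):
    """(from_domain, ptr_host) when the host that handed the message to our
    MTA does not reverse-resolve inside the From: domain, else None."""
    top_hop = msg.get_all("Received", [""])[0]
    ip = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})", top_hop)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    ptr = PTR_TABLE.get(ip.group(1), "") if ip else ""
    if ptr == from_domain or ptr.endswith("." + from_domain):
        return None
    return from_domain, ptr
```

Only the top-most Received line is trusted here, since it is the one our own MTA wrote; the mismatch is a signal for quarantine, not proof of forgery on its own.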
-----Original Message-----
From: owner-ietf(_at_)ietf(_dot_)org [mailto:owner-ietf(_at_)ietf(_dot_)org]
On Behalf Of Vernon Schryver
Sent: Tuesday, February 17, 2004 8:03 PM
To: ietf(_at_)ietf(_dot_)org
Subject: Re: How Not To Filter Spam
From: "william(at)elan.net"
It is also a classic example of what is wrong with the MUA filtering
You certainly don't assume that there is nothing wrong with the filtering
system you use and others may try to duplicate it as well. Otherwise how would
you explain that you have Elan and completewhois.com listed as filtered
on your site. Do you honestly believe we ever sent you any SPAM? Or maybe
you're making certain assumptions about envelope from or normal "From:"
headers and complaining when others are making similar assumptions?
Mail from Elan and completewhois.com is unwelcome at rhyolite.com in
part because of a message that said:
] Elan.Net Internet
] T.1 T.3 Frame Relay
] If you need more information about us or are interested in network services
] (managed hosting, collocation, dedicated servers, t1, t3), please send email to info(_at_)elan(_dot_)net
]
] For More info
] http://www.elan.net
] sales(_at_)elan(_dot_)net
There are additional, independent, sufficient reasons for that listing
that we do not need to explore. If you will read my web pages, you'll
see that my list of unwelcome domains is not only about senders of
unsolicited bulk email.
An advantage of a vanity or other tiny domain is that it can use
blacklists that would have intolerable false positive rates at other
or larger outfits but that have 0.000% local false positive rates.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com