procmail

Re: anybody see this spam?

1997-05-07 17:08:00
At 12:42 PM 5/7/97 -0400, Robert Nicholson wrote:
This is the first intelligent SPAM that's broken through my defenses.
Mailer because I have a rule to catch all rules from a MAILER_DAEMON

Comments on the From: header?

Return-Path: <Mailer-Daemon>
Received: from iceland.it.earthlink.net (iceland-c.it.earthlink.net) by
        dgs.dgsys.com (5.0/SMI-SVR4)
        id AA21041; Wed, 7 May 1997 09:58:20 -0400
From: Mailer-Daemon
Received: from mail.earthlink.net (Cust90.Max1.Raleigh.NC.MS.UU.NET
        [153.34.251.90])
        by iceland.it.earthlink.net (8.8.5/8.8.5) with SMTP id HAA15017;
        Tue, 6 May 1997 07:30:56 -0700 (PDT)
Received: from mailhost.errols.com (187.5.88.44) by errols.com (8.8.5/8.6.5)
        with SMTP id GAA01420 for <you(_at_)aol(_dot_)com>;
        Tue, 06 May 1997 10:20:07 -0600 (EST)
Date: Tue, 06 May 97 10:20:07 EST
To: you(_at_)AOL(_dot_)COM
Subject: Free Orlando Vacations !!!
Message-Id: <756843199975(_dot_)JJA64789(_at_)smtp(_dot_)errols(_dot_)com>
X-Uidl: 9876543fgt9821376nb0988mm632xx321
Comments: Authenticated sender is <email(_at_)errols(_dot_)com>
content-length: 1291

Another has already commented (correctly) on the From: header's location.
That can happen with legitimate mail, though rarely.

This was sent by the "Stealth Mailer" which I don't think is used for
anything but spam.  It started appearing in early March as near as I
could find out from others' spam "collections".

Here's a pattern to catch this mailer (for now, at least):
    * ^Received:.*\(8\.8\.5/8\.6\.5\).*SMTP id GAA.*for <.*-0600 \(EST\)
This is its "fingerprint" which I've posted on the SPAM-L list.  (I typed
it here by hand, so please excuse any typos.)  I don't think it's very
likely to catch any legitimate mail; note that EST is -0500.  I'd put
this check *before* any check for MAILER_DAEMON, even.  (Of course,
check only the headers; if you checked the body, you'd have bounced
your own post!)

Don't try to autoreply to these things; they are configured to forge
everything replyable.  You'll probably find phone numbers and/or P.O. Boxes
and/or web pages inside the message body, but procmail won't help there.

In case you care, the spam was injected at:
        Cust90.Max1.Raleigh.NC.MS.UU.NET [153.34.251.90],
which earthlink verified, by a sender claiming to be "mail.earthlink.net".
(When is UUNET going to get with it?)

Cheers,
Stan
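The three checks Stan describes above (the sendmail version-string fingerprint, the "-0600 (EST)" offset that does not match its zone name, and a HELO name that disagrees with the receiving MTA's verified reverse lookup of the peer) can also be run outside procmail. The script below is an added example, not code from the thread or from procmail; it is written in Python rather than procmailrc so the checks can be run and tested offline. The sample headers are constructed: the first block is the quoted spam with the archive's address obfuscation undone and the folded lines re-indented so they parse, the second is a made-up legitimate-looking message using reserved example names and addresses. Function names and the zone table are the example's own.

```python
"""Inspect Received: headers for the tells described in the post."""
import re
from email import message_from_string

# Constructed sample: the headers quoted in the thread, re-folded so they parse.
STEALTH_HEADERS = """\
Return-Path: <Mailer-Daemon>
Received: from iceland.it.earthlink.net (iceland-c.it.earthlink.net) by
 dgs.dgsys.com (5.0/SMI-SVR4)
 id AA21041; Wed, 7 May 1997 09:58:20 -0400
From: Mailer-Daemon
Received: from mail.earthlink.net (Cust90.Max1.Raleigh.NC.MS.UU.NET
 [153.34.251.90])
 by iceland.it.earthlink.net (8.8.5/8.8.5) with SMTP id HAA15017;
 Tue, 6 May 1997 07:30:56 -0700 (PDT)
Received: from mailhost.errols.com (187.5.88.44) by errols.com
 (8.8.5/8.6.5)
 with SMTP id GAA01420 for <you@aol.com>; Tue, 06 May 1997 10:20:07
 -0600
 (EST)
Date: Tue, 06 May 97 10:20:07 EST
To: you@AOL.COM
Subject: Free Orlando Vacations !!!

"""

# Constructed legitimate-looking message for contrast: EST carries the matching
# -0500 offset and the HELO name is in the same domain as the verified peer.
LEGIT_HEADERS = """\
Received: from mail.example.net (mx1.example.net [192.0.2.10])
 by relay.example.org (8.8.5/8.8.5) with SMTP id GAA02211
 for <someone@example.org>; Tue, 06 May 1997 11:20:07 -0500 (EST)
From: someone@example.net
Subject: meeting notes

"""

# The same fingerprint as the recipe in the post, applied to an unfolded value.
FINGERPRINT = re.compile(r"\(8\.8\.5/8\.6\.5\).*SMTP id GAA.*for <.*-0600 \(EST\)")

# Zone abbreviation -> offset in minutes east of UTC. The post's tell: EST is -0500.
ZONE_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -300, "EDT": -240, "CST": -360,
                "CDT": -300, "MST": -420, "MDT": -360, "PST": -480, "PDT": -420}

RECEIVED_FROM = re.compile(r"^from (\S+) \(([^)]*)\) ?by (\S+)")
TRAILING_TZ = re.compile(r"([+-])(\d{2})(\d{2}) \(([A-Za-z]{3,4})\)$")


def received_headers(raw):
    """Return the unfolded Received: values in header order (most recent hop first)."""
    msg = message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def zone_mismatch(received):
    """Return (offset, zone) when the numeric offset disagrees with the zone name, else None."""
    m = TRAILING_TZ.search(received)
    if not m:
        return None
    sign, hh, mm, zone = m.groups()
    offset = (int(hh) * 60 + int(mm)) * (-1 if sign == "-" else 1)
    expected = ZONE_OFFSETS.get(zone.upper())
    if expected is None or expected == offset:
        return None
    return (f"{sign}{hh}{mm}", zone.upper())


def registered_domain(host):
    """Crude 'last two labels' heuristic; good enough for the .net/.com names here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def relay_mismatch(received):
    """Flag a hop whose HELO name sits in a different domain than the receiving
    MTA's reverse lookup of the peer. Returns (claimed, verified) or None; a bare
    IP address in the parentheses gives nothing to compare and is skipped."""
    m = RECEIVED_FROM.match(received)
    if not m:
        return None
    claimed, verified, _receiver = m.groups()
    verified_host = verified.split()[0]  # drop a trailing "[ip]" if present
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", verified_host):
        return None
    if registered_domain(claimed) != registered_domain(verified_host):
        return (claimed, verified_host)
    return None


def analyse(raw):
    """Return (hop_index, finding) pairs for every Received: hop that trips a check."""
    findings = []
    for hop, rcvd in enumerate(received_headers(raw)):
        if FINGERPRINT.search(rcvd):
            findings.append((hop, "fingerprint"))
        if zone_mismatch(rcvd):
            findings.append((hop, "zone-mismatch"))
        if relay_mismatch(rcvd):
            findings.append((hop, "relay-mismatch"))
    return findings


if __name__ == "__main__":
    for name, raw in (("stealth", STEALTH_HEADERS), ("legit", LEGIT_HEADERS)):
        print(name, analyse(raw))
```

On the quoted spam this reports the forged bottom hop on both the fingerprint and the EST/-0600 inconsistency, and the middle hop on the HELO name "mail.earthlink.net" versus the UUNET dial-up that earthlink actually saw; the constructed legitimate message produces no findings. As with the procmail recipe, only headers are examined, so a message that discusses the fingerprint in its body is not caught.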
