On Mon, 2 Jun 1997, Peter Evans wrote:
> over the past couple of days, I've noticed a new flavour
> of spam program. you can't match on id/site because it
> spews its crap everywhere.
Another thing I've noticed about this guy's spams (I've received at
least 4 of them) is that he uses invalid IP addresses. I have been able to
extract all addresses in a header, but am not having much success in
determining if they are valid. I've had some hit-and-miss success with
this (I'm sure I'm making any number of terrible mistakes here) ...
# Wrap every dotted quad on a line in splats, pull the 2nd and 4th fields
# (the first two addresses) back out with awk, feed them to nslookup, and
# treat the condition as true when grep exits 0, i.e. a "Name:" line came back.
:0:
* ? sed -n '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/s//*&*/pg' \
  | awk -F* '{print $2"\n"$4}' | nslookup | grep Name
BAD-IP
Even if it does work, it appears to be successful only in cases
where the very last IP number is bad.
The idea, btw, in inserting the splats is to make it easier to awk
out the IP address.
Has anyone done anything along these lines? I'm sure the above would
be excessively slow if instituted server-wide.
-Michael
> about the only consistent thing about it is the id is
> always an 8 digit number.
> here is one example.
> P
> the only way to nab this one seems to be to use procmail
> as a final delivery agent with a rule to match this.
> but I am nervous of doing this on a mail server that is
> an overloaded p90 with 10000+ accounts and an average
> of 5 mails/sec incoming ... *.*!
> ---------------------------------------------------------------
> From 47931438(_at_)juno(_dot_)com Sun Jun 1 09:51:21 1997
> Received: from bud.peinet.pe.ca (root(_at_)bud(_dot_)peinet(_dot_)pe(_dot_)ca [198.167.1.1])
>         by gol1.gol.com (8.8.5/8.8.5) with ESMTP id JAA21564;
>         Sun, 1 Jun 1997 09:51:19 +0900 (JST)
> From: 47931438(_at_)juno(_dot_)com
> Received: from bud.peinet.pe.ca (ip207.new-haven.ct.pub-ip.psi.net [38.11.102.207])
>         by bud.peinet.pe.ca (8.8.5/8.6.14) with SMTP id VAA09193;
>         Sat, 31 May 1997 21:42:38 -0300 (ADT)
> Received: from mailhost.totuff.net(alt2.forevermails.net(254.750.86.9))
>         by forevermails.net (8.8.5/8.6.5) with SMTP id GAA06259
>         for <freind(_at_)public(_dot_)com>; Sat, 31 May 1997 20:06:26 -0600 (EST)
> Date: Sat, 31 May 97 20:06:26 EST
> To: freind(_at_)public(_dot_)com
> Subject: >> 27 MILLION EMAIL ADDRESSES...PLUS BONUSES!
> Message-ID: <17479243565668(_dot_)JDL9087(_at_)forevermails(_dot_)net>
> X-UIDL: 6478789540b74jdi9a321loi771l8f8k
> Comments: Authenticated sender is <mikep(_at_)totuff(_dot_)net>
> Status: OR
> ---------------------------------------------------------------
--------------------------------------------------------------------------
Michael Cooley michael(_at_)bogey(_dot_)emcee(_dot_)com
http://emcee.com/~michael/
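The recipe above pays for an nslookup on every address, yet the tell-tale in the quoted spam (254.750.86.9, an octet above 255) is a purely syntactic defect. The following is an added example, not from the original post or from procmail, assuming POSIX sh and awk: it walks only the Received: headers (including folded continuation lines), prints every dotted quad with an out-of-range octet, and exits 0 when it found one, so it can sit behind a procmail "* ?" condition without touching DNS.

```shell
#!/bin/sh
# Added example: syntactic dotted-quad check for Received: headers.
# Reads a message on stdin, prints each address with an octet outside
# 0-255 and exits 0 if any were found (1 otherwise).  No DNS lookups,
# so it is cheap enough to run on every incoming message.
find_bad_ips() {
    awk '
    /^$/ { exit }                                  # end of the header block
    /^Received:/ { inrecv = 1 }
    /^[^ \t]/ && !/^Received:/ { inrecv = 0 }      # some other header field
    inrecv {
        line = $0
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            quad = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            split(quad, o, ".")
            bad = 0
            for (i = 1; i <= 4; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) bad = 1
            if (bad) { print quad; found = 1 }
        }
    }
    END { exit found ? 0 : 1 }
    '
}

# Constructed sample: the Received: lines of the spam quoted above, with
# the wrapped lines rejoined, plus a body line that must be ignored.
SAMPLE='Received: from bud.peinet.pe.ca (root@bud.peinet.pe.ca [198.167.1.1])
        by gol1.gol.com (8.8.5/8.8.5) with ESMTP id JAA21564;
        Sun, 1 Jun 1997 09:51:19 +0900 (JST)
Received: from bud.peinet.pe.ca (ip207.new-haven.ct.pub-ip.psi.net
        [38.11.102.207]) by bud.peinet.pe.ca (8.8.5/8.6.14) with SMTP id VAA09193
Received: from mailhost.totuff.net(alt2.forevermails.net(254.750.86.9)) by
        forevermails.net (8.8.5/8.6.5) with SMTP id GAA06259
Subject: >> 27 MILLION EMAIL ADDRESSES...PLUS BONUSES!

body text mentioning 999.999.999.999, which is not a header and is skipped'

printf '%s\n' "$SAMPLE" | find_bad_ips
```

Used as a procmail condition the recipe becomes `* ? /path/to/find_bad_ips.sh` followed by the BAD-IP folder; the valid 198.167.1.1 and 38.11.102.207 pass, only 254.750.86.9 is reported.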