procmail

Re: Killing spam based on nameserver info

1997-09-12 23:41:29
Why am I getting copies of all your mail?



Conrad Sabatier wrote:

Here's a novel and interesting idea I ran across recently.  I haven't yet
gotten around to actually setting up a procmail recipe to test this method,
but it does sound extremely clever!

---------------------------------------------------------
In article <5v8p13$pmn(_at_)bonkers(_dot_)taronga(_dot_)com>,
Peter da Silva <peter(_at_)taronga(_dot_)com> wrote:
In article <5v7q82$359$1(_at_)dolphin(_dot_)neosoft(_dot_)com>,
Conrad Sabatier <conrads(_at_)neosoft(_dot_)com> wrote:
Sounds groovy.  But I'm not sure I understand how this works.  Are the
nameservers and the spam sites in the same numeric IP range?

No, what this means is:

      1. spammer wants to run 'hornysluts.com'
      2. spammer goes to their ISP. ISP says "we don't want your
         business", and kicks them off.
      3. repeat a couple of times
      4. spammer wises up. Gets a site with a generic name like
         "bjc-co.com" and then pays Sanford Wallace money to
         provide name service for 'hornysluts.com'.
      5. Spammer sends mail "from respond-now(_at_)hornysluts(_dot_)com".
      6. Filter looks up "hornysluts.com", and says "aha, that's
         one of Sanford Wallace's customers".
      7. Filter rejects mail.

In article <5va7dt$c1t(_at_)bonkers(_dot_)taronga(_dot_)com>,
Peter da Silva <peter(_at_)taronga(_dot_)com> wrote:
In article <5v9puc$5q5$1(_at_)dolphin(_dot_)neosoft(_dot_)com>,
Conrad Sabatier <conrads(_at_)neosoft(_dot_)com> wrote:
Ah, OK.  So we're talking about a whois type of thing.  Gotcha (I think).

No. Nslookup. Whois is slow.

When you want to resolve a name, you call gethostbyname().

It does a request to a nameserver (like ns.neo.net) asking "what name
server owns this name". This is relayed or redirected up the chain to the
root nameservers, and tells gethostbyname the name of the nameserver that
owns that domain. Then you ask that nameserver the ip address for that
host.

Cool.  So you're saying use something like this (of course the hostname
would be piped to a script in .procmailrc, but just for illustration
here):

conrads:/usr/home/conrads$ nslookup -type=NS hornysluts.com
Server:  localhost.neosoft.com
Address:  127.0.0.1

Non-authoritative answer:
hornysluts.com  nameserver = NS.INTR.NET
hornysluts.com  nameserver = NS.IAGI.NET

Authoritative answers can be found from:
NS.INTR.NET     internet address = 207.32.89.10
NS.IAGI.NET     internet address = 207.32.101.100

Then you could just grep for known spam nameservers, right?

In article <5vceav$j1t$1(_at_)dolphin(_dot_)neosoft(_dot_)com>,
Conrad Sabatier <conrads(_at_)neosoft(_dot_)com> wrote:

Thanks!  Looks like a promising idea.  By the way, is there a list of
these nameservers anywhere?

Grab the canonical lists of cyberpromo and quantum communications address
blocks, and use the IP addresses of the nameservers to see if they're in
range. That should cover 99% of your spam.

-----------------------------------------------------------------

--
Conrad Sabatier                    | FreeBSD -- UNIX for your PC
http://www.neosoft.com/~conrads    | Why settle for less than the best?
Spambots, use this: biteme(_at_)f-u(_dot_)org | http://www.freebsd.org
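An added illustration of the check Peter describes above (not code from the thread or from procmail): take the sender's domain, find its nameservers, resolve them, and test whether any falls inside a blocked address range. It is written in Python rather than as the nslookup-plus-grep pipeline shown; the DNS answers and the blocked range are constructed placeholders using documentation addresses, and `ns_lookup`/`a_lookup` are hypothetical hooks where a real resolver would be plugged in.

```python
import ipaddress

# Constructed stand-ins for live DNS answers so the check runs offline.
# Names and addresses are placeholders (RFC 5737 documentation ranges),
# not real records and not real spammer nameservers.
SAMPLE_NS = {
    "example-spam.test": ["ns1.spamhost.test", "ns2.spamhost.test"],
    "example-ok.test": ["ns.goodisp.test"],
}
SAMPLE_A = {
    "ns1.spamhost.test": "198.51.100.10",
    "ns2.spamhost.test": "198.51.100.11",
    "ns.goodisp.test": "203.0.113.5",
}
# Constructed block list playing the role of the "canonical address
# blocks" the thread refers to.
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def sender_domain(from_header):
    """Return the lower-cased domain of a From: value, or None if absent."""
    addr = from_header.strip()
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def nameserver_ips(domain, ns_lookup, a_lookup):
    """Resolve the NS hosts of `domain` to addresses; unresolvable ones are skipped."""
    ips = []
    for ns in ns_lookup(domain):
        ip = a_lookup(ns)
        if ip:
            ips.append(ipaddress.ip_address(ip))
    return ips


def is_spam_by_nameserver(from_header, ns_lookup=None, a_lookup=None):
    """True if any nameserver for the sender's domain sits in a blocked net.
    ns_lookup/a_lookup are hypothetical hooks; swap in a real resolver."""
    ns_lookup = ns_lookup or (lambda d: SAMPLE_NS.get(d, []))
    a_lookup = a_lookup or SAMPLE_A.get
    domain = sender_domain(from_header)
    if domain is None:
        return False  # nothing to look up; leave it to other recipes
    return any(ip in net
               for ip in nameserver_ips(domain, ns_lookup, a_lookup)
               for net in BLOCKED_NETS)
```

In a .procmailrc the From: header would be piped to this script and the recipe would act on its exit status; a domain with no NS records, or nameservers that do not resolve, simply fails to match rather than being treated as spam.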