[nSLUG] Re: Got Spam?

Mike Spencer mspencer at tallships.ca
Fri May 17 09:23:00 ADT 2002

> What I've been doing is taking the spam I receive and, with a couple
> simple shell scripts, take out the IPs of all the hosts from the
> mail headers.  The scripts run a few checks, and submit them for
> testing with ORDB (ordb.org).

I've been working on a perl script to do something similar with a check
against relays.osirusoft.com.

> If anyone is interested in the coding side of things, just reply and
> we can look into the details.

Because I get mail via POP3, extensive parsing would be self defeating
at my present spam level of 1-3 a day.  And my hacking has been pretty
desultory (what with gardens, building under construction etc.) so I
have separate pieces that fetch headers from the POP3 server, extract
dotted quads, check IPs against the black list etc. but haven't pasted
them together yet.

One item that I'm muttering over is that in many instances, the
Received: headers are often forged, excepting the last one, so doing
more extensive checking against the first mentioned IP may be more
productive than checking all of them against one db.  I'm thinking of
checking against a local list of netblocks belonging to .kr, .cn, .tw
and maybe a few others and rejecting all mssgs injected from those net
blocks.  Obviously not good if you (or your users) have correspondents
in those countries.  Moreover, the "last Received: is the injection
point" rule may not apply if your mail gets to your inbox through a
series (>1) of local machines, so what would work for me on POP3 might
not work at LargeSchool or BigCorp.

Another is that IANA reserved addresses often appear in headers for
one reason or another.  Local checking against a list of IANA
netblocks could save a pointless online db lookup.

One more point of possible interest: I'm only a novice perl hacker so
I may be ignorant or may be making an obvious thinko.  I thought that
perl regular expressions were supposed to be "greedy", but a perl
regexp to match dotted quad IP addresses seems not to work on the
greedy principle within (this_thing|that_thing|other_thing|last_thing)
constructs and the order of *_things matters.

> If you want to help out by submitting your spam, bounce the message
> (with full headers!!!) to spammenot at nslug.ns.ca.

I can't bounce a message from POP3.  I could send you 73 fairly
recently archived turdlets, totaling about 300k, by forwarding, as an
Emacs RMAIL file or something.  Is that of interest?

- Mike

Michael Spencer                  Nova Scotia, Canada 
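Example code added here, not Mike's script: a Perl sketch of the pieces described in the post (pull dotted quads out of Received: headers, skip IANA-reserved/private blocks locally before any online lookup, build the DNSBL query name as reversed octets under the list's zone) plus the alternation point. Perl's `|` is ordered, not longest-match: alternatives are tried left to right and the first one that lets the rest of the pattern succeed wins, so listing the short octet alternative first truncates a final octet unless something in the pattern has to match after it. The sample headers are constructed and the reserved-block table is deliberately partial.

```perl
use strict;
use warnings;
# Constructed sample headers (not a real message); the bottom Received: is the claimed injection point.
my $headers = <<'END';
Received: from mx.example.net (mx.example.net [203.0.113.10])
    by pop.example.net with ESMTP; Fri, 17 May 2002 08:00:00 -0300
Received: from relay.example.org (unknown [198.51.100.77])
    by mx.example.net with SMTP; Fri, 17 May 2002 07:59:00 -0300
Received: from [192.168.1.254] by relay.example.org; Fri, 17 May 2002 07:58:00 -0300
From: someone@example.com
END
# Alternation is ordered: the first alternative that lets the whole pattern succeed wins.
my $short_first = qr/(?:[1-9]?\d|1\d\d|2[0-4]\d|25[0-5])/;   # the thinko
my $long_first  = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;   # longest alternatives first
# On the last octet [1-9]?\d matches "25" and, with nothing required after it, the match ends there.
my ($trunc) = '[192.168.1.254]' =~ /\b($short_first(?:\.$short_first){3})/;
print "short-first, unguarded: $trunc\n";

# Dotted quads; the (?!\d) guard also stops a fifth octet from being absorbed.
sub extract_ips {
    my ($text) = @_;
    return $text =~ /\b($long_first(?:\.$long_first){3})(?!\d)/g;
}

# Partial local table of reserved/private blocks as [network, prefix length]; a real filter carries the full IANA list.
my @reserved = (['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
                ['172.16.0.0', 12], ['192.168.0.0', 16]);
sub ip2int { my @o = split /\./, shift; return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3]; }
sub is_reserved {
    my $n = ip2int(shift);
    for (@reserved) {
        my ($net, $len) = @$_;
        return 1 if ($n >> (32 - $len)) == (ip2int($net) >> (32 - $len));
    }
    return 0;
}

# A DNSBL lookup is a DNS query for the reversed octets under the list's zone.
# The zone is the one named in the post (long since shut down); no query is sent here.
sub dnsbl_name { my ($ip, $zone) = @_; return join('.', reverse split /\./, $ip) . ".$zone"; }

# Each Received: header together with its whitespace-continued lines is one hop.
my @hops = $headers =~ /^Received:.*(?:\n[ \t].*)*/mg;
for my $i (0 .. $#hops) {
    my $role = $i == $#hops ? 'claimed injection point' : "hop $i";
    for my $ip (extract_ips($hops[$i])) {
        if (is_reserved($ip)) { print "$role: $ip is reserved, skip lookup\n"; next; }
        print "$role: $ip -> query ", dnsbl_name($ip, 'relays.osirusoft.com'), "\n";
    }
}
```

The bottom-most Received: header is only the injection point when the message arrived through a single local MTA, as the post notes; a site with a chain of internal hops needs to skip its own machines first.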
