[nSLUG] Re: Got Spam?
fifield at ghost.nslug.ns.ca
Mon May 20 02:44:33 ADT 2002
On Fri, May 17, 2002 at 09:23:00AM -0300, Mike Spencer wrote:
> > What I've been doing is taking the spam I receive and, with a couple
> > simple shell scripts, take out the IPs of all the hosts from the
> > mail headers. The scripts run a few checks, and submit them for
> > testing with ORDB (ordb.org).
> I've been working on a perl script to do something similar with a check
> against relays.osirusoft.com.
They seem pretty comprehensive. What I like about ORDB is the speed.
IPs I submit can be blacklisted within 5 minutes, and you can get out
of the BL just as fast when the relay has been fixed.
> > If anyone is interested in the coding side of things, just reply and
> > we can look into the details.
> Because I get mail via POP3, extensive parsing would be self defeating
> at my present spam level of 1-3 a day. And my hacking has been pretty
> desultory (what with gardens, building under construction etc.) so I
> have separate pieces that fetch headers from the POP3 server, extract
> dotted quads, check IPs against the black list etc. but haven't pasted
> them together yet.
> One item that I'm muttering over is that in many instances, the
> Received: headers are often forged, excepting the last one, so doing
> more extensive checking against the first mentioned IP may be more
> productive than checking all of them against one db. I'm thinking of
> checking against a local list of netblocks belonging to .kr, .cn, .tw
> and maybe a few others and rejecting all mssgs injected from those net
> blocks. Obviously not good if you (or your users) have correspondents
> in those countries. Moreover, the "last Received: is the injection
> point" rule may not apply if your mail gets to your inbox through a
> series (>1) of local machines, so what would work for me on POP3 might
> not work at LargeSchool or BigCorp.
> Another is that IANA reserved addresses often appear in headers for
> one reason or another. Local checking against a list of IANA
> netblocks could save a pointless online db lookup.
You and I are trying to do two different things. I have procmail
recipes that do most of what you're thinking if you are interested.
# Here is a recipe to blacklist Argentina, China, Hong Kong, Korea,
# Russia and Taiwan domains. Also blocks Class A's 202 and 203.
* ^Received: from.*\/(\.ar | \.cn | \.hk | \.kr | \.ru | \.tw |\
One thing I'd really like to develop is procmail recipes for
detecting various spam tools. I've got a couple already:
* ^Comments:.*Authenticated sender
* !^X-Mailer: Pegasus Mail
Spam blocking is almost like a game... :)
<fifield at chebucto.ns.ca>
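Added example, not code from either poster or from the nSLUG thread: a small Python script that does the header-side work the two of them describe. It pulls every dotted quad out of the Received: headers, drops IANA-reserved and private ranges locally before any online lookup, walks the headers from the newest hop down and skips the local machines so that the "last Received: is the injection point" rule still works behind a chain of internal relays, and builds the reversed-octet name a DNSBL client would resolve. It makes no network queries. The message, the hostnames, the OUR_MTAS / OUR_IPS sets and the zone name are all constructed assumptions; 203.0.113.0/24 is documentation address space standing in for an outside sender.

```python
# Added example, not code from the original post or from the nSLUG thread.
# Steps: extract dotted quads from Received: headers, skip reserved ranges
# locally, find the injection point while trusting only our own MTAs, and
# build the reversed-octet DNSBL query name. Nothing here touches the
# network. Hostnames, addresses and the OUR_* sets are constructed for
# illustration; 203.0.113.0/24 is documentation space standing in for an
# outside sender.
import ipaddress
import re
from email import message_from_string

# Constructed message: two internal hops above the MTA that accepted the
# mail from outside, then a Received: line the sender forged.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.168.1.5])
\tby pop.example.net with ESMTP id A1; Mon, 20 May 2002 02:40:00 -0300
Received: from mx.example.net (mx.example.net [10.0.0.2])
\tby relay.example.net with ESMTP id B2; Mon, 20 May 2002 02:39:58 -0300
Received: from mail.spammer.example (unknown [203.0.113.77])
\tby mx.example.net with SMTP id C3; Mon, 20 May 2002 02:39:50 -0300
Received: from localhost (localhost [127.0.0.1]) by mail.spammer.example
From: someone@example.org
Subject: hi

body
"""

# Assumed local knowledge: names of our own MTAs and the addresses they
# connect from. Anything else is "outside".
OUR_MTAS = {"pop.example.net", "relay.example.net", "mx.example.net"}
OUR_IPS = {"192.168.1.5", "10.0.0.2"}

IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.S)

# Reserved / private ranges: a DNSBL lookup on these is wasted effort.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_message(raw=SAMPLE):
    """Parse a raw RFC 822 message (headers keep their folded lines)."""
    return message_from_string(raw)


def is_reserved(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESERVED)


def parse_received(header):
    """One Received: header -> (HELO name, connecting IP or None, 'by' host)."""
    m = RECEIVED.search(header)
    if not m:
        return None
    ipm = IPV4.search(m.group("paren") or "")
    return m.group("helo"), (ipm.group(1) if ipm else None), m.group("by").rstrip(";")


def candidate_ips(msg):
    """Every dotted quad in the Received: headers, minus reserved ranges
    and duplicates: the 'check them all against one db' approach."""
    seen, out = set(), []
    for hdr in msg.get_all("Received", []):
        for ip in IPV4.findall(hdr):
            if ip in seen:
                continue
            seen.add(ip)
            try:
                if not is_reserved(ip):
                    out.append(ip)
            except ValueError:  # octet > 255, not a real address
                pass
    return out


def injection_point(msg, our_mtas=OUR_MTAS, our_ips=OUR_IPS):
    """Walk Received: headers top-down (newest hop first). Headers written
    by our own MTAs are trusted; the first hop one of them accepted from a
    host that is not ours is the injection point. Headers below that were
    written by untrusted machines and may be forged."""
    for hdr in msg.get_all("Received", []):
        parsed = parse_received(hdr)
        if parsed is None:
            continue
        helo, ip, by = parsed
        if by not in our_mtas:
            return None  # chain of custody broken before we found it
        ours = (ip in our_ips) if ip else (helo in our_mtas)
        if not ours:
            return ip
    return None


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the list zone; that is the name a
    DNSBL client resolves (an A record answer means 'listed')."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    msg = parse_message()
    print("all candidates :", candidate_ips(msg))
    ip = injection_point(msg)
    print("injection point:", ip)
    # relays.ordb.org was the ORDB zone at the time (assumption; long defunct)
    print("query name     :", dnsbl_query_name(ip, "relays.ordb.org"))
```

Calling injection_point() with a smaller trusted set (say only the POP3 host) shows the difference Mike raises: the "last Received:" is then an internal relay, not the outside sender, so the local hop list is what makes the rule portable from a home POP3 setup to a site with several internal relays. Two caveats for anyone wiring this into procmail today: both ORDB and the osirusoft list have been gone for years, and a zone that has been shut down can answer positively for every name queried, so a filter should treat "every lookup is listed" as a broken list rather than as evidence of spam.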