[nSLUG] Re: Got Spam?

Jamie Fifield fifield at ghost.nslug.ns.ca
Mon May 20 02:44:33 ADT 2002

On Fri, May 17, 2002 at 09:23:00AM -0300, Mike Spencer wrote:
> > What I've been doing is taking the spam I receive and, with a couple
> > simple shell scripts, take out the IPs of all the hosts from the
> > mail headers.  The scripts run a few checks, and submit them for
> > testing with ORDB (ordb.org).
> I've been working on a perl script to do something similar with a check
> against relays.osirusoft.com.
They seem pretty comprehensive.  What I like about ORDB is the speed.
IPs I submit can be blacklisted within 5 minutes, and you can get out
of the BL just as fast when the relay has been fixed.

> > If anyone is interested in the coding side of things, just reply and
> > we can look into the details.
> Because I get mail via POP3, extensive parsing would be self defeating
> at my present spam level of 1-3 a day.  And my hacking has been pretty
> desultory (what with gardens, building under construction etc.) so I
> have separate pieces that fetch headers from the POP3 server, extract
> dotted quads, check IPs against the black list etc. but haven't pasted
> them together yet.
> One item that I'm muttering over is that in many instances, the
> Received: headers are often forged, excepting the last one, so doing
> more extensive checking against the first mentioned IP may be more
> productive than checking all of them against one db.  I'm thinking of
> checking against a local list of netblocks belonging to .kr, .cn, .tw
> and maybe a few others and rejecting all messages injected from those net
> blocks.  Obviously not good if you (or your users) have correspondents
> in those countries.  Moreover, the "last Received: is the injection
> point" rule may not apply if your mail gets to your inbox through a
> series (>1) of local machines, so what would work for me on POP3 might
> not work at LargeSchool or BigCorp.
> Another is that IANA reserved addresses often appear in headers for
> one reason or another.  Local checking against a list of IANA
> netblocks could save a pointless online db lookup.

You and I are trying to do two different things.  I have procmail
recipes that do most of what you're thinking if you are interested.
# Here is a recipe to blacklist Argentina, China, Hong Kong, Korea,
# Russia and Taiwan domains.  Also blocks Class A's 202 and 203.
# (procmail matches spaces in a regex literally, so the alternatives
# are written without padding; the "\[" anchors 202/203 to the first
# octet of the bracketed address the receiving MTA recorded.)
:0:
* ^Received: from.*\/(\.ar|\.cn|\.hk|\.kr|\.ru|\.tw|\
  \[202\.|\[203\.)
spam

One thing I'd really like to develop is procmail recipes for
detecting various spam tools; I've got a couple already:
* ^Comments:.*Authenticated sender
* !^X-Mailer: Pegasus Mail

* ()\/X-Mailer:.*DiffondiCool

* ^X-UIDL:

Spam blocking is almost like a game... :)

Jamie Fifield
<fifield at chebucto.ns.ca>
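The header-walking logic the two of you describe, as an added example that is not code from either post: it unfolds the Received: headers, screens dotted quads against a local list of IANA special-use blocks before anything goes online, finds the injection point by walking down from the newest hop only while the recording ("by") host is one of ours (so a chain of local machines, as at LargeSchool, is skipped rather than trusted), and builds the reversed-octet name a DNSBL client would resolve. The sample message, the hostnames, TRUSTED and the zone names are constructed for the example; the reserved list is abridged. Note that ORDB closed in 2006 and relays.osirusoft.com in 2003, and a retired zone can answer positively for everything, so the zone must be a parameter you can change, never a hard-coded constant in production.

```python
"""Pick the injection-point IP out of Received: headers and build DNSBL
query names for it.  Example code for the thread, not the posters' scripts."""
import ipaddress
import re
from collections import namedtuple
from email import message_from_string

Hop = namedtuple("Hop", "from_text from_ip by_host")

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"^from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)

# Abridged local list of IANA special-use / non-routable blocks (assumption:
# extend to taste).  An address in one of these never needs an online lookup.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample: two internal hops, the real injection hop, and one
# attacker-supplied Received: line underneath it (hostnames are made up).
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [10.0.0.5])
    by mailbox.example.org (Postfix) with ESMTP id 1A2B3C
    for <user@example.org>; Fri, 17 May 2002 09:23:00 -0300
Received: from localhost (localhost [127.0.0.1])
    by mx.example.org (Postfix) with ESMTP id 4D5E6F;
    Fri, 17 May 2002 09:22:58 -0300
Received: from host.example.net (host.example.net [203.0.113.7])
    by mx.example.org (Postfix) with SMTP id 7G8H9I;
    Fri, 17 May 2002 09:22:55 -0300
Received: from mail.example.com (unknown [192.0.2.44])
    by host.example.net with smtp; Fri, 17 May 2002 09:20:00 -0300
From: someone@example.com
Subject: test

body
"""
TRUSTED = ["mailbox.example.org", "mx.example.org"]   # our own relays


def is_routable(ip_text):
    """True for a well-formed IPv4 address outside the local reserved list."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:          # e.g. 999.1.2.3 matched the regex but is junk
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def parse_received(raw_message):
    """Return one Hop per Received: header, newest (topmost) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = FROM_BY.search(flat)
        if not m:
            hops.append(Hop(flat, None, None))  # malformed: kept but unusable
            continue
        ip = IPV4.search(m.group("from"))
        hops.append(Hop(m.group("from"), ip.group(1) if ip else None,
                        m.group("by").lower()))
    return hops


def all_candidate_ips(raw_message):
    """Every routable quad in any from-clause, deduplicated, header order."""
    seen, out = set(), []
    for hop in parse_received(raw_message):
        for ip in IPV4.findall(hop.from_text):
            if is_routable(ip) and ip not in seen:
                seen.add(ip)
                out.append(ip)
    return out


def injection_point(raw_message, trusted_hosts):
    """Walk hops from the newest down while the recording ("by") host is one
    we trust; the first routable client IP met is where the mail entered our
    infrastructure.  Headers recorded by untrusted hosts are never consulted,
    since they are attacker-controlled text."""
    trusted = {h.lower() for h in trusted_hosts}
    for hop in parse_received(raw_message):
        if hop.by_host not in trusted:
            return None          # perimeter crossed without a usable IP
        if hop.from_ip is None or not is_routable(hop.from_ip):
            continue             # loopback / RFC 1918 internal relay hop
        return hop.from_ip
    return None


def dnsbl_query_name(ip_text, zone):
    """a.b.c.d -> d.c.b.a.<zone>, the name a DNSBL client resolves."""
    return ".".join(reversed(ip_text.split("."))) + "." + zone


if __name__ == "__main__":
    ip = injection_point(SAMPLE_MESSAGE, TRUSTED)
    print("injection point:", ip)
    print("all candidates :", all_candidate_ips(SAMPLE_MESSAGE))
    print("query name     :", dnsbl_query_name(ip, "relays.ordb.org"))
```

Run against the sample, the injection point is 203.0.113.7, while the forged bottom hop's 192.0.2.44 only shows up in the "submit everything" list; shrink TRUSTED to just mailbox.example.org and the walk stops at the first hop recorded by a host you do not control and returns nothing, which is the POP3-only case Mike describes.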
