[nSLUG] Re: Got Spam?

Jamie Fifield fifield at ghost.nslug.ns.ca
Mon May 20 02:44:33 ADT 2002


On Fri, May 17, 2002 at 09:23:00AM -0300, Mike Spencer wrote:
> 
> > What I've been doing is taking the spam I receive and, with a couple
> > simple shell scripts, take out the IPs of all the hosts from the
> > mail headers.  The scripts run a few checks, and submit them for
> > testing with ORDB (ordb.org).
> 
> I've been working on a perl script to do something similar with a check
> against relays.osirusoft.com.
 
They seem pretty comprehensive.  What I like about ORDB is the speed.
IPs I submit can be blacklisted within 5 minutes, and you can get out
of the BL just as fast when the relay has been fixed.

> > If anyone is interested in the coding side of things, just reply and
> > we can look into the details.
> 
> Because I get mail via POP3, extensive parsing would be self defeating
> at my present spam level of 1-3 a day.  And my hacking has been pretty
> desultory (what with gardens, building under construction etc.) so I
> have separate pieces that fetch headers from the POP3 server, extract
> dotted quads, check IPs against the black list etc. but haven't pasted
> them together yet.
> 
> One item that I'm muttering over is that in many instances, the
> Received: headers are often forged, excepting the last one, so doing
> more extensive checking against the first mentioned IP may be more
> productive than checking all of them against one db.  I'm thinking of
> checking against a local list of netblocks belonging to .kr, .cn, .tw
> and maybe a few others and rejecting all mssgs injected from those net
> blocks.  Obviously not good if you (or your users) have correspondents
> in those countries.  Moreover, the "last Received: is the injection
> point" rule may not apply if your mail gets to your inbox through a
> series (>1) of local machines, so what would work for me on POP3 might
> not work at LargeSchool or BigCorp.
>
> Another is that IANA reserved addresses often appear in headers for
> one reason or another.  Local checking against a list of IANA
> netblocks could save a pointless online db lookup.

You and I are trying to do two different things.  I have procmail
recipes that do most of what you're thinking if you are interested.
 
# Here is a recipe to blacklist Argentina, China, Hong Kong, Korea,
# Russia and Taiwan domains.  Also blocks Class A's 202 and 203.
# ":0:" delivers to $SPAM under a lockfile; the "f" flag would instead
# run $SPAM as a filter program.  Whitespace inside a procmail regex
# is literal, so there are no spaces around "|"; the space after each
# TLD makes it match only at the end of the host name in the "from" token.
:0:
* ^Received: from.*(\.ar |\.cn |\.hk |\.kr |\.ru |\.tw |\
20[23]\.[0-9]+\.[0-9]+\.[0-9]+)
$SPAM



One thing I'd really like to develop is procmail recipes for
detecting various spam tools, I've got a couple already:
# Pegasus Mail adds "Comments: Authenticated sender is <...>"; a message
# carrying that line without the Pegasus X-Mailer header was forged.
:0:
* ^Comments:.*Authenticated sender
* !^X-Mailer: Pegasus Mail
$SPAM

# Bulk mailer identifying itself in X-Mailer.
:0:
* ()\/X-Mailer:.*DiffondiCool
$SPAM

# X-UIDL is a POP3-side header, so a message that arrives with one
# already set did not come through a normal mail client.
:0:
* ^X-UIDL:
$SPAM



Spam blocking is almost like a game... :)

-- 
Jamie Fifield
<fifield at chebucto.ns.ca>
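The checks the recipes above express in procmail, carried a step further as a stand-alone Python script (an added example, not code from this thread or from Jamie or Mike): it pulls the dotted quads out of the Received: headers and drops IANA reserved and private ranges locally before any DNSBL lookup, applies the country-TLD and 202/203 netblock rule only to the injection point with a configurable number of local hops (the ">1 local machines" caveat from the thread), and matches the three spam-tool header signatures. The netblock and TLD lists, host names, addresses and both sample messages are constructed for the example and stand in for nothing real.

```python
"""Header-based spam checks in the spirit of the procmail recipes above.
Added example; all lists and sample messages below are constructed."""
import ipaddress
import re
from email import message_from_string

# Constructed local lists standing in for the recipe's alternatives.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("202.0.0.0/8", "203.0.0.0/8")]
BLOCKED_TLDS = ("ar", "cn", "hk", "kr", "ru", "tw")

DOTTED_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_HOST = re.compile(r"^from\s+([^\s(\[]+)", re.IGNORECASE)  # host after "from "


def received_headers(raw):
    """Received: lines, most recent hop first, with folding whitespace collapsed."""
    msg = message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def public_ips(received):
    """Dotted quads worth an online lookup.  Private, loopback, link-local,
    documentation and other IANA reserved ranges are dropped locally, so
    no DNSBL query is ever spent on something like 10.0.0.5."""
    ips = []
    for line in received:
        for quad in DOTTED_QUAD.findall(line):
            try:
                ip = ipaddress.ip_address(quad)
            except ValueError:  # e.g. 999.1.1.1 inside a queue id
                continue
            if ip.is_global and str(ip) not in ips:
                ips.append(str(ip))
    return ips


def injection_point(received, local_hops=1):
    """The Received: line written by your own edge MTA.  Headers are
    prepended, so with one local machine it is the first line; behind a
    chain of N local machines it is the N-th.  Only this line is trusted."""
    return received[local_hops - 1] if len(received) >= local_hops else None


def check_injection(received, local_hops=1):
    """Reject reasons drawn from the injection point only: host name in a
    blocked TLD, or injecting address inside a blocked netblock."""
    line = injection_point(received, local_hops)
    if line is None:
        return []
    reasons = []
    m = FROM_HOST.match(line)
    if m:
        tld = m.group(1).lower().rstrip(".").rsplit(".", 1)[-1]
        if tld in BLOCKED_TLDS:
            reasons.append("injected from blocked TLD ." + tld)
    for quad in DOTTED_QUAD.findall(line):
        try:
            ip = ipaddress.ip_address(quad)
        except ValueError:
            continue
        for net in BLOCKED_NETS:
            if ip in net:
                reasons.append(f"injecting IP {ip} in blocked netblock {net}")
                break
    return reasons


def check_spam_tools(raw):
    """The three header signatures from the procmail recipes."""
    msg = message_from_string(raw)
    mailer = msg.get("X-Mailer", "")
    reasons = []
    if "Authenticated sender" in " ".join(msg.get_all("Comments", [])) \
            and not mailer.startswith("Pegasus Mail"):
        reasons.append("Pegasus-style Comments: header without Pegasus X-Mailer")
    if "DiffondiCool" in mailer:
        reasons.append("X-Mailer: DiffondiCool")
    if msg.get("X-UIDL") is not None:
        reasons.append("X-UIDL: present on arrival")
    return reasons


def classify(raw, local_hops=1):
    received = received_headers(raw)
    return {"lookup": public_ips(received),
            "reasons": check_injection(received, local_hops) + check_spam_tools(raw)}


# Constructed sample messages (addresses and host names are made up).
SPAM_MSG = """\
Received: from mail.example.cn (mail.example.cn [202.45.67.89])
    by mx.nslug.example (Postfix) with SMTP id 1234; Mon, 20 May 2002 02:00:00 -0300
Received: from [10.0.0.5] by forged.example.kr with SMTP; Mon, 20 May 2002 01:00:00 +0900
Comments: Authenticated sender is <someone@example.com>
X-UIDL: 0123456789abcdef
Subject: make money fast

body
"""
HAM_MSG = """\
Received: from smtp.chebucto.example (smtp.chebucto.example [198.51.100.7])
    by mx.nslug.example with ESMTP id 5678; Mon, 20 May 2002 02:10:00 -0300
X-Mailer: Pegasus Mail for Windows
Comments: Authenticated sender is <mike@example>
Subject: Re: Got Spam?

body
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_MSG), ("ham", HAM_MSG)):
        print(name, classify(raw))
    print("spam, two local hops:", classify(SPAM_MSG, local_hops=2)["reasons"])
```

Run with two local hops and the injection check goes quiet, because the second Received: line is the forged one: the trusted line has to be chosen per site, which is exactly why a recipe that works on a single POP3 host may not carry over to a larger mail chain. 198.51.100.7 in the ham message sits in an IANA documentation range, so it never reaches the lookup list.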


