From: Patrick B. <on...@pa...> - 2007-01-30 09:26:05
hey,

i'm using your tool as an isp to report all the spam that my customers receive.

1
i figured out, that the .spam/bad file is used to list bad email addresses, that return with a negative. today, i wanted to expand the list by an address that caused a delivery failure, but the email address was already included there.
am i mistaken about the file's usage?

2
for some emails i only receive the following answer from spam.pl:

    ## Parsing Header Information
    No unfriendly hosts were found. This cannot have been a spam!

i don't quite understand this message. how can i deactivate it?

3
can i define additional whois servers for specific ip-ranges? many ip whois lookups seem to fail.

4
is it possible to tell spam.pl only to process the real, not the forged headers? almost all spam mail has forged headers now and i get many responses from abuse-desks telling me their address was spoofed and they can't do anything about it - and i guess it's annoying, too.

thanks for the great tool :)
paddy2706
From: Jon F. <jo...@ap...> - 2007-01-31 00:21:28
> 1
> i figured out, that the .spam/bad file is used to list bad email
> addresses, that return with a negative. today, i wanted to expand the
> list by an address that caused a delivery failure, but the email address
> was already included there.
> am i mistaken about the file's usage?

I hadn't fully implemented it yet. I just wrote the code that should implement this feature and checked it into cvs. It is actually bad domains right now, not bad emails (this should probably be changed).

> 2
> for some emails i only receive the following answer from spam.pl:
>
> ## Parsing Header Information
> No unfriendly hosts were found. This cannot have been a spam!
>
> i don't quite understand this message. how can i deactivate it?

It means that spam.pl found nothing to complain about. Can you send me an example of a spam message that triggers this (include the headers)?

> 3
> can i define additional whois servers for specific ip-ranges? many ip
> whois lookups seem to fail.

Yes, in lib/IPBlks.pm you will see a huge list of IP addresses, add your ranges in there accordingly. Check out tools/netmask.pl in CVS for a useful tool that will spit out what exactly you should put into the IPBlks.pm file.

> 4
> is it possible to tell spam.pl only to process the real, not the forged
> headers? almost all spam mail has forged headers now and i get many
> responses from abuse-desks telling me their address was spoofed and they
> can't do anything about it - and i guess it's annoying, too.

Right now it isn't. I think I started working on this and got distracted from this project. It really should be implemented.

Jon
From: Patrick B. <on...@pa...> - 2007-01-31 09:52:11
Hey Jon,

thank you for your quick reply.

>> 1
>> i figured out, that the .spam/bad file is used to list bad email
>> addresses, that return with a negative. today, i wanted to expand the
>> list by an address that caused a delivery failure, but the email
>> address was already included there.
>> am i mistaken about the file's usage?
>
> I hadn't fully implemented it yet. I just wrote the code that should
> implement this feature and checked it into cvs. It is actually bad
> domains right now, not bad emails (this should probably be changed).

1: yes, bad emails makes more sense, since often spam.pl sends complaints to postmaster@ and abuse@ and only one of the two exist.

>> 2
>> for some emails i only receive the following answer from spam.pl:
>>
>> ## Parsing Header Information
>> No unfriendly hosts were found. This cannot have been a spam!
>>
>> i don't quite understand this message. how can i deactivate it?
>
> It means that spam.pl found nothing to complain about. Can you send
> me an example of a spam message that triggers this (include the headers)?

2: at the moment i can't. this error message disappeared also in last night's run. the problem is, that i have it configured to delete the mail right after sending the complaint.

>> 3
>> can i define additional whois servers for specific ip-ranges? many ip
>> whois lookups seem to fail.
>
> Yes, in lib/IPBlks.pm you will see a huge list of IP addresses, add
> your ranges in there accordingly. Check out tools/netmask.pl in CVS
> for a useful tool that will spit out what exactly you should put into
> the IPBlks.pm file.

3: thank you. I will extend it to my needs and send you the updated version.

>> 4
>> is it possible to tell spam.pl only to process the real, not the
>> forged headers? almost all spam mail has forged headers now and i get
>> many responses from abuse-desks telling me their address was spoofed
>> and they can't do anything about it - and i guess it's annoying, too.
>
> Right now it isn't. I think I started working on this and got
> distracted from this project. It really should be implemented.

4: this is *really important* to me, since i get many complaints from providers that are annoyed by the many abuse mails i sent out to them, only because the forged header includes their ip/domain.

unfortunately i'm no good at perl otherwise i could maybe figure some things out myself. :(

be assured that I will donate you a little extra money, as soon as the software does what i want :)

regards,
patrick
From: Patrick B. <on...@pa...> - 2007-02-04 22:44:13
Hey,

And it's me again. I have just created two patches and uploaded them to the patches-section at spam.pl's project site at sourceforge.

I have also started expanding the list of third-level domains at the beginning of the script and I'm thinking about having an extra file like the IPBlks.pm for them since they make the script very long (so far I added about 50, but more are still to come up).

Also have I started thinking about a solution, how to tell spam.pl only to parse real Received headers. Here I have two approaches:

1) only parse the FIRST received line, quick and dirty, but probably problematic if email is received on a remote box and then sent to a local mta, or even if spam and virus check are a separate mta (via proxy)
2) only parse received lines that include the real hostname of the mailserver

i don't know if the second solution is still the best, since even the real hostname could be spoofed (which has not happened to me so far)

great work, again! without the script provided writing a similar programme would have taken me several months.

regards,
patrick
From: Esa <es...@la...> - 2007-02-04 23:02:58
Patrick Brueckner wrote:
> Also have I started thinking about a solution, how to tell spam.pl
> only to parse real Received headers. Here I have two approaches:
> 1) only parse the FIRST received line, quick and dirty, but probably
> problematic if email is received on a remote box and then sent to a
> local mta, or even if spam and virus check are a separate mta (via proxy)
> 2) only parse received lines that include the real hostname of the
> mailserver

Well, why not simulate a real person, which would look at the headers until it finds the last one he can trust?

My mail is coming via about 5 different servers. The last header I'm trusting is the one that is added by one of them. So, tell spam.pl which hosts (ip addresses) are the last ones to trust.

esa
From: Jon F. <jo...@ap...> - 2007-02-05 21:32:23
> My mail is coming via about 5 different servers. The last header I'm
> trusting is the one that is added by one of them. So, tell spam.pl which
> hosts (ip addresses) are the last ones to trust.

This is the best way I know of to implement the "only process real received headers" solution. In fact I even have that as a comment in spam.pl in the "process_received_headers" function. The incoming IP address can't be forged then. Often it is an open relay though, so people may still complain to you that they didn't send the message. However, in that case they really are a true offender that can do something to stop the spam.

Sorry guys, it has been a long time since I looked at this code and looks like I already implemented this solution :P. It looks like if you set 'filterreceived = 1' then it will only process the true Received headers.

Jon
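The trust-boundary walk that Esa and Jon describe above, as an added Python example that is not part of the thread and is not spam.pl's code: read the Received headers from the top, keep going while the connecting address belongs to one of your own hosts, and report only the first address that does not. The function name, the trusted network list and the sample message are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (newest Received header first); hosts and addresses
# are documentation values, not taken from the thread.
SAMPLE = """\
Received: from mx2.isp.example (mx2.isp.example [192.0.2.20])
    by store.isp.example with ESMTP; Mon, 5 Feb 2007 21:30:02 +0100
Received: from mail.relay.example (unknown [203.0.113.77])
    by mx2.isp.example with ESMTP; Mon, 5 Feb 2007 21:30:01 +0100
Received: from mail.bank.example (mail.bank.example [198.51.100.5])
    by mail.relay.example with SMTP; Mon, 5 Feb 2007 21:29:00 +0100
From: someone@bank.example
Subject: constructed sample

body
"""

FROM_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def split_received(raw, trusted_nets):
    """Return (handoff_ip, ignored_ips) for a raw message.

    handoff_ip is the address that connected to the outermost trusted
    host; ignored_ips are addresses claimed in the headers below it,
    which the sender could have written and so are never reported.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    headers = message_from_string(raw).get_all("Received", [])
    for pos, hdr in enumerate(headers):
        # Unfold the header and keep only the "from ..." clause.
        from_part = re.split(r"\sby\s", " ".join(hdr.split()), maxsplit=1)[0]
        match = FROM_IP.search(from_part)
        try:
            ip = ipaddress.ip_address(match.group(1)) if match else None
        except ValueError:
            ip = None
        if ip is None:
            return None, []  # hop cannot be verified: report nothing
        if not any(ip in net for net in nets):
            below = " ".join(headers[pos + 1:])
            return str(ip), FROM_IP.findall(below)
    return None, []  # every hop was internal


if __name__ == "__main__":
    print(split_received(SAMPLE, ["192.0.2.0/24"]))
```

With the ISP's own range trusted, the complaint goes to the owner of 203.0.113.77 only; as Jon notes, that host may be an open relay, but its address was recorded by a trusted server rather than supplied by the sender.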
From: Patrick B. <on...@pa...> - 2007-02-05 21:54:16
cheers,

i cannot find this implementation anywhere in the software. is it in the cvs only or in 0.25? I was unable to find anything according to that, also trying it out didn't work.
and where do you define the ip-to-trust?

confused

patrick
From: Jon F. <jo...@ap...> - 2007-02-05 23:25:39
It may only be in the cvs version, I can't remember what is in 0.25 :P

The friend list is used as the hosts/ips to trust.