RE: How Not To Filter Spam

So if you had received the mail sent here yesterday claiming to be from
Alain Durand, would you block Sun or IBM? I am sure Alain did not send a
random executable file to a non-existent account. It appears someone figured
out he had responded to me on this list in the past, and plenty of times
daily there are messages with the same content sent to half a dozen account
names as a cc set. Correlating Durand to Hain is completely in line with
typical spammer behavior. The fact this message got here is not a Sun
problem (but someone at IBM might want to send me a note). The point is that
it really doesn't matter which proxy was used; what shows up here looks like
a legitimate message from someone I have corresponded with in the past. The
only way to detect a fraud at the MUA would be to have a verifiable
signature from Alain (this was trapped at my MTA due to the exe file).

Tony


192.35.***.***:43014;4.65.25.155:25;Tue, 17 Feb 2004 15:12:51 -0800
tndh.net
S471B7
MAIL FROM:<alain.durand@xxxxxxx>
RCPT TO:<hain@xxxxxxxx>
<<MAIL-DATA>>
Received: from mtrumble (192.35.***.***:43014)
	by tndh.net with [XMail 1.17 (Win32/Ix86) ESMTP Server]
	id <S471B7> for <hain@xxxxxxxx> from <alain.durand@xxxxxxx>;
	Tue, 17 Feb 2004 15:12:51 -0800
Date: Tue, 17 Feb 2004 17:10:17 -0600
To: hain@xxxxxxxx
Subject: ID qfp... thanks
From: alain.durand@xxxxxxx
Message-ID: <adkselafptndppsbnlb@xxxxxxx>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------443488178303183"

----------443488178303183
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Yours ID fscyygroiei
--
Thank 
----------443488178303183
Content-Type: application/x-msdownload; name="pcrceynyu.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cdv.exe"


> 192.35.***.***
Non-authoritative answer:
***.***.35.192.in-addr.arpa     name = ***.***.ibm.com

*** - if someone from IBM wants to contact me off list I will provide the
missing name/number



> -----Original Message-----
> From: owner-ietf@xxxxxxxx [mailto:owner-ietf@xxxxxxxx] On Behalf Of Vernon Schryver
> Sent: Tuesday, February 17, 2004 8:03 PM
> To: ietf@xxxxxxxx
> Subject: Re: How Not To Filter Spam
> 
> > From: "william(at)elan.net"
> 
> > > It is also a classic example of what is wrong with the MUA filtering
> >
> > You certainly don't assume that there is nothing wrong with the filtering
> > system you use and others may try duplicate as well. Otherwise how would
> > you explain that you have Elan and completewhois.com listed as filtered
> > on your site. Do you honestly believe we ever sent you any SPAM? Or maybe
> > you're making certain assumptions about envelope from or normal "From:"
> > headers and complaining when others are making the similar assumptions?
> 
> Mail from Elan and completewhois.com is unwelcome at rhyolite.com in
> part because of a message that said:
> 
> ] Elan.Net Internet
> ] T.1 T.3 Frame Relay
> ] If you need more information about us or are interested in network services
> ] (managed hosting, collocation, dedicated servers, t1, t3), please send email to info@xxxxxxxx
> ]
> ] For More info
> ] http://www.elan.net
> ] sales@xxxxxxxx
> 
> There are additional, independent, sufficient reasons for that listing
> that we do not need to explore.  If you will read my web pages, you'll
> see that my list of unwelcome domains is not only about senders of
> unsolicited bulk email.
> 
> An advantage of a vanity or other tiny domain is that it can use
> blacklists that would have intolerable false positive rates at other
> or larger outfits but that have 0.000% local false positive rates.
> 
> 
> Vernon Schryver    vjs@xxxxxxxxxxxx
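
Added example, not part of the original message and not XMail's own code: a sketch of the kind of MTA-side attachment check that would trap the message quoted above, run over a constructed copy of its MIME headers. The example.* addresses, the dummy base64 body, the blocked-extension and blocked-type lists, and the function name attachment_findings are assumptions made for illustration.

```python
from email import message_from_string
import os

# Constructed sample modelled on the headers quoted above: placeholder
# example.* addresses and a dummy base64 body, not the real attachment.
SAMPLE = """\
From: alain.durand@example.com
To: hain@example.net
Subject: ID qfp... thanks
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------443488178303183"

----------443488178303183
Content-Type: text/plain; charset="us-ascii"

Yours ID fscyygroiei
----------443488178303183
Content-Type: application/x-msdownload; name="pcrceynyu.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cdv.exe"

ZHVtbXk=
----------443488178303183--
"""

# Assumed local policy lists, not XMail's configuration.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
BLOCKED_TYPES = {"application/x-msdownload"}

def attachment_findings(raw):
    """Return [(attachment name, [reasons])] for parts an MTA filter would trap."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        type_name = part.get_param("name")  # name= on Content-Type
        disp_name = part.get_param("filename", header="content-disposition")
        names = [n for n in (type_name, disp_name) if n]
        reasons = []
        if part.get_content_type() in BLOCKED_TYPES:
            reasons.append("executable content type")
        if any(os.path.splitext(n.lower())[1] in BLOCKED_EXT for n in names):
            reasons.append("executable extension")
        if type_name and disp_name and type_name != disp_name:
            reasons.append("name/filename mismatch")
        if reasons:
            findings.append((disp_name or type_name, reasons))
    return findings
```

The check looks only at the MIME structure, so it fires regardless of what the From: header claims.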


