[Coco] yahoo groups
gene.heskett at verizon.net
Sat Apr 21 10:30:35 EDT 2007
On Saturday 21 April 2007, Manney wrote:
>Gene Heskett wrote:
>> On Friday 20 April 2007, John E. Malmberg wrote:
>>> Roger Merchberger wrote:
>>>> Rumor has it that Gene Heskett may have mentioned these words:
>>>>> ... if the X-Originating-IP: header can be believed.
>>>> Yes, but can it? Anything X* in the headers is optional, and it depends
>>>> on if *your* server is inserting that header, or if it's coming from the
>>>> other end of the SMTP conversation - if it's from the other end, it can
>>>> (and probably is) spoofed to try to look legit.
>>>> What do your Received: headers say? Also, what are you running for an
>> fetchmail sucks from 3 accounts, and hands it off to procmail who applies
>> a few rules and feeds most of it through spamd, then looks at what spamd
>> thought of it and disposes of it accordingly. The X-Originating-IP: is,
>> if it's there at all, the lowest in the header which I'd assume would be
>> valid because all the intervening relays add their fingerprints above
>> the previous one in the chain. Or at least that's the theory.
>Gene, are you using Spam Assassin? I can't remember, but in an old post,
>I thought you said you were using it.
>The good thing about my host is that it runs all email through Spam
>Assassin before it gets to me if I ask it to. Takes the burden of a
>slow, CPU hogging PERL script off of my hands. :)
Yup, the same here. But after the trip through spamassassin, the mail is
still available for procmail to further inspect. And if the Spam-Level:
header line contains more than 10 stars, it goes straight to /dev/null from
procmail, which takes care of about 85% of it right there. The kmail sorts
the remaining spam, over 5 stars, into folders that tell me whose server I
sucked it from, and the leftovers are then filtered into the correct folder.
Out of several hundred a day, 2 might make it into a regular folder. The
rest I feed to spamassassin 3-4 times a week as bayes training.
But, as I said in a previous post, it seems the huge majority of the spam, 75%
or more is directed to me via some yahoo group I've never even heard of,
often by BCc:, and comes with a header that's the last line of the header
with any trace of an IP address in it, called X-Originating-IP: which
contains an address that resolves via whois, back to a small list of about 6
machines, all owned by yahoo.
That section of the header, often below the Subject: line, and is in this
Date: Sat, 21 Apr 2007 08:38:19 +0100
From: Manney <mannslists at invigorated.org>
Subject: Re: [Coco] yahoo groups
In-reply-to: <200704202021.40968.gene.heskett at verizon.net>
Sender: coco-bounces at maltedmedia.com
To: CoCoList for Color Computer Enthusiasts <coco at maltedmedia.com>
Errors-to: coco-bounces at maltedmedia.com
Reply-to: CoCoList for Color Computer Enthusiasts <coco at maltedmedia.com>
Message-id: <4629BF6B.9050306 at invigorated.org>
X-BeenThere: coco at maltedmedia.com
Delivered-to: coco at five.pairlist.net
Delivered-to: bathory-maltedmedia:com-coco at maltedmedia.com
X-Original-To: coco at lists5.maltedmedia.com
X-Modwest-MailScanner: Found to be clean
X-MailScanner-From: mannslists at invigorated.org
References: <200704191626.49317.gene.heskett at verizon.net>
<126.96.36.199.2.20070419173423.052a10f8 at mail.30below.com>
<f0biei$1lu$1 at sea.gmane.org> <200704202021.40968.gene.heskett at verizon.net>
List-Post: <mailto:coco at maltedmedia.com>
<mailto:coco-request at maltedmedia.com?subject=subscribe>
<mailto:coco-request at maltedmedia.com?subject=unsubscribe>
List-Help: <mailto:coco-request at maltedmedia.com?subject=help>
List-Id: CoCoList for Color Computer Enthusiasts <coco.maltedmedia.com>
User-Agent: Thunderbird 188.8.131.52 (X11/20070403)
Start of body
And there's 20 lines of header above that section that I didn't paste and that
basically trace its path from pair.com to me through the vz server farm.
Now, that X-Originating-IP: 184.108.40.206
[root at coyote ~]# whois 220.127.116.11
OrgName: pair Networks
Address: 2403 Sidney St
Address: Suite 510
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Direct Allocation
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RTechName: Martin, Kevin J.
RTechEmail: sigma at pair.com
OrgAbuseName: Abuse Handling
OrgAbuseEmail: abuse at pair.com
OrgTechName: Martin, Kevin J.
OrgTechEmail: sigma at pair.com
# ARIN WHOIS database, last updated 2007-04-20 19:10
Which in this case is pair.com which I believe is the parent address of the
maltedmedia alias. Are you both co-hosted at pair.com?
But that describes how I go about tracing where a mail came from, and I'm
equally sure that in the case of spam, much of that is a flat out lie. But
what else have we to go on?
Cheers Manny, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Those who don't know, talk. Those who don't talk, know.
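The header handling this thread talks about, shown as an added example (it is not code from the list post or from any of the tools named in it): walk the Received: chain from the bottom up, since the lowest Received: line is the one closest to the origin and each relay stacks its own line above it; treat X-Originating-IP: as an unverified claim, because any X-* header can be written by whoever handed the message to the first relay; and apply the star thresholds from the post (more than 10 stars discarded, more than 5 sorted into a per-account spam folder). The message, the relay names, the documentation-range IP addresses and the folder names are all constructed for the example; only the standard-library `email` package is used.

```python
"""Inspect a mail's Received: chain, X-Originating-IP: claim and spam level.

Added example, not code from the list post. Header names, folder names
and the sample message below are assumptions made for illustration.
"""
import email
import re
from email import policy

# Constructed sample message. Received: lines appear newest-first, the way an
# MTA prepends them; the bottom one was written by the first hop.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123 for <me@example.org>;
\tSat, 21 Apr 2007 08:40:01 -0400
Received: from list.example.net (list.example.net [198.51.100.7])
\tby relay.example.net with ESMTP id def456;
\tSat, 21 Apr 2007 08:39:55 -0400
Received: from [203.0.113.42] (unknown [203.0.113.42])
\tby list.example.net with SMTP id ghi789;
\tSat, 21 Apr 2007 08:39:40 -0400
From: someone@example.net
To: me@example.org
Subject: test
X-Spam-Level: ***********
X-Originating-IP: [203.0.113.42]

body
"""

# Bracketed IPv4 literal, as MTAs record the connecting client in Received:
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANY_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def received_chain(msg):
    """Received: header values ordered oldest hop first (bottom of header first)."""
    return list(reversed(msg.get_all("Received", [])))


def origin_hops(msg):
    """Connecting-client IPs along the chain, oldest hop first."""
    hops = []
    for hdr in received_chain(msg):
        match = BRACKETED_IPV4.search(str(hdr))
        if match:
            hops.append(match.group(1))
    return hops


def claimed_originating_ip(msg):
    """The X-Originating-IP: value, or None. It is only a claim: an X-* header
    may have been set by the sending side rather than by a relay you trust."""
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    match = ANY_IPV4.search(str(value))
    return match.group(0) if match else None


def spam_level(msg):
    """Number of stars in X-Spam-Level:, 0 when the header is absent."""
    return str(msg.get("X-Spam-Level", "")).count("*")


def route(msg, account="default"):
    """Folder decision following the post: >10 stars dropped, >5 stars sorted
    into a per-account spam folder, everything else delivered to the inbox."""
    level = spam_level(msg)
    if level > 10:
        return "/dev/null"
    if level > 5:
        return f"spam-{account}"
    return "inbox"


def report(text, account="default"):
    """Parse a raw message and summarise what its headers say about it."""
    msg = email.message_from_string(text, policy=policy.default)
    hops = origin_hops(msg)
    first_hop = hops[0] if hops else None
    claimed = claimed_originating_ip(msg)
    return {
        "stars": spam_level(msg),
        "folder": route(msg, account),
        "first_hop": first_hop,
        "claimed_origin": claimed,
        # True only when the self-reported origin agrees with the relay chain.
        "claim_matches_chain": claimed is not None and claimed == first_hop,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_MESSAGE, account="verizon").items():
        print(f"{key}: {value}")
```

The `claim_matches_chain` flag is the practical check: when the X-Originating-IP: value disagrees with the client address the bottom Received: line recorded, the X-* header is the one to distrust, since that Received: line was written by a relay rather than by the sender.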