[Coco] yahoo groups

Gene Heskett gene.heskett at verizon.net
Sat Apr 21 10:30:35 EDT 2007

On Saturday 21 April 2007, Manney wrote:
>Gene Heskett wrote:
>> On Friday 20 April 2007, John E. Malmberg wrote:
>>> Roger Merchberger wrote:
>>>> Rumor has it that Gene Heskett may have mentioned these words:
>>>>> ... if the X-Originating-IP: header can be believed.
>>>> Yes, but can it? Anything X* in the headers is optional, and it depends
>>>> on if *your* server is inserting that header, or if it's coming from the
>>>> other end of the SMTP conversation - if it's from the other end, it can
>>>> (and probably is) spoofed to try to look legit.
>>>> What do your Received: headers say? Also, what are you running for an
>>>> MTA?
>> fetchmail sucks from 3 accounts, and hands it off to procmail who applies
>> a few rules and feeds most of it through spamd, then looks at what spamd
>> thought of it and disposes of it accordingly.  The X-Originating-IP: is,
>> if its there at all, the lowest in the header which I'd assume would be
>> valid because all the intervening relays all add their fingerprints above
>> the previous on in the chain.  Or at least that's the theory.
>Gene, are you using Spam Assassin? I can't remember, but in an old post,
>I thought you said you were using it.
>The good thing about my host is that it runs all email through Spam
>Assassin before it gets to me if I ask it to. Takes the burden of a
>slow, CPU hogging PERL script off of my hands. :)
Yup, the same here.  But after the trip through spamassassin, the mail is 
still available for procmail to further inspect.  And if the Spam-Level: 
header line contains more than 10 stars, it goes straight to /dev/null from 
procmail, which takes care of about 85% of it right there.  The kmail sorts 
the remaining spam, over 5 stars, into folders that tell me whose server I 
sucked it from, and the leftovers are then filtered into the correct folder.  
Out of several hundred a day, 2 might make it into a regular folder.  The 
rest I feed to spamassassin 3-4 times a week as bayes training.

But, as I said in a previous post, it seems the huge majority of the spam, 75% 
or more is directed to me via some yahoo group I've never even heard of, 
often by BCc:, and comes with a header that's the last line of the header 
with any trace of an IP address in it, called X-Originating-IP: which 
contains an address that resolves via whois, back to a small list of about 6 
machines, all owned by yahoo.

That section of the header, often below the Subject: line, and is in this 
Date: Sat, 21 Apr 2007 08:38:19 +0100
 From: Manney <mannslists at invigorated.org>
 Subject: Re: [Coco] yahoo groups
 In-reply-to: <200704202021.40968.gene.heskett at verizon.net>
 X-Originating-IP: []
 Sender: coco-bounces at maltedmedia.com
 To: CoCoList for Color Computer Enthusiasts <coco at maltedmedia.com>
 Errors-to: coco-bounces at maltedmedia.com
 Reply-to: CoCoList for Color Computer Enthusiasts <coco at maltedmedia.com>
 Message-id: <4629BF6B.9050306 at invigorated.org>
 MIME-version: 1.0
 Content-type: text/plain;
 Content-transfer-encoding: 7bit
 Precedence: list
 X-BeenThere: coco at maltedmedia.com
 Delivered-to: coco at five.pairlist.net
 Delivered-to: bathory-maltedmedia:com-coco at maltedmedia.com
 X-Original-To: coco at lists5.maltedmedia.com
 X-Modwest-MailScanner: Found to be clean
 X-MailScanner-From: mannslists at invigorated.org
 References: <200704191626.49317.gene.heskett at verizon.net>
 < at mail.30below.com>
 <f0biei$1lu$1 at sea.gmane.org>   <200704202021.40968.gene.heskett at verizon.net>
 X-Mailman-Version: 2.1.9
 List-Post: <mailto:coco at maltedmedia.com>
 List-Subscribe: <http://five.pairlist.net/mailman/listinfo/coco>,
 <mailto:coco-request at maltedmedia.com?subject=subscribe>
 List-Unsubscribe: <http://five.pairlist.net/mailman/listinfo/coco>,
 <mailto:coco-request at maltedmedia.com?subject=unsubscribe>
 List-Archive: <http://five.pairlist.net/pipermail/coco/>
 List-Help: <mailto:coco-request at maltedmedia.com?subject=help>
 List-Id: CoCoList for Color Computer Enthusiasts <coco.maltedmedia.com>
 User-Agent: Thunderbird (X11/20070403)
 X-procmail: user=gene
 Status: RO
 X-Status: UC

Start of body
And there's 20 lines of header above that section that I didn't paste and that 
basicly trace its path from pair.com to me through the vz server farm.

Now, that X-Originating-IP:
[root at coyote ~]# whois
[Querying whois.arin.net]

OrgName:    pair Networks
OrgID:      PAIR
Address:    2403 Sidney St
Address:    Suite 510
City:       Pittsburgh
StateProv:  PA
PostalCode: 15232
Country:    US

NetRange: -
NetName:    PAIRNET-BLK-3
NetHandle:  NET-216-92-0-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.PAIR.COM
NameServer: NS0.NS0.COM
RegDate:    1998-09-25
Updated:    2001-06-14

RTechHandle: KM383-ARIN
RTechName:   Martin, Kevin J.
RTechPhone:  +1-412-381-7247
RTechEmail:  sigma at pair.com

OrgAbuseHandle: ABUSE848-ARIN
OrgAbuseName:   Abuse Handling
OrgAbusePhone:  +1-412-381-7247
OrgAbuseEmail:  abuse at pair.com

OrgTechHandle: KM383-ARIN
OrgTechName:   Martin, Kevin J.
OrgTechPhone:  +1-412-381-7247
OrgTechEmail:  sigma at pair.com

# ARIN WHOIS database, last updated 2007-04-20 19:10

Which in this case is pair.com which I believe is the parent address of the 
maltedmedia alias.  Are you both co-hosted at pair.com?

But that describes how I go about tracing where a mail came from, and I'm 
equally sure that in the case of spam, much of that is a flat out lie.  But 
what else have we to go on?

>Coco mailing list
>Coco at maltedmedia.com

Cheers Manny, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Those who don't know, talk.  Those who don't talk, know.

More information about the Coco mailing list