[Coco] yahoo groups
Gene Heskett
gene.heskett at verizon.net
Sat Apr 21 10:30:35 EDT 2007
On Saturday 21 April 2007, Manney wrote:
>Gene Heskett wrote:
>> On Friday 20 April 2007, John E. Malmberg wrote:
>>> Roger Merchberger wrote:
>>>> Rumor has it that Gene Heskett may have mentioned these words:
>>>>> ... if the X-Originating-IP: header can be believed.
>>>>
>>>> Yes, but can it? Anything X* in the headers is optional, and it depends
>>>> on if *your* server is inserting that header, or if it's coming from the
>>>> other end of the SMTP conversation - if it's from the other end, it can
>>>> (and probably is) spoofed to try to look legit.
>>>>
>>>> What do your Received: headers say? Also, what are you running for an
>>>> MTA?
>>
>> fetchmail sucks from 3 accounts, and hands it off to procmail who applies
>> a few rules and feeds most of it through spamd, then looks at what spamd
>> thought of it and disposes of it accordingly. The X-Originating-IP: is,
>> if it's there at all, the lowest in the header which I'd assume would be
>> valid because all the intervening relays all add their fingerprints above
>> the previous one in the chain. Or at least that's the theory.
>
>Gene, are you using Spam Assassin? I can't remember, but in an old post,
>I thought you said you were using it.
>
>The good thing about my host is that it runs all email through Spam
>Assassin before it gets to me if I ask it to. Takes the burden of a
>slow, CPU hogging PERL script off of my hands. :)
>
Yup, the same here. But after the trip through spamassassin, the mail is
still available for procmail to further inspect. And if the Spam-Level:
header line contains more than 10 stars, it goes straight to /dev/null from
procmail, which takes care of about 85% of it right there. The kmail sorts
the remaining spam, over 5 stars, into folders that tell me whose server I
sucked it from, and the leftovers are then filtered into the correct folder.
Out of several hundred a day, 2 might make it into a regular folder. The
rest I feed to spamassassin 3-4 times a week as bayes training.
But, as I said in a previous post, it seems the huge majority of the spam, 75%
or more is directed to me via some yahoo group I've never even heard of,
often by BCc:, and comes with a header that's the last line of the header
with any trace of an IP address in it, called X-Originating-IP: which
contains an address that resolves via whois, back to a small list of about 6
machines, all owned by yahoo.
That section of the header is often below the Subject: line, and in this
case is:
==========
Date: Sat, 21 Apr 2007 08:38:19 +0100
From: Manney <mannslists at invigorated.org>
Subject: Re: [Coco] yahoo groups
In-reply-to: <200704202021.40968.gene.heskett at verizon.net>
X-Originating-IP: [216.92.1.121]
Sender: coco-bounces at maltedmedia.com
To: CoCoList for Color Computer Enthusiasts <coco at maltedmedia.com>
Errors-to: coco-bounces at maltedmedia.com
Reply-to: CoCoList for Color Computer Enthusiasts <coco at maltedmedia.com>
Message-id: <4629BF6B.9050306 at invigorated.org>
MIME-version: 1.0
Content-type: text/plain;
charset=us-ascii;
Format=flowed
Content-transfer-encoding: 7bit
Precedence: list
X-BeenThere: coco at maltedmedia.com
Delivered-to: coco at five.pairlist.net
Delivered-to: bathory-maltedmedia:com-coco at maltedmedia.com
X-Original-To: coco at lists5.maltedmedia.com
X-Modwest-MailScanner: Found to be clean
X-MailScanner-From: mannslists at invigorated.org
References: <200704191626.49317.gene.heskett at verizon.net>
<5.1.0.14.2.20070419173423.052a10f8 at mail.30below.com>
<f0biei$1lu$1 at sea.gmane.org> <200704202021.40968.gene.heskett at verizon.net>
X-Mailman-Version: 2.1.9
List-Post: <mailto:coco at maltedmedia.com>
List-Subscribe: <http://five.pairlist.net/mailman/listinfo/coco>,
<mailto:coco-request at maltedmedia.com?subject=subscribe>
List-Unsubscribe: <http://five.pairlist.net/mailman/listinfo/coco>,
<mailto:coco-request at maltedmedia.com?subject=unsubscribe>
List-Archive: <http://five.pairlist.net/pipermail/coco/>
List-Help: <mailto:coco-request at maltedmedia.com?subject=help>
List-Id: CoCoList for Color Computer Enthusiasts <coco.maltedmedia.com>
User-Agent: Thunderbird 1.5.0.10 (X11/20070403)
X-procmail: user=gene
Status: RO
X-Status: UC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
Start of body
============
And there's 20 lines of header above that section that I didn't paste and that
basically trace its path from pair.com to me through the vz server farm.
Now, that X-Originating-IP: 216.92.1.121
==========
[root at coyote ~]# whois 216.92.1.121
[Querying whois.arin.net]
[whois.arin.net]
OrgName: pair Networks
OrgID: PAIR
Address: 2403 Sidney St
Address: Suite 510
City: Pittsburgh
StateProv: PA
PostalCode: 15232
Country: US
NetRange: 216.92.0.0 - 216.92.255.255
CIDR: 216.92.0.0/16
NetName: PAIRNET-BLK-3
NetHandle: NET-216-92-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PAIR.COM
NameServer: NS0.NS0.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1998-09-25
Updated: 2001-06-14
RTechHandle: KM383-ARIN
RTechName: Martin, Kevin J.
RTechPhone: +1-412-381-7247
RTechEmail: sigma at pair.com
OrgAbuseHandle: ABUSE848-ARIN
OrgAbuseName: Abuse Handling
OrgAbusePhone: +1-412-381-7247
OrgAbuseEmail: abuse at pair.com
OrgTechHandle: KM383-ARIN
OrgTechName: Martin, Kevin J.
OrgTechPhone: +1-412-381-7247
OrgTechEmail: sigma at pair.com
# ARIN WHOIS database, last updated 2007-04-20 19:10
===========
Which in this case is pair.com which I believe is the parent address of the
maltedmedia alias. Are you both co-hosted at pair.com?
But that describes how I go about tracing where a mail came from, and I'm
equally sure that in the case of spam, much of that is a flat out lie. But
what else have we to go on?
>-M.
>
>
>Coco mailing list
>Coco at maltedmedia.com
>http://five.pairlist.net/mailman/listinfo/coco
--
Cheers Manny, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Those who don't know, talk. Those who don't talk, know.
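The header-tracing and star-count disposal described in the post, written out as an added example (not from the post or the list software). It assumes constructed sample headers using documentation address ranges; the relay names, the SpamAssassin X-Spam-Level: header and the 10/5 star thresholds are as the post describes, and the key check is that an X-Originating-IP: is only believed when it agrees with the earliest hop a relay actually recorded.

```python
import re
from email import message_from_string
from email.message import Message

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample headers (documentation address ranges, not a real mail).
# Each relay prepends its own Received: line, so the lowest one was written first.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
  by mx.example.org with ESMTP id abc123; Sat, 21 Apr 2007 08:40:00 -0400
Received: from lists.example.com ([192.0.2.10])
  by mail.example.net with ESMTP; Sat, 21 Apr 2007 08:39:00 -0400
Received: from [203.0.113.5] (helo=sender.example)
  by lists.example.com with smtp; Sat, 21 Apr 2007 08:38:19 +0100
X-Originating-IP: [203.0.113.5]
X-Spam-Level: ************
"""


def parse(text: str) -> Message:
    return message_from_string(text)


def received_chain(msg: Message) -> list:
    """Client IPs from the Received: headers, earliest hop first."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IPV4.search(hdr)       # first address = the connecting client
        if m:
            chain.append(m.group(0))
    return chain


def originating_ip(msg: Message):
    """X-Originating-IP: value and whether the Received: chain corroborates it.

    Any X-* header is optional and may have been set by the sending side,
    so it only counts when it matches the first hop a relay recorded.
    """
    m = IPV4.search(msg.get("X-Originating-IP", ""))
    claimed = m.group(0) if m else None
    chain = received_chain(msg)
    return claimed, bool(claimed) and bool(chain) and claimed == chain[0]


def spam_stars(msg: Message) -> int:
    return msg.get("X-Spam-Level", "").count("*")


def dispose(msg: Message) -> str:
    """The threshold policy from the post: >10 stars dropped, >5 sorted as spam."""
    stars = spam_stars(msg)
    if stars > 10:
        return "/dev/null"
    return "spam" if stars > 5 else "inbox"
```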