Linux Archive

Source: Linux Archive, Fedora User list, thread "Spam question" (http://www.linux-archive.org/fedora-user/697947-spam-question.html)

Heinz Diehl 08-26-2012 08:47 PM

Spam question
 
On 26.08.2012, Aaron Konstam wrote:

> Is there someway from the mail header to deduce the origin of the
> messages?

Yes, the "Received:" headers. Please post the _full_ header of one of
these mails.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Reindl Harald 08-26-2012 08:49 PM

Spam question
 
Am 26.08.2012 22:47, schrieb Heinz Diehl:
> On 26.08.2012, Aaron Konstam wrote:
>
>> Is there someway from the mail header to deduce the origin of the
>> messages?
>
> Yes, the "Received:" headers. Please post the _full_ header of one of
> these mails.

they do indicate NOTHING

the only TRUSTABLE received-header is the one from YOUR server

all other machines before can write what they like in mail headers
no, this is not theory, this is how email works and things are


Heinz Diehl 08-26-2012 09:37 PM

Spam question
 
On 26.08.2012, Reindl Harald wrote:

> all other machines before can write what they like in mail headers

You can claim to be who you want to while connecting to a mailserver,
but you can't fake the IP from which you are connecting. It is
logged by the mailserver while connecting between two square brackets.

The usual format used in Received: headers is

name (dns-name [ip-address])

"Name" is easy to forge. "Dns-name" is what a reverse lookup on
ip-address delivers. "Ip-address" reflects the IP of the machine which
connected to the mailserver which generated this Received: header.

> no, this is not theory, this is how email works and things are

Ok, so please show me the evidence of your statement.

Reindl Harald 08-26-2012 09:46 PM

Spam question
 
Am 26.08.2012 23:37, schrieb Heinz Diehl:
> On 26.08.2012, Reindl Harald wrote:
>
>> all other machines before can write what they like in mail headers
>
> You can claim to be who you want to while connecting to a mailserver

yes

> but you can't fake the IP from which you are connecting.

not to the one you are connecting

but you can not trust headers before your own MTA

> It is logged by the mailserver while connecting between two square brackets.

i know this

> The usual format used in Received: headers is
>
> name (dns-name [ip-address])

i know this

> "Name" is easy to forge. "Dns-name" is what a reverse lookup on
> ip-adress delivers. "Ip-adress" reflects the IP of the machine which
> connected to the mailserver which generated this Received: header.
>
>> no, this is not theory, this is how email works and things are
>
> Ok, so please show me the evidence of your statement

what did you not understand

your MTA gets a connection and has the IP of the last machine involved
in mail transmission, but all other received headers before YOUR
machine are NOT trustable because i can write whatever i want
and how many received-headers i want and submit the message
directly to your MTA

you have NO WAY to say if they are forged or not


Aaron Konstam 08-27-2012 02:09 PM

Spam question
 
On Sun, 2012-08-26 at 22:47 +0200, Heinz Diehl wrote:
> On 26.08.2012, Aaron Konstam wrote:
>
> > Is there someway from the mail header to deduce the origin of the
> > messages?
>
> Yes, the "Received:" headers. Please post the _full_ header of one of
> these
FULL HEADER
X-apparently-to: akonstam@sbcglobal.net via 67.195.15.99; Sat, 25 Aug
2012 15:51:36 +0000
X-yahoofilteredbulk: 184.172.130.36
Received-spf: pass (domain of pos81n-nds-36.positionstrends.com
designates 184.172.130.36 as permitted sender)
X-originating-ip: [184.172.130.36]
Authentication-results: mta1050.sbc.mail.ne1.yahoo.com
from=pos81n-nds-36.positionstrends.com; domainkeys=pass (ok);
from=positionstrends.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO pos81n-nds-36.positionstrends.com)
(184.172.130.36) by mta1050.sbc.mail.ne1.yahoo.com with SMTP; Sat, 25
Aug 2012 15:51:30 +0000
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1;
d=positionstrends.com;
h=Message-ID:List-Help:List-Unsubscribe:Reply-To:From:To:Subject:Content-Type:Date; i=Smartphone@pos81n-nds-36.positionstrends.com; bh=mdbd7McvaNzoBR8s/nkmKNxr/Hw=; b=nJjJoCwY2kV0Ts0CmGcGXQUyReMerZm7CtJq3ymvPxGarzBy EUyFl7mTF1/SyHrqwXFJRS7Gke6W owye3N/AE3FvvE+s75dodIYvnWJMQq8zRwb0/CxKOuApxKvtVmoYpECKgHsJ4hRcm/J/jdzl4eU0 27p0vyjnnFRLgN6kcBo=
Domainkey-signature: a=rsa-sha1; c=nofws; q=dns; s=key1;
d=positionstrends.com; b=VHFtAiA0/X/phdObLNz4uyG/FzDP/1GGPd9wIGOq
+f7LDlKm948SIuglS5JsjTRZDjvqSrdHCPNX
c7izLj2DTKfSzhv3KF9vd6ymHeFoyC1UBYBhYsVzd9TVVuEwmx zRoR7vX4
+Li7cPVaL8ftwQkhSN jIuuraEQ7TV+oBqF9D0=;
Message-id: <7.26.48978.4032257916@pos81n-nds-36.positionstrends.com>
List-help: Help <http://www.positionstrends.com>
List-unsubscribe: Unsubscribe <http://www.positionstrends.com/u.php>
Reply-to: Smartphone <Smartphone@pos81n-nds-36.positionstrends.com>
From: Smartphone <Smartphone@pos81n-nds-36.positionstrends.com>
To: akonstam@sbcglobal.net
Subject: The latest information on buying a smartphone
X-Info:
YWtvbnN0YW1Ac2JjZ2xvYmFsLm5ldDsxODQuMTcyLjEzMC4zNj sxMTsxNzMyOzA7Njk3
Content-type: multipart/alternative;
boundary="1345905517.De44c27914.949"; charset="us-ascii"
Date: Sat, 25 Aug 2012 11:51:30 -0400 (08/25/2012 10:51:30 AM)
X-evolution-pop3-uid: AGMPw0MAALcdUDj0iAwFrzKOIJ8
X-evolution-source: 1345746672.1451.2@cyrus
Mime-version: 1.0



--
=======================================================================
Doctors and lawyers must go to school for years and years, often with
little sleep and with great sacrifice to their first wives. -- Roy G.
Blount, Jr.
=======================================================================
Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam@sbcglobal.net


Heinz Diehl 08-27-2012 03:20 PM

Spam question
 
On 27.08.2012, Aaron Konstam wrote:

> Received: from 127.0.0.1 (EHLO pos81n-nds-36.positionstrends.com)
> (184.172.130.36) by mta1050.sbc.mail.ne1.yahoo.com with SMTP; Sat, 25
> Aug 2012 15:51:30 +0000

Somebody claiming to be "pos81n-nds-36.positionstrends.com" with the
IP address 184.172.130.36 posted this mail to one of the Yahoo
mailservers.

[root@wildsau ~]# whois 184.172.130.36
[Querying whois.arin.net]
[Redirected to rwhois.theplanet.com:4321]
[Querying rwhois.theplanet.com]
[rwhois.theplanet.com]
%rwhois V-1.5:003fff:00 rwhois.softlayer.com (by Network Solutions,
Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-SOFTLAYER.184.172.128.0/18
network:Auth-Area:184.172.128.0/18
network:Network-Name:SOFTLAYER-184.172.128.0
network:IP-Network:184.172.130.32/29
network:IP-Network-Block:184.172.130.32-184.172.130.39
network:Organization;I:Brick Run Media
network:Street-Address:209 West 20th 3A
network:City:New York
network:State:NY
network:Postal-Code:10011
network:Country-Code:US
network:Tech-Contact;I:sysadmins@softlayer.com
network:Abuse-Contact;I:abuse@fulltimedo.com
network:Admin-Contact;I:IPADM258-ARIN
network:Created:20120125
network:Updated:20120125
network:Updated-By:ipadmin@softlayer.com

So the spammer is in the netblock of "softlayer.com", most probably a
customer of them. Write a complaint to "abuse@fulltimedo.com" with a
copy to "sysadmins@softlayer.com", including one of the spam emails
incl. the full header.

Ed Greshko 08-27-2012 03:30 PM

Spam question
 
On 08/27/2012 11:20 PM, Heinz Diehl wrote:
> So the spammer is in the netblock of "softlayer.com", most probably a
> customer of them. Write a complaint to "abuse@fulltimedo.com" with a
> copy to "sysadmins@softlayer.com", including one of the spam emails
> incl. the full header.

You may also want to note.....

[egreshko@meimei ~]$ host positionstrends.com
positionstrends.com has address 184.172.130.36
positionstrends.com mail is handled by 0 mail.positionstrends.com.

And since you've noted the whois....

network:Organization;I:Brick Run Media

it isn't surprising that "spam" is coming from that address.

Good luck in getting them to stop.... :-) :-)

--
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -- Rick Cook, The Wizardry Compiled

Heinz Diehl 08-27-2012 03:38 PM

Spam question
 
On 27.08.2012, Reindl Harald wrote:

> your MTA gets a connection and has the IP of the last machine involved
> in mail transmission, but all other received headers before YOUR
> machine are NOT trustable because i can write whatever i want
> and how many received-headers i want and submit the message
> directly to your MTA

You can't suppress the Received header which is generated by the
receiving mailserver when you're delivering your mail. All your faked
headers will be beneath this one, because every MTA writes its
Received: on top of the existing one(s), so there is a fine line from the
sender to the receiver which can be followed in both directions.

So unless you are connecting via an anonymizing service as e.g. the tor
network, it will be of little effect to add some fake Received
headers to hide your ass.


Tim 08-27-2012 04:54 PM

Spam question
 
On Mon, 2012-08-27 at 23:30 +0800, Ed Greshko wrote:
> Good luck in getting them to stop.... :-) :-)

Yes, reporting spam to someone in control of sending spam isn't going
to work; you'll get even more of it.

I'm not saying /that/ person is, I'll let someone else make a definitive
accusation, but it's something that you have to check for before making
any spam reports. Been there, done that before.

These days, I rarely ever bother reporting spam. Chances are that
thousands of others have seen the spam, several will have reported it,
and various mail services' automatic spam detectors found it and dealt
with it (such as informing the various block lists that program various
different anti-spam systems).

Any ISP ought to be in a very good position to identify spam with a much
higher degree of certainty than any user. They'll be bombarded with it,
lots of identical messages (99% that they'll be spam), and to lots of
addresses that don't really exist on their network (dictionary attacks,
which will be a 100% certainty of being spam). Service providers may
well get thousands of spams a minute, don't think that they don't do
something to minimise it.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.


Heinz Diehl 08-27-2012 05:08 PM

Spam question
 
On 27.08.2012, Tim wrote:

> Yes, reporting spam to someone in control of sending spam, isn't going
> to work, you'll get even more of it.
[....]

I gave up reporting spam many years ago, and let crm114 sort out most
of it.

