[NTLUG:Discuss] spam / email setup help
Alton R. Pouncey, II
alton at trainers-r-us.com
Fri Nov 22 14:26:39 CST 2002
On Fri, 2002-11-22 at 13:41, kbrannen at gte.net wrote:
> I need some help with email! I have a 2-fold problem:
>
> Problem 1:
> Someone who is infected with Klez has my email address in their address book;
> and it's picked my address to spoof with. (See the Symantec site for a
> description of its capabilities.) Anyway, this is becoming very annoying!
> The biggest part of the annoyance is that I get a lot of mail with these headers:
>
> From: Mail Administrator <Postmaster at verizon.net>
> Subject: Mail System Error - Returned Mail
>
> and every file is over 100K in size, so with 10+ of these at a time, download
> time is considerable. In searching thru the headers, I can find nothing
> useful, but I do see 204.50.7.195 fairly often on the spam returns. However,
> I can't find anything useful about it:
> ---
> $ dig 204.50.7.195
>
> ; <<>> DiG 9.1.3 <<>> 204.50.7.195
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10880
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;204.50.7.195. IN A
>
> ;; AUTHORITY SECTION:
> . 10757 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2002112200 1800 900 604800 86400
>
> ;; Query time: 129 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Fri Nov 22 13:10:20 2002
> ;; MSG SIZE rcvd: 105
> ---
>
> I see nothing useful here, am I missing something?
>
Use fwhois. The syntax for the command is:

    fwhois ip_address@whois.arin.net

OR

    fwhois ip_address@whois.apnic.net

I use the whois server at arin.net and if that doesn't work, I use
apnic.
Anyway, I can tell you that the IP address in question belongs to Sprint
Canada. fwhois will give you some good information. It's up to you to
decide what you want to do with it.
> Note: I use Linux for all my email, and Klez does not live there. :-) Yes my
> system is dual boot, but the Win98 side is not set up for email, does not have
> Outlook or OutlookExpress installed, I have scanned it for Klez just in case
> and came up empty, and all these email returns suggest that the email was sent
> in the last 24 hours or so, and I have not rebooted into Win98 for several days.
>
> Problem 2:
> Since I can't find out who has the real problem so I can notify them to clean
> it up, I'm left with trying to block/filter all this. I've read several
> articles on email filtering and believe I can write a Perl script that can
> detect most spam I receive, but I don't understand the email architecture well
> enough to know where to put this script.
>
> I use Netscape (Mozilla) Messenger, which currently reads and sends direct
> from/to my ISP's POP3 account, with dial-on-demand ISDN. Messenger has no
> hooks for me to put scripts in, so I'm going to need to change how I do this;
> and surely someone else has already done this. :-)
>
> So can someone clue me into the program/settings needed to do:
>
> ISP -> program to get mail to my machine (the filtering script goes in here
> and either moves the spam to a trash mailbox or in the right
> circumstances just tells the ISP to delete the email and don't
> bother downloading it) (and this program needs to be runnable on
> demand)
> -> can Messenger read from a local mbox?
>
> Then Messenger sends normally straight to the ISP.
>
> Thanks for any help in understanding all this,
> Kevin
>
Can't help you here. I don't know how to set up a filter to parse the
stream as it comes down from an ISP. Can't you set up a filter in
Messenger to just delete the email based on some criteria in the email?
--
Alton R. Pouncey, II
SCSA, SCNA, CCNA, CIW Professional
Director of Information Services
http://www.trainers-r-us.com
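
Added example, not part of the original message or written by either poster: one way to do the "delete on the ISP without downloading" step from Problem 2, matching the bounce headers and the 100K size quoted above. It is in Python rather than the Perl the question mentions; the function names, the FakePOP3 stand-in and the sample mailbox are constructed for illustration.

```python
from email.parser import BytesHeaderParser
from email.utils import parseaddr

# Criteria from the bounce headers quoted in the post. The "@" is an assumption:
# the archive shows the address as "Postmaster at verizon.net".
BOUNCE_FROM = "postmaster@verizon.net"
BOUNCE_SUBJECT = "Mail System Error - Returned Mail"
MIN_SIZE = 100 * 1024          # "every file is over 100K"

def is_klez_bounce(header_lines, size):
    """Classify from headers plus the server-reported size, no body needed."""
    msg = BytesHeaderParser().parsebytes(b"\r\n".join(header_lines))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip()
    return sender == BOUNCE_FROM and subject == BOUNCE_SUBJECT and size >= MIN_SIZE

def sweep(pop, dry_run=True):
    """LIST for sizes, TOP n 0 for headers only, DELE matches; never RETR.
    TOP is an optional POP3 command, so the ISP's server must support it."""
    hits = []
    for entry in pop.list()[1]:
        num, size = (int(field) for field in entry.split())
        if is_klez_bounce(pop.top(num, 0)[1], size):
            hits.append(num)
            if not dry_run:
                pop.dele(num)   # takes effect when the session ends with QUIT
    return hits

class FakePOP3:
    """Constructed stand-in exposing the poplib.POP3 methods sweep() uses."""
    def __init__(self, mailbox):
        self.mailbox, self.deleted = mailbox, []
    def list(self):
        return b"+OK", [b"%d %d" % (n, m[0]) for n, m in self.mailbox.items()], 0
    def top(self, num, lines):
        return b"+OK", self.mailbox[num][1], 0
    def dele(self, num):
        self.deleted.append(num)

BOUNCE = [b"From: Mail Administrator <Postmaster@verizon.net>",
          b"Subject: Mail System Error - Returned Mail"]
# Constructed mailbox: message number -> (size in octets, header lines)
SAMPLE = {1: (131072, BOUNCE),
          2: (2048, [b"From: A Friend <friend@example.org>", b"Subject: lunch?"]),
          3: (4096, BOUNCE)}   # small bounce: kept, it may be a genuine one

if __name__ == "__main__":
    print(sweep(FakePOP3(SAMPLE)))   # dry run: lists matches, deletes nothing
```

Against a real mailbox, pass a logged-in poplib.POP3 object instead of FakePOP3 and call its quit() afterwards so the deletions are committed. Run it with dry_run=True first, since a genuine large bounce from the same postmaster address would also match.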