Looking up email addresses (was: Identifying spamhosts)
My domain names are being flooded with bounces these days.  After 
talking with others it seems to be their largest source of bad mail, 
too.

I think what's happening is a virus is attached to email that turns a
machine into a mail proxy.  Then mail is sent out from that machine, but
with a from address as a stolen domain name (<random name>@hank.org). 
Some of that spam goes to bad addresses and then bounces back to, eh,
me. 

A few weeks ago I sat down for a couple of hours and went through the 
bounces and (ignoring biggies like AOL) entered the RFC822 attached 
messages into Spamcop to get an email address (based on the Received: 
headers in the original message).

I then sent mail to about 20 of these people explaining that their 
machine was being used as a proxy to send spam.

I was amazed that I got back somewhere between 10 and 15 messages from
real people saying thanks and the machine was fixed.  I assumed my
messages would be ignored, but most mail/sys admins seem interested to
know they have a broken machine.

I asked the Spamcop author if any of their code was available to do the
lookups locally (when the bounces arrive at my machine), but, no, that's
only available via their interface.

I'd like to see an open source tool like Spamcop for looking up an email
address to contact the admin in charge of the netblock where the spam
came from based on a list of Received headers.

In many cases I'm able to track down addresses manually, but I have not
attempted to automate it yet because of time (and skill/experience in 
determining the correct addresses).  I also believe Spamcop has a 
database of email addresses which would be needed for such a system -- I 
assume you can't always rely on the host record to give the best or 
complete contact information.

Hard to know if mail admins would appreciate getting automated mail of 
this type, though.  This is probably "virus->send spam->go on to next 
host".  So by the time the admin gets the notification and tracks down 
the problem it may be too late to make a difference.  Probably more 
effective to get people to stop using systems that are so easily 
compromised...

-- 
Bill Moseley
moseley@hank.org
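The Received-chain lookup the post asks for, as an added example that is not part of the original message: a Python sketch that walks the Received: headers of the RFC822 original attached to a bounce and picks out the external IP that handed the message to the receiving site's first trusted relay. The sample message, the trusted-relay set and the private ranges are assumptions; the abuse-contact lookup against the netblock's registry is not included.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample original (the RFC822 part attached to a bounce); the
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_ORIGINAL = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP id a1; Mon, 1 Jan 2001 00:00:02 +0000
Received: from dsl-user.example.com (unknown [203.0.113.77])
\tby mx.example.net with SMTP id b2; Mon, 1 Jan 2001 00:00:01 +0000
Received: from mail.hank.org (mail.hank.org [198.51.100.5])
\tby dsl-user.example.com; Mon, 1 Jan 2001 00:00:00 +0000
From: random-name@hank.org
To: nobody@example.net
Subject: constructed sample

body
"""

# Relays run by the bouncing site; assumed here, in practice configured by
# the user (the rough equivalent of Spamcop's mailhost setup).
TRUSTED_RELAYS = {"192.0.2.10"}
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def received_hops(raw):
    """(claimed host, bracketed IP) per Received: header, newest first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(str(hdr))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def originating_ip(raw, trusted=TRUSTED_RELAYS):
    """IP that handed the message to the first trusted relay, or None.
    Walk down from the top; hops from our own relays or private addresses
    are internal. Stop at the first external hop: every Received: line
    below it was supplied by the sender and may be forged."""
    for _host, ip in received_hops(raw):
        addr = ipaddress.ip_address(ip)
        if ip in trusted or any(addr in net for net in PRIVATE):
            continue
        return ip
    return None
```

On the sample the answer is the proxy at 203.0.113.77, not the bottom hop that claims to be mail.hank.org.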