e-mail spam on the kclug mailing list

Randy Rathbun randy at middlewest.com
Thu Mar 30 14:56:53 CST 2000 

This still won't stop spam. The only way it is going to stop is for the
list to be a "only registered people can send" thing.

I strongly suggest that everyone go over to spamcop.net and run some spam
through it. It is very educational just to watch the message get processed.
Also check out the FAQs and stuff that are there. It is really very easy to
get lost in the headers of an e-mail message and pick up stuff that was put
there by the spammer to throw folks off the track. Spamcop figures all of
it out and finds the good and bad lines.

As an example, here is a chunk of spam I just processed:

Middlewest48-2.qni.com
 (EMWAC SMTPRS 0.83) with SMTP id <B0000059893 at Middlewest48-2.qni.com>;
 Wed, 29 Mar 2000 22:41:57 -0600
Message-ID: <B0000059893 at Middlewest48-2.qni.com>
Subject: Hey Babe...Did You Forget?
To: <alian at mindspring.com>
X-Accept-Language: en
X-Mailer: Internet Mail Service [21.3.1848.63] (Solaris; Sparc12)
X-Other-References: 0E4A57499
X-References: 0AC1A4BDB, 032896F51
From: <seedlinggs at yahoo.com>
X-In-Response-To: 044333307
MessageID: <gtdxgpkfjaadsze.290320002048 at aol.com>
References: 0F7BB1F2A
Content-Type: text/html

(I have munged things up here - Randy)

SUPRISE!!!!SUPRISE!!!!SUPRISE!!!!
I've been looking for you!  Did you ge
my message earlier?  Where have you been?
Well...Come on in I have something for you...
A HREF="http://198.78.142.6/ny/cooloer/index.html" CLICK HERE

Here is Spamcop chunking things out:

Parsing header:

Middlewest48-2.qni.com (EMWAC SMTPRS 0.83) with SMTP id
<B0000059893 at Middlewest48-2.qni.com>; Wed, 29 Mar 2000 22:41:57 -0600
Possible spammer: 209.203.247.83
"nslookup 83.247.203.209.dul.maps.vix.com." (checking ip) [show] not found
"nslookup aol.com" (checking ip) [show] ip = 205.188.146.23
"nslookup aol.com" (checking ip) aol.com = 205.188.146.23
aol.com = 205.188.146.23
Taking name from IP...
"nslookup 209.203.247.83" (getting name) [show] 209.203.247.83 =
noc1ntcf0001.lightrealm.com
"nslookup noc1ntcf0001.lightrealm.com" (checking ip) [show] ip =
209.203.247.83
"nslookup 83.247.203.209.rbl.maps.vix.com." (checking ip) [show] not found
"nslookup 83.247.203.209.relays.orbs.org." (checking ip) [show] not found
209.203.247.83 has already been sent to ORBS
Received line accepted

Tracking ip 209.203.247.83:
"nslookup 209.203.247.83" (getting name) 209.203.247.83 =
noc1ntcf0001.lightrealm.com
"whois noc1ntcf0001.lightrealm.com at whois.abuse.net" (checking abuse.net
database) [show] abuse.net recommends: abuse at lightrealm.com

Statistics:
ISP (abuse at lightrealm.com) score:2219
Right now, this email would be detained by SpamCop Filters

Found link:http://198.78.142.6/ny/cooloer/index.html

Tracking ip 198.78.142.6:
"nslookup 198.78.142.6" (getting name) [show] 198.78.142.6 =
www.freestation.com
"whois www.freestation.com at whois.abuse.net" (checking abuse.net database)
[show] abuse.net recommends: abuse at freestation.com,
postmaster at freestation.com

Finished (0 seconds).

  Report Spam to: 
  Issue being reported           Where report will be sent 
  Other email address     
  Source of email                  abuse at lightrealm.com   
  Spam Recycling Center       src at admin.spamcop.net   
  http://198.78.142.6/ny/cooloer/index.html - Web host
postmaster at freestation.com, abuse at freestation.com 

Unfortunately, because of the lowlifes, one can not run an open mail list.
No way no how. 

Randy "Just give me FIVE minutes alone with Canter and Siegel" Rathbun

*********** REPLY SEPARATOR  ***********

On 3/29/00 at 10:32 PM Altona Duston wrote:

>Mike,
>
>I looked at both of the spams we got in the last couple of days
>and kclug at kclug.org is not in either the To: or Cc: mail headers.
>Can we block posts to the list that don't have kclug at kclug.org
>in the To: or Cc: headers?
>
>Hal Duston
>
>mike neuliep wrote:
>
>> Hal, we had originally set the list up so you could e-mail to it without
being
>> a member.  If spam is becoming a problem, I can probably make it check
first
>> to make sure you're on the list.  If you're not on the list, I can
forward it
>> to a moderator.  Comments?
>>
>>         Mike Neuliep
>>         mike at illiana.net

More information about the Kclug mailing list