Feedback: August 2003, Published: September 2003
Not much spam this month. Nevertheless I have decided to place all the spam that has ever been sent to this domain into a spam register. As it turned out this was not a very large sample, so I will be adding the messages from the sendmail reject log (which also appears on the mailhub console). Brian has kindly offered to donate large quantities of spam from some of his domains. Together this will be added to a list, and shortly this will be used to generate recommended block lists. These will be in sendmail access_db format (entries keyed on the connecting address, or a leading part of it, as recorded in the Received: header that the mailhub itself writes). However, if someone wants them specified in other formats, just drop me a line.
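One way to turn the register into access_db entries, as an added example that is not the page's own script: it takes the connecting address from the topmost Received: header, the one written by our own mailhub (the only header the sender cannot have planted), collapses it to the /24 and emits a REJECT line per network. The two sample messages are cut-down copies of the spams in this month's register; the third is a constructed forgery whose inner Received: line is ignored. The mailhub name pgts04.xxxx.com.au is the one that appears in the headers below.

```python
import re

# The Received: header sendmail 8.11 writes for an inbound SMTP session:
#   Received: from HELO-name (reverse-name [1.2.3.4]) by our.host ...
# or, with no reverse DNS:
#   Received: from HELO-name ([1.2.3.4]) by our.host ...
# Group 1 is the connecting IP, group 2 the host that wrote the header.
RECEIVED_RE = re.compile(
    r'^Received: from \S+ \((?:[^\s\[\]]+ )?\[(\d+(?:\.\d+){3})\]\) by (\S+)',
    re.MULTILINE)


def first_hop_ip(message, our_host):
    """Return the IP that connected to our_host, taken from the topmost
    Received: header our own MTA wrote.  Every header below it arrived
    inside the message and may be forged, so it is never consulted."""
    headers = message.split('\n\n', 1)[0]
    headers = re.sub(r'\n[ \t]+', ' ', headers)   # unfold continuation lines
    for ip, by_host in RECEIVED_RE.findall(headers):
        if by_host == our_host:
            return ip
    return None


def class_c(ip):
    """access_db matches on leading octets: '221.146.1' covers 221.146.1.0/24."""
    return '.'.join(ip.split('.')[:3])


def access_entries(messages, our_host):
    """access_db lines: one REJECT per /24 seen, preceded by a comment
    listing the addresses that earned it (makemap ignores '#' lines)."""
    seen = {}
    for msg in messages:
        ip = first_hop_ip(msg, our_host)
        if ip is not None:
            seen.setdefault(class_c(ip), set()).add(ip)
    lines = []
    for net in sorted(seen, key=lambda n: [int(o) for o in n.split('.')]):
        lines.append('# seen from ' + ', '.join(sorted(seen[net])))
        lines.append(net + '\tREJECT')
    return lines


OUR_HOST = 'pgts04.xxxx.com.au'

# Cut-down copies of the two spams in this month's register.
SPAM_KORNET = """Received: from patrick ([221.146.1.68])
        by pgts04.xxxx.com.au (8.11.6/8.11.6) with SMTP id h73Ar6Z16627
        for <webmaster@xxxx.com.au>; Sun, 3 Aug 2003 20:53:07 +1000 (EST)
From: bceo_44@erols.com
Subject: quick q

DON'T LOSE ANY MORE MONEY ON YOUR EXISTING HOME LOAN!
"""
SPAM_VERIZON = """Received: from LoNigro (lsanca1-ar41-4-61-158-106.lsanca1.dsl-verizon.net [4.61.158.106])
        by pgts04.xxxx.com.au (8.11.6/8.11.6) with SMTP id h77It7Z50668
        for <webmaster@xxxx.com.au>; Fri, 8 Aug 2003 04:55:07 +1000 (EST)
From: aa004092@hogpa.ho.att.com
Subject: help defend your PC against new viruses

DONT BECOME ANOTHER STATISTIC
"""
# Constructed: the sender planted a Received: header that even claims to
# have been written by our own mailhub.  It sits below the genuine one,
# so only 192.0.2.10 is blocked, never 203.0.113.5.
SPAM_FORGED = """Received: from relay ([192.0.2.10])
        by pgts04.xxxx.com.au (8.11.6/8.11.6) with SMTP id h7AAAAAAAAAAA
        for <webmaster@xxxx.com.au>; Mon, 11 Aug 2003 09:00:00 +1000 (EST)
Received: from friendly.example.org (friendly.example.org [203.0.113.5])
        by pgts04.xxxx.com.au (8.11.6/8.11.6) with ESMTP id h7BBBBBBBBBBB
From: someone@example.org
Subject: constructed forgery

body
"""

if __name__ == '__main__':
    print('\n'.join(access_entries([SPAM_KORNET, SPAM_VERIZON, SPAM_FORGED], OUR_HOST)))
```

The output is appended to /etc/mail/access and the map rebuilt with `makemap hash /etc/mail/access < /etc/mail/access`. Blocking the /24 is a judgement call: the krnic record for the first spam covers 221.146.0.0/20, so a wider entry may be warranted, while the Verizon DSL pool will be shared with innocent dial-up users.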
Feedback:
Hints for this month:
- bat2pl -- turn a .bat perl script into .pl
- named check hints: A records for [domain] class 1 do not match hint records
Spam Diaries:
various chatter re spam
Date: Sun, 03 Aug 2003 01:25:27 +1000
From: Dan Byrnes

Ed: The following gives a historical perspective to spam. One that would only occur to a historian.

Dear Gerry,

So I'm just back from a party and feeling mellow, check email and wonder how you are going with your damage control down there. In principle, you are probably right re spammers have a right to exist/operate, certainly under US constitution, on grounds of free speech/right to info etc, despite the fact they are so "impolite" as you so euphemistically put it. In Oz, I wonder what the constitutional rules are/might be - I doubt they could cope at all.

Well, should the Net on your lil ole PC be as tidy when you see it as you expected the CBD to be on every Tuesday morning at 8am, no one asked, and so no one knows. They don't want to know about headers and bodies. "They just want to sit down at their computer, click on something and not see any spam." Very true.

As for Draconian legal measures about anything at all by way of an offence, really, the dear old Aussies do go on with their history books about the dear old Brits and their ever-tightening legal code of the C18th, and from 20 years of reading such jive, I conclude that Draconian legal measures against any sort of offence, even rape/murder, or maybe, especially rape/murder, don't work to reduce the crime rate for one very simple reason - the people who commit such offences do not, at the time of the offence, have on their mind the Draconian measures against the offence; they have on their mind the wish/urge to commit the offence. I do wonder why in the following 200 and more years of legal comment in Britain and Oz, the law makers haven't yet woken up to this empirically-obvious facet of human nature.

In C18th terms, today's spammers most closely resemble the S/E English smugglers of the 1720s and so on. Guys whose activities were against the law of the day, but if the average person could get hold of some of the goods they carried, terrif and no questions asked, black market continued, olay! Problem for govt these days is there is no actual model for dealing with spammers, this is all a bit too new for "govt types". Hence what you remarked re Harradine, he sees porn on the net and thinks, "Dreadful", but he don't guess that this time around the delivery system is ALL NEW. Cyberspace for govt is still a "new concept".

Personally I have a Draconian attitude to spammers - put the bastards in jail and deprive 'em of computer funzies, etc. Here I am of course less forgiving of spammers than you, and also quite unrealistic; it's all fantasy land anyway.

Spammers today are just like smugglers of old, who if they believe they can sail well and also outwit, outmanoeuvre or outguess the authorities and their lackeys, can continue to make a profit and have fun as well. It's a game, and the old English smugglers, apart from noticing changes in English legislation, and their own profits, died out anyway, by about 1740 except on various islands nearby England. Of course, English smuggling does not really die out; a century later, up to the 1840s, the British/Scots were smuggling heaps of guess what into China - opium! Spammers are smugglers. The main motivation of the smuggler is the profit margin available from the buyer of the smuggled goods. Evasion of the law (usually, the laws of two or more countries), or the rules of polite society, are entirely secondary - mere entertainment value. I think today's spammers have just reinvented all this - and our lawmakers as they call themselves are so deficient in history they don't realise it.

I often find Oz an odd place, it began as a dump-depot for convicts, and our current population fails to discern the interesting lessons to be derived from: (a) the law [and changes to it], and even worse (b) human nature in relation to the law. Something is quite wrong with a country which fails to interpret the lessons of its own origins. But I've digressed again. Damn!

Cheers, Dan.
bat2pl -- turn a .bat perl script into .pl
Date: Thu, 7 Aug 2003 09:50:00 +1000
From: Gerry Patterson

Ok, it's trivial. Just use Gvim ... However, if you have about twenty of them to do, the following might be useful:

# -----------------------------------------------------------------
#!/usr/bin/perl
# bat2pl - strip code at start/end of .bat file created with pl2bat
#
# pl2bat wraps the script in a batch-file header that ends with a
# "#!perl" line followed by a "#line N" directive, and appends a blank
# line, "__END__" and ":endofperl".  The original script is everything
# from the "#!perl" line down to the line before that blank line.
$tgt = $ARGV[0];
unless (open(INPF,$tgt)){
    $tgt .= '.bat';
    open (INPF,"$tgt") || die "Usage $0 File[.bat]\n";
}
$tgt =~ s/\.bat$//i;
open (OUTF,">$tgt.pl") || die "Cannot open output: $tgt.pl\n";
while (<INPF>) {
    # $line stays 0 until the "#!...perl" line; from there it counts lines
    $line++ if (/^#!.*perl/ && ($line + 0) == 0);
    next unless $line;                   # still inside the batch header
    next if ($line++ == 2);              # drop the "#line N" directive
    last if (/^__END__/);                # trailer reached; the pending blank line is dropped
    print OUTF $prnline if ($line > 2);  # print one line behind
    $prnline = $_;
}
# -----------------------------------------------------------------
named check hints: A records for [domain] class 1 do not match hint records
Date: Tue, 19 Aug 2003 16:12:29 +1000
From: Administration user

A message like the following appears on the primary DNS console:

named[135]: check_hints: A records for J.ROOT-SERVERS.NET class 1 do not match hint records

This means the root hints file (named.root, the file named by the "hint" zone in named.conf) is out of date: when named primed its cache it asked the root servers for the current list, and the address it got back for J.ROOT-SERVERS.NET (class 1 is IN) differs from the one in the file. Root server addresses change so rarely that the mismatch can go unnoticed for a long time; named keeps resolving as long as at least one hint is still correct, because the hints are only used to find a root server to ask. The most up to date copy can be obtained by FTP from ftp.internic.net (domain/named.root). Install it over the old file and restart (or reload) named.
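The comparison named makes can be run by hand before the console message appears. The following is an added example, not part of the original page: it parses two copies of named.root, the installed one and a freshly fetched one, and lists the root servers whose A records differ, in the wording named uses. The two hint extracts are constructed for the example and cut down to three servers; the addresses are the ones the file carried before and after J.ROOT-SERVERS.NET moved in November 2002.

```python
def _norm(name):
    """Upper-case a DNS name and drop the trailing dot."""
    return name.upper().rstrip('.')


def parse_hints(text):
    """Parse a root hints file (named.root) into
    ({server_name: {addresses}}, {names listed as NS for "."}).
    Records are 'owner TTL [IN] type rdata'; ';' starts a comment."""
    addrs, ns_names = {}, set()
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == 'IN':
            del fields[2]                  # the class is optional in the file
        if len(fields) != 4:
            raise ValueError('unexpected hint line: %r' % raw)
        owner, _ttl, rtype, rdata = fields
        rtype = rtype.upper()
        if rtype == 'NS' and owner == '.':
            ns_names.add(_norm(rdata))
        elif rtype == 'A':
            addrs.setdefault(_norm(owner), set()).add(rdata)
    return addrs, ns_names


def stale_hints(local_text, current_text):
    """Compare the installed hints with a freshly obtained copy.
    Returns {name: (local_addrs, current_addrs)} for every root server
    whose A records differ; an empty dict means the hints are current.
    A server missing from one side appears with an empty set."""
    local, local_ns = parse_hints(local_text)
    current, current_ns = parse_hints(current_text)
    diffs = {}
    for name in sorted(local_ns | current_ns):
        l, c = local.get(name, set()), current.get(name, set())
        if l != c:
            diffs[name] = (l, c)
    return diffs


def report(diffs):
    """One line per mismatch, in the words named writes to the console."""
    return ['check_hints: A records for %s class 1 do not match hint records '
            '(hints: %s; current: %s)'
            % (name, ', '.join(sorted(l)) or '-', ', '.join(sorted(c)) or '-')
            for name, (l, c) in sorted(diffs.items())]


# Constructed three-server extracts.  LOCAL_HINTS is what a box installed
# in 2001 still carries; CURRENT_HINTS is the August 2003 file.
LOCAL_HINTS = """; named.root, cut down to three servers for the example
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     198.41.0.10
"""
CURRENT_HINTS = """; named.root, cut down to three servers for the example
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  IN  A     198.41.0.4
.                        3600000  IN  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000  IN  A     128.9.0.107
.                        3600000  IN  NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000  IN  A     192.58.128.30
"""

if __name__ == '__main__':
    for line in report(stale_hints(LOCAL_HINTS, CURRENT_HINTS)):
        print(line)
```

To run it for real, read the installed file and the copy fetched from ftp.internic.net (or the glue returned by `dig @a.root-servers.net . NS`) into the two strings. An empty result means nothing needs doing; otherwise install the new file and reload named (`ndc reload` on BIND 8, `rndc reload` on BIND 9) or restart it as the note above says.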
SPAM: 221.146.1/24 mail abuse
From bceo_44@erols.com Sun Aug 3 20:53:08 2003
Return-Path: <bceo_44@erols.com>
Received: from patrick ([221.146.1.68]) by pgts04.xxxx.com.au (8.11.6/8.11.6) with SMTP id h73Ar6Z16627 for <webmaster@xxxx.com.au>; Sun, 3 Aug 2003 20:53:07 +1000 (EST) (envelope-from bceo_44@erols.com)
Message-Id: <200308031053.h73Ar6Z16627@pgts04.xxxx.com.au>
From: bceo_44@erols.com
To: webmaster@xxxx.com.au
Subject: quick q
Sender: bceo_44@erols.com
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Sun, 3 Aug 2003 19:47:13 +0900
X-Mailer: Microsoft Outlook, Build 10.0.2627
Status: RO
Content-Length: 1052
Lines: 31

<html> <head> </head>
<body bgcolor="#003333" text="yellow" link="#CCCCCC" vlink="#CCCCCC" alink="#CCCCCC" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="1">
<tr> <td align="center"><font size="2" color="white"><b>DON'T LOSE ANY MORE MONEY ON YOUR EXISTING HOME LOAN!<br><br>whats up. I thought you might be interested in this.<br><BR>Only the BANKS k<loppr55y>now about this gggreat offer, now you can too!<BR><br></td> </tr>
<tr><td align="center"><a href="http://r.aol.com/cgi/redir-complex?url=http://winningsolution@buynow3sx.com/viewso65/index.asp?RefID=198478"><font color="yellow" size="3"><b><u>With the money y<pppaaassrew>ou save, put it towards a new car!</a><br><br></td></tr>
</table> </body> </html>

Ed: whois returns the following from krnic:

IP Address : 221.146.0.0-221.146.15.255
Network Name : KORNET-XDSL-HAENGDANG-REDBACK2-1328
Connect ISP Name : KORNET
Connect Date : 20030605
Registration Date : 20030613

The +0900 offset in the Date header is consistent with the Korean netblock, and the block had only been allocated two months earlier. Note the junk tags (<loppr55y>, <pppaaassrew>) inserted into words to defeat simple keyword filters, and the link bounced through an aol.com redirector so that the real destination does not appear in the anchor.
SPAM: 4.61.158/24 mail abuse
From aa004092@hogpa.ho.att.com Fri Aug 8 04:55:09 2003
Return-Path: <aa004092@hogpa.ho.att.com>
Received: from LoNigro (lsanca1-ar41-4-61-158-106.lsanca1.dsl-verizon.net [4.61.158.106]) by pgts04.xxxx.com.au (8.11.6/8.11.6) with SMTP id h77It7Z50668 for <webmaster@xxxx.com.au>; Fri, 8 Aug 2003 04:55:07 +1000 (EST) (envelope-from aa004092@hogpa.ho.att.com)
Message-Id: <200308071855.h77It7Z50668@pgts04.xxxx.com.au>
From: aa004092@hogpa.ho.att.com
To: webmaster@xxxx.com.au
Subject: help defend your PC against new viruses
Sender: aa004092@hogpa.ho.att.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Fri, 7 Feb 2003 10:49:33 -0800
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-Length: 512
Lines: 23

DONT BECOME ANOTHER STATISTIC - INSTALL VIRUS PROTECTION NOW
most viruses are received via email
Norton Antivirus will keep you safe from all virus systems, and scans all emails automatically!
btw, you look great today.
For the BEST Anti-virus package, Click here NOW.
http://fpp39@softwaresavings2you.biz/default.asp?id=3000
ps. dont want any more of this shit?
http://f1pp39@softwaresavings2you.biz/remove/remove.html

Ed: Purchase virus-protection from a spammer? Only if you are truly desperate! The Date header (7 Feb 2003) is six months behind the time the mailhub stamped in its Received header, and the message came from a Verizon DSL line while claiming an att.com sender, so neither the date nor the From address can be taken at face value.
SPAM: 66.17.148.192/27 mail abuse (or is it just ham?)
From baddr-8589981011-3334300-458880193-1S@mx.plaxo.com Sat Aug 9 00:52:31 2003
Return-Path: <baddr-8589981011-3334300-458880193-1S@mx.plaxo.com>
Received: from mx.plaxo.com ([66.17.148.196]) by pgts04.xxxx.com.au (8.11.6/8.11.6) with SMTP id h78EqTZ56624 for <gerry@xxxx.com.au>; Sat, 9 Aug 2003 00:52:29 +1000 (EST) (envelope-from baddr-8589981011-3334300-458880193-1S@mx.plaxo.com)
Received: (qmail 17478 invoked from network); 8 Aug 2003 14:46:54 -0000
Received: from unknown (10.1.0.2) by mx3.plaxo.com with QMQP; 8 Aug 2003 14:46:54 -0000
Received: (from 68.158.169.102 by Plaxo); 8 Aug 2003 14:22:03 -0000
Message-ID: <1060354014.19913.230826.sendUpdate@mx.plaxo.com>
Date: 8 Aug 2003 14:46:54 -0000
From: "Joel B. Rothman" <jrothman@xxxxxx.com>
To: "Gerry Patterson" <gerry@xxxx.com.au>
Reply-to: "Plaxo Contact Update for Joel B. Rothman" <addrupdate-8589981011-3334300-458880193-1SH@mx.plaxo.com>
Precedence: bulk
Subject: Your contact info
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------C0302C3E1ADE2168BC4F49CB"
Content-Length: 3387
Lines: 98

This is a multi-part message in MIME format.
--------------C0302C3E1ADE2168BC4F49CB
Content-Type: multipart/alternative; boundary="----=_NextPart_001_0028_01C2C189.94CF9E70"

------=_NextPart_001_0028_01C2C189.94CF9E70
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Gerry,

In my never ending struggle to stay current, I am updating my address book. Please take a moment to update me with your latest contact info. Click the following link to correct or confirm your information:

https://www.plaxo.com/edit_contact_info?r=8589981011-3334300-458880193&t=web

Name: Gerry Patterson
Job Title:
Company:
Work E-mail: gerry@xxxx.com.au
Work Phone:
Work Fax:
Work Address Line 1:
Work Address Line 2:
Work City, State, Zip:
Mobile Phone:
Home E-mail:
Home Phone:
Home Fax:
Home Address Line 1:
Home Address Line 2:
Home City, State, Zip:

My current contact information:

P.S. I've included my Plaxo card below so that you have my current information. I've also attached a copy as a vCard.

+-----------------
| Joel B. Rothman
| jrothman@xxxxxx.com
| Vice President, Legal and Government Affairs
| Ed: The address has been removed -- for now.
+-------------------------------------
____________________________________________________________
This message was sent to you by jrothman@xxxxxx.com via Plaxo.
To have Plaxo automatically handle these messages in the future, go to:
http://www.plaxo.com/autoreply
Plaxo's Privacy Policy: http://www.plaxo.com/support/privacy

Ed: There was also a MIME encoded HTML attachment, which has not been included.

At first, I thought that this rather audacious attempt at data prospecting could be part of an attempt to create electronic profiles of victims for fraudulent purposes. However, the headers appear to be genuine but funky: the message really did arrive from mx.plaxo.com, and the inner Received lines show it was submitted to Plaxo from 68.158.169.102 and relayed through their own qmail servers. And it appears that twelve months ago, Joel Rothman did indeed contact me. It was UCE but not bulk UCE, and he only sent the one message. So that is all perfectly legit as far as I am concerned. By my own criteria it did not qualify as spam.

I was about to overlook this as a clumsy attempt to update an address book. Then some investigation of plaxo.com revealed that hostnames in this domain are just a little too complex to be fair dinkum. There is an interesting comment at http://www.pcmag.com/article2/0,4149,905467,00.asp which explains how the plaxo thing spreads: each recipient who fills in the form becomes another user sending the same request to their own address book. Suffice to say, "It's a Microsoft Thing". Which of course makes me a little suspicious. Joel introduced himself as a US-based developer of Linux Security Systems. The question does arise about his continuing use of the world's most insecure MUA (Microsoft Outlook). Last and by no means least, plaxo.com get an honorable mention in SpamCop. They have been registered by Network Solutions, Inc., who lately seem to be one of the spammers' registrars of choice.

According to whois the registrant details are as follows:

Parker, Sean (UUTNYYADTD)
1975 Landings Drive
Mountian View, CA 94043
US
Domain Name: PLAXO.COM

All of these details and the Administration and other contacts seemed above board. So you can make up your own mind as to whether it qualifies as spam. Sean Parker was once a co-founder of Napster. How the mighty have fallen. It seems he now sails his vessel very close to the edge ... of the black hole of spam. Let's hope he doesn't fall in ...