[CLUE-Talk] Spam question

Dave Hahn dhahn at techangle.com
Sun Apr 14 19:53:56 MDT 2002


(Long, but hopefully worthwhile.)

You are most likely right in believing that it has nothing to do with
yahoo.com.

As to whether or not your ISP is to blame, it depends.  There are a few
problems an ISP faces when deciding how far to go to block spam.

1) You can require that the sending server's domain name actually resolves.
I expect yahoo.com resolves.
--- This is a normal action for an ISP to take.  In the case of this
message, yahoo.com resolves; it may not match, but it resolves.

2) You can require that the sending server's hostname and domain name
reverse resolve correctly.
--- Most ISPs do not do this.  It's mostly for customer service reasons.  If
your ISP required this, the following could cause an e-mail to bounce:
----- a) The DNS admin of the remote site hasn't set up reverse DNS
properly.  It's tough as a small ISP to convince your customers that they
can't receive e-mail from earthlink.net because their DNS admin is a fool.
(Just an example, I'm sure earthlink is fine.)
----- b) The sending SMTP server could be sitting behind a corporate
firewall.  The server may provide the name mail.bigcompany.com, but the IP
address it appears to be coming from is firewall.bigcompany.com.  E-mail
then bounces.
----- c) A server could have multiple names and the remote DNS system, by
default, just gives out the first.  Mail go boing-boing.

The level of spam fighting an ISP chooses to do can be restricted by quite a
few things.  Other things that can backfire:
1) Blocking e-mail from a server that has sent spam. -- It's very easy to
end up blocking @aol.com.  Personally, I don't mind it, but the customers
have a tendency to complain.
2) Blocking e-mail from servers listed in one of the open-relay / Spam
server lists.  Same as above.  That's why these guys get sued/threatened
quite a bit.  An entire ISP and its customers can be punished.  Now, don't
get me wrong, I think people with open relays should be forced to watch
hours of the Teletubbies as punishment, but, it's the customers that get
punished when they can't send e-mail.
3) Block e-mail from a 'known' spamming address.  "From" addresses can be
falsified.  If an ISP automagically blocks e-mail from an address from which
spam is reported, updates at cnn.com could be blocked in that fashion.
4) Use Vipul's Razor or a similar technology to compare the 'fingerprints'
of a spam message.  Couple of problems - 1) Spammers are starting to make
alterations to the subject lines and message content for *each* spam.  Then,
the fingerprint doesn't match and the garbage gets through.  2) Someone
accidentally/purposely checks in an e-mail message that isn't spam into the
Razor system.  Assume that someone hates this message (stop snickering, I
can hear you from here) and runs it through one of the systems and checks
it in as spam.  Anyone else receiving this message after that, that is on a
participating system, would not get the message. After all, it's been
categorized as spam.


Any way you cut it, an ISP trying to block spam either has to spend time
being *very* detailed or they have to apply a broad rule set to all messages
received.  Either way, some crap will make it through.

As to the answer to the spam problem, I'm not sure.  The current law, in
Colorado anyway, really doesn't make it worth your time to pursue these
guys.  (You can get $10 from them in small claims court.  Assuming you can
prove who they *actually* are.)  There are some stories of people winning
quite a bit of money in court from repeat spammers.  But, for everyone that
gets hit with a judgment, 19 others are out there crafting the new 'Natural
Viagra replacement that gets you free satellite television, a dozen X10
cameras and dates with incredibly hot women that want to date men that
received our free penile enhancement during the valentine day season as a
result of punching the monkey and winning $50,987 dollars from Bill Gates by
forwarding an e-mail that was tracked by AOL and crafted by CNN.'  Of course
the $50K was pocket change because they've all been working from home 2
hours a week and making $10,000 a minute.

I know it's true - I read it in my e-mail.

-D

-----Original Message-----
From: clue-talk-admin at clue.denver.co.us
[mailto:clue-talk-admin at clue.denver.co.us] On Behalf Of Matt Gushee
Sent: Sunday, April 14, 2002 6:51 PM
To: clue-talk at clue.denver.co.us
Subject: [CLUE-Talk] Spam question


Hi, all--

I have a question about taking action against a spammer. Normally I
just file spam under "spammers," because it doesn't take too much time,
and I'd rather not spend my life in a battle of wits against such scum.
But every now and then if I get too many messages from the same people,
or their tactics are particularly obnoxious, I'll bump them up to
"egregious spammers," and if they continue I finally take some action.

So anyway, I've got one of the egregious ones now. There seems to be
a couple of related companies sending the mail; their web sites
(www.omxi.com, www.terminations.net) are both on the same subnet. Most
of the messages carry a Yahoo return address, and the originating host
sometimes pretends to be yahoo.com--e.g., from the headers:

  Received: from [65.100.139.218] (helo=yahoo.com)
          by mail2.hypermall.com with smtp (Exim 3.16 #2)

This is the earliest Received header. Hypermall.com is a domain name
owned by my ISP. 65.100.139.218 is not a Yahoo IP: traceroute shows
it to be www.omxi.com. So, my questions:

  Am I right in thinking that these messages really have nothing
    to do with Yahoo?

  Is my ISP at fault for accepting messages from a host that falsifies
    its domain name?

Appreciate your sage advice.

--
Matt Gushee
Englewood, Colorado, USA
mgushee at havenrock.com
http://www.havenrock.com/
_______________________________________________
CLUE-Talk mailing list
CLUE-Talk at clue.denver.co.us
http://clue.denver.co.us/mailman/listinfo/clue-talk
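The checks Dave lists (item 1: the HELO name resolves at all; item 2: the connecting address reverse-resolves and that name agrees with the HELO name), run against the Received header from Matt's message and against his three "legitimate mail bounces" cases (a: no reverse DNS, b: sender behind a firewall/NAT, c: a host with several names whose DNS hands out only the first). This is an added example, not code from either post. DNS is replaced by a constructed in-memory table using documentation address ranges; the only record taken from the thread is that 65.100.139.218 reverse-resolves to www.omxi.com, which is what Matt's traceroute showed. The hostnames in the extra scenarios, the receiving host mx.hypothetical.example and the three policy names are assumptions.

```python
"""Offline model of the HELO / reverse-DNS checks discussed in the thread.
Added example; the DNS data below is constructed, not real records."""
import ipaddress
import re

# Matches the Exim-style "from" clause seen in the thread,
#   from [65.100.139.218] (helo=yahoo.com)
# and the other common Exim form: from name ([ip] helo=name)
RECEIVED_RE = re.compile(
    r"from\s+(?:(?P<rdns>[^\s\[(]+)\s+)?\(?\[(?P<ip>[^\]]+)\]\s*"
    r"\(?(?:helo=(?P<helo>[^\s)]+))?\)?",
    re.IGNORECASE,
)


class FakeResolver:
    """Stand-in for DNS so the example runs without network (constructed)."""

    def __init__(self, a, ptr):
        self.a = {k.lower(): v for k, v in a.items()}                      # name -> [ip]
        self.ptr = {k: [n.lower() for n in v] for k, v in ptr.items()}    # ip -> [name]

    def forward(self, name):
        return self.a.get(name.lower().rstrip("."), [])

    def reverse(self, ip):
        return self.ptr.get(ip, [])


def check_sender(received, resolver):
    """Pull IP and HELO out of a Received header and run the thread's checks."""
    m = RECEIVED_RE.search(received)
    if not m:
        raise ValueError("unrecognised Received header")
    ip = str(ipaddress.ip_address(m.group("ip")))   # rejects garbage literals
    helo = (m.group("helo") or "").lower()
    ptr_names = resolver.reverse(ip)
    return {
        "ip": ip,
        "helo": helo,
        # Item 1: HELO domain resolves at all. yahoo.com does, so spam passes.
        "helo_resolves": bool(resolver.forward(helo)),
        # Item 2: forward-confirmed reverse DNS (PTR name maps back to the IP).
        "ptr": ptr_names[0] if ptr_names else None,
        "fcrdns": any(ip in resolver.forward(n) for n in ptr_names),
        # Does the HELO name equal a reverse name? (what item 2 literally asks)
        "helo_matches_ptr": helo in ptr_names,
        # Or does the HELO name itself forward-resolve to the connecting IP?
        "helo_forward_matches_ip": ip in resolver.forward(helo),
    }


# Three policies an ISP could pick; names are this example's, not any MTA's.
POLICIES = {
    "resolve_only": lambda f: f["helo_resolves"],
    "helo_equals_ptr": lambda f: f["fcrdns"] and f["helo_matches_ptr"],
    "helo_verify": lambda f: f["fcrdns"]
    and (f["helo_matches_ptr"] or f["helo_forward_matches_ip"]),
}


def verdict(received, resolver, policy):
    return "accept" if POLICIES[policy](check_sender(received, resolver)) else "reject"


# Constructed DNS table (RFC 5737 documentation ranges except the IP in the thread).
RESOLVER = FakeResolver(
    a={
        "yahoo.com": ["192.0.2.200"],               # resolves, but not to the sender
        "www.omxi.com": ["65.100.139.218"],          # from Matt's traceroute
        "mail.smallisp.example": ["203.0.113.7"],    # case a: A record, no PTR
        "mail.bigcompany.com": ["192.0.2.10"],       # case b: internal host behind NAT
        "firewall.bigcompany.com": ["192.0.2.1"],    # case b: the address seen on the wire
        "mx1.multi.example": ["198.51.100.5"],       # case c: one box, two names
        "mx2.multi.example": ["198.51.100.5"],
    },
    ptr={
        "65.100.139.218": ["www.omxi.com"],
        "192.0.2.1": ["firewall.bigcompany.com"],
        "198.51.100.5": ["mx1.multi.example"],       # case c: server hands out the first name only
    },
)

SCENARIOS = {
    "spam_in_thread": "Received: from [65.100.139.218] (helo=yahoo.com) "
                      "by mail2.hypermall.com with smtp (Exim 3.16 #2)",
    "no_reverse_dns": "Received: from [203.0.113.7] (helo=mail.smallisp.example) "
                      "by mx.hypothetical.example with smtp",
    "behind_firewall": "Received: from [192.0.2.1] (helo=mail.bigcompany.com) "
                       "by mx.hypothetical.example with smtp",
    "multiple_names": "Received: from [198.51.100.5] (helo=mx2.multi.example) "
                      "by mx.hypothetical.example with smtp",
}

if __name__ == "__main__":
    for name, hdr in SCENARIOS.items():
        f = check_sender(hdr, RESOLVER)
        print(f"{name:16} ip={f['ip']:15} helo={f['helo']:24} ptr={f['ptr']}")
        for p in POLICIES:
            print(f"{'':16}   {p:16} -> {verdict(hdr, RESOLVER, p)}")
```

Running it shows the trade-off Dave describes: "resolve_only" accepts everything including the forged yahoo.com HELO, "helo_equals_ptr" rejects the spam but also bounces all three legitimate cases, and the more forgiving "helo_verify" (accept if either the reverse name or the HELO name's forward lookup agrees with the connecting IP) rescues the multi-name host while still rejecting the spam. The firewall case stays rejected under any DNS-only rule, since from the receiver's side it is indistinguishable from a forgery; that is why ISPs that want to keep such customers end up doing no more than check 1.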
