[CLUE-Tech] Mail Delivery (failure clue-tech@clue.denver.co.us)

Roy J. Tellason rtellason at blazenet.net
Thu Jul 8 12:54:22 MDT 2004


On Thursday 08 July 2004 02:23 pm, Jed S. Baer wrote:

> > Was that in fact a virus?

> Well, my ISP identified it as NetSky.

Hmm.

> > Any thoughts about how I might trace where in fact these are coming
> > from? And what might be done about them?

> Well, from an end-user on a list point of view, I don't know. You can
> always examine the full headers, and check the earliest Received: entries.
> Then do a whois lookup to see whom to complain to. In this case:

> Received: from clue.denver.co.us (proxy-sabata-ejp.powernet.cz
> [193.109.183.94])
>         by clue.denver.co.us (8.9.3/8.9.3) with ESMTP id FAA14151
>         for <clue-tech at clue.denver.co.us>; Thu, 8 Jul 2004 05:28:50 -0600
>
> $ whois 193.109.183.94 at whois.ripe.net
> inetnum:      193.109.176.0 - 193.109.183.255
> netname:      POWERNET-CZ
> descr:        EN-DATA a.s.
> descr:        Czech republic
> country:      CZ
> [snip]
> no abuse address listed.

It figures.

> > Or better yet some way to automate dealing with them?  It'd be neat if
> > kmail saw something like this coming in and could just forward it to
> > abuse at wherever from the _real_ source address,  but I don't think my
> > simple attempts to deal with filtering just now are quite up to that
> > task just yet.

> I don't know about KMail. One could do various things using fetchpop and
> procmail, I suppose. Or formail if your MUA uses mbox format (or even if
> not? I don't know). Piping incoming e-mail through a Perl script to
> examine the envelope, etc. might be useful (which you could do using
> procmail). But I wouldn't want it totally automated. Yeah, it'd be great
> to have an MUA which provided a "process using command" capability for any
> message.

I was starting out with the idea that I was going to have to set up a whole 
bunch of different programs to get email going here,  once I started out on 
that task -- sendmail, procmail, fetchmail,  etc.  Then I discovered how easy 
it was to get kmail to do most of what I wanted,  and sort of just dropped 
that project.  I may end up picking it up again at some point as this LAN 
gets a little bigger and other users start to get involved in the picture.  
Just in the past few days I've started doing this from a workstation (the 
actual mail itself still lives on a server) using nfs,  but there are some 
glitches there to work out yet,  and some loose ends.

> FWIW, I've had a considerable lack of success reporting e-mail abuse.
> Regrettable, but true. Since this is a virus, maybe the ISP would be
> willing to do something about the user? Or, maybe already has.

It's interesting how so many ISPs seem to view keeping you from _downloading_ 
spam or viruses to be a "good thing" (I guess it is from a marketing point of 
view) but they don't seem to bother with any consideration whatever about 
people _uploading_ the damn things.  At least not that I've heard.  This is 
such an issue that my previous provider screwed up communications for me with 
both individual parties (one person could NOT reach me by email, good thing 
we had other channels) and with yahoo,  which at the time I was using for a 
single list.  As of today I've got 67 lists from there going,  and wouldn't 
want them screwed up,  though yahoo seems to be taking that into their own 
hands at this point.

Since an email-propagated virus would have multiple points of arrival from 
each point of departure,  this approach would seem to be a lot more efficient 
on the face of it.  I wonder if *any* ISP is trying something like this?
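
The header check described in the quoted advice above, as an added example that is not part of the original message: it walks the Received: lines newest-first and returns the peer that handed the mail to a server you trust, which is the address to feed to whois. The function name, the trusted-host set and the second Received: line in the sample are assumptions made for illustration.

```python
import email
import ipaddress
import re

# Sendmail-style hop: "from HELO (rdns [ip]) by HOST ..."; rdns may be missing.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

# Constructed sample: the first Received: line is the one quoted in the thread;
# the second is an invented forgery of the kind a sender can prepend.
SAMPLE = """\
Received: from clue.denver.co.us (proxy-sabata-ejp.powernet.cz
 [193.109.183.94])
        by clue.denver.co.us (8.9.3/8.9.3) with ESMTP id FAA14151
        for <clue-tech at clue.denver.co.us>; Thu, 8 Jul 2004 05:28:50 -0600
Received: from mail.example.org (mail.example.org [192.0.2.55])
        by relay.example.org with SMTP; Thu, 8 Jul 2004 05:00:00 -0600
Subject: Mail Delivery (failure)

body
"""


def first_untrusted_hop(raw_message, trusted_hosts):
    """Walk Received: headers newest-first; return the peer that handed the
    message to our own servers, or None if no trusted server stamped it."""
    trusted = {h.lower() for h in trusted_hosts}
    found = None
    for value in email.message_from_string(raw_message).get_all("Received", []):
        m = HOP.search(value)
        if not m or m["by"].lower() not in trusted:
            break  # not written by a server we run, so it could be forged
        rdns = (m["rdns"] or "").lower()
        found = {
            "ip": str(ipaddress.ip_address(m["ip"])),  # raises on a malformed address
            "rdns": m["rdns"],
            "helo": m["helo"],
            # HELO is whatever the client typed; in the header quoted in the
            # thread it names the receiving host itself.
            "helo_spoofs_receiver": m["helo"].lower() in trusted and rdns not in trusted,
        }
        if rdns not in trusted:
            break  # peer is outside our network; lower headers are sender-supplied
    return found


if __name__ == "__main__":
    print(first_untrusted_hop(SAMPLE, {"clue.denver.co.us"}))
```

Only the address inside the square brackets is recorded by the receiving server from the TCP connection; the HELO name, and any Received: line below the first untrusted hop, are supplied by the sender.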









