
tlug: SMTP and junk email [was: How are they doing this? ]



--------------------------------------------------------
tlug note from "Stephen J. Turnbull" <turnbull@example.com>
--------------------------------------------------------
***** Why is it so easy to spoof addresses in mail?  The main reason
is that the SMTP doesn't care what's in the message at all.  Not the
headers, nor the body.

A simple SMTP session ("protocol replies" are generated by the remote
host, and you should eliminate the # comments and any surrounding
whitespace):

bash% telnet 127.0.0.1 25         # 25 is the SMTP TCP port
HELO your.own.domain              # some hosts gethostbyaddress, not all
... some protocol reply ...
MAIL FROM: any.old.address@example.com  # this may have been
                                             # forwarded, eg from UUCP,
                                             # so nobody checks 
... another protocol reply ...
RCPT TO: real-addr@example.com             # this does not have to
                                             # be any.host.where!!!
                                             # it does have to exist,
                                             #   or nobody will care :-)
... one more protocol reply ...
DATA
any lines you want here, including more fake headers if you want
or you can put real headers if you want!

What a novel idea!
.                     # just like Unix mail(1)
                      # a dot by itself ends message
... message accepted protocol reply ...
QUIT
bash%

Try it yourself on 127.0.0.1!  For more info, check out RFC 821.
(ftp://ftp.lab.kdd.co.jp/RFC/rfc821.txt or something like that).

***** Filtering junk mail using procmail

I keep old junk mail around mostly because I've been too lazy to
delete it.  And it's useful for research.  And it might have gotten
auto-shit-canned by procmail but be a real person.

Anyway, the most important thing to do is to trash any mail with an
"X-UIDL" header.  In my "archive" 298 of 500 junk messages had that
header:

bash-2.00$ scan +abuse | wc
    500    4984   40400
bash-2.00$ fgrep UIDL ~/Mail/abuse/* | wc
    298     595   20680

It is apparently added by some kind of bulk-mail software; I've never
seen it in a real message.  The following lines from my .procmailrc are
the filter:

:0:
* X-UIDL|friend@example.com|cyberpromo|relay\.iemmc\.org|rensaw\.com
  |sallynet\.com|vol\.it|mkt-(usa|america)\.com|RESELL\.COM|THEHITMAN\.COM
  |powertips\.com|24hrplaymates\.com|qlink2info\.com|vaprnet\.com
  |cyberbytes\.com|for name removal|adultpatrol\.com|skyinet\.net
  |corpsite\.com|mlmail\.com|cyberbundle\.net
$HOME/Mail/abuse/newmail

(Lines folded and space added for readability.)
Except for vol.it, all of the domains mentioned seem to exist only for
the purpose of bulk mail.  Quite a few of them are aliases for
Cyberpromo.  vol.it ended up on the shit-list when I saw it for 5
separate bulk mailings in one week.

At present, on average 3 of 42 messages make it through this filter
per week.

The procmail list usually has lots of discussion on this, but it also
gets spammed all the time so I don't read it any more.

Any other suggestions would be welcome....

Steve

-- 
                            Stephen J. Turnbull
Institute of Policy and Planning Sciences                    Yaseppochi-Gumi
University of Tsukuba                      http://turnbull.sk.tsukuba.ac.jp/
Tel: +81 (298) 53-5091;  Fax: 55-3849              turnbull@example.com
-----------------------------------------------------------------
a word from the sponsor will appear below
-----------------------------------------------------------------
The TLUG mailing list is proudly sponsored by TWICS - Japan's First
Public-Access Internet System.  Now offering 20,000 yen/year flat
rate Internet access with no time charges.  Full line of corporate
Internet and intranet products are available.   info@example.com
Tel: 03-3351-5977   Fax: 03-3353-6096
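The telnet session in the post above, replayed end to end as an added example (this code is not from the post or from TLUG): a toy receiving MTA on 127.0.0.1 speaks the RFC 821 subset the post uses (HELO, MAIL FROM, RCPT TO, DATA, QUIT), and a client sends a message whose header From: differs from the envelope MAIL FROM. The server name mx.test.invalid and all addresses are constructed. It goes one step past the post: the receiving side stamps its own observations (peer address, HELO name, envelope sender) into a Received: header, and a defender-side check compares the envelope sender with the header From:, which is the only part of the exchange the receiving host can actually vouch for.

```python
import socket
import threading
from email import message_from_string
from email.utils import parseaddr

SERVER_NAME = "mx.test.invalid"   # constructed name for the toy receiving MTA


def handle_connection(conn, addr, store):
    """Serve one RFC 821-style session; append the accepted message to `store`.

    Nothing after DATA is verified (exactly as the post says), so the MTA records
    what it observed itself (peer IP, HELO argument, envelope sender) in a
    Received: header before storing the sender-supplied text.
    """
    rfile = conn.makefile("rb")

    def reply(line):
        conn.sendall((line + "\r\n").encode("ascii"))

    def readline():                      # None on EOF, else the line without CRLF
        raw = rfile.readline()
        return None if not raw else raw.decode("ascii", "replace").rstrip("\r\n")

    reply(f"220 {SERVER_NAME} toy SMTP ready")
    helo, mail_from, rcpts = None, None, []
    while True:
        line = readline()
        if line is None:
            break
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo = arg.strip()
            reply(f"250 {SERVER_NAME}")
        elif verb == "MAIL":             # "MAIL FROM:<addr>": recorded, never checked
            mail_from = arg.partition(":")[2].strip().strip("<>")
            reply("250 OK")
        elif verb == "RCPT":
            rcpts.append(arg.partition(":")[2].strip().strip("<>"))
            reply("250 OK")
        elif verb == "DATA":
            reply("354 End data with <CR><LF>.<CR><LF>")
            lines = []
            while True:
                data = readline()
                if data is None or data == ".":   # a dot by itself ends the message
                    break
                lines.append(data[1:] if data.startswith("..") else data)  # undo dot-stuffing
            trace = (f"Received: from {helo} ({addr[0]}) by {SERVER_NAME}; "
                     f"envelope-from <{mail_from}>")
            store.append({"mail_from": mail_from, "rcpt_to": list(rcpts),
                          "message": "\r\n".join([trace, *lines]) + "\r\n"})
            reply("250 OK queued")
        elif verb == "QUIT":
            reply(f"221 {SERVER_NAME} closing")
            break
        else:
            reply("500 command not recognised")
    conn.close()


def start_server(store):
    """Listen on an ephemeral loopback port, serve exactly one session in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, addr = srv.accept()
        handle_connection(conn, addr, store)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def send_session(port, helo, mail_from, rcpt_to, message_lines):
    """Replay the post's telnet session over a socket; return the server's replies."""
    replies = []
    with socket.create_connection(("127.0.0.1", port)) as s:
        f = s.makefile("rb")

        def send(line):
            s.sendall((line + "\r\n").encode("ascii"))

        def expect():
            replies.append(f.readline().decode("ascii").rstrip("\r\n"))

        expect()                                            # 220 greeting
        for cmd in (f"HELO {helo}", f"MAIL FROM:<{mail_from}>",
                    f"RCPT TO:<{rcpt_to}>", "DATA"):
            send(cmd)
            expect()
        for line in message_lines:                          # headers, blank line, body
            send("." + line if line.startswith(".") else line)   # dot-stuffing
        send(".")                                           # end of message
        expect()
        send("QUIT")
        expect()
    return replies


def envelope_header_mismatch(envelope_from, header_from):
    """Defender-side check: envelope sender seen by the MTA vs. the address shown in From:."""
    return parseaddr(header_from)[1].lower() != envelope_from.lower()


def demo():
    """Constructed session in which header From: and envelope MAIL FROM disagree."""
    store = []
    port = start_server(store)
    message = [
        "From: Someone Else <friend@example.com>",   # header chosen by the sender
        "To: real-addr@example.com",
        "Subject: What a novel idea!",
        "",
        "Body text.",
    ]
    replies = send_session(port, "your.own.domain", "any.old.address@example.com",
                           "real-addr@example.com", message)
    msg = message_from_string(store[0]["message"])
    return {"replies": replies, "envelope_from": store[0]["mail_from"],
            "header_from": msg["From"], "received": msg["Received"],
            "mismatch": envelope_header_mismatch(store[0]["mail_from"], msg["From"])}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The Received: line is the one header the receiving host wrote itself, which is why tracing a forged message starts from the topmost Received: headers rather than from From:; the mismatch check is only a signal, since legitimate forwarding and mailing lists also produce a different envelope sender.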

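The procmail recipe in the post, reimplemented as an added example in Python (not the post's own code) so the matching semantics can be run against a constructed four-message mailbox. The rule list is a subset of the post's alternatives; the sample messages, the domain bulk.test and the host mx.test.invalid are constructed. Like procmail's default, the rules are case-insensitive, unanchored and applied to the header only, so a keyword in the body does not fire. The anchored form "^X-UIDL:" is a tightening added here: the post's bare "X-UIDL" would also match the string inside a Subject: line, and the example shows both behaviours.

```python
import re

# Constructed rule set modelled on the post's recipe (a subset of its alternatives).
# procmail matches conditions case-insensitively, unanchored and against the header
# only by default; the anchored "^X-UIDL:" form is a tightening added here.
HEADER_RULES = [
    r"^X-UIDL:",
    r"friend@example\.com",
    r"cyberpromo",
    r"relay\.iemmc\.org",
    r"for name removal",
]

# Constructed sample mailbox: four raw messages (headers, blank line, body).
SAMPLE_MAILBOX = [
    "From: offers@bulk.test\nX-UIDL: 0a1b2c3d\nSubject: Make money fast\n\nbody\n",
    "Received: from relay.iemmc.org\n\tby mx.test.invalid\nFrom: x@y.test\nSubject: hi\n\nbody\n",
    "From: colleague@example.org\nSubject: re: the list\n\nsomeone mentioned cyberpromo\n",
    "From: colleague@example.org\nSubject: what is X-UIDL for?\n\nbody\n",
]


def header_block(raw):
    """Return only the header section, with folded continuation lines unfolded."""
    head = raw.split("\n\n", 1)[0]
    return re.sub(r"\n[ \t]+", " ", head)


def classify(raw, rules=HEADER_RULES):
    """Return ('abuse', pattern) for the first rule that hits the header, else ('inbox', None)."""
    head = header_block(raw)
    for pat in rules:
        if re.search(pat, head, re.IGNORECASE | re.MULTILINE):
            return "abuse", pat
    return "inbox", None


def sort_mailbox(messages, rules=HEADER_RULES):
    """Deliver each message to a folder and return per-folder counts (cf. the post's scan | wc)."""
    counts = {"abuse": 0, "inbox": 0}
    for raw in messages:
        folder, _ = classify(raw, rules)
        counts[folder] += 1
    return counts


def count_header(messages, name):
    """Count messages carrying a given header, like the post's `fgrep UIDL ... | wc` tally."""
    pat = re.compile(rf"^{re.escape(name)}:", re.IGNORECASE | re.MULTILINE)
    return sum(1 for raw in messages if pat.search(header_block(raw)))


if __name__ == "__main__":
    for raw in SAMPLE_MAILBOX:
        print(classify(raw))
    print(sort_mailbox(SAMPLE_MAILBOX), count_header(SAMPLE_MAILBOX, "X-UIDL"))
```

Unfolding the header before matching matters because a Received: line that wraps onto a continuation line would otherwise hide the domain from a single-line pattern; anchoring header-name rules at line start keeps a Subject: that merely mentions the header name out of the abuse folder.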
