Spam - email headers

Joined: 11/28/2008

I have been getting some spam to an email address that previously had no spam at all. My suspicions are that the spam is somehow being sent from a forum I recently registered with, or someone on that forum has worked out a method to harvest email addresses, as other people on the forum have been getting spam also.

Is there any definitive method of using the email headers, and finding out the ISP, at least, where the spam was sourced from ?

I do use SpamCop, and they are able to 'interpret' the headers, and send an abuse report off. I guess that will have to do, if there is no other methods of going through the email headers, and finding out the relevant info.

"The church is never a place, but always a people;
never a fold but always a flock;
never a building but always a believing assembly.
The church is you who pray,
not where you pray."
-Anonymous

Joined: 11/28/2008

On comparing the emails, the body content is basically the same. One interesting email header was this

QUOTE
Message-ID: <{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}{DIGIT}.E19E69A5C3@BPVQ>

which is not the usual form of the "Message-ID:" header of course. Also noticed one header that doesn't usually appear in emails ..

QUOTE
Thread-Index: D4orS7Qemb2qzI6P4BDZzC1Sk9OboO1Xgam1


Joined: 11/28/2008

If you're using Outlook or Outlook Express, do the following:

Right click the title of the email in the inbox list.

Hit properties.

Go to the Details tab I believe it is, or it's a button in some cases.

You'll see an info box with a bunch of gobbledygook in it. That information is where you can get some very interesting information. There you'll notice IP addresses (sometimes displayed with dashes instead of dots); those IP addresses are usually very hard to spoof, but their domain names sometimes don't match up. If that happens, you can bet you now have the IP address of the spammer. To make sure someone hasn't managed to spoof the IP as well, try doing an IP lookup at networksolutions.com or some place that lets you get info on IP addresses. You can then either create a rule to block this IP in your firewall or email client, or call up your mail server to have that IP blocked at the server. If you notice a number of emails all having the same first three sets but different final sets, such as 123.456.1.1 123.456.1.2 123.456.3, then you can block the entire range by having your mail server block out 123.456.1

We sacrifice all that we are and all that we love for the greater good -- the One above.
Visit me at http://www.thesswatteam.org, http://ww

Joined: 11/28/2008
QUOTE(songdove @ Jul 20 2006, 12:35 PM)
If you're using Outlook or OUtlook Express, do the following:

Thanks, but I deliberately don't use M$ email clients, because there are so many worms, trojans, etc., that are specifically written for M$ email clients, like Outlook, etc. I use Pegasus Mail.

Thanks for the other info, possibly Pegasus has a log; I know the anti-virus tool I use (AVG) keeps a fairly detailed log. In this situation, I can't understand how finding the (correct) IP, and then banning it, even in the email client, will stop the spam, because it all gets delivered to my ISP. At that 'stage', it is too late to close the door. I don't like spam filters, because they can cause legitimate emails to be deleted/lost. I even have SpamAssassin which I could use, because before the emails hit my ISP, they go through a web server.

I have asked my host about the CPanel feature "Box Trapper", which is basically a white list. They stated in the past, that it had problems, but if it gets going again, that would be ideal really, because it is built into the email server.

There are another 2 this morning, the IPs have always been in different 'blocks', here is the SpamCop report for the 3 yesterday ............

QUOTE
=====================

Spam report id 1844106360 sent to: abuse-nonverbose@qwest.net
Spam report id 1844106368 sent to: spamcop@imaphost.com

=====================

Spam report id 1844222171 sent to: postmaster@insightcom.com
Spam report id 1844222172 sent to: nocabuse@insightcom.com
Spam report id 1844222173 sent to: spamcop@imaphost.com

=====================

Spam report id 1844223149 sent to: abuse@sbcglobal.net
Spam report id 1844223150 sent to: spamcop@imaphost.com

=====================

Here is an IP from one yesterday .....

QUOTE
Received: from [69.226.50.17] (helo=PORTOLA.u0youp.org)

The sub-domain or even the domain don't exist (why would I be surprised), the IP does resolve, but it could be spoofed, as the 'From:' and 'Return-path:' would also be spoofed.

Some news about what SpamCop are doing to combat spam ....

QUOTE
Mailhost configuration

SpamCop is undergoing a major renovation to the underlying logic which it uses to determine spam sources. Soon, all SpamCop users will be required to use this new system, completing additional setup steps. Some "unique" users may not be able to report all the spam they have in the past.

Why? This is being done because of ongoing problems - spammers have finally begun doing what we have known they could do all along - create really convincing mail header forgeries. These forgeries make SpamCop think spam is being sent from innocent sites where it is actually not. Clearly, this must be stopped. Currently, only a few spam forgeries cause serious problems for SpamCop, but if this problem is not solved, it will become much worse. Even now, a few mis-identified innocent sites are a big problem. This system promises to eliminate the forgery problem forever, while also avoiding problems caused by other less-drastic attempts to mitigate the forgeries. However, it does require more involvement from SpamCop users.

When? For now, this new system is optional. You may choose to use it or not. However, users are encouraged to start using it immediately. Once we have some feedback from users, and have addressed the most serious problems, it will become mandatory for all users. In the future, we may make other changes which will make reporting spam easier. For example, if we can be sure there are no errors, we may be able to dispense with additional user confirmation when spam is submitted.

Thanks for your help,

J

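A worked version of the header walk songdove describes, and of the "mailhost" idea in the SpamCop notice quoted above: read the Received: lines newest-first, trust only the hops stamped by your own mail hosts, and report the outside IP that your host accepted the connection from. This is added example code, not from the thread or from SpamCop; the message, host names (mail.example.net, mx1.example.net) and addresses are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, not a message from the thread. Received: lines read
# top-down, newest first. Only hops stamped by your own mail hosts are
# reliable; the bottom line was written by the sender to blame an innocent host.
SAMPLE = """\
Received: from mx1.example.net ([198.51.100.7]) by mail.example.net with ESMTP; Thu, 20 Jul 2006 12:00:03 +0000
Received: from [192.0.2.45] (helo=PORTOLA.forged.invalid) by mx1.example.net with smtp; Thu, 20 Jul 2006 12:00:01 +0000
Received: from innocent.example.org ([203.0.113.9]) by PORTOLA.forged.invalid; Thu, 20 Jul 2006 11:59:00 +0000
From: someone@forged.invalid
Subject: constructed sample

body
"""

# Hosts you operate: the "mailhosts" SpamCop asks reporters to register (assumed names).
MY_HOSTS = {"mail.example.net", "mx1.example.net"}
# RFC 1918 and loopback ranges: a hop from these is an internal relay, not the origin.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_hop(line):
    """Split one Received: value into from-name, claimed HELO, connecting IP, by-host."""
    head = line.partition(" by ")[0]            # only the 'from ...' part carries the IP
    name = re.search(r"\bfrom\s+([^\s(]+)", head)
    helo = re.search(r"helo=([^\s)]+)", head)
    ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", head)
    by = re.search(r"\bby\s+([\w.-]+)", line)
    return {"from": name.group(1).strip("[]") if name else None,
            "helo": helo.group(1) if helo else None,   # sender-asserted, never verified
            "ip": ip.group(0) if ip else None,
            "by": by.group(1) if by else None}


def trusted_source(raw, my_hosts=MY_HOSTS):
    """Return the hop where one of my_hosts accepted the connection from an outside
    IP, or None. That IP is the one to report; every hop below it is text the
    sender supplied and may be forged."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        hop = parse_hop(" ".join(value.split()))    # unfold wrapped header lines
        if hop["by"] not in my_hosts:
            return None                             # not stamped by us: trust ends here
        if hop["from"] in my_hosts:
            continue                                # relay between our own boxes
        if hop["ip"] and not any(ipaddress.ip_address(hop["ip"]) in n for n in INTERNAL):
            return hop
    return None


if __name__ == "__main__":
    hop = trusted_source(SAMPLE)
    print(f"report {hop['ip']}; HELO {hop['helo']} is only what the sender claimed")
```

The bottom Received: line naming innocent.example.org is exactly the kind of forgery the SpamCop notice describes; because it was not stamped by a registered mailhost, the walk never reaches it.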

Joined: 11/28/2008

Fighting spam gets very tiring.
I prefer signing up to different places with different email addresses and then just abandoning the spammed ones.

I have a domain name dedicated to this.

If you liked this post, you'll love The Open Source Ministry Forum
And, the Open Source Ministry Blog {

Joined: 11/28/2008

Bob: I always wondered who owned kamakazi-spam-fighter....

--
iLuke

Joined: 11/28/2008
QUOTE(MrHerald @ Jul 20 2006, 08:57 PM)
Fighting spam gets very tiring.
I prefer signing up to different places with different email addresses and then just abandoning the spammed ones.

Yes, good idea. When Yahoo increased their email boxes to 1GB it was a bit annoying, as there is one Yahoo address I have (that spammers have gleaned from Yahoo groups, etc.) that I wish the box was only about 10 Mb, then if a spammer tries, it bounces back.

QUOTE(MrHerald @ Jul 20 2006, 08:57 PM)
I have a domain name dedicated to this.

I (sort of) do that. Would you mind explaining the method, or if you don't want it public, can you PM me with the details.

At present, I never use my ISP email address, because I never want to have to go through the process of changing everything if I change ISPs. All I do is to use a domain, and have the emails forwarded to different boxes at the ISP.
