So if you had received the mail sent here yesterday claiming to be from
Alain Durand, would you block Sun or IBM? I am sure Alain did not send a
random executable file to a non-existent account. It appears someone figured
out he had responded to me on this list in the past, and plenty of times
daily there are messages with the same content sent to half a dozen account
names as a cc set. Correlating Durand to Hain is completely in line with
typical spammer behavior. The fact this message got here is not a Sun
problem (but someone at IBM might want to send me a note). The point is that
it really doesn't matter which proxy was used; what shows up here looks like
a legitimate message from someone I have corresponded with in the past. The
only way to detect a fraud at the MUA would be to have a verifiable
signature from Alain (this was trapped at my MTA due to the exe file).

Tony


192.35.***.***:43014;4.65.25.155:25;Tue, 17 Feb 2004 15:12:51 -0800
tndh.net
S471B7
MAIL FROM:<[EMAIL PROTECTED]>
RCPT TO:<[EMAIL PROTECTED]>
<<MAIL-DATA>>
Received: from mtrumble (192.35.***.***:43014)
        by tndh.net with [XMail 1.17 (Win32/Ix86) ESMTP Server]
        id <S471B7> for <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]>;
        Tue, 17 Feb 2004 15:12:51 -0800
Date: Tue, 17 Feb 2004 17:10:17 -0600
To: [EMAIL PROTECTED]
Subject: ID qfp... thanks
From: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------443488178303183"

----------443488178303183
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Yours ID fscyygroiei
--
Thank 
----------443488178303183
Content-Type: application/x-msdownload; name="pcrceynyu.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cdv.exe"


> 192.35.***.***
Non-authoritative answer:
***.***.35.192.in-addr.arpa     name = ***.***.ibm.com

*** - if someone from IBM wants to contact me off list I will provide the
missing name/number



> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vernon
> Schryver
> Sent: Tuesday, February 17, 2004 8:03 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How Not To Filter Spam
> 
> > From: "william(at)elan.net"
> 
> > > It is also a classic example of what is wrong with the MUA filtering
> >
> > You certainly don't assume that there is nothing wrong with the filtering
> > system you use and others may try to duplicate as well. Otherwise how would
> > you explain that you have Elan and completewhois.com listed as filtered
> > on your site? Do you honestly believe we ever sent you any SPAM? Or maybe
> > you're making certain assumptions about envelope from or normal "From:"
> > headers and complaining when others are making the similar assumptions?
> 
> Mail from Elan and completewhois.com is unwelcome at rhyolite.com in
> part because of a message that said:
> 
> ] Elan.Net Internet
> ] T.1 T.3 Frame Relay
> ] If you need more information about us or are interested in network services
> ] (managed hosting, collocation, dedicated servers, t1, t3), please send email to [EMAIL PROTECTED]
> ]
> ] For More info
> ] http://www.elan.net
> ] [EMAIL PROTECTED]
> 
> There are additional, independent, sufficient reasons for that listing
> that we do not need to explore.  If you will read my web pages, you'll
> see that my list of unwelcome domains is not only about senders of
> unsolicited bulk email.
> 
> An advantage of a vanity or other tiny domain is that it can use
> blacklists that would have intolerable false positive rates at other
> or larger outfits but that have 0.000% local false positive rates.
> 
> 
> Vernon Schryver    [EMAIL PROTECTED]
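
The message at the top of this post was trapped at the MTA because of the exe attachment. A sketch of that kind of attachment check follows, as an added example that is not part of the original thread and not XMail's own filter; the function name, the blocked-extension list and the placeholder addresses in the constructed sample are assumptions.

```python
import os
from email import message_from_string

# Extensions refused outright (assumed list for this example).
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Constructed sample modeled on the captured message; addresses are
# placeholders and the base64 body decodes to the word "constructed".
SAMPLE = """\
From: sender@example.com
To: recipient@example.net
Subject: ID qfp... thanks
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------443488178303183"

----------443488178303183
Content-Type: text/plain; charset="us-ascii"

Yours ID fscyygroiei
----------443488178303183
Content-Type: application/x-msdownload; name="pcrceynyu.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cdv.exe"

Y29uc3RydWN0ZWQ=
----------443488178303183--
"""

def attachment_findings(raw):
    """Return (reason, detail) tuples for one raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ct_name = part.get_param("name")  # Content-Type: ...; name=
        cd_name = part.get_param("filename", header="content-disposition")
        for n in sorted({n for n in (ct_name, cd_name) if n}):
            if os.path.splitext(n.lower())[1] in BLOCKED_EXT:
                findings.append(("blocked-extension", n))
        # The captured message carries two different names on one part; report that too.
        if ct_name and cd_name and ct_name != cd_name:
            findings.append(("name-mismatch", f"{ct_name} vs {cd_name}"))
    return findings

if __name__ == "__main__":
    for reason, detail in attachment_findings(SAMPLE):
        print(reason, detail)
```

The check looks only at the MIME part headers, so it fires whatever the From: line claims.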

