On Mon, Jan 29, 2007 at 02:58:53PM -0500, David F. Skoll wrote:
> Philip Prindeville wrote:
> > Simply saying, "One of your customers tried to spam me,
> > but I rejected it... here are the logs" isn't enough. They
> > insist that I give them a copy of the message
>
> I think that's perfectly reasonable. If you are initiating a
> complaint against someone, it's up to you to preserve and present all
> of the evidence.

Just another note to underline the importance of this. You have to look
at this from the viewpoint of the abuse department. Especially, from the
viewpoint of the employee who's explaining to the disgruntled subscriber
who suddenly finds his internet gone and is told to extinguish viruses
from their machine (or network) and secure his setup. (This is assuming
the customer's machine is a zombie, which it usually is. You don't find
many real spammers these days, certainly not among our subscribers.)

At that moment, you need all the evidence that you can possibly get.
Just getting a single-line log message saying "I rejected this spammer
at IP #.#.#.#" isn't nearly good enough. It _might_ serve as a statistic
on the overall case if it's properly timestamped, but nothing more than
that.

On that matter, listings on even usually very reliable DNS blacklists
are not enough reason to disable a subscriber's internet connection.

If you truly want to help reduce the amount of spam sent by spamming
zombies, the best thing to do is set up a feedback loop with as many
warm bodies at big ISPs' abuse departments as you can find. You might
have to send stuff like ARF (see http://arf.wordtothewise.com/ ). But do
establish that contact with the abuse department first. If you have a
positive attitude, cooperative ISPs will usually value your input, and
you can ask for agreements like no passing of unmunged headers to
end-users, for example (to protect your spamtraps, if any).

> Our commercial software, for example, collects all the envelope
> information, all of the headers, and the first 8kB of the message body
> and generates a complaint mail. It also uses WHOIS to figure out who
> the best person to complain to is. You then go in and edit the
> generated mail and recipient list as required, and hit "send".
> (Although we reject unwanted messages with a 5xx code, we do keep some
> info about them in a database, partly for the purpose of sending
> well-formed complaints.)

That sounds useful, especially keeping the first chunk of the body. I
might want to borrow that idea :)

Oh, on the subject of abuse contact addresses: it might be better to use
the abuse.net contacts database to determine the proper abuse contact;
it usually has a better contact address (and more easily parsable) than
WHOIS. If you have a domain, like example.com, to contact in abuse cases
(e.g. as learned from reverse DNS), just do a DNS query for
"example.com.contacts.abuse.net": TXT records are contact addresses,
A records list the number of contacts, and HINFO tells you if the
contact is actually listed ("lookup") or if it just returns you the
default record ("default"). If you get the default, it's likely best to
fall back to WHOIS info.

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
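
The evidence bundle discussed in this thread (envelope information, all headers, the first 8 kB of the body), packaged as an ARF feedback report. This is an added example, not part of the original message and not code from any poster's software. Field names follow RFC 5965, the standardized form of ARF; the function names, addresses and sample message are constructed for illustration.

```python
from email import message_from_string
from email.mime.base import MIMEBase
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

BODY_LIMIT = 8 * 1024  # "the first 8kB of the message body", as quoted above

# Constructed sample: a rejected message whose body exceeds the limit.
SAMPLE = ("From: sender@example.net\r\nTo: trap@example.org\r\n"
          "Subject: constructed sample\r\n\r\n" + "buy now\r\n" * 2000)

def truncate_original(raw, limit=BODY_LIMIT):
    """Keep all headers, but only the first `limit` characters of the body."""
    headers, sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    return headers + sep + body[:limit]

def build_arf_report(raw, source_ip, mail_from, rcpt_to, arrival, reporter, abuse_to):
    """Return a multipart/report (report-type=feedback-report) complaint."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"], report["To"] = reporter, abuse_to
    report["Subject"] = "Abuse report: mail from " + source_ip
    # Part 1: human-readable summary for the abuse desk.
    report.attach(MIMEText(
        "Unsolicited mail from %s at %s; evidence attached.\n" % (source_ip, arrival)))
    # Part 2: machine-readable fields, including the SMTP envelope.
    fields = MIMEBase("message", "feedback-report")
    fields.set_payload("\n".join([
        "Feedback-Type: abuse",
        "User-Agent: example-reporter/0.1",  # hypothetical reporter name
        "Version: 1",
        "Source-IP: " + source_ip,
        "Arrival-Date: " + arrival,  # timestamp of the SMTP transaction
        "Original-Mail-From: " + mail_from,
        "Original-Rcpt-To: " + rcpt_to,
    ]) + "\n")
    report.attach(fields)
    # Part 3: the original message, all headers plus the truncated body.
    report.attach(MIMEMessage(message_from_string(truncate_original(raw))))
    return report

if __name__ == "__main__":
    print(build_arf_report(SAMPLE, "192.0.2.25", "<sender@example.net>",
                           "<trap@example.org>", "Mon, 29 Jan 2007 14:58:53 -0500",
                           "postmaster@example.org", "abuse@example.com").as_string())
```

If the receiving ISP has agreed not to pass unmunged headers to end users, the third part still has to be redacted on their side; this sketch sends the headers as received.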