Re: LIKELY SPAM
On Thursday, March 20, 2003, Johannes Posel wrote...

>> Right... but it's not DSL... and what happens with addresses that
>> don't reverse? The spam filters would be useless.

> MTA-issued error "451 Temporary lookup failure, try again later".

I know,... I do that myself... I had assumed that this was client-side filtering, I'd missed your little MTA line on the original post ;)

>> No... but you can insert extra header lines... and that was what I
>> was talking about... What part does the filter pick up on, the
>> first line to report a receive, or the last one.

> The "filter" is at the TCP/IP level, before any kind of header or
> body hits the line. The header or body is basically unrelated.

This can be disregarded as I thought we were talking client side ;)

> Blocking open relays is the birth of all those RBLs. Plus, BTW, an
> MTA can do sender verification "callout", meaning before accepting a
> RCPT, it opens a connection to the MX of the supplied MAIL
> From: to see if this address exists and can accept mail.

I do all that plus more, although my RBL checks have to be accepted, and mail tagged and bounced to me instead of staff... we have one or two customers that won't fix their services, or their providers won't. :)

--
Jonathan Angliss ([EMAIL PROTECTED])

Current version is 1.62 | "Using TBUDL" information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: LIKELY SPAM
On Thursday, March 20, 2003, Johannes Posel wrote...

>> The RBL lists would block 192.168.0.0/24 instead of just the latter
>> half of the range.

> I'd see this analogy, with 192.168.* being dial-up and 10.0.* being
> fixed-IP customers.

Then you wouldn't have an issue with them blocking the dialup blocks. My example shows that an RBL could block the ISDN block as well as the dialup.

>> That's an odd stance. Last time I checked (and as you stated), AOL
>> bounce mail to their own SMTP servers.

> No, I mean like this: A mail server gets an incoming connection from
> an IP which belongs to AOL. It refuses this connection except if
> this IP belongs to the listed AOL MXes. See what I mean?

Yes I know... but last time I checked, AOL didn't allow outbound connections on port 25, and were bounced through their own SMTP servers. This'd result in a firewall rule that didn't do anything as the connections could never reach you as per AOL. But I could be wrong.

>> an example) for example. It just changes your name when somebody does
>> a lookup. If you're blocking by IP range (which is what RBLs do),
>> names don't mean a thing.

> Which RBL are we talking about?

RBLs store IP addresses, not names. Your mail server looks up addresses based on IP address... if it is listed, then it gets blocked. The problem is, some RBLs blacklist whole segments without much research... as Marck found out.

Talking of which *grins*... I think this thread could be moved to TBOT now before it gets flogged ;)

--
Jonathan Angliss ([EMAIL PROTECTED])
Re: LIKELY SPAM
Dear Jonathan,

On 17:31 19.03.2003, you [Jonathan Angliss] wrote...

> Right... but it's not DSL... and what happens with addresses that
> don't reverse? The spam filters would be useless.

MTA-issued error "451 Temporary lookup failure, try again later".

> No... but you can insert extra header lines... and that was what I was
> talking about... What part does the filter pick up on, the first line
> to report a receive, or the last one.

The "filter" is at the TCP/IP level, before any kind of header or body hits the line. The header or body is basically unrelated.

> Ahh... I see... I thought you were talking about a client side filter.

Server side. Client-side spam filtering is, mhhh how to tell diplomatically, well you already downloaded the junk so your "harm" has already been done. ;)

> That is of course ineffective when the mail is being received from
> another mail server. Which is normally the case in most situations as
> spammers fire emails through open relays. Of course, if people knew

Blocking open relays is the birth of all those RBLs. Plus, BTW, an MTA can do sender verification "callout", meaning before accepting a RCPT, it opens a connection to the MX of the supplied MAIL From: to see if this address exists and can accept mail.

Cheers,
Johannes
mailto:[EMAIL PROTECTED]

--
I haven't lost my mind; I know exactly where I left it.
Re: LIKELY SPAM
Dear Jonathan,

On 17:42 19.03.2003, you [Jonathan Angliss] wrote...

> The RBL lists would block 192.168.0.0/24 instead of just the latter
> half of the range.

I'd see this analogy, with 192.168.* being dial-up and 10.0.* being fixed-IP customers.

> That's an odd stance. Last time I checked (and as you stated), AOL
> bounce mail to their own SMTP servers.

No, I mean like this: A mail server gets an incoming connection from an IP which belongs to AOL. It refuses this connection except if this IP belongs to the listed AOL MXes. See what I mean?

> an example) for example. It just changes your name when somebody does
> a lookup. If you're blocking by IP range (which is what RBLs do),
> names don't mean a thing.

Which RBL are we talking about?

Cheers,
Johannes
mailto:[EMAIL PROTECTED]

--
"AFAIK a computer is relatively secure when it is switched off."
~ Karsten Benkel in <[EMAIL PROTECTED]>
Re: LIKELY SPAM
On Wednesday, March 19, 2003, Johannes Posel wrote...

>> How the ISP sets the addresses up is up to them. Mine doesn't do
>> it... but I have seen some that do. And you're wrong... the IP
>> doesn't come from the dial-up pool... it's a different subnet...
>> just some RBL systems block whole /24 class addresses, instead of
>> investigating where the dial-up pools go from and to.

> Again, your provider should contact them to get this fixed.

Fix what? You really have me confused... there is nothing to fix when your ISP assigns one block to dial-up and another block to ISDN, but the RBL lists just block the whole range... for example:

192.168.0.1 - 192.168.0.62 for ISDN (subnet mask 255.255.255.192)
192.168.0.63 - 192.168.0.255 for dialup users

The RBL lists would block 192.168.0.0/24 instead of just the latter half of the range.

> Please don't forget that Internet mail is a privilege, not a right.

I don't ;)

> There are many sites blocking based on domain endings (*.tw, *.cn),

Understandable really... I get plenty of spam originating from .cn/.tw addresses.

> on so called "rogue networks" (all AOL IPs except their MXes)

That's an odd stance. Last time I checked (and as you stated), AOL bounce mail to their own SMTP servers.

> If you have a static IP, which is IMHO the only one suited to
> provide "real" server services, then your provider should be able to
> adjust the PTR DNS record so you don't fall into the dial-up pools.

Adjusting the PTR DNS records doesn't stop you falling into the mentioned brackets above (yes I know I used private address ranges as an example) for example. It just changes your name when somebody does a lookup. If you're blocking by IP range (which is what RBLs do), names don't mean a thing.

--
Jonathan Angliss ([EMAIL PROTECTED])
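Added example (not part of the thread and not any poster's code): the ISDN/dial-up split from the message above, checked against a whole-/24 listing and against a listing that covers only the stated dial-up range. The zone name `dnsbl.example` and the function names are hypothetical; the list is modelled in memory, so no DNS queries are made.

```python
import ipaddress

# Address plan from the message above (private address space used as illustration).
ISDN_NET = ipaddress.ip_network("192.168.0.0/26")        # mask 255.255.255.192, hosts .1-.62
DIALUP_FIRST = ipaddress.ip_address("192.168.0.63")
DIALUP_LAST = ipaddress.ip_address("192.168.0.255")

# What the thread says some lists do: list the whole /24.
BROAD_LISTING = [ipaddress.ip_network("192.168.0.0/24")]

# What a researched listing would contain: the smallest set of CIDR blocks
# that covers exactly the dial-up range and nothing else.
PRECISE_LISTING = list(
    ipaddress.summarize_address_range(DIALUP_FIRST, DIALUP_LAST)
)


def dnsbl_query_name(ip, zone="dnsbl.example"):
    """Build the name a mail server looks up for an IPv4 client address.

    DNS blocklists are keyed by address: the octets are reversed and the
    list's zone is appended. The zone here is a hypothetical placeholder.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch only handles IPv4")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, listing):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in listing)


def collateral(listing, innocent_net):
    """Count usable hosts of innocent_net that the listing would block."""
    return sum(1 for host in innocent_net.hosts() if is_listed(host, listing))


if __name__ == "__main__":
    print("lookup key for 192.168.0.10:", dnsbl_query_name("192.168.0.10"))
    print("precise listing:", [str(n) for n in PRECISE_LISTING])
    print("ISDN hosts blocked by /24 listing:", collateral(BROAD_LISTING, ISDN_NET))
    print("ISDN hosts blocked by precise listing:", collateral(PRECISE_LISTING, ISDN_NET))
```

The lookup key carries no hostname, so changing a PTR record has no effect on either listing; only the choice of listed prefixes decides whether the ISDN hosts are caught.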
Re: LIKELY SPAM
On Wednesday, March 19, 2003, Johannes Posel wrote...

>> And what is that supposed to achieve? And where does the checking occur.

> Resolving the IP address from the host wanting to deliver the mail.
> In your case this would be "66.228.134.123", which resolves fine[1]

Right... but it's not DSL... and what happens with addresses that don't reverse? The spam filters would be useless.

>> I think doing that kind of filtering is a little silly when it
>> comes to spam. I get so much spam daily that has faked host details
>> for the first 2

> You cannot fake your IP address.

No... but you can insert extra header lines... and that was what I was talking about... What part does the filter pick up on, the first line to report a receive, or the last one.

>> received lines that this kind of checking would be pointless. Also
>> check

> It's not about checking headers at all. The rejection takes place
> even before the client sends his EHLO greeting.

Ahh... I see... I thought you were talking about a client side filter. That is of course ineffective when the mail is being received from another mail server. Which is normally the case in most situations as spammers fire emails through open relays. Of course, if people knew how to set things up properly, and allow relaying from authenticated hosts, or trusted addresses only, things would be a lot easier.

--
Jonathan Angliss ([EMAIL PROTECTED])
Re: LIKELY SPAM
Dear Jonathan,

On 17:24 16.03.2003, you [Jonathan Angliss] wrote...

> How the ISP sets the addresses up is up to them. Mine doesn't do it...
> but I have seen some that do. And you're wrong... the IP doesn't come from
> the dial-up pool... it's a different subnet... just some RBL systems block
> whole /24 class addresses, instead of investigating where the dial-up pools
> go from and to.

Again, your provider should contact them to get this fixed.

Please don't forget that Internet mail is a privilege, not a right. There are many sites blocking based on domain endings (*.tw, *.cn), on so called "rogue networks" (all AOL IPs except their MXes), others block their customers' port 25 (AOL, Earthlink) or redirect it to their own SMTP server, no matter which one you wanted to connect to and so on.

It's about fair play. If I choose to operate a mail server that does not need to take direct delivered eMails from declared dialin ports, no matter if this is modem, ISDN, DSL, short wave, CB or anything, then that's up to me, and perhaps my customers. I've seen many sites, including ISPs with millions of customers(!) implementing these blockings.

If you have a static IP, which is IMHO the only one suited to provide "real" server services, then your provider should be able to adjust the PTR DNS record so you don't fall into the dial-up pools.

Cheers,
Johannes
mailto:[EMAIL PROTECTED]

--
It is not because things are difficult that we do not dare; it is because we do not dare that they are difficult
Re: LIKELY SPAM
Dear Jonathan,

On 17:29 16.03.2003, you [Jonathan Angliss] wrote...

>> On 15:59 15.03.2003, you [Jonathan Angliss ([..])] wrote...

> And what is that supposed to achieve? And where does the checking occur.

Resolving the IP address from the host wanting to deliver the mail. In your case this would be "66.228.134.123", which resolves fine[1]

> I think doing that kind of filtering is a little silly when it comes to
> spam. I get so much spam daily that has faked host details for the first 2

You cannot fake your IP address.

> received lines that this kind of checking would be pointless. Also check

It's not about checking headers at all. The rejection takes place even before the client sends his EHLO greeting.

Cheers,
Johannes
mailto:[EMAIL PROTECTED]

[1]
[EMAIL PROTECTED]:~$ host 66.228.134.123
Name: netdork.net
Address: 66.228.134.123
[EMAIL PROTECTED]:~$

--
The light at the end of the tunnel is the headlight of an approaching train.
Re: LIKELY SPAM
> On 15:59 15.03.2003, you [Jonathan Angliss ([..])] wrote...

Will you PLEASE stop putting my email address in the reply template. Thank you!

>> Actually it is more than possible. Some ISDN blocks sit in the same
>> block (/24) as dialups, albeit a different subnet mask. When RBL
>> lists blacklist addresses, they often don't research into the extent
>> of the range, and just block the whole /24 range, while the dialup
>> range stops halfway through that subnet.

> While we're at it, this is a quick copy&paste from an MTA mailing
> list, targeted at "how to block spammers":
>
> ***+++***
>
> A few options that can be done, sender verification can be done.
> Create a filter that contains
>
> if (($sender_host_name contains "ppp") or
> ($sender_host_name contains "dsl") or
> ($sender_host_name contains "pool") or
> ($sender_host_name contains "dhcp") or
> ($sender_host_name contains ".cpe.") or
> ($sender_host_name contains "interbusiness.it") or
> (($sender_host_name contains "cable") and ($sender_host_name does
> not contain "bloor.is.net.cable.rogers.com"))) then

And what is that supposed to achieve? And where does the checking occur.

I think doing that kind of filtering is a little silly when it comes to spam. I get so much spam daily that has faked host details for the first 2 received lines that this kind of checking would be pointless. Also check the host details of this mail... sent over a DSL connection... bet you won't be seeing any details of that :)

--
Jonathan Angliss
Re: LIKELY SPAM
>> Actually it is more than possible. Some ISDN blocks sit in the same
>> block (/24) as dialups, albeit a different subnet mask. When RBL
>> lists blacklist addresses, they often don't research into the extent
>> of the range, and just block the whole /24 range, while the dialup
>> range stops halfway through that subnet.

> Well, then complain to your provider to get this fixed. They should
> not take IPs from dial-up pools and assign them to fixed customers.
> With a fixed IP, you should get your own PTR record and so on, and
> this is not possible with dial-up pools.

How the ISP sets the addresses up is up to them. Mine doesn't do it... but I have seen some that do. And you're wrong... the IP doesn't come from the dial-up pool... it's a different subnet... just some RBL systems block whole /24 class addresses, instead of investigating where the dial-up pools go from and to.

--
Jonathan Angliss
Re: LIKELY SPAM
Dear Jonathan,

On 15:59 15.03.2003, you [Jonathan Angliss ([EMAIL PROTECTED])] wrote...

> Actually it is more than possible. Some ISDN blocks sit in the same block
> (/24) as dialups, albeit a different subnet mask. When RBL lists blacklist
> addresses, they often don't research into the extent of the range, and just
> block the whole /24 range, while the dialup range stops halfway through
> that subnet.

While we're at it, this is a quick copy&paste from an MTA mailing list, targeted at "how to block spammers":

***+++***

A few options that can be done, sender verification can be done.
Create a filter that contains

if (($sender_host_name contains "ppp") or
($sender_host_name contains "dsl") or
($sender_host_name contains "pool") or
($sender_host_name contains "dhcp") or
($sender_host_name contains ".cpe.") or
($sender_host_name contains "interbusiness.it") or
(($sender_host_name contains "cable") and ($sender_host_name does
not contain "bloor.is.net.cable.rogers.com"))) then

[ Note Rogers.com uses cable within their sending mail server ]

Lastly you can create a list of networks to deny from.

***+++***

Blocks based on reverse hostname dial-up clients.

Cheers,
Johannes
mailto:[EMAIL PROTECTED]

--
Excuse my english. I went to US public school.
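Added example (not part of the thread and not the quoted filter's own code): the substring conditions from the pasted filter re-expressed in Python and run over a few PTR names, to show where a name-based block hits and where it misses. Assumptions: matching is case-insensitive, a match means the connection is refused, and a missing PTR record gets the temporary 451 reply mentioned elsewhere in the thread. All sample hosts except `netdork.net` and the Rogers name are constructed.

```python
# Substrings taken from the filter quoted in the message above.
DIALUP_MARKERS = ("ppp", "dsl", "pool", "dhcp", ".cpe.", "interbusiness.it")
CABLE_EXCEPTION = "bloor.is.net.cable.rogers.com"

TEMPFAIL = "451 Temporary lookup failure, try again later"


def connect_time_verdict(ptr_name):
    """Decide what to do with a connecting client, given its reverse DNS name.

    ptr_name is the PTR lookup result for the client's IP address, or None
    when the address does not reverse. The decision uses only the connecting
    address, so message headers never enter into it.
    """
    if ptr_name is None:
        # Temporary failure: a legitimate sender retries later, so a broken
        # resolver on our side does not lose mail.
        return TEMPFAIL
    name = ptr_name.lower()
    if any(marker in name for marker in DIALUP_MARKERS):
        return "reject"
    if "cable" in name and CABLE_EXCEPTION not in name:
        return "reject"
    return "accept"


# (client IP, PTR name) pairs. IPs in 203.0.113.0/24 are documentation
# addresses and the names on them are constructed for this example.
SAMPLES = [
    ("66.228.134.123", "netdork.net"),                        # from the thread
    ("203.0.113.10", "ppp-10.dialup.isp.example"),            # dynamic dial-up
    ("203.0.113.20", "mx1.pooltools.example"),                # static mail host
    ("203.0.113.30", "smtp.bloor.is.net.cable.rogers.com"),   # filter's exception
    ("203.0.113.40", "c-40.cable.isp.example"),               # cable customer
    ("203.0.113.50", None),                                   # no PTR record
]


def evaluate(samples):
    """Return {ip: verdict} for every sample."""
    return {ip: connect_time_verdict(ptr) for ip, ptr in samples}


if __name__ == "__main__":
    for ip, verdict in evaluate(SAMPLES).items():
        print(f"{ip:15s} -> {verdict}")
```

The constructed static host `mx1.pooltools.example` is refused only because its name happens to contain "pool", while a host whose PTR carries no access-type hint is accepted whatever line it sits on.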
Re: LIKELY SPAM
Dear Jonathan,

On 15:59 15.03.2003, you [Jonathan Angliss ([EMAIL PROTECTED])] wrote...

> Actually it is more than possible. Some ISDN blocks sit in the same block
> (/24) as dialups, albeit a different subnet mask. When RBL lists blacklist
> addresses, they often don't research into the extent of the range, and just
> block the whole /24 range, while the dialup range stops halfway through
> that subnet.

Well, then complain to your provider to get this fixed. They should not take IPs from dial-up pools and assign them to fixed customers. With a fixed IP, you should get your own PTR record and so on, and this is not possible with dial-up pools.

Cheers,
Johannes
mailto:[EMAIL PROTECTED]

--
If you put garbage in a computer nothing comes out but garbage. But this garbage, having passed through a very expensive machine, is somehow ennobled and none dare criticize it.
Re: LIKELY SPAM
On March 15, 4:56 am Johannes Posel wrote:

> On 12:54 03.03.2003, you [Marck D Pearlstone ([..])]
> wrote...

You might want to avoid doing that... I'm sure Marck doesn't want his email address put on a public archive like that ;)

>> And here. I have a static IP address on a dialup ISDN. I have been
>> running my own mail server for my own domain (silverstones.com) for
>> nearly 8 years now. I have been a computer communications
>
> Then this is not a focus of a dial-up RBL! These lists contain
> *dynamic* IP ranges, whereas your fixed IP is easily traceable.

Actually it is more than possible. Some ISDN blocks sit in the same block (/24) as dialups, albeit a different subnet mask. When RBL lists blacklist addresses, they often don't research into the extent of the range, and just block the whole /24 range, while the dialup range stops halfway through that subnet.

--
Jonathan Angliss
Re: LIKELY SPAM
Dear Marck,

On 12:54 03.03.2003, you [Marck D Pearlstone ([EMAIL PROTECTED])] wrote...

> And here. I have a static IP address on a dialup ISDN. I have been
> running my own mail server for my own domain (silverstones.com) for
> nearly 8 years now. I have been a computer communications

Then this is not a focus of a dial-up RBL! These lists contain *dynamic* IP ranges, whereas your fixed IP is easily traceable.

> somewhere else to do it. But more and more ISPs use blacklists and
> even SpamCop uses his Monkeys.com open relay blacklist :-(((.

I can understand why there are dial-up blacklists. The biggest German ISP, T-Online, uses them too. You'd laugh, they even forbid *their own customers* to deliver mail to their own MXes, requiring them to use a smart-host.

The idea is that if you're a private customer on a *dynamic* IP, which is not intended to run servers, then you should use your ISP's smarthost mailserver.

Cheers,
Johannes
mailto:[EMAIL PROTECTED]

--
"The Government can't take down Microsoft, but Microsoft CAN take down the Government"
Re: LIKELY SPAM
Hello Task,

> I believe the best solution to no lost mails is:

POPFile :-)

--
Best regards,
Miguel A. Urech (El Escorial - Spain)
Using The Bat! v1.62i
Re[2]: LIKELY SPAM
Dear followers of tbudl at thebat.dutaint.com:

Regarding what Jonathan posted at the time:

JA> find out it is a dial-up/dsl/isdn with a dynamic IP address, and
JA> for "the safety of the internet", blacklist that block too. As you
JA> can see... from one persons mistake, it can result in the possible
JA> 254 people being blocked immediately. Nice huh? What is even worse
JA> is if you are on a large ISP,

In the past (2 years ago) I used the bigfoot service, but bigfoot use the orlb.org database to filter, some friends ("dummy users of internet") are using the smtp server from your isp and the account of the isp. And orlb has in your database this server and this @server.com. Bigfoot was delete the mails of my dummy-friends, *without questions*. I do not use bigfoot service yet.

The problem is:
- I know that spam I received
- some spam for me is not spam for others, i.e.: "fwd: fwd: fwd..." messages.
- some spam for others is not spam for me, i.e. airlines distribution lists, cinemas distribution lists.

I believe the best solution to no lost mails is: the final user need make your own lists, the final user do not need publish their address, the server *do not* filters the mails.

--
Signing off,
Task Control
mail: TaskControl at SoftHome dot net
Using:
- Windows 98 4.10.1998
- AVG 6.0 Free Edition
- The Bat! 1.63 Beta/7
- Trillian PRO 1.0 B
Re: LIKELY SPAM
On Monday, March 03, 2003, Thomas Fernandez wrote...

>> But more and more ISPs use blacklists and even SpamCop uses his
>> Monkeys.com open relay blacklist :-(((.

> I don't like what I'm reading. Julian Haight was for me "the good
> guy on the internet". I know SpamCop checks with monkeys.com, but I
> didn't know monkeys.com lists false positives. So is reporting to
> SpamCop still good?

It's not that they always list false positives. Often you'll find if they check a host, and find it open (proxies on monkeys.com I believe), they don't alert the owner, but blacklist it. They then find out it is a dial-up/dsl/isdn with a dynamic IP address, and for "the safety of the internet", blacklist that block too. As you can see... from one person's mistake, it can result in the possible 254 people being blocked immediately. Nice huh? What is even worse is if you are on a large ISP, say verizon, or AOL for example, where their IP blocks span whole blocks... so you could be caught in a nasty block caused by somebody on the other side of the country, not even on the same subnet as yourself.

I personally think submitting to SpamCop is a good idea as it allows spam reports to be submitted quickly. I'm not sure what SpamCop does with the information it has, I am on the fence. I noticed they submit the addresses for testing at the various blacklists if they aren't found in a lookup... That can be a good and bad thing I guess.

--
Jonathan Angliss ([EMAIL PROTECTED])
Re: LIKELY SPAM
Hello Marck,

On Mon, 3 Mar 2003 11:54:22 + GMT (03/03/03, 18:54 +0700 GMT), Marck D Pearlstone wrote:

> But more and more ISPs use blacklists and even SpamCop uses his
> Monkeys.com open relay blacklist :-(((.

I don't like what I'm reading. Julian Haight was for me "the good guy on the internet". I know SpamCop checks with monkeys.com, but I didn't know monkeys.com lists false positives. So is reporting to SpamCop still good?

--
Cheers,
Thomas.

Moderator of the German The Bat! Beginner list.

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." (Benjamin Franklin, 1759)

Message reply created with The Bat! 1.63 Beta/5 under Chinese Windows 98 4.10 Build A using an AMD Athlon K7 1.2GHz, 128MB RAM
Re: LIKELY SPAM
On Monday, March 03, 2003, Marck D Pearlstone wrote...

> And here. I have a static IP address on a dialup ISDN. I have been
> running my own mail server for my own domain (silverstones.com) for
> nearly 8 years now. I have been a computer communications
> professional for 18 years. Suddenly I'm being told "If you don't
> like our rules, then go find your own Internet. We were here before
> you." and "You are just another bozo clueless home hobbyist among a
> veritable sea of them. Why don't you just go away now and leave the
> running of the Internet to the professionals. (You clearly aren't
> one of us.)".

I unfortunately think this kind of attitude is what gets the internet in trouble a lot of the times. Most of the people that think they are doing right are in some cases making things worse. If these so called "experts" were to educate the "non-experts" in what was wrong, then the need for such "systems of abuse" would not be needed. It doesn't take long to explain the points of securing a mail server... or even point them to a website with guides... hell, I can pull up two links off the top of my head, and even assist on postfix, and sendmail securing.

> This is Ron Guilmette's way of explaining why the blacklists can do
> as they please and why he considers that there is no possibility
> that I know what I am doing, his evidence being that I only have a
> dialup connection. This was an argument about a proxy server that
> was open for a couple of days before I correctly re-configured it.
> Without any help from him or anyone else.

Although I like the system, and the idea of it... It *does* reduce the spam a bit... I think education is a better method of ensuring things are corrected, and reporting abuse is also a better way to go.

> These extracts from his last couple of communications were the clean
> bits. He takes "rude" into a whole new dimension! There really
> should be some way of letting him know that, no, actually this is
> *our* Internet and if he wants to play god he will have to find
> somewhere else to do it. But more and more ISPs use blacklists and
> even SpamCop uses his Monkeys.com open relay blacklist :-(((.

I think using SpamCop as a reporting service is an excellent idea, as it does 90% of the hard work for those that don't know how to do it. I think also getting SpamCop to use such services as monkeys.com for lookup on information is also a good idea... but I am not sure about spamcop's hosted mail services.

I think you unfortunately ran into one of the internet evangelists, who thinks what they do is right, no matter what really is happening. I've always had the view that education is often better than using services such as monkeys.com or ordb.org. I do myself use them, but not an explicit block, I get the mails tagged as sent from open relays, then I often contact the owner of the server, and alert them to the issue.

--
Jonathan Angliss ([EMAIL PROTECTED])
Re: LIKELY SPAM: Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!:vampire
On Sunday, March 02, 2003, Marck D Pearlstone wrote...

MDP>>> FYI - Osiris also BLs Dial-up users like me

Z>> Why do they do that?

> Because the *nix propeller heads that think they own the Internet
> don't think that any serious mail server user should hide behind a
> dial-up connection. One such runs monkeys.com, a major open relay
> blacklist, and goes by the name of Ron Guilmette. I got a major
> roasting from him because of my dial-up IP and sub-hosted domain
> status.

This is a slightly unusual view... but I have noticed monkeys.com does blacklist a lot of addresses that it shouldn't. It is often the case that people like the mentioned will blacklist whole dialup blocks because of constant spam attacks from those blocks. Often they do a blanket mask on that address too, catching a lot of innocent people. This usually means that:

a) you're unlikely to be able to run your own mail server
b) you're not likely to be able to connect directly with the end smtp server

I do think that sometimes it is necessary to block off a whole bunch of addresses, but other times, it is unjust and the people doing the blocking really don't research what they're doing, for example I found the other day that earthlink.net (a fairly large ISP over in the US) had decided to block my line provider's whole block, dial up, and static connections. I think they used monkeys.com too. I was removed shortly after I complained about that though.

--
Jonathan Angliss ([EMAIL PROTECTED])
Re: Re:re:re:re:..ree ree!!Re: LIKELY SPAM: Re[2]: LIKELY SPAM:Re[2]: plugin for the bat!: vampire
On Sunday, March 2, 2003, 10:54 PM, you wrote:

MW> I think this subject line is getting a little out of hand, too...
MW> -Mark Wieder

were you around for the Potatoe Guy thread? now THERE was a MONSTER!!

--
Paul
Using The Bat! v1.63 Beta/5 on Windows XP 5.1 Build 2600 Service Pack 1
Re: LIKELY SPAM
Hi Deborah,

@3-Mar-2003, 11:19 Deborah W [DW] in mid:[EMAIL PROTECTED] said:

DW> On Monday, March 3, 2003, 12:24:59 AM, Marck D Pearlstone wrote:

MDP>> Because the *nix propeller heads that think they own the Internet
MDP>> don't think that any serious mail server user should hide behind a
MDP>> dial-up connection.

DW> Really? Then how do they think those of us in areas where the
DW> *only* option is dial-up are supposed to work?!

Exactly!

DW> ... Dial-up is the only choice for anyone in this area (& in
DW> many others).

And here. I have a static IP address on a dialup ISDN. I have been running my own mail server for my own domain (silverstones.com) for nearly 8 years now. I have been a computer communications professional for 18 years. Suddenly I'm being told "If you don't like our rules, then go find your own Internet. We were here before you." and "You are just another bozo clueless home hobbyist among a veritable sea of them. Why don't you just go away now and leave the running of the Internet to the professionals. (You clearly aren't one of us.)".

This is Ron Guilmette's way of explaining why the blacklists can do as they please and why he considers that there is no possibility that I know what I am doing, his evidence being that I only have a dialup connection. This was an argument about a proxy server that was open for a couple of days before I correctly re-configured it. Without any help from him or anyone else.

These extracts from his last couple of communications were the clean bits. He takes "rude" into a whole new dimension! There really should be some way of letting him know that, no, actually this is *our* Internet and if he wants to play god he will have to find somewhere else to do it. But more and more ISPs use blacklists and even SpamCop uses his Monkeys.com open relay blacklist :-(((.

--
Cheers -- .\\arck D Pearlstone -- List moderator
TB! v1.63 Beta/7 on Windows 2000 5.0.2195 Service Pack 2
Re[2]: LIKELY SPAM: Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!:vampire
On Monday, March 3, 2003, 12:24:59 AM, Marck D Pearlstone wrote:

MDP> Because the *nix propeller heads that think they own the Internet
MDP> don't think that any serious mail server user should hide behind a
MDP> dial-up connection.

Really? Then how do they think those of us in areas where the *only* option is dial-up are supposed to work?! Despite living in an urban area less than ten miles from the largest city in Northern Ireland, we have no cable anything, no broadband access, not even a choice of telephone providers without plugging the phone into a re-routing box. Dial-up is the only choice for anyone in this area (& in many others).

--
Deborah
Re: LIKELY SPAM: (was: plugin for the bat!: vampire)
Hello Task,

On Sunday, March 2, 2003 at 10:22:55 PM you [TC] wrote (at least in part):

z>> SPAM: RCVD_IN_SBL(3.2 points) RBL: Received via
z>> SBLed relay, see http://www.spamhaus.org/sbl/

TC> The route that the mail follows? Can I change this? I think not.

No. But you can point your ISP to http://spamhaus.org/SBL/sbl.lasso?query=SBL6652 and http://spews.org/html/S331.html and have him take the appropriate actions to be delisted there.

Osirusoft is in fact an argumentative database, but the IP listed there contained in your mails is not in the database for being a dial-up IP, but "a spammer hosting" one like Spamhaus states too. So in this case you're the innocent victim of your ISP's actions.

--
Regards
Peter Palmreuther
(The Bat! v1.63 Beta/7 on Windows 2000 5.0 Build 2195 Service Pack 1)

"Bother" said Pooh, as he destroyed New Hampshire.
Re[2]: LIKELY SPAM: Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!:vampire
On Sunday, March 2, 2003, 4:24:59 PM, Marck D Pearlstone wrote:

MDP> Because the *nix propeller heads that think they own the Internet
MDP> don't think that any serious mail server user should hide behind
MDP> a dial-up connection.

I can believe that. An unfortunately large number of *nix people are not known for having open minds. :-

ztrader
Re[2]: LIKELY SPAM: Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!:vampire
Marck-

ROTFL. Methinks ignorance and arrogance are two major prerequisites for attaining ISPdom.

I think this subject line is getting a little out of hand, too...

-Mark Wieder
Using The Bat! v1.63 Beta/4 on Windows 2000 5.0 Build 2195 Service Pack 2
Re: LIKELY SPAM: Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!:vampire
Hi ztrader,

@2-Mar-2003, 16:01 -0800 (00:01 UK time) ztrader [Z] in mid:[EMAIL PROTECTED] said:

MDP>> FYI - Osiris also BLs Dial-up users like me

Z> Why do they do that?

Because the *nix propeller heads that think they own the Internet don't think that any serious mail server user should hide behind a dial-up connection. One such runs monkeys.com, a major open relay blacklist, and goes by the name of Ron Guilmette. I got a major roasting from him because of my dial-up IP and sub-hosted domain status.

--
Cheers -- .\\arck D Pearlstone -- List moderator
TB! v1.63 Beta/7 on Windows 2000 5.0.2195 Service Pack 2
Re[2]: LIKELY SPAM: Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!:vampire
On Sunday, March 2, 2003, 2:54:50 PM, Marck D Pearlstone wrote:

MDP> FYI - Osiris also BLs Dial-up users like me

Why do they do that?

MDP> so this message will
MDP> get a positive score from them too. It's a *bad* test!

The score for your message was only 0.7, with 5.0 as the trigger - reasonably low. It would seem as though there were enough other factors to compensate for the Osiris factor. Some factors are negative, and subtract from an otherwise high score from routing.

There was a rather big discussion about including Osiris, etc in the scoring. Many seemed to be innocent users who had an ISP that was not good about curtailing spam. Most people thought it would, overall, be a good idea to keep it, and so I left the usual BL suspects in. This was in part because I wanted a 'tight' scoring, but it seems to work very well even with these included.

ztrader
Re: LIKELY SPAM: Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!:vampire
Hi ztrader,

@2-Mar-2003, 14:38 -0800 (22:38 UK time) ztrader [Z] in mid:[EMAIL PROTECTED] said:

TC>> The route that the mail follows? Can I change this? I think not.

Z> It seems as though most of the 'score' is from your routing. Without
Z> the routing, your email would be a rather low score and would get
Z> through easily. You might ask your ISP why they are using a confirmed
Z> spammer route, and forward the above headers to them to help them
Z> check it out.

FYI - Osiris also BLs Dial-up users like me so this message will get a positive score from them too. It's a *bad* test!

--
Cheers -- .\\arck D Pearlstone -- List moderator
TB! v1.63 Beta/7 on Windows 2000 5.0.2195 Service Pack 2
Re: LIKELY SPAM: Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!:vampire
On Sunday, March 2, 2003, 1:22:55 PM, Task Control wrote:

TC> Dear followers of tbudl at thebat.dutaint.com:
TC> Regarding what ztrader posted at the time:

z>> I've included the filter analysis part so you can see why.

TC> I analyze this but I do not understand why.

z>> SPAM: SPAM_PHRASE_00_01 (0.8 points) BODY: Spam phrases score is 00 to 01 (low)
z>> SPAM: RCVD_IN_OSIRUSOFT_COM (0.4 points) RBL: Received via
z>> SPAM: RCVD_IN_RFCI (2.3 points) RBL: Received via a
z>> relay in ipwhois.rfc-ignorant.org
z>> SPAM: RCVD_IN_SBL(3.2 points) RBL: Received via
z>> SBLed relay, see http://www.spamhaus.org/sbl/

TC> The route that the mail follows? Can I change this? I think not.

It seems as though most of the 'score' is from your routing. Without the routing, your email would be a rather low score and would get through easily. You might ask your ISP why they are using a confirmed spammer route, and forward the above headers to them to help them check it out.

ztrader
Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!: vampire
On Sunday, March 2, 2003, 11:14:57 AM, Miguel A. Urech wrote:

MAU> Hello ztrader,

>> You might find this interesting - your email is thought to be spam
>> according to a good spam filter. :-) I've included the filter analysis
>> part so you can see why.

MAU> Well, then the filter perhaps is not that good :-) It wasn't flagged as
MAU> spam by my POPFile which is running on 99.43% accuracy.

I get 500-600 emails a day, and it typically misplaces only one email every 1-3 days - not bad, I'd say. Also, I have it set 'tight' so it is more likely to have a false positive (as this was) than to pollute an otherwise good folder.

I just sent it along to let the writer know the items that were causing it to get flagged. There was a bit of humor because the writer was talking about an anti-spam program.

ztrader
Re[2]: LIKELY SPAM: Re[2]: plugin for the bat!: vampire
Dear followers of tbudl at thebat.dutaint.com:

Regarding what ztrader posted at the time:

z> I've included the filter analysis part so you can see why.

I analyze this but I do not understand why.

z> SPAM: SPAM_PHRASE_00_01 (0.8 points) BODY: Spam phrases score is 00 to 01 (low)
z> SPAM: RCVD_IN_OSIRUSOFT_COM (0.4 points) RBL: Received via
z> SPAM: RCVD_IN_RFCI (2.3 points) RBL: Received via a
z> relay in ipwhois.rfc-ignorant.org
z> SPAM: RCVD_IN_SBL(3.2 points) RBL: Received via
z> SBLed relay, see http://www.spamhaus.org/sbl/

The route that the mail follows? Can I change this? I think not.

--
Signing off,
Task Control
mail: TaskControl at SoftHome dot net
Using:
- Windows 98 4.10.1998
- AVG 6.0 Free Edition
- The Bat! 1.63 Beta/7
- Trillian PRO 1.0 B
Re: LIKELY SPAM: Re[2]: plugin for the bat!: vampire
Hello Paul,

> so, I am a confirmed spam source:) cool!
> I'm not sure I understand exactly why my email got caught, sorry, it
> still doesn't make much sense.

No, you are not a spammer. It wasn't your message Paul, it was the one sent by Task Control :)

--
Best regards,
Miguel A. Urech (El Escorial - Spain)
Using The Bat! v1.62i
Re: LIKELY SPAM: Re[2]: plugin for the bat!: vampire
Hello ztrader,

> You might find this interesting - your email is thought to be spam
> according to a good spam filter. :-) I've included the filter analysis
> part so you can see why.

Well, then the filter perhaps is not that good :-) It wasn't flagged as spam by my POPFile which is running on 99.43% accuracy.

--
Best regards,
Miguel A. Urech (El Escorial - Spain)
Using The Bat! v1.62i
Re: LIKELY SPAM: Re[2]: plugin for the bat!: vampire
On Sunday, March 2, 2003, 12:36 PM, you wrote:

z> You might find this interesting - your email is thought to be spam
z> according to a good spam filter. :-) I've included the filter analysis
z> part so you can see why.

SPAM: X_OSIRU_SPAM_SRC (2.7 points) RBL: DNSBL: sender is Confirmed Spam Source

so, I am a confirmed spam source:) cool!

I'm not sure I understand exactly why my email got caught, sorry, it still doesn't make much sense.

--
Paul
Using The Bat! v1.63 Beta/5 on Windows XP 5.1 Build 2600 Service Pack 1
Re: LIKELY SPAM: Re[2]: plugin for the bat!: vampire
You might find this interesting - your email is thought to be spam according to a good spam filter. :-) I've included the filter analysis part so you can see why.

ztrader

On Sunday, March 2, 2003, 6:39:16 AM, Task Control wrote:

TC> SPAM: Start SpamAssassin results --
TC> SPAM: This mail is probably spam. The original message has been altered
TC> SPAM: so you can recognise or block similar unwanted mail in future.
TC> SPAM: See http://spamassassin.org/tag/ for more details.
TC> SPAM:
TC> SPAM: Content analysis details: (7.60 hits, 5 required)
TC> SPAM: IN_REP_TO (-0.8 points) Found a In-Reply-To header
TC> SPAM: REFERENCES (-0.5 points) Has a valid-looking References header
TC> SPAM: USER_AGENT_THEBAT (0.3 points) X-Mailer header indicates a non-spam MUA (The Bat!)
TC> SPAM: SPAM_PHRASE_00_01 (0.8 points) BODY: Spam phrases score is 00 to 01 (low)
TC> SPAM:[score: 0]
TC> SPAM: SIGNATURE_LONG_SPARSE (-0.3 points) Long signature present (empty lines)
TC> SPAM: RCVD_IN_OSIRUSOFT_COM (0.4 points) RBL: Received via a relay in relays.osirusoft.com
TC> SPAM:[RBL check: found 49.58.62.200.relays.osirusoft.com., type: 127.0.0.4]
TC> SPAM: RCVD_IN_RFCI (2.3 points) RBL: Received via a relay in ipwhois.rfc-ignorant.org
TC> SPAM:[RBL check: found 49.58.62.200.ipwhois.rfc-ignorant.org., type: 127.0.0.6]
TC> SPAM: RCVD_IN_SBL(3.2 points) RBL: Received via SBLed relay, see http://www.spamhaus.org/sbl/
TC> SPAM:[RBL check: found 49.58.62.200.sbl.spamhaus.org.]
TC> SPAM: X_OSIRU_SPAM_SRC (2.7 points) RBL: DNSBL: sender is Confirmed Spam Source
TC> SPAM: AWL(-0.5 points) AWL: Auto-whitelist adjustment
TC> SPAM:
TC> SPAM: End of SpamAssassin results -

TC> Dear followers of tbudl at thebat.dutaint.com:
TC> Regarding what Paul posted at the time:

PC>> very nice, but what is it

TC> It is a plug-in for the new The Bat 1.63+ series, and these "The Bat"
TC> versions are in beta testing now (currently Beta7).

PC>> and what does it do?

TC> It scans your mail messages, and if it finds any spam, it kills it. The user
TC> needs to configure and define the rules to know when some mail is spam.
TC> Some mail can be suspected of being spam; the user defines this again. And these
TC> mails will be put in a junk mail folder (you can rescue them).

PC>> The web page said to download it, but there was no info on the
PC>> product,

TC> When you have installed it, you can see a readme file.

PC>> and the authors web page was in Spanish ( Chilean?).

TC> Yeah, Chilean, the southernmost country in America (Pacific Ocean side)
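The arithmetic behind the remark in this thread that most of the score comes from routing, as an added example that is not part of any list member's post: it parses the SpamAssassin report quoted in the message above, totals the per-rule points, separates the DNSBL ("RBL:") rules from the rest, and recovers the relay address from the reversed-octet lookup names. The function and variable names are this example's own; the report lines are copied from the message with the quote prefixes removed.

```python
import re
from decimal import Decimal

# Report lines copied from the quoted message above, "TC> " prefixes removed.
REPORT = """\
SPAM: Content analysis details: (7.60 hits, 5 required)
SPAM: IN_REP_TO (-0.8 points) Found a In-Reply-To header
SPAM: REFERENCES (-0.5 points) Has a valid-looking References header
SPAM: USER_AGENT_THEBAT (0.3 points) X-Mailer header indicates a non-spam MUA (The Bat!)
SPAM: SPAM_PHRASE_00_01 (0.8 points) BODY: Spam phrases score is 00 to 01 (low)
SPAM: SIGNATURE_LONG_SPARSE (-0.3 points) Long signature present (empty lines)
SPAM: RCVD_IN_OSIRUSOFT_COM (0.4 points) RBL: Received via a relay in relays.osirusoft.com
SPAM:[RBL check: found 49.58.62.200.relays.osirusoft.com., type: 127.0.0.4]
SPAM: RCVD_IN_RFCI (2.3 points) RBL: Received via a relay in ipwhois.rfc-ignorant.org
SPAM:[RBL check: found 49.58.62.200.ipwhois.rfc-ignorant.org., type: 127.0.0.6]
SPAM: RCVD_IN_SBL(3.2 points) RBL: Received via SBLed relay, see http://www.spamhaus.org/sbl/
SPAM:[RBL check: found 49.58.62.200.sbl.spamhaus.org.]
SPAM: X_OSIRU_SPAM_SRC (2.7 points) RBL: DNSBL: sender is Confirmed Spam Source
SPAM: AWL(-0.5 points) AWL: Auto-whitelist adjustment
"""
RULE = re.compile(r"^SPAM:\s*([A-Z0-9_]+)\s*\((-?\d+(?:\.\d+)?) points\)\s*(.*)$")
HITS = re.compile(r"\((\d+(?:\.\d+)?) hits, (\d+(?:\.\d+)?) required\)")
FOUND = re.compile(r"RBL check: found ([\w.-]+?)\.?[,\]]")

def split_dnsbl_name(qname):
    """'49.58.62.200.zone' -> ('200.62.58.49', 'zone'): DNSBLs are queried by reversed octets."""
    labels = qname.split(".")
    return ".".join(reversed(labels[:4])), ".".join(labels[4:])

def summarize(text):
    """Sum the per-rule points, separating DNSBL (RBL) rules from the rest."""
    rules, relays, claimed, required = [], set(), None, None
    for line in text.splitlines():
        if m := RULE.match(line):
            rules.append((Decimal(m[2]), m[3].startswith("RBL:")))
        elif m := HITS.search(line):
            claimed, required = Decimal(m[1]), Decimal(m[2])
        elif m := FOUND.search(line):
            relays.add(split_dnsbl_name(m[1]))
    total = sum(p for p, _ in rules)
    rbl = sum(p for p, is_rbl in rules if is_rbl)
    return {"total": total, "claimed": claimed, "required": required,
            "rbl": rbl, "without_rbl": total - rbl, "relays": sorted(relays)}

if __name__ == "__main__":
    for key, value in summarize(REPORT).items():
        print(f"{key}: {value}")
```

All three `RBL check` lookups resolve to the same relay address, so a single upstream listing is counted by several rules at once.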