IP -> Responsible Person

2007-04-24 Thread Marc Perkel
Is there an algorithm that one can feed an IP address into and return 
the email address of the responsible person for the IP to report spam to?




Re: IP -> Responsible Person

2007-04-24 Thread Matt Kettler
Marc Perkel wrote:
> Is there an algorithm that one can feed an IP address into and return
> the email address of the responsible person for the IP to report spam to?
>
>
That works 100%? no.

That works sometimes? ARIN's ip whois.

That's really the most accurate source out there.


Re: IP -> Responsible Person

2007-04-24 Thread John Rudd

Matt Kettler wrote:
> Marc Perkel wrote:
>> Is there an algorithm that one can feed an IP address into and return
>> the email address of the responsible person for the IP to report spam to?
>
> That works 100%? no.
>
> That works sometimes? ARIN's ip whois.
>
> That's really the most accurate source out there.


I wish abuse.net supported that for the [EMAIL PROTECTED] email stuff (so you 
could email [EMAIL PROTECTED]).  But that'd probably be much harder for 
them to keep track of.


RE: IP -> Responsible Person

2007-04-25 Thread Michael Scheidell

> -Original Message-
> From: Marc Perkel [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, April 25, 2007 12:04 AM
> To: users@spamassassin.apache.org
> Subject: IP -> Responsible Person
> 
> 
> Is there an algorithm that one can feed an IP address into and return 
> the email address of the responsible person for the IP to 
> report spam to?
> 
>

You could do extended whois lookups, backtrace that if there is an
rwhois reference.
(RFCI used to keep a blacklist of those with messed up contact
information) but this information is unreliable, despite RFCs stating
it should be accurate.

You could do AS number lookups, but most likely you will be targeting a
large ISP or IAP.

NEITHER OF WHICH is supposed to be used to report abuse.

(example:  whois 204.89.241.175 brings you our dns contact addresses.
NOT our abuse addresses)

Another example:  if you looked up our routing/AS number, it would be
for our tier1 provider.
Yes, you could submit abuse reports there, but why bother?

I think spamcop TRIES, and if you sign up for a spamcop account and use
spamassassin -r they will attempt to backtrace it.

-- 
Michael Scheidell, CTO
Join SECNAP at SecureWorld Atlanta, May 1-2
http://www.secnap.com/events for free and discounted seminar tickets 


Re: IP -> Responsible Person

2007-04-25 Thread John Rudd

Michael Scheidell wrote:
>> -Original Message-
>> From: Marc Perkel [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, April 25, 2007 12:04 AM
>> To: users@spamassassin.apache.org
>> Subject: IP -> Responsible Person
>>
>> Is there an algorithm that one can feed an IP address into and return
>> the email address of the responsible person for the IP to
>> report spam to?
>
> You could do extended whois lookups, backtrace that if there is an
> rwhois reference.
> (RFCI used to keep a blacklist of those with messed up contact
> information) but this information is unreliable, despite RFCs stating
> it should be accurate.
>
> You could do AS number lookups, but most likely you will be targeting a
> large ISP or IAP.
>
> NEITHER OF WHICH is supposed to be used to report abuse.
>
> (example:  whois 204.89.241.175 brings you our dns contact addresses.
> NOT our abuse addresses)



Right, but there are some registries that put in a blank for the abuse 
address.


Though, I can't think of any examples right now.  I just know I've seen 
an abuse field in some registry lookups in the past.


It would be nice if it was a required field for all IP whois entries, 
from all registries.


Re: IP -> Responsible Person

2007-04-25 Thread Bob McClure Jr
On Tue, Apr 24, 2007 at 09:03:51PM -0700, Marc Perkel wrote:
> Is there an algorithm that one can feed an IP address into and return 
> the email address of the responsible person for the IP to report spam to?

There is the command-line "whois", as well as the ARIN web site

http://www.arin.net/whois/index.html

whois is quicker and easier and drills down to foreign registries, but
doesn't always return what you need.  The ARIN web site isn't as easy
to use, but always returns useful information for North American
networks, and provides links to foreign registries like it.

I have a policy of reporting any spam I have to touch, such as that
sent to my postmaster address and submissions to my closed mailing
list.  I have developed a script to automate as much of the look-up as
I can.  I herewith offer it.  I call it "ew" for "extended whois".  It
sorts the email addresses found, so "abuse" is easily found at the
beginning of the list.

=8<
#!/usr/bin/perl -w
# ew - "extended whois": run whois on an IP address (or on a NET- handle
# found in an earlier answer), collect every contact address seen, and
# recurse into the parent network if one is named.  The list archive
# scrubbed a few tokens out of this script ("[EMAIL PROTECTED]", the
# <WHO> filehandle, the usage placeholder); they are restored below.
use strict;
my $myname = $0;
$myname =~ s@.*/@@;                     # basename of this script
@ARGV || die("usage: $myname <ip-address>\n");
&whois(shift);
exit 0;

sub whois
{
	my($arg) = @_;
	# Strip out IPV6 stuff.
	$arg =~ s/^::://;
	my($line, $key, $val);
	my(%email) = ();
	my $state = "";
	my $country = "";
	my $netname = "";
	# Something that looks like an email address (the archive replaced
	# the original pattern with "[EMAIL PROTECTED]"; this is a stand-in).
	my $addr = qr/([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)/;
	# List-form open: whois is run directly rather than through a shell,
	# so the argument cannot carry shell metacharacters into the command.
	if(open(WHO, "-|", "whois", $arg))
	{
		while(defined($line = <WHO>))
		{
			chomp $line;
			# Some of these have CRs, too.
			$line =~ s/\r//g;
			# Look for any net names in parens.
			$line =~ /\((NET-[\w-]+)\)/ && do
			{
				$netname = $1;
			};
			# Split "Key: value".  Use $key, not $arg, so the original
			# argument survives for the recursion check at the bottom.
			next unless (($key, $val) = split(/ *: */, $line, 2));
			# Extract any email addresses;
			$key =~ /mail/i && do
			{
				$email{$val} = 1;
				# If it's the abuse email, that's enough for us.
				last if $key =~ /abuseemail/i;
			};
			$key =~ /trouble/i && do
			{
				$val =~ $addr && ($email{$1} = 1);
				next;
			};
			$key =~ /remarks/i && do
			{
				$val =~ $addr && ($email{$1} = 1);
				next;
			};
			# Take the first state entry.  Match the field name rather
			# than the whole line so a value like "State College" is
			# not mistaken for a state field.
			$key =~ /state/i && do
			{
				$state = $val unless $state;
				next;
			};
			# Take the first country entry.
			$key =~ /country/i && do
			{
				$country = $val unless $country;
				next;
			};
			# Catch-all
			$line =~ $addr && ($email{$1} = 1);
		}
		close WHO;
		($state || $country) && print "Owner is in $state, $country\n";
		%email && print "Email to ", join(", ", sort keys %email), "\n";
	}
	else
	{
		warn "Could not run whois: $!\n";
	}
	$netname && do
	{
#		warn "netname found: $netname";
		$netname ne $arg && &whois($netname);
	};
}
=8<
Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
If my people, who are called by my name, will humble themselves and
pray and seek my face and turn from their wicked ways, then will I
hear from heaven and will forgive their sin and will heal their land.
2 Chronicles 7:14 (NIV)
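The parsing that "ew" does (collect every address in a whois answer, treat an abuse field as the one that matters, sort so abuse comes first, and note any "(NET-...)" parent handle for a follow-up query) is shown here in Python as an added example. It is not the author's script or anything from the list; the two whois answers are constructed samples in ARIN and RIPE style with placeholder addresses, and no network lookup is performed.

```python
import re

# Constructed sample whois answers (placeholder names and addresses, not
# real registry records).  The first is in ARIN's "Key: value" style and
# carries an explicit abuse field; the second is RIPE-style and only
# mentions a contact in a remarks line, which is the case ew's
# trouble/remarks branches exist for.
SAMPLE_ARIN = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
NetHandle:      NET-192-0-2-0-1
Parent:         EXAMPLE-PARENT (NET-192-0-0-0-0)
OrgName:        Example Networks
StateProv:      TX
Country:        US
OrgTechEmail:   hostmaster@example.net
OrgAbuseHandle: ABUSE-EX
OrgAbuseEmail:  abuse@example.net
Comment:        Report problems to noc@example.net
"""

SAMPLE_RIPE = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-RIPE
country:        DE
remarks:        trouble: security problems -> security@example.de
e-mail:         admin@example.de
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NET_HANDLE_RE = re.compile(r"\((NET-[\w-]+)\)")   # "(NET-...)" parent handles
KV_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*:\s*(.*)$")


def parse_whois(text):
    """Collect contact data from one whois answer, the way ew does."""
    info = {"abuse": None, "emails": set(), "handles": [],
            "state": "", "country": ""}
    for raw in text.splitlines():
        line = raw.rstrip("\r")              # some registries send CRLF
        m = NET_HANDLE_RE.search(line)
        if m and m.group(1) not in info["handles"]:
            info["handles"].append(m.group(1))
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, val = kv.group(1).lower(), kv.group(2).strip()
        # Keep only the first state/country seen; parent records repeat them.
        if "state" in key and not info["state"]:
            info["state"] = val
        elif "country" in key and not info["country"]:
            info["country"] = val
        # Any address on the line is a candidate; an address in a field
        # whose name contains "abuse" is the registry's abuse contact.
        for addr in EMAIL_RE.findall(val):
            addr = addr.lower()
            info["emails"].add(addr)
            if "abuse" in key and info["abuse"] is None:
                info["abuse"] = addr
    return info


def report_candidates(info):
    """Addresses sorted so the registry's abuse field, then any abuse@
    localpart, come first; the rest alphabetical for a human to pick from."""
    return sorted(info["emails"],
                  key=lambda a: (a != info["abuse"],
                                 not a.startswith("abuse@"), a))


def next_lookups(info, looked_up):
    """NET- handles worth a follow-up query (ew recurses into these)."""
    return [h for h in info["handles"] if h != looked_up]


if __name__ == "__main__":
    for name, text in (("ARIN-style", SAMPLE_ARIN), ("RIPE-style", SAMPLE_RIPE)):
        info = parse_whois(text)
        print(name, "owner in", info["state"], info["country"])
        print("  abuse field:", info["abuse"])
        print("  email to:", ", ".join(report_candidates(info)))
        print("  follow up:", next_lookups(info, "192.0.2.1"))
```

The RIPE-style sample is the case Michael Scheidell and John Rudd describe: no abuse field at all, so the parser can only hand back the addresses it found and leave the choice to a person.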


RE: IP -> Responsible Person

2007-04-25 Thread Ken Goods
Bob McClure Jr wrote:
> On Tue, Apr 24, 2007 at 09:03:51PM -0700, Marc Perkel wrote:
>> Is there an algorithm that one can feed an IP address into and return
>> the email address of the responsible person for the IP to report
>> spam to? 
> 
> There is the command-line "whois", as well as the ARIN web site
> 
> http://www.arin.net/whois/index.html
> 


I have been using a tool called Sam Spade since '99 or so. Quick and works
pretty well although it still has the same problems outlined earlier in the
thread as all it does is whois lookups. But on the plus side it's really
quick and gives you the opportunity to either go with a "magic" lookup which
tries to auto-determine the correct whois server or it lets you select the
server you want to hit. I use it not only for these kinds of lookups, but
it's also very useful when going through my logs looking at questionable
connections.

When doing any kind of lookups I always start with this tool. I really like
the fact that if there is a subnet block in the whois returned, you can
simply click on any of the subnets and it will do a lookup on that subnet.
For that matter you have the ability to click on any blue link in the
returned data and it will pre-fill that into the lookup box to do another
lookup... very useful. It also attempts to do lookups at abuse.net although
this is only sometimes helpful.

AFAIK it only runs on Windose machines but there may be a *nix version out
there somewhere. 

A quick google search turned up 

http://www.softpedia.com/get/Network-Tools/Network-Tools-Suites/Sam-Spade.shtml

HTH

Kind regards,
Ken


Ken Goods
Network Administrator



Re: IP -> Responsible Person

2007-04-25 Thread Marc Perkel
My thinking on this is that if we had better automated reporting then 
spammers could be shut down at the source and we could reduce spam that 
way. I think what needs to happen is to develop some sort of 
auto-reporting of spam process that's easy and tie in ISPs and the big 
boys into the database so that a surge of reports could auto shutdown 
spammers.


I'm trying an experiment with Yahoo, Gmail, Hotmail, etc. where I'm 
forwarding all Hotmail spam to [EMAIL PROTECTED], yahoo spam to 
[EMAIL PROTECTED] with the idea of shutting down the perps at the source.


What do you all think of this? Can we build a tool or a web service that 
gathers and stores abuse info and turns IP addresses and domain names 
into abuse addresses and do automatic reporting?


Re: IP -> Responsible Person

2007-04-25 Thread Bob McClure Jr
On Wed, Apr 25, 2007 at 09:10:04AM -0700, Marc Perkel wrote:
> My thinking on this is that if we had better automated reporting then 
> spammers could be shut down at the source and we could reduce spam that 
> way. I think what needs to happen is to develop some sort of 
> auto-reporting of spam process that's easy and tie in ISPs and the big 
> boys into the database so that a surge of reports could auto shutdown 
> spammers.

That's my thinking, too.

> I'm trying an experiment with Yahoo, Gmail, Hotmail, etc. where I'm 
> forwarding all Hotmail spam to [EMAIL PROTECTED], yahoo spam to 
> [EMAIL PROTECTED] with the idea of shutting down the perps at the source.

You _are_ going to the IP address in the Received: line(s) and not the
From: address or the envelope sender, right?

> What do you all think of this. Can we build a tool or a web service that 
> gathers and stores abuse info and turns IP addresses and domain names 
> into abuse addresses and do automatic reporting?

Looks like abuse.net has a good start on it.  Have a look at

http://www.abuse.net/using.phtml

In my (abundant) spare time, I'm going to wire that into my "ew" tool,
and if that works reliably enough, I'm going to build a more automated
tool.  In my best of all possible worlds, instead of throwing away
obvious spam (scoring 10 or more), I'm going to identify the sending
IP and auto-report the stuff.

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
If my people, who are called by my name, will humble themselves and
pray and seek my face and turn from their wicked ways, then will I
hear from heaven and will forgive their sin and will heal their land.
2 Chronicles 7:14 (NIV)
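Bob's question above, whether the report is aimed at the IP in the Received: line(s) rather than the From: address, is the step that decides whose abuse contact gets looked up at all. Here is an added Python example (not from the list or from Bob's tool) that walks the Received: chain of a constructed message newest-first, skips hops between relays assumed to be our own (192.0.2.10 and 192.0.2.20 are placeholders for that), and stops at the first external IP; the Received: line below that point was written by the sender's own machine and is deliberately not consulted.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message (not a real capture).  The From: header names
# example.com, but the Received: chain shows the message reached our
# relays (192.0.2.10 and 192.0.2.20, assumed to be ours) from 203.0.113.7.
# The last Received: line was added by the sender's own machine and could
# say anything at all.
SAMPLE_MESSAGE = """\
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
    by mail.example.org with ESMTP id 123; Wed, 25 Apr 2007 09:10:04 -0700
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mx2.example.org with ESMTP id 122; Wed, 25 Apr 2007 09:10:03 -0700
Received: from host.example.com (unknown [203.0.113.7])
    by mx1.example.org with SMTP id 121; Wed, 25 Apr 2007 09:10:02 -0700
Received: from mail.example.com (mail.example.com [198.51.100.9])
    by host.example.com with ESMTP id 9; Wed, 25 Apr 2007 09:09:50 -0700
From: "Accounts" <accounts@example.com>
To: postmaster@example.org
Subject: test

body
"""

# Our own relays (assumed): hops between them are internal, the hop that
# handed the message to the first of them is the external sender.
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10"),
                  ipaddress.ip_address("192.0.2.20")}
BRACKET_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def received_from_ip(header):
    """IP in the 'from ... [addr]' clause of one Received: header, or None."""
    flat = " ".join(header.split())              # unfold continuation lines
    from_clause = flat.split(" by ", 1)[0]       # ignore the 'by' side
    for cand in BRACKET_IP_RE.findall(from_clause):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:                       # bracketed junk, not an IP
            continue
    return None


def originating_ip(raw_message, trusted=TRUSTED_RELAYS):
    """Walk Received: headers newest-first and return the first sending IP
    that is not one of our relays.  Headers below that point were written
    by the sender (or forged) and are not consulted."""
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        ip = received_from_ip(hdr)
        if ip is None or ip in trusted:
            continue
        return str(ip)
    return None


def claimed_sender_domain(raw_message):
    """Domain in From: -- what the message says, not who to report to."""
    sender = message_from_string(raw_message)["From"] or ""
    m = re.search(r"@([\w.-]+)", sender)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("From: claims", claimed_sender_domain(SAMPLE_MESSAGE))
    print("report to the owner of", originating_ip(SAMPLE_MESSAGE))
```

The set of trusted relays is the one input that has to be right: with it empty, the walk stops at our own border relay and the report would go to ourselves.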


Re: IP -> Responsible Person

2007-04-25 Thread John Rudd

Marc Perkel wrote:
> My thinking on this is that if we had better automated reporting then
> spammers could be shut down at the source and we could reduce spam that
> way. I think what needs to happen is to develop some sort of
> auto-reporting of spam process that's easy and tie in ISPs and the big
> boys into the database so that a surge of reports could auto shutdown
> spammers.
>
> I'm trying an experiment with Yahoo, Gmail, Hotmail, etc. where I'm
> forwarding all Hotmail spam to [EMAIL PROTECTED], yahoo spam to
> [EMAIL PROTECTED] with the idea of shutting down the perps at the source.
>
> What do you all think of this? Can we build a tool or a web service that
> gathers and stores abuse info and turns IP addresses and domain names
> into abuse addresses and do automatic reporting?



Auto-reporting is a colossally bad idea.

a) One person's trash is another person's treasure.  Similarly, one 
person's treasure is another person's trash.


b) Being blacklisted for a false-positive is inexcusable.

c) Being blacklisted due to stupid-user reports is also inexcusable.

d) flooding an abuse address with messages that may or may not actually 
be spam is also inexcusably rude.



The only way to prevent the problems that are caused by these is to 
insist upon some level of human review of the message before it is sent 
on to an external mechanism or process.


You shouldn't automatically send things that SA (or any other spam 
detector) said was spam to the related abuse@ address ... because the 
spam detector may be wrong.  What if you're sending them a bunch of 
false positives?  That just undermines YOUR credibility with the  abuse 
group you're reporting to, making community anti-spam efforts HARDER 
instead of easier.


Further, a deluge of spam is not helpful.  An analysis of the problem 
("your web server is sending this out through your outbound mail 
gateway, and it looks like you've got a broken submit form on the web 
server") followed by links to evidence (copies of the messages) that 
backs up the analysis is FAR more useful than just forwarding the 
alleged spam itself.




Re: IP -> Responsible Person

2007-04-25 Thread Marc Perkel



John Rudd wrote:
> Marc Perkel wrote:
>> My thinking on this is that if we had better automated reporting then
>> spammers could be shut down at the source and we could reduce spam
>> that way. I think what needs to happen is to develop some sort of
>> auto-reporting of spam process that's easy and tie in ISPs and the
>> big boys into the database so that a surge of reports could auto
>> shutdown spammers.
>>
>> I'm trying an experiment with Yahoo, Gmail, Hotmail, etc. where I'm
>> forwarding all Hotmail spam to [EMAIL PROTECTED], yahoo spam to
>> [EMAIL PROTECTED] with the idea of shutting down the perps at the source.
>>
>> What do you all think of this? Can we build a tool or a web service
>> that gathers and stores abuse info and turns IP addresses and domain
>> names into abuse addresses and do automatic reporting?
>
> Auto-reporting is a colossally bad idea.
>
> a) One person's trash is another person's treasure.  Similarly, one
> person's treasure is another person's trash.
>
> b) Being blacklisted for a false-positive is inexcusable.
>
> c) Being blacklisted due to stupid-user reports is also inexcusable.
>
> d) flooding an abuse address with messages that may or may not
> actually be spam is also inexcusably rude.
>
> The only way to prevent the problems that are caused by these is to
> insist upon some level of human review of the message before it is
> sent on to an external mechanism or process.
>
> You shouldn't automatically send things that SA (or any other spam
> detector) said was spam to the related abuse@ address ... because the
> spam detector may be wrong.  What if you're sending them a bunch of
> false positives?  That just undermines YOUR credibility with the
> abuse group you're reporting to, making community anti-spam efforts
> HARDER instead of easier.
>
> Further, a deluge of spam is not helpful.  An analysis of the problem
> ("your web server is sending this out through your outbound mail
> gateway, and it looks like you've got a broken submit form on the web
> server") followed by links to evidence (copies of the messages) that
> backs up the analysis is FAR more useful than just forwarding the
> alleged spam itself.




I agree it would have to be done right. Here's what I'm thinking: 
autoreporting could go to a screening system that would track these auto 
generated complaints. A few complaints wouldn't cause anything to happen, 
but let's say the complaint rate is coming in really fast. That would 
indicate a problem. For example, say I'm Comcast and I see hundreds of 
complaints coming in for a dynamic IP. They probably have a virus. 
Software could shut down port 25 or at least rate limit it until someone 
can look into it.




Re: IP -> Responsible Person

2007-04-25 Thread Chris St. Pierre

On Wed, 25 Apr 2007, Marc Perkel wrote:
> I agree it would have to be done right. Here's what I'm thinking:
> autoreporting could go to a screening system that would track these auto
> generated complaints. A few complaints wouldn't cause anything to happen,
> but let's say the complaint rate is coming in really fast. That would
> indicate a problem. For example, say I'm Comcast and I see hundreds of
> complaints coming in for a dynamic IP. They probably have a virus.
> Software could shut down port 25 or at least rate limit it until someone
> can look into it.


What do spammers do best?  I'll give you a minute to think about it.

...

If you said, "Send a lot of email really quickly," you were right!

Why on earth would you willingly make the ability to DOS a site
dependent on volume, the one thing that spammers are the best at?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

Never send mail to [EMAIL PROTECTED]



Re: IP -> Responsible Person

2007-04-25 Thread JamesDR
Chris St. Pierre wrote:
> On Wed, 25 Apr 2007, Marc Perkel wrote:
> 
>> I agree it would have to be done right. Here's what I'm thinking:
>> autoreporting could go to a screening system that would track
>> these auto generated complaints. A few complaints wouldn't cause
>> anything to happen, but let's say the complaint rate is coming in really
>> fast. That would indicate a problem. For example, say I'm Comcast and
>> I see hundreds of complaints coming in for a dynamic IP. They probably
>> have a virus. Software could shut down port 25 or at least rate limit
>> it until someone can look into it.
> 
> What do spammers do best?  I'll give you a minute to think about it.
> 
> ...
> 
> If you said, "Send a lot of email really quickly," you were right!
> 
> Why on earth would you willingly make the ability to DOS a site
> dependent on volume, the one thing that spammers are the best at?
> 
> Chris St. Pierre


If it was based upon the last hop IP, then they are already in trouble
for generating so much sending traffic.

The issue with mailing someone 'in charge' or the abuse address is that
most ISPs really could care less if one of their users were spamming.
It isn't really profit effective for them to block outbound spam. No
amount of paying users will change this. The only way, I see anyhow,
for ISPs to change their ways is when their profit margins are hurt by
their users spamming. Their concerns now, from what I read, are based
more on P2P usage or some kind of streaming service. It seems ISPs
really could care less.
At one point in time, I tried to send reports to some ISPs (RR,
Comcast, AOL, Bellsouth, Verizon and a few others) with no noticeable
change in the amount of spam received from these ISPs.
If such a system were implemented I'm willing to bet one automated
system will talk to another that will simply, over time, just /dev/null
the reports.

-- 
Thanks,
James


Re: IP -> Responsible Person

2007-04-25 Thread John Rudd

JamesDR wrote:
> At one point in time, I tried to send reports to some ISPs (RR,
> Comcast, AOL, Bellsouth, Verizon and a few others) with no noticeable
> change in the amount of spam received from these ISPs.
> If such a system were implemented I'm willing to bet one automated
> system will talk to another that will simply, over time, just /dev/null
> the reports.




I used to do something similar, but not with spam.  It was with virus 
infected messages.  It would send a report for each mail relay, with 
stanzas for each virus laden email message that had hit my mail servers 
from that relay.  It did various things to try to send to the abuse 
address for that relay.



For 80-90% of the messages sent, I never got any kind of response.

Of the responses I did get, the majority were dumb auto-responders.

A big chunk were ticket system auto-responders, for which I almost never 
got a follow up.


The very few messages where I did eventually get a follow-up via their 
ticket system, or a personal reply, were from the minor ISPs and medium 
to small sized companies.  I never got responses from yahoo, aol, nor 
hotmail (and I stopped doing this before gmail got to be big enough to 
show up on my horizon).



Mostly, the report served to fill up my own "root" mail folder with 
reports.  It didn't seem to actually be very useful for cleaning up the 
larger problem.  The main offenders, ISP wise, tended to be pretty 
consistent.




Re: IP -> Responsible Person

2007-04-25 Thread Matt Kettler
Marc Perkel wrote:
>
> I agree it would have to be done right. Here's what I'm thinking:
> autoreporting could go to a screening system that would track
> these auto generated complaints. A few complaints wouldn't cause
> anything to happen, but let's say the complaint rate is coming in really
> fast. That would indicate a problem. For example, say I'm Comcast and
> I see hundreds of complaints coming in for a dynamic IP. They probably
> have a virus. Software could shut down port 25 or at least rate limit
> it until someone can look into it.

You imply Comcast has sufficient technical know-how to manage a network.

For a while their own outbound mailserver wasn't even generating a HELO
or EHLO.


Re: IP -> Responsible Person

2007-04-26 Thread Marc Perkel



Matt Kettler wrote:
> You imply Comcast has sufficient technical know-how to manage a network.
>
> For a while their own outbound mailserver wasn't even generating a HELO
> or EHLO.


Is that what it was? I had been getting a lot of complaints that random 
Comcast users couldn't email anyone on our servers and I never did 
figure out what the problem was. I thought they were using some brain 
dead MTA like Qmail and couldn't set their RDNS correctly, another 
Comcast problem.