Re: google running an open relay?

2008-02-28 Thread Michelle Konzack
Helo *,

On 2008-02-26 07:36:23, Michael Scheidell wrote:
> > If this was too much information, my apologies
> > 
> So, bottom line, either they are running an open relay (since we can 'be
> assured that it did not originate with Google'), or they lie.
> 
> I guess with a company the size of Google, we will be forced to eat our spam
> and love it.
> 
> Reminds me of the droidbot responses I got from yahoo with DKIM signed email
> originating with yahoo telling me that the email didn't come from yahoo.
> 
> Too bad yahoo and google are too high and mighty to actually care about spam
> complaints.
> 
> (anyone here been on the net long enough to remember the 'bimbo' usenet
> spams? What was the name of that big famous company that refused to deal
> with them? Sorry, I don't remember, they aren't around anymore)

My "official" E-Mail-Address (from which I am sending this message)
is currently hit by 2.000 to 63.000 spams per day and I get between
50 and 3000 over verified  accounts.

Also I am the owner of (currently) 50 Mailservers worldwide with in summary
70.000 clients and I am hit by over 6 million spams per day where over
150.000 are coming from  accounts

One of the biggest pigs is <[EMAIL PROTECTED]> or <[EMAIL PROTECTED]>
and I have sent over 800 messages to <[EMAIL PROTECTED]> and get only
automated responses...  and  is continuing to spam my E-Mail
and hundreds of mailinglists...

I think I will set up a BOT to get rid of those  spams and hit ANY
gmail/google/googlegroups employees I can find...

I have done this with rejected messages from  long time ago
and it was working fine

(The owner of the E-Mail has forwarded an account which he/she uses on
Debian-ML and the UOL has rejected those messages and created several
100.000 spams;  And of course, UOL is one of the BIGGER Brazilian ISPs)

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Gmail captcha broken: was Re: google running an open relay?

2008-02-26 Thread Michael Scheidell

Maybe this is it:

(February 25, 2008)
Spammers have figured out a way to defeat the Gmail Captcha
challenge-response mechanism, which is used to ensure that requests to
create new accounts are coming from real people and not from automated
programs.  Spammers successfully broke the Hotmail Captcha program in the
last few weeks.

http://www.theregister.co.uk/2008/02/25/gmail_captcha_crack/print.html


_
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com
_


Re: google running an open relay?

2008-02-26 Thread Michael Scheidell
> From: Chris <[EMAIL PROTECTED]>
> Date: Mon, 25 Feb 2008 21:31:57 -0600
> To: 
> Subject: Re: google running an open relay?
> 
> I received the below from Google ref one of my spam reports, some content has
> been snipped:
> 
> Thank you for your note. This is an automated reply. If you're reporting a
> spam email with a Google return address, please be assured that it did not
> originate with Google. Google does not permit others to send unsolicited
> email through its mail servers.

[snip]
> If this was too much information, my apologies
> 
So, bottom line, either they are running an open relay (since we can 'be
assured that it did not originate with Google'), or they lie.

I guess with a company the size of Google, we will be forced to eat our spam
and love it.

Reminds me of the droidbot responses I got from yahoo with DKIM signed email
originating with yahoo telling me that the email didn't come from yahoo.

Too bad yahoo and google are too high and mighty to actually care about spam
complaints.

(anyone here been on the net long enough to remember the 'bimbo' usenet
spams? What was the name of that big famous company that refused to deal
with them? Sorry, I don't remember, they aren't around anymore)


-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBsd SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium




Re: google running an open relay?

2008-02-25 Thread Chris
On Monday 25 February 2008 9:34 am, Michael Scheidell wrote:
> Based on googles standard 'we don't have any clients who would email
> from google' ignore bot, then what? if google doesn't have any direct
> clients, then does this indicate they are running an open relay? (email
> purports to come from Argentina (and 201.231.43.135 does.), RDNS for first
> untrusted looks like google. whois on netblock shows google in US.
> What types of emails (besides 'gmail.com' ) email is supposed to come
> from google? are we going to start getting postini clients relayed
> through google now?
>
>
> If they don't even have a web site to report 'spam' or open relays to,
> then how would you even contact them?
> (this is the first untrusted received line).
>
I received the below from Google ref one of my spam reports, some content has 
been snipped:

Thank you for your note. This is an automated reply. If you're reporting a
spam email with a Google return address, please be assured that it did not
originate with Google. Google does not permit others to send unsolicited
email through its mail servers.

This was sent from 
> From: "Google Help" <[EMAIL PROTECTED]>

I replied to them with the message headers and what I thought to be evidence
that this spam in fact did come from a Google account. I use a formail recipe
that adds the sender's IP, ASN and CIDR to the end of all messages. This is
what was shown for the spam from Google:

X-SenderIP: 72.14.204.239
X-ASN: ASN-15169
X-CIDR: 72.14.204.0/23

Looking up the sender's IP gave this result:

> [EMAIL PROTECTED] ~]$ nslookup 72.14.204.239
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Non-authoritative answer:
> 239.204.14.72.in-addr.arpa      name = qb-out-0506.google.com.
> 
> Authoritative answers can be found from:
> 204.14.72.in-addr.arpa  nameserver = ns2.google.com.
> 204.14.72.in-addr.arpa  nameserver = ns3.google.com.
> 204.14.72.in-addr.arpa  nameserver = ns1.google.com.
> 204.14.72.in-addr.arpa  nameserver = ns4.google.com.
> ns1.google.com  internet address = 216.239.32.10
> ns2.google.com  internet address = 216.239.34.10
> ns3.google.com  internet address = 216.239.36.10
> ns4.google.com  internet address = 216.239.38.10

The script that I run to report spam to NANAS and to the offending message's
ISP's abuse addresses gave this result:

> Spam IP:  72.14.204.239 (qb-out-0506.google.com)
> Base domain:  google.com
> Message ID:   <[EMAIL PROTECTED]>
> ASN (0):  15169  - CIDR: 72.14.204.0/23
> ASN Org (0):  Google, Inc
> 
> Spamhaus:  
> IPWHOIS:   
> SpamCop:   
> Relays VISI:   
> Composite BL:  
> Dynablock BL:  
> DSBL Proxy:
> DSBL Multihop: 
> SORBS OR:  
> SPEWS L1:  
> SPEWS L2:  
> RFCI P'master: 
> RFCI Abuse:
> RFCI WHOIS:
> RFCI BogusMX:  
> 
> WHOIS Addrs (IP): [EMAIL PROTECTED]
> ASN Addrs:
> RFCI WHOIS:   
> 
> WHOIS addresses (google.com): 
> Abuse.net addresses (google.com): [EMAIL PROTECTED]
> Skipping recursed domains
> Ignore addresses: 
> Recipients: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Recursed recipients: 
> 
> Reporting to [EMAIL PROTECTED], [EMAIL PROTECTED]
> ...with: "Spam report: (72.14.204.239)  Queen Elizabeths The Sec II Foundation"

Whether the report to abuse@ and postmaster@ did any good I don't know, 
however, I haven't heard back from them. This will also give you abuse 
addresses for different domains:

> [EMAIL PROTECTED] ~]$ telnet whois.abuse.net 43
> Trying 208.31.42.95...
> Connected to whois.abuse.net (208.31.42.95).
> Escape character is '^]'.
> google.com
> [EMAIL PROTECTED] (for google.com)
> 

If this was too much information, my apologies

-- 
Chris
KeyID 0xE372A7DA98E6705C




google running an open relay?

2008-02-25 Thread Michael Scheidell
Based on googles standard 'we don't have any clients who would email 
from google' ignore bot, then what? if google doesn't have any direct 
clients, then does this indicate they are running an open relay? (email 
purports to come from Argentina (and 201.231.43.135 does.), RDNS for first
untrusted looks like google. whois on netblock shows google in US.
What types of emails (besides 'gmail.com' ) email is supposed to come 
from google? are we going to start getting postini clients relayed 
through google now?



If they don't even have a web site to report 'spam' or open relays to, 
then how would you even contact them?
(this is the first untrusted received line). 


maybe make a meta?
__FROM_GMAIL

__RCV_GOOGLE

and

GOOGLE_RELAY !__FROM_GMAIL && __RCV_GOOGLE

Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.185])
   by fl.us.spammertrap.net (Postfix) with ESMTP id F24DC2E116
   for <[EMAIL PROTECTED]>; Mon, 25 Feb 2008 09:07:49 -0500 (EST)
Received: by rv-out-0910.google.com with SMTP id f5so1286176rvb.59
   for <[EMAIL PROTECTED]>; Mon, 25 Feb 2008 06:07:47 -0800 (PST)
Received: by 10.140.251.1 with SMTP id y1mr2106744rvh.149.1203948466792;
   Mon, 25 Feb 2008 06:07:46 -0800 (PST)
Received: from owcom2 ( [201.231.43.135])
   by mx.google.com with ESMTPS id s54sm6210986rnb.10.2008.02.25.06.06.41
   (version=SSLv3 cipher=RC4-MD5);
   Mon, 25 Feb 2008 06:07:35 -0800 (PST)
Message-ID: <[EMAIL PROTECTED]>
From: "Gonzalo Caseres - Openware" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Openware Argentina
Date: Mon, 25 Feb 2008 12:01:07 -0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="=_NextPart_000_00AE_01C877A6.1A73C3D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: [EMAIL PROTECTED]


--
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
> *| *SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
www.technosium.com/hotcompanies/ 

