Troy.
At 07:28 PM 12/7/2002 Saturday, Roy Badami wrote:
------- Start of forwarded message -------
FYI:
I just received a spam which was successfully confirmed by an
autoresponder from the sender.
It's not clear that the autoresponse was designed to bypass TMDA,
because the response has body content, which is obviously unnecessary
in a confirmation response.
I suspect that it's simply a dumb autoresponder, but unfortunately,
the body content appears to be in Korean, so it's difficult to be
sure. Still, a dumb autoresponder is good enough to get round TMDA :-(
Sendmail logs and a copy of the spam and response are included below.
-roy
--------------------
Here is the sendmail log of the original message coming in:
Dec 6 05:35:01 moriarty sm-mta[24216]: gB65Z0N1024216: from=<[EMAIL PROTECTED]>, size=1730, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=fetchmail@localhost [127.0.0.1]
Dec 6 05:36:05 moriarty sm-mta[24225]: gB65Z0N1024216: to=<roy@localhost>, delay=00:01:04, xdelay=00:01:04, mailer=local, pri=31927, dsn=2.0.0, stat=Sent
Here is the confirmation request going out:
Dec 6 05:36:05 moriarty sm-mta[24234]: gB65a4N1024234: from=<>, size=4749, class=-60, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=roy@localhost [127.0.0.1]
Dec 6 05:36:17 moriarty sm-mta[24237]: gB65a4N1024234: to=<[EMAIL PROTECTED]>, delay=00:00:12, xdelay=00:00:12, mailer=esmtp, pri=138421, relay=rcvmail3.naver.com. [211.218.150.222], dsn=2.0.0, stat=Sent (Message accepted for delivery)
And here is the confirmation coming back:
Dec 6 05:40:08 moriarty sm-mta[24260]: gB65e7N1024260: from=<[EMAIL PROTECTED]>, size=9195, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=fetchmail@localhost [127.0.0.1]
Dec 6 05:41:11 moriarty sm-mta[24269]: gB65e7N1024260: to=<roy+confirm+1039152964.24233.29e7b9@localhost>, delay=00:01:03, xdelay=00:01:03, mailer=local, pri=39422, relay=confirm+1039152964.24233.29e7b9, dsn=2.0.0, stat=Sent
Here is the spam as received by me:
>From [EMAIL PROTECTED] Fri Dec 6 05:35:01 2002
Return-Path: <[EMAIL PROTECTED]>
Received: from localhost (fetchmail@localhost [127.0.0.1])
by moriarty.gnomon.org.uk (8.12.3/8.12.3/Debian -4) with ESMTP id gB65Z0N1024216
for <roy@localhost>; Fri, 6 Dec 2002 05:35:01 GMT
Received: from pop3.demon.co.uk
by localhost with POP3 (fetchmail-5.9.11)
for roy@localhost (multi-drop); Fri, 06 Dec 2002 05:35:01 +0000 (GMT)
Received: from punt-1.mail.demon.net by mailstore for [EMAIL PROTECTED]
id 1039152512:10:02853:0; Fri, 06 Dec 2002 05:28:32 GMT
Received: from smtp.easydns.com ([205.210.42.30]) by punt-1.mail.demon.net
id aa1002446; 6 Dec 2002 5:28 GMT
Received: from gnomon.org.uk (unknown [218.232.31.136])
by smtp.easydns.com (Postfix) with SMTP id 7E9D12C55F
for <[EMAIL PROTECTED]>; Fri, 6 Dec 2002 00:28:08 -0500 (EST)
From: <[EMAIL PROTECTED]>
Subject: () ...
Content-Type: text/html;charset=ks_c_5601-1987
Message-Id: <[EMAIL PROTECTED]>
Date: Fri, 6 Dec 2002 00:28:08 -0500 (EST)
To: undisclosed-recipients:;
<DIV align=center>
<FONT face= size=2 color=#8bb5e2>
[] .</FONT><BR>
<A style="PADDING-RIGHT: 3px; PADDING-LEFT: 3px; FONT-SIZE: 12px;
PADDING-BOTTOM: 3px; COLOR: #ffff00; PADDING-TOP: 3px; FONT-FAMILY: ;
BACKGROUND-COLOR: #8bb5e2; TEXT-DECORATION: none"
href="mailto:[EMAIL PROTECTED]">[Deny]</A>
<FONT color=#8bb5e2 size=2 color=#8bb5e2> .<br>
If you don't want to receive this mail anymore, click here [Deny]</FONT>
</DIV>
<HR color=#8bb5e2>
And here is the confirmation message:
>From [EMAIL PROTECTED] Fri Dec 6 05:40:08 2002
Return-Path: <[EMAIL PROTECTED]>
Received: from localhost (fetchmail@localhost [127.0.0.1])
by moriarty.gnomon.org.uk (8.12.3/8.12.3/Debian -4) with ESMTP id gB65e7N1024260
for <roy+confirm+1039152964.24233.29e7b9@localhost>; Fri, 6 Dec 2002 05:40:08 GMT
Received: from pop3.demon.co.uk
by localhost with POP3 (fetchmail-5.9.11)
for roy+confirm+1039152964.24233.29e7b9@localhost (multi-drop); Fri, 06 Dec 2002 05:40:08 +0000 (GMT)
Received: from punt-1.mail.demon.net by mailstore
for [EMAIL PROTECTED]
id 1039152785:10:08461:24; Fri, 06 Dec 2002 05:33:05 GMT
Received: from [211.218.150.124] ([211.218.150.124]) by punt-1.mail.demon.net
id aa1007508; 6 Dec 2002 5:32 GMT
Received: (qmail 28411 invoked from network); 6 Dec 2002 05:32:08 -0000
Received: from naver332.naver.com (HELO naver332) (211.218.150.12)
by naver775.naver.com with SMTP; 6 Dec 2002 05:32:08 -0000
MIME-Version: 1.0
Message-Id: <[EMAIL PROTECTED]>
Content-Type: Multipart/Mixed;
boundary="------------Boundary-00=_JDNOPWYXFQQMYJ0CCJD0"
From: <[EMAIL PROTECTED]>
Date: Fri, 6 Dec 2002 14:32:07 +0900 (KST)
To: <[EMAIL PROTECTED]>
Subject: =?ks_c_5601-1987?B?uN7AzyDA/LzbIL3HxtAgvsu4siA8eGl4bnNkQG5hdmVyLmNvbT4=?=
X-Mailer: NAVER Mailer 1.0
--------------Boundary-00=_JDNOPWYXFQQMYJ0CCJD0
Content-Type: Multipart/Alternative;
boundary="------------Boundary-00=_JDNOZBQXFQQMYJ0CCJD0"
--------------Boundary-00=_JDNOZBQXFQQMYJ0CCJD0
Content-Type: Text/Plain;
charset="euc-kr"
Content-Transfer-Encoding: base64
--------------Boundary-00=_JDNOZBQXFQQMYJ0CCJD0
Content-Type: Text/HTML;
charset="euc-kr"
Content-Transfer-Encoding: base64
--------------Boundary-00=_JDNOZBQXFQQMYJ0CCJD0--
--------------Boundary-00=_JDNOPWYXFQQMYJ0CCJD0
Content-Type: message/rfc822;
name="Please confirm your message.eml"
Content-Disposition: attachment;
Filename="Please confirm your message.eml"
Content-Transfer-Encoding: 8bit
Received: (qmail 21936 invoked from network); 6 Dec 2002 05:31:59 -0000
Received: from unknown (HELO naver442.naver.com) (211.218.150.222)
by naver332 with SMTP; 6 Dec 2002 05:32:00 -0000
Received: from [80.4.0.12] by
naver442.naver.com (Terrace Internet Messaging Server 3.1)
with ESMTP id 2002120614:31:56:361774.17086.41271518
for <[EMAIL PROTECTED]>;
Fri, 06 Dec 2002 14:31:54 +0900 (KST)
Received: from moriarty.gnomon.org.uk (roy@localhost [127.0.0.1])
by moriarty.gnomon.org.uk (8.12.3/8.12.3/Debian -4) with ESMTP id gB65a4N1024234
for <[EMAIL PROTECTED]>; Fri, 6 Dec 2002 05:36:05 GMT
From: "Roy Badami" <[EMAIL PROTECTED]>
Subject: Please confirm your message
Date: Fri, 06 Dec 2002 05:36:04 +0000 (GMT)
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Precedence: bulk
X-Delivery-Agent: TMDA/0.62
This message was created automatically by mail delivery software (TMDA).
Your e-mail message with the subject of "() ..."
is being held because your address has not been verified.
To release your message for delivery, please send an empty message
to the following address, or use your mailer's "Reply" feature.
[EMAIL PROTECTED]
This confirmation verifies that your message is legitimate and not
junk-mail. You should only have to confirm your address once.
(If you do not respond to this confirmation request, your message will
not be delivered. This works to combat junk mail because most senders
of junk mail do not include a valid return address, and those that do
rarely respond to requests such as these.)
--- Enclosed is a copy of your message.
>From [EMAIL PROTECTED] Fri Dec 6 05:35:01 2002
Return-Path: <[EMAIL PROTECTED]>
Received: from localhost (fetchmail@localhost [127.0.0.1])
by moriarty.gnomon.org.uk (8.12.3/8.12.3/Debian -4) with ESMTP id gB65Z0N1024216
for <roy@localhost>; Fri, 6 Dec 2002 05:35:01 GMT
Received: from pop3.demon.co.uk
by localhost with POP3 (fetchmail-5.9.11)
for roy@localhost (multi-drop); Fri, 06 Dec 2002 05:35:01 +0000 (GMT)
Received: from punt-1.mail.demon.net by mailstore for [EMAIL PROTECTED]
id 1039152512:10:02853:0; Fri, 06 Dec 2002 05:28:32 GMT
Received: from smtp.easydns.com ([205.210.42.30]) by punt-1.mail.demon.net
id aa1002446; 6 Dec 2002 5:28 GMT
Received: from gnomon.org.uk (unknown [218.232.31.136])
by smtp.easydns.com (Postfix) with SMTP id 7E9D12C55F
for <[EMAIL PROTECTED]>; Fri, 6 Dec 2002 00:28:08 -0500 (EST)
From: <[EMAIL PROTECTED]>
Subject: () ...
Content-Type: text/html;charset=ks_c_5601-1987
Message-Id: <[EMAIL PROTECTED]>
Date: Fri, 6 Dec 2002 00:28:08 -0500 (EST)
To: undisclosed-recipients:;
X-Spam-Status: Yes, hits=13.3 required=5.0
tests=AWL,CLICK_BELOW,CTYPE_JUST_HTML,HTML_50_70,
HTML_FONT_COLOR_BLUE,HTML_FONT_COLOR_RED,
HTML_FONT_COLOR_UNSAFE,HTML_FONT_FACE_BAD,
HTML_FONT_FACE_ODD,MAILTO_LINK,MAILTO_TO_SPAM_ADDR,
NO_REAL_NAME,PORN_4,RAZOR2_CHECK,RCVD_IN_RFCI,
SPAM_PHRASE_05_08,UNDISC_RECIPS
version=2.43
X-Spam-Flag: YES
X-Spam-Level: *************
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)
X-Spam-Report: 13.30 hits, 5 required;
* 1.5 -- Valid-looking To "undisclosed-recipients"
* 1.3 -- From: does not include a real name
* 0.3 -- BODY: Asks you to click below
* 1.6 -- BODY: Spam phrases score is 05 to 08 (medium)
[score: 5]
* 0.3 -- BODY: HTML font face is not a commonly used face
* 0.3 -- BODY: HTML font color is red
* 0.3 -- BODY: Message is 50-70% HTML tags
* 0.3 -- BODY: HTML font color not within safe 6x6x6 palette
* 0.2 -- BODY: HTML font color is blue
* 0.2 -- BODY: HTML font face is not a word
* 0.2 -- BODY: Includes a URL link to send an email
* 1.4 -- URI: URL uses words and phrases which indicate porn (4)
* 0.7 -- URI: Includes a link to a likely spammer email address
* 3.9 -- Listed in Razor2, see http://razor.sf.net/
* 2.3 -- RBL: Received via a relay in ipwhois.rfc-ignorant.org
[RBL check: found 136.31.232.218.ipwhois.rfc-ignorant.org., type: 127.0.0.6]
* 0.4 -- HTML-only mail, with no text version
* -1.9 -- AWL: Auto-whitelist adjustment
<DIV align=center>
<FONT face= size=2 color=#8bb5e2>
[] .</FONT><BR>
<A style="PADDING-RIGHT: 3px; PADDING-LEFT: 3px; FONT-SIZE: 12px;
PADDING-BOTTOM: 3px; COLOR: #ffff00; PADDING-TOP: 3px; FONT-FAMILY: ;
BACKGROUND-COLOR: #8bb5e2; TEXT-DECORATION: none"
href="mailto:[EMAIL PROTECTED]">[Deny]</A>
<FONT color=#8bb5e2 size=2 color=#8bb5e2> .<br>
If you don't want to receive this mail anymore, click here [Deny]</FONT>
</DIV>
<HR color=#8bb5e2>
--------------Boundary-00=_JDNOPWYXFQQMYJ0CCJD0--
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
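The reply captured above carries two things a hand-sent empty confirmation would not: a non-empty body and the original challenge attached as `message/rfc822` with its `X-Delivery-Agent: TMDA/0.62` header. The following is an added example, not part of the original post and not TMDA's own code, of a check a confirmation handler could run before releasing held mail; the function names, the strong/weak split, and the `Auto-Submitted` test (RFC 3834, which goes beyond what the post shows) are assumptions.

```python
import email
from email import policy

STRONG = {"auto-submitted", "challenge-attached"}  # assumed policy: these hold the mail

def _leaves(part):
    """Yield leaf parts, treating an attached message as one opaque leaf."""
    if part.get_content_type() != "message/rfc822" and part.is_multipart():
        for sub in part.iter_parts():
            yield from _leaves(sub)
    else:
        yield part

def confirmation_signals(raw: bytes, agent_prefix: str = "TMDA/") -> set:
    """Return the autoresponder indicators found in a confirmation reply."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    # RFC 3834: any value other than "no" means software generated the reply.
    if str(msg.get("Auto-Submitted", "no")).strip().lower() != "no":
        found.add("auto-submitted")
    for part in _leaves(msg):
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)
            # Our own challenge sent back as an attachment, as in the capture.
            if str(inner.get("X-Delivery-Agent", "")).startswith(agent_prefix):
                found.add("challenge-attached")
        elif ctype.startswith("text/") and part.get_content().strip():
            found.add("nonempty-body")  # weak: a person using "Reply" may quote text
    return found

def hold_for_review(raw: bytes) -> bool:
    """True when a strong indicator says the confirmation was automatic."""
    return bool(confirmation_signals(raw) & STRONG)

# Constructed samples (not the captured messages): an autoreply shaped like the
# one in the post, and an empty confirmation as the challenge text asks for.
SAMPLE_AUTOREPLY = (
    b'From: <sender@example.invalid>\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/plain\n\nYour mail was received.\n"
    b"--b1\nContent-Type: message/rfc822\n\n"
    b"Subject: Please confirm your message\nX-Delivery-Agent: TMDA/0.62\n\n"
    b"This message was created automatically.\n--b1--\n"
)
SAMPLE_EMPTY = b"Subject: Re: Please confirm your message\n\n"
```

A body alone is not treated as decisive, since the challenge text invites the sender to use their mailer's "Reply" feature, which often quotes the original.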
