Text 217, 172 rader
Skriven 2005-02-09 14:00:47 av Gerald Miller (1:342/512)
Kommentar till text 215 av mark lewis (1:3634/12)
Ärende: Header
==============
Hello mark,
Responding to a post in the INTERNET area:
On Tuesday February 08 2005 at 04:15,
mark lewis [1:3634/12] wrote to Gerald Miller,
about: Header
[snip]
GM>>>> Is this an "automated" process or is the user able to edit?
ml>>> the edits are done in the templates in the options menu... i've
ml>>> actually modified mine very little, left their basic sig in
ml>>> place, am using a sneakemail address and have no references to
ml>>> my moniker or email address anywhere...
GM>> I guess the first thing that I should get serious about is
GM>> obtaining the sneakemail address -- they don't tell you that
GM>> in the "brief" help file within Abuse!
ml> the abuse folk may not even know about sneakemail ;)
That is a possibility...
ml>>>>> as mentioned in another message, i go thru the spam and
ml>>>>> obfuscate anything that i feel may be some sort of identifier
ml>>>>> to prevent the report from being traced back to me since some
ml>>>>> ISPs turn the reports over to those being accused...
GM>>>> Obfuscate your e-mail address and your ISP address?
ml>>> yup... just like spamcop replaces occurances of foo@bar with a
ml>>> simple x, i, too, do the same... also with message ids, too...
ml>>> following the spamcop methods, i leave the first and last four
ml>>> characters of the ids... however, i don't always replace the
ml>>> removed characters with the same number of underscores...
GM>> It would be preferable if the process of obfuscation was
GM>> "automated"...
ml> agreed!
Such a process may "complicate" the configuration, but my suggestion is an
Abused_User template. The concept is relatively simple... Every
occurrence of user.name is replaced by MY.EMAIL and every occurrence of
isp.address is replaced by MY.ISP. As an example:
=== Cut Begin: ABUSED.TPL ===
Received: from pd4mr7so.prod.conga.net
(pd4mr7so-qfe3.prod.conga.net [10.0.141.84]) by l-daemon (iPlanet
Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id
<0IA5007LXX8D7A@l-daemon> for gerald.miller@conga.net; Tue, 11 Jan 2005
10:14:37 -0700 (MST)
=== Cut End: ABUSED.TPL ===
would be changed to:
=== Cut Begin: ABUSED.TPL ===
Received: from pd4mr7so.prod.my.isp
(pd4mr7so-qfe3.prod.my.isp [10.0.141.84]) by l-daemon (iPlanet
Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id
<0IA5007LXX8D7A@l-daemon> for my.email@my.isp; Tue, 11 Jan 2005
10:14:37 -0700 (MST)
=== Cut End: ABUSED.TPL ===
(Note: CONGA.NET is a "fictitious" ISP.)
ml>>>>> i also use a sneakemail.com address for all spam reports
ml>>>>> i send except those i process thru spamcop.net...
GM>>>> Wouldn't the use of a sneakemail.com address put you in the
GM>>>> same category as a spammer?
ml>>> in what way?? i'm reporting spam to the IP owner and i'm using a
ml>>> means of protecting myself from retribution by the spammers...
ml>>> some of those guys are extremely rabid... you /do not/ want to
ml>>> be the victim of a joe-job by a major spammer... i also do not
ml>>> believe in "list washing" where they remove my address from
ml>>> their list... having to do so still confirms my address as valid
ml>>> and live and there's nothing to stop them from adding said
ml>>> address to their "for sale" address list...
GM>> "in what way??" I was wondering about how an IP owner is
GM>> likely to attach any credence to your report and if they
GM>> would perform any action based on your preferred anonymity.
ml> that depends on the entity receiving the reports... there are many
ml> that will not accept spamcop.net reports and their excuse is the
ml> obfuscation stuffs... me? i don't care... if/when i make a report,
ml> anything that i think may be used to listwash me is obfuscated...
It is a "catch-22" situation! If you leave your email address and ISP
intact, you're open to retribution; if you obfuscate your email address and
ISP, the report is rejected as not being credible.
The aspect of spam is reaching epidemic proportions. The many forms of
spam make it extremely difficult to apply legal definitions to be used as
controls.
My Blacklist is sitting at 2,852 lines and I have MWP set to clean out
"unused" addresses every fifteen days. I have fourty-four filters set up
and I _should_ probably revise / expand the list. At one time, there was a
site that maintained an updated FILTERS.TXT file
(http://www.w5hq.com/MailWasher/MailWasherFilters.txt), but I just visited
it and the revision date is 2003-06-23. I guess the owner of the site has
lost interest and is not maintaining any updates. Are you aware of
anything more recent?
GM>> I think that your mention of retribution, etc, is what is
GM>> holding me from making "full use" of Abuse! I can appreciate
GM>> your "tread lightly" implications as I think my e-mail address
GM>> has been "sold" to the 'porners' and my wife is really freaking
GM>> out!!! Will likely have to contact my ISP and kill my current
GM>> e-mail addy in favor of something more obscure such as what I'm
GM>> using on the W98SE box...
ml> understood... however, one must also understand that there are ways of
ml> verifying that an address is live... one must also understand that one
ml> may have simply been found with a dictionary attack...
I think I understand the concept of a "dictionary attack" -- all possible
forms of a user name / ISP address are listed and sent to a robot? Or is
it more complex than that?
GM>>>> All the time that I've been using MailWasher Pro, I've never
GM>>>> sent a report to SpamCop.net; I only use their facilities to
GM>>>> identify known spam domains.
ml>>> yeah, i've seen problems with doing that... i always did my
ml>>> spamcop.net reporting manually, anyway...
ml>>> the problem i've seen with abuse reporting to spamcop.net
ml>>> appears that the messages are sent too fast and/or too many at a
ml>>> time and thus my ISP kills my access to their SMTP server
ml>>> temporarily 'cause they think that something is spamming from my
ml>>> connection... i've brought this up to the abuse folk but haven't
ml>>> checked over there in a while...
GM>> Is it not possible to queue the reports and release them over
GM>> a time span?
ml> no, it is not... not with abuse... each report goes now... but we must
ml> also remember that we're talking about the abuse capability of sending
ml> the spam to spamcop.net for one to report from... the problem is that
ml> if you select 50 spams at once to file with spamcop.net, all 50 are
ml> sent rapidly in much the same way that a report to 5 abuse addresses
ml> are all sent very fast...
Yes, I can see that "mass" processing would present some problems...
Ideally, Abuse! reporting should be coordinated with MWP. That is, when
spam is identified, only the obfuscated header should be written to a
report and the report being processed when the user processes the mail.
But then there is still the problem of "mass" mailing if there should be
many, unless a process is developed for "trickle" mailing the reports....
[snip]
GM>>>> I'm unsure about whether I should obfuscate my e-mail address
GM>>>> and my ISP address _before_ I do the analysis or before I
GM>>>> send the LART?
ml>>> you have to do it in the "evidence" before analysis cause you
ml>>> can't edit anything afterward...
GM>> I would like to start a new thread - "Spam Report; Procedure"
GM>> and step through the various steps if you are agreeable. It
GM>> may prove to be a learning experience for all; even the lurkers
GM>> who haven't said anything, yet.
ml> hummm... like a cookie cutter method of filing? that is ok for some
ml> types of things... maybe or not for this stuff... spamcop.net has
ml> several support forums and it is very obvious that this stuff is not a
ml> "one size fits all" situation...
I can see where the multiple forms would present a lot of problems....
I just jumped to the MWP website. What is the MailWasher Server Open
Source (http://oss.firetrust.com/home/)? I suspect that this source is not
meant for your average MWP client...
I'll get to the other messages in due time. I just completed a "whack" of
twelve hour night shifts and I'm running behind with all my
correspondences.
Cheers ... Gerald
... Buy Old Masters. They fetch a much better price than old mistresses.
--- GoldED+/DPMI32 v1.1.5-040330 [msg of February 09, 2005]
* Origin: That must be wonderful! I don't understand it at all. (1:342/512)
|