Re: [EXIM] Buffalo Jerky (fwd)

Author: Dave C.
Date:  
To: Sherwood Botsford
CC: Exim List
Subject: Re: [EXIM] Buffalo Jerky (fwd)


On Fri, 23 Jan 1998, Sherwood Botsford wrote:

> Date: Fri, 23 Jan 1998 13:37:47 -0700 (MST)
> From: Sherwood Botsford <sherwood@???>
> To: Exim List <exim-users@???>
> Subject: [EXIM] Buffalo Jerky (fwd)
>
> No,no, you didn't get spammed.
>
> Just that I've not figured out how to deal with this
> type.
>
> Suppose that you are an adscammer -- someone who is making
> a living by exploding email. You get a client, *he*
> has a virtual domain, in this case buffalojerky.com.
>
> He sends mail to you, and for a pre-arranged fee
> he sends it to a zillion addresses.
>
> Now on receipt, I add *.buffalojerky.com to my spam list
> BUT this may well have been a one shot affair. What I really
> want to do is figure out a way to spot when more than one spammer
> has come through the relay point, (repulse.concentric.net) and
> then block mail from that relay.
>
> 1. How do I block a relay, instead of a sender?
>
> Sender_*_*_relay allows me to control what hosts use
> me as a relay.
>
> I think we may need an option such as
>
> relay_direct_accept_from
> relay_direct_reject_from
> relay_accept_from
> relay_reject_from



Take a look at host_reject, and host_reject_recipients, and also my note
below...

>
> The first two control which hosts we accept a direct
> relay. That is, regardless of who the message is from,
> we won't accept a message connecting from the relay box.
>
> The second form is stronger. In its case, we won't accept
> a message that has passed through the relay box.
>
> Current common situation:
>
> Spam -> Me
>
> I add Spam to my sender_host_reject. No problem.
>
> The message that prompted me:
> Spam -> Relay -> Me
>
> I can add Spam to sender_host_reject, but I'm still vulnerable to
> Relay's next sale to Spam2.
>
> But if I add Relay to relay_direct_reject_from, then
> all of Relay's crap will be filtered out. Normally I'd
> do this only after getting several spams passed through Relay.
>
> Now a truly enterprising adspammer would do this:
>
> Spam -> Relay -> RelayVictim -> Me
>
> (This happened to me. One of my boxes was relaying porn mail for a site
> in the Netherlands.)
>
> In this case I want to add Relay to relay_reject_from
> meaning that no matter how it got here, I won't accept any mail
> that has been through this box.
>
> I make a distinction because the direct form can be blocked at
> an earlier stage. The more general form requires accepting all
> the data first.
>
> Thoughts?
>
> I've included the headers from the message for your amusement.
>
>
> A -> B -> C -> Me
>
> sender*relay allows me to add A to my list, and never see him again.
>
>
>
>
> Sherwood Botsford     | email avatar@???
> Sorcerers Apprentice    | Office CAB 642B
> System Administrator    | Tel: 403 492 5728 
> Trouble shooter            | Fax: 403 492 6826
>
>
> Log entry:
> 1998-01-23 12:49:33 0xvp6a-0007TX-00 <= marketing@???
> H=(repulse.concentric.net) [207.155.248.4]
> P=esmtp S=1401 id=199801231936.OAA01832@???
>



buffalojerky.com wouldn't even have had to exist for this message to be
sent.

If you'll take a closer look at your headers below, you'll note that a
computer _claiming_ to be buffalojerky.com (using 206.173.248.102,
which appears to be in fact a concentric dynamic dialup address),
connected to concentric's mail relay to send this message. Blocking the
individual dynamic dial up address would be silly, since they always
change. You could block all mail from concentric's relay, but that
would be silly because concentric isn't the spammer, they are just the
ISP the spammer used a (presumably throwaway) dialup account thru which
to send the junk, and they use a different account, with different
ISPs each time one is cut off.

The best you can do with this is report it to
postmaster@???, including the same full headers, so they can
identify this scumbag and cut him off, and also try to contact the
organization being advertised and make sure they know they are pissing
off potential customers (regardless of whether you are a potential beef
jerky customer or not - tell them you love it, but are specifically NOT
going to do business with them because they used spam to advertise)

Since buffalojerky.com does in fact exist and appears to be a customer
of concentric, a report of this spam might get not only their dialup
cut off but also their web page (assuming concentric has a reasonable
anti-spam policy with some teeth)

[rs.internic.net]
Buffalo Bill's Jerky (BUFFALOJERKY-DOM)
1426 S. Allec Street
Anaheim, CA 92805
US

Domain Name: BUFFALOJERKY.COM

   Administrative Contact:
      Volmar, Scott M  (SMV9)  Volmar@???
      714-991-8352 (FAX) 714-991-0643
   Technical Contact, Zone Contact:
      Concentric Network Corporation  (CNCXCH-ORG)
hostmaster@???
      408-342-2810Fax- 408-342-2810 Fax- - 408-342-2810




>
>
> ---------- Forwarded message ----------
> Received: from (repulse.concentric.net) [207.155.248.4] 
>     by vega.math.ualberta.ca with esmtp (Exim 1.82 #3)
>     id 0xvp6a-0007TX-00 ; Fri, 23 Jan 1998 12:49:32 -0700
> Received: from buffalojerky.com (ts027d42.lax-ca.concentric.net [206.173.248.102])
>     by repulse.concentric.net (8.8.5/)
>     id OAA01832; Fri, 23 Jan 1998 14:36:21 -0500 (EST)
>     [ConcentricHost SMTP Relay]
> Date: Fri, 23 Jan 1998 14:36:21 -0500 (EST)
> From: marketing@???
> Message-ID: <199801231936.OAA01832@???>
> Errors-To: <marketing@???>
> To: marketing@???
> Subject: Buffalo Jerky
>
>
> EXPERIENCE THE FLAVOR OF THE OLD WEST!
>
> [munch]
>



--
*** Exim information can be found at http://www.exim.org/ ***
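The argument above turns on reading the Received: chain correctly: the host that connected to vega was concentric's relay, while the original injection point was a dialup address whose HELO name (buffalojerky.com) did not match its reverse-DNS name. The script below is an added example, not code from either poster and not part of Exim; it parses the forwarded headers from this message (embedded as a constructed sample, with the archive's "???" placeholders left in place) into a hop list and reports which host is the direct peer, which is the origin, whether the origin's claimed name disagrees with its reverse-DNS name, and whether the origin sits inside the same domain as the relay (the case where blocking "the relay" really means blocking the ISP). The helper names (trace, analyze, same_org) are this example's own.

```python
import re
from email import message_from_string

# Constructed sample: the Received: chain and a few headers from the
# forwarded message on this page, exactly as the archive shows them.
RAW_MESSAGE = """Received: from (repulse.concentric.net) [207.155.248.4]
    by vega.math.ualberta.ca with esmtp (Exim 1.82 #3)
    id 0xvp6a-0007TX-00 ; Fri, 23 Jan 1998 12:49:32 -0700
Received: from buffalojerky.com (ts027d42.lax-ca.concentric.net [206.173.248.102])
    by repulse.concentric.net (8.8.5/)
    id OAA01832; Fri, 23 Jan 1998 14:36:21 -0500 (EST)
    [ConcentricHost SMTP Relay]
Date: Fri, 23 Jan 1998 14:36:21 -0500 (EST)
From: marketing@???
Subject: Buffalo Jerky

EXPERIENCE THE FLAVOR OF THE OLD WEST!
"""

# "from <clause> by <host>": the clause holds the claimed (HELO) name,
# optionally a reverse-DNS name, and the peer's IP in square brackets.
HOP_RE = re.compile(r"from\s+(?P<clause>.+?)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# sendmail-style "(rdns-name [ip])": a name followed by whitespace and "[".
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")


def parse_hop(received_value):
    """Turn one Received: header value into a dict describing that hop."""
    text = " ".join(received_value.split())  # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return None
    clause = m.group("clause")
    first = clause.split()[0]
    # Exim 1.x writes an unverified HELO name in parentheses: "(name) [ip]".
    claimed = first.strip("()")
    rdns = RDNS_RE.search(clause)
    ip = IP_RE.search(clause)
    return {
        "claimed": claimed,
        "rdns": rdns.group(1) if rdns else None,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
    }


def trace(raw):
    """Hops in transit order: index 0 is the injection point, -1 is the
    host that connected to us. Headers are prepended, so reverse them."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def same_org(name_a, name_b):
    """Crude registered-domain comparison on the last two labels."""
    tail = lambda n: ".".join(n.lower().split(".")[-2:])
    return tail(name_a) == tail(name_b)


def analyze(raw):
    """Summarize what each candidate block would actually hit."""
    hops = trace(raw)
    origin, peer = hops[0], hops[-1]
    origin_name = origin["rdns"] or origin["claimed"]
    peer_name = peer["rdns"] or peer["claimed"]
    return {
        "connecting_host": peer,   # blocking this IP blocks the relay/ISP MTA
        "origin": origin,          # blocking this IP blocks one dynamic address
        "origin_helo_mismatch": bool(origin["rdns"]) and origin["rdns"] != origin["claimed"],
        "origin_inside_relay_domain": same_org(origin_name, peer_name),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

On this sample the report says the direct peer is 207.155.248.4 (repulse.concentric.net, HELO only, no reverse name recorded by Exim 1.82), the origin is 206.173.248.102 with reverse name ts027d42.lax-ca.concentric.net despite claiming buffalojerky.com, and the origin is inside concentric.net, the same domain as the relay. That is the shape of evidence to include in a postmaster report, and it shows why a host-level block on either address would miss the actual sender.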