[ On Wed, May 27, 1998 at 14:45:22 (-0400), Dave C. wrote: ]
> Subject: [EXIM] OFF-TOPIC
>
>
> When a spam is received, most of us probably know how to pick out all
> sorts of identifying information, IP addresses, etc out of the headers,
> and figure out who to report the offense to (Eg, the dialup provider,
> the provider of the advertised www page, the postmaster at the relay,
> and perhaps abuse@ for the domains of any forged addresses included),
> and we all hope for swift action by any concerned party.
>
> However, we all undoubtedly realize that the recipients of these
> reports/complaints have (especially the admins at national "online
> services" and national dialup providers) to sift thru a massive ton of
> these things by hand, which certainly include a massive number of
> duplicate reports of the same offender, but in different formats and
> including different information.
What could be more "standard" than just forwarding an exact copy of the
spam as you received it, headers and all?
There are at least two recognized *standard* ways to forward messages
within the body of another message. I found out much to my horror that
using MIME is *not* a good idea. Many people cannot see all the headers
in such messages as their MIME viewers will strip out most of the
interesting stuff (i.e. the "Received:" headers) [eg. Pine does this!].
As a result I always use plain old RFC 934 format. (Some people think
that RFC1153 would be an OK format too, but it's much more oriented to
digests than 934 is.)
If you forward a copy of your spam as an RFC 934 encapsulated message,
complete with all headers, then *anyone* can read it with *any* mail
reader. The recipient can then apply their own interpretation to the
message and verify your claims directly. Assuming your mailer doesn't
do something totally asinine, such as re-filling lines in the
encapsulated message, then the recipient can do byte-for-byte
comparisons with other copies they recieve in order to be sure they can
identify common copies.
In addition you can add a paragraph or two in your message to explain
your interpretation of the events. Given that most of the spam I now
receive directly is forwarded through unsuspecting open relay hosts, I
usually include a couple of paragraphs similar to the following
templates to both the relay host contacts (all of them), and the
originating ISP (usually just the <abuse> address if I know it works):
It would appear that the mailer at <host-I-recvd-directly-from>
is susceptible to theft of service attacks. You probably want
to fix this as soon as possible by either re-configuring,
upgrading, or replacing your mailer.
This attack would not likely have been possible if <source-ISP>
had installed filters on their network to prevent their users
from making unauthorized SMTP connections. Hopefully they can
be encouraged to install such filters as soon as possible and I
invite you to join me in applying such encouragement.
Anything more than this would effectively require we all agree on the
design and output format for an AI-like tool that would interpret the
headers for us.
--
Greg A. Woods
+1 416 443-1734 VE3TCP <gwoods@???> <robohack!woods>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>
--
*** Exim information can be found at
http://www.exim.org/ ***
