On 10/19/2006 08:04 PM, José Alburquerque wrote:
José Alburquerque wrote:
Roberto C. Sanchez wrote:
Install SpamAssassin and train it. Go to the web archives, find the
offending message(s) and click the corresponding "Report this as Spam"
button on the page for the message. The list admins periodically train
SpamAssassin on lists.d.o with those messages which are reported as spam.
Regards,
-Roberto
Quick question on SpamAssassin: Will this work for those that do not
use fetchmail to download mail to server? I simply get my mail by
using mozilla-thunderbird. In my case, I guess I'd just click on the
"Junk Mail" button, although I'm afraid that it will begin to throw
out good messages on this list. However, I don't mind simply
deleting. I just thought that I'd make the observation in case there
might be other options. Thanks again.
As Roberto suggested, I went to the archives and reported the two
offending e-mails as spam. Thanks once more. :-)
Taking down the botnet is another way to fight the spam. It doesn't
always work as planned:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
[EMAIL PROTECTED]
SMTP error from remote mailer after RCPT TO:<[EMAIL PROTECTED]>:
host mail.qixhosting.net [66.102.41.26]: 550 5.7.1 <[EMAIL PROTECTED]>...
Relaying denied
------ This is a copy of the message, including all the headers. ------
Return-path: <[EMAIL PROTECTED]>
Received: from [4.158.105.169] (helo=[4.158.105.169])
by elasmtp-kukur.atl.sa.earthlink.net with asmtp (Exim 4.34)
id 1GajdB-0001rN-AE; Thu, 19 Oct 2006 21:57:06 -0400
Message-ID: <[EMAIL PROTECTED]>
Date: Thu, 19 Oct 2006 20:45:24 -0500
From: "Mumia W.." <[EMAIL PROTECTED]>
User-Agent: Thunderbird 1.5.0.7 (X11/20060909)
MIME-Version: 1.0
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Spam message reveals botnet on your networks
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
I received a spam message that involves all of your networks. The spam
seems to advertise a website that is managed by a botnet. A botnet is a
group of machines controlled by Internet organized crime gangs (without
the knowledge of the true owners). A botnet consists of machines that
mutually support one another by sending spam, hosting websites and
providing DNS services for those websites.
The spam message came from this machine: 71.111.0.143 (verizon)
The spam-advertised websites are hosted on these machines:
www.lemuwin.com. 180 IN A 64.110.215.97 (sasktel)
www.lemuwin.com. 180 IN A 172.161.194.59 (AOL)
www.lemuwin.com. 180 IN A 172.195.44.236 (AOL)
www.lemuwin.com. 180 IN A 194.145.134.112 (Esat)
www.lemuwin.com. 180 IN A 211.223.172.213 (kornet)
And this site is linked to by the spam-advertised site:
www.14inch.com. 0 IN A 66.102.43.10 (qixhosting)
The domain-naming services are hosted on these machines:
ns1.marivanna.com. 41678 IN A 212.235.54.208 (netvision)
ns1.marivanna.com. 41678 IN A 221.162.35.178 (kornet)
ns1.marivanna.com. 41678 IN A 24.91.25.155 (comcast)
ns1.marivanna.com. 41678 IN A 24.155.135.157 (grandecom)
ns1.marivanna.com. 41678 IN A 66.159.174.240 (sbcglobal)
ns1.marivanna.com. 41678 IN A 70.136.103.192 (sbcglobal)
ns1.marivanna.com. 41678 IN A 83.10.199.248 (telekomunikacja)
ns1.marivanna.com. 41678 IN A 86.73.81.56 (gaoland)
ns1.marivanna.com. 41678 IN A 124.186.234.43 (telstra)
ns2.marivanna.com. 168631 IN A 86.73.81.56 (gaoland)
ns4.marivanna.com. 84554 IN A 212.235.54.208 (netvision)
Taking down a botnet is a lot of work, but I'm sure you guys and gals
will do a fantastic job of it. Botnets typically change the locations of
the various servers on a continuing basis. After several hours, some of
this information may have changed. Don't worry; taking down the old
botnet machines makes them unavailable to the crime gangs.
Qixhosting, it is critical that you take down the spammer's website at
www.14inch.com (66.102.43.10). That is the primary money-making website
for the crime gang; if you fail to take that site down, everything would
have been for nothing.
Time is important when evaluating botnets. This information was
collected around Fri Oct 20 01:25:02 UTC 2006.
The spam message was sent to the debian-user mailing list of which I am
a member. Here is the spam message including full headers:
> Return-Path: <[EMAIL PROTECTED]>
> Received: from murphy.debian.org ([70.103.162.31])
> by mx-mcdonald.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1gAGkc2Io3Nl36F0
> for <[EMAIL PROTECTED]>; Thu, 19 Oct 2006 18:25:16 -0400 (EDT)
> Received: from localhost (localhost [127.0.0.1])
> by murphy.debian.org (Postfix) with QMQP
> id 2464E2E0E0; Thu, 19 Oct 2006 17:24:50 -0500 (CDT)
> Old-Return-Path: <[EMAIL PROTECTED]>
> X-Original-To: debian-user@lists.debian.org
> Received: from pool-71-111-0-143.ptldor.dsl-w.verizon.net (pool-71-111-0-143.ptldor.dsl-w.verizon.net [71.111.0.143])
> by murphy.debian.org (Postfix) with SMTP id E36732E0BD
> for <debian-user@lists.debian.org>; Thu, 19 Oct 2006 17:05:17 -0500 (CDT)
> Received: from mh4dmz3b.bloomberg.net
> by pool-71-111-0-143.ptldor.dsl-w.verizon.net (8.9.3/8.9.3) with SMTP id 0000001ab673
> for <debian-user@lists.debian.org>; Thu, 19 Oct 2006 17:21:25 -0500
> Received: from [225.151.134.41]
> by mh4dmz3b.bloomberg.net with SMTP id ZP20JtilkGbd
> for <debian-user@lists.debian.org>; Thu, 19 Oct 2006 17:21:25 -0500
> Reply-To: "Candice Kiser" <[EMAIL PROTECTED]>
> From: "Candice" <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Date: Thu, 19 Oct 2006 17:21:25 -0500
> To: <debian-user@lists.debian.org>
> Subject: Horhny playboy teenie site
> MIME-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Rc-Spam: 2006-04-09_01
> X-Rc-Virus: 2005-11-10_01
> X-Rc-Spam: 2006-04-09_01
> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on murphy.debian.org
> X-Spam-Level:
> X-Spam-Status: No, score=-0.3 required=4.0 tests=ALL_TRUSTED,BAYES_99,
> UPPERCASE_25_50 autolearn=no version=3.0.3
> Resent-Message-ID: <[EMAIL PROTECTED]>
> Resent-From: debian-user@lists.debian.org
> X-Mailing-List: <debian-user@lists.debian.org> archive/latest/454964
> X-Loop: debian-user@lists.debian.org
> List-Id: <debian-user.lists.debian.org>
> List-Post: <mailto:debian-user@lists.debian.org>
> List-Help: <mailto:[EMAIL PROTECTED]>
> List-Subscribe: <mailto:[EMAIL PROTECTED]>
> List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
> Precedence: list
> Resent-Sender: [EMAIL PROTECTED]
> Resent-Date: Thu, 19 Oct 2006 17:24:50 -0500 (CDT)
> X-ELNK-AV: 0
> X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
>
> two THjESE TIiNY SLUlTS CAN'T STOP COMMIbNG ... .. ONjCE THjEY TAKeE ALL 14 INyCHES!! loose
> onlinecan: && > www. lemuwin .com < && (!!! del space's !!!)
>
>
> provide big used happy week online hot,
> self wish done all, always stats?
>
> bye
> Candice Kiser
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
>
>
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
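
The report above lists the A records behind the advertised site and its name servers and notes that these locations change over time. As an added example (not part of the original message), this Python sketch parses those dig-style lines as listed in the report and labels each name by how many addresses and providers answer for it; the thresholds and the labels `rotating`, `spread` and `single-site` are assumptions made for the example.

```python
import re

# Answer lines as listed in the report above: name, TTL, IN A, address, (provider).
REPORTED = """\
www.lemuwin.com. 180 IN A 64.110.215.97 (sasktel)
www.lemuwin.com. 180 IN A 172.161.194.59 (AOL)
www.lemuwin.com. 180 IN A 172.195.44.236 (AOL)
www.lemuwin.com. 180 IN A 194.145.134.112 (Esat)
www.lemuwin.com. 180 IN A 211.223.172.213 (kornet)
www.14inch.com. 0 IN A 66.102.43.10 (qixhosting)
ns1.marivanna.com. 41678 IN A 212.235.54.208 (netvision)
ns1.marivanna.com. 41678 IN A 221.162.35.178 (kornet)
ns1.marivanna.com. 41678 IN A 24.91.25.155 (comcast)
ns1.marivanna.com. 41678 IN A 24.155.135.157 (grandecom)
ns1.marivanna.com. 41678 IN A 66.159.174.240 (sbcglobal)
ns1.marivanna.com. 41678 IN A 70.136.103.192 (sbcglobal)
ns1.marivanna.com. 41678 IN A 83.10.199.248 (telekomunikacja)
ns1.marivanna.com. 41678 IN A 86.73.81.56 (gaoland)
ns1.marivanna.com. 41678 IN A 124.186.234.43 (telstra)
"""

RECORD = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\d+(?:\.\d+){3})(?:\s+\((.+)\))?$")

def parse_records(text):
    """Group A records by name: {name: [(ttl, address, provider), ...]}."""
    by_name = {}
    for line in text.splitlines():
        if m := RECORD.match(line.strip()):
            name, ttl, addr, provider = m.groups()
            row = (int(ttl), addr, (provider or "unknown").lower())
            by_name.setdefault(name.lower(), []).append(row)
    return by_name

def classify(rows, max_ttl=300, min_addrs=3, min_providers=2):
    """Label one name's answer set. The thresholds are assumptions for this example."""
    addrs = {addr for _, addr, _ in rows}
    providers = {prov for _, _, prov in rows}
    spread = len(addrs) >= min_addrs and len(providers) >= min_providers
    if spread and min(ttl for ttl, _, _ in rows) <= max_ttl:
        return "rotating"      # many hosts on unrelated networks, short-lived answers
    return "spread" if spread else "single-site"

def summarize(text):
    """Return {name: (label, distinct addresses, distinct providers)}."""
    return {name: (classify(rows), len({r[1] for r in rows}), len({r[2] for r in rows}))
            for name, rows in parse_records(text).items()}

if __name__ == "__main__":
    print(summarize(REPORTED))
```

On the records in the report, the advertised site's answers come out as short-lived and scattered across unrelated access networks, the name server set is scattered but long-lived, and the linked site resolves to a single host.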