Mailing List SIMS@mail.stalker.com Message #13812
From: David C King <dck@the-wire.com>
Subject: Re: Routing spam
Date: Sat, 4 Oct 2003 14:48:35 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
Thanks, Neil

My router now reads:

<admin*> = spamtrap
<admin@king-dom.org> = error

At the top of the other router entries.

Today's SIMS log reads:

13:02:19 2 SMTP-082([67.60.19.41]) {S.0000019249} received, 32484 bytes
13:02:20 5 SYSTEM Scanning {S.0000019249}
13:02:20 5 SYSTEM Line Read: P I 04-10-2003 17:01:48 0000 king-dom.org admin
13:02:20 5 SYSTEM Line Read: R W 04-10-2003 17:01:52 0000 king-dom.org karen
13:02:20 5 SYSTEM Line Read:
13:02:20 5 SYSTEM Line Read: Received: from [67.60.19.41] (HELO localhost) by king-dom.org (Stalker SMTP Server 1.8b8) with SMTP id S.0000019249 for <xxxxx@king-dom.org>; Sat, 04 Oct 2003 13:01:55 -0400
13:02:20 5 SYSTEM Line Read: From: admin@king-dom.org
13:02:20 5 SYSTEM Line Read: To: xxxxx <xxxxx@king-dom.org>
13:02:20 5 SYSTEM Line Read: Reply-To: admin@king-dom.org
13:02:20 5 SYSTEM Line Read: X-Mailer: The Bat! (v1.61)
13:02:20 5 SYSTEM Line Read: X-Priority: 2 (High)
13:02:20 5 SYSTEM Line Read: Subject: your account nbenafua
13:02:20 5 SYSTEM Line Read: MIME-Version: 1.0
13:02:20 5 SYSTEM Line Read: Content-Type: multipart/mixed; boundary="----------2B0B5A5E001B7C6"
13:02:20 5 SYSTEM Line Read:
13:02:20 2 SYSTEM [S.0000019249] S.0000019249 0+1 From:admin@king-dom.org
13:02:20 4 SYSTEM [S.0000019249] submitted
13:02:20 5 SYSTEM delivering to local accounts
13:02:20 5 SYSTEM [S.0000019249] OSOpen refNum=8274
13:02:20 5 SYSTEM [S.0000019249] reading: 448 bytes at 97
13:02:20 5 SYSTEM Writing 7428: 581 bytes at 0
13:02:20 5 SYSTEM [S.0000019249] reading: 31939 bytes at 545
13:02:20 5 SYSTEM Writing 7428: 31940 bytes at 581
13:02:20 4 SYSTEM [S.0000019249] stored in 'xxxxx' at 0(+0)
13:02:20 2 SYSTEM(POP) [S.0000019249] delivered to (xxxxx)
13:02:20 5 SYSTEM checking modified files
13:02:20 5 SYSTEM OSClose refNum=8274
13:02:20 2 SYSTEM [S.0000019249] deleted
13:02:20 5 SYSTEM delivering to local accounts
13:02:20 5 SYSTEM checking modified files
13:29:19 0 SYSTEM The current date is Saturday, October 4, 2003

In other words, my router entry didn't stop the spam msg (it was delivered to a user account - name xxxxx'd out above).

Is there anything else that I can try? Am I doing something wrong ... or is this spam/weasel just unstoppable??

Thanks again, for everyone's help.

David


Your words of wisdom on 10/3/03:


David

It looks to me like a spammer or other weasel is simply forging the RETURN-PATH, FROM, and REPLY-TO headers on his mail using the bogus address "admin@king-dom.org". I presume since you have x-ed out the local part of the TO address that it is a real account on your system.

If you replace your "admin" router entries with the following, it should stop the weasel:

<admin*> = spamtrap

This tells the router to take any local address that starts with "admin" and spam trap it.

The ERROR routing is usually used for the domain portion of an address, as in:

*.cn = error   ; chinese mail is always spam to me


--
Neil

--
"Minds, like parachutes, work only when open."  -- Blue Wave
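
The log in this thread shows a message whose From and Reply-To headers claim the local domain while the SMTP peer is an outside address. The following added example (not part of the original messages, and not Stalker's code) scans log text in that shape and reports such messages. The trusted network list, the second log entry, and the assumption that "Line Read" header lines belong to the most recent "Scanning" message id are constructed for illustration.

```python
import ipaddress
import re

LOCAL_DOMAIN = "king-dom.org"  # domain taken from the thread
# Hypothetical: networks from which local-domain senders are expected.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample: first message mirrors the log in the thread,
# second message (S.0000019250) is invented as a benign comparison.
SAMPLE_LOG = """\
13:02:19 2 SMTP-082([67.60.19.41]) {S.0000019249} received, 32484 bytes
13:02:20 5 SYSTEM Scanning {S.0000019249}
13:02:20 5 SYSTEM Line Read: From: admin@king-dom.org
13:02:20 5 SYSTEM Line Read: To: xxxxx <xxxxx@king-dom.org>
13:02:20 5 SYSTEM Line Read: Reply-To: admin@king-dom.org
13:02:20 2 SYSTEM(POP) [S.0000019249] delivered to (xxxxx)
13:05:01 2 SMTP-083([192.168.1.20]) {S.0000019250} received, 1200 bytes
13:05:02 5 SYSTEM Scanning {S.0000019250}
13:05:02 5 SYSTEM Line Read: From: admin@king-dom.org
"""

RECEIVED = re.compile(r"SMTP-\d+\(\[([\d.]+)\]\) \{(S\.\d+)\} received")
SCANNING = re.compile(r"SYSTEM Scanning \{(S\.\d+)\}")
HEADER = re.compile(
    r"SYSTEM Line Read: (From|Reply-To): .*?([\w.+-]+@[\w.-]+)", re.I)


def find_forged_local_senders(log_text, local_domain=LOCAL_DOMAIN,
                              trusted=TRUSTED_NETS):
    """Return (msg_id, peer_ip, header, address) for each sender header
    that claims the local domain on a message from an untrusted peer."""
    peers = {}      # message id -> connecting IP from the "received" line
    current = None  # message id whose headers are being scanned
    findings = []
    for line in log_text.splitlines():
        if m := RECEIVED.search(line):
            peers[m.group(2)] = ipaddress.ip_address(m.group(1))
        elif m := SCANNING.search(line):
            current = m.group(1)
        elif (m := HEADER.search(line)) and current in peers:
            addr, peer = m.group(2).lower(), peers[current]
            claims_local = addr.endswith("@" + local_domain)
            if claims_local and not any(peer in net for net in trusted):
                findings.append((current, str(peer), m.group(1), addr))
    return findings


if __name__ == "__main__":
    for finding in find_forged_local_senders(SAMPLE_LOG):
        print(*finding)
```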