Mailing List Message #6410
From: Dave Martin <>
Subject: Re: (not so) Obvious spam address
Date: Thu, 6 Jul 2000 08:51:03 -0500
To: SIMS Discussions <>
X-Mailer: Claris Emailer 2.0v3, January 22, 1998
>I've received thousands of these, all through
>, but it's not practical to eliminate *all* of The
>spammer also sends from aol, msn, hotmail, etc. Can you think of an
>easier way to stop them?

I've been getting them, too. Mainly the forged and
fake addresses, and a few from yahoo. Some, however, are traceable to (the real source of many of these spams). I went ahead and
blocked all msn and hotbot through router error, and check the logs now
and then to make sure REAL things aren't being denied--no false positives
so far.

Key thing is to notify the postmaster/abuse at (or
whatever site DELIVERED to your SIMS machine--do a lookup on the IP to
verify if needed) that they have an open relay. Blocking that relay in
your blacklist probably won't help--too late, they've moved on to another
by then anyway.

I also pass the spam messages on to the host being slighted...some of
these big commercial sites have the resources and the PR interest in
ensuring nobody disses their reputation by sending forged spam with their
service implicated as an accomplice.

It might be nice if SIMS could do some "Received" backtracking, but that
would require accepting the connection to read headers, and would add to
overhead as each IP address/hostname in the Received path (part of which
may be forged, too) was DNS/revDNS inspected for possible blacklist or
RBL matches. I know when our university "forced" a secondary MX on us,
tons of spam which SIMS would have stopped came through, because the
secondary was a "trusted" host, and it was accepting the spam
unconditionally. If SIMS could have checked the Received headers (maybe even
just the previous one) and done checks on those, a lot of stuff would have
been blocked.

I would point out that the address on the first example you sent DOES NOT
match your multiple groups of numerics rule, though it would match an
"embedded" numerics. I'll also mention that accounts here at my
university typically use the student's initials and part of their ID
number as the default username--and if they have no middle initial (as
with many of our international students), a zero is put in that position
instead. Thus "ABC1234" or "A0C1234" are very common account names here,
and if the initials and ID segment are duplicated (more frequent than
you'd think), the last digit is replaced with a letter ("A0C123B").

I think you'd need a fuzzy logic algorithm for best filtering, and a
means for SIMS to sideline questionable items for admin inspection. While
some of it would be nice, there are obviously some limits to what a
computer program can reasonably be expected to do (especially for
free...). It just means we have to pay more attention as admins, and deal
with things as they happen, which is exactly why we are here in the first

One question regarding "proper" RFC formatting of messages and
headers...where does the requirement or responsibility for the Message-ID
field lie?

>>Message-ID: <IntmSCKG280o>

Most of the ones I've paid attention to have the @host, though perhaps
it's not a strict enough rule that SIMS could flag messages which either
do not have a Message-ID line, or have one like the above. Unfortunately
on some of these spams the @host has been provided by the open relay

Dave Martin (Microcomputer Specialist)
Texas A&M University English Department  *  (409) 845-8344  *  Blocker 218D
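The two header checks discussed in this message (walking the Received chain back past a trusted secondary MX to find the hop worth a blacklist or RBL lookup, and flagging a Message-ID that has no @host part), as an added Python example that is not part of the original post or of SIMS. The host names, addresses and trusted-host set are constructed for illustration.

```python
import re

# Constructed sample headers (not from the original post): hosts are placeholders
# and addresses come from documentation ranges. Newest Received header is first.
SAMPLE_HEADERS = """\
Received: from mx2.example.edu (mx2.example.edu [192.0.2.20])
\tby sims.example.edu; Thu, 6 Jul 2000 08:40:12 -0500
Received: from relay.example.net ([198.51.100.7])
\tby mx2.example.edu; Thu, 6 Jul 2000 08:40:10 -0500
Received: from forged.example.com (forged.example.com [203.0.113.9])
\tby relay.example.net; Thu, 6 Jul 2000 08:39:58 -0500
Message-ID: <IntmSCKG280o>
From: someone@example.com
"""

# Our own SIMS host and the university's "forced" secondary MX (constructed names).
TRUSTED_HOPS = {"sims.example.edu", "mx2.example.edu", "192.0.2.20"}

# "from <host> ... [<ipv4>]" as written by the receiving MTA; the IP part is optional.
FROM_RE = re.compile(r"from\s+(\S+)(?:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\])?", re.I)

def parse_headers(raw):
    """Unfold continuation lines; return (lowercased name, value) pairs in order."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def first_untrusted_hop(headers, trusted):
    """Walk Received headers newest-first, skipping hops from trusted hosts, and
    return (host, ip) of the first untrusted one. That line was stamped by a host
    we trust, so it is the last hop worth a blacklist/RBL lookup; anything older
    may have been forged by the spammer."""
    for name, value in headers:
        m = FROM_RE.search(value) if name == "received" else None
        if m and m.group(1).lower() not in trusted and m.group(2) not in trusted:
            return m.group(1).lower(), m.group(2)
    return None

def message_id_status(headers):
    """'missing' if there is no Message-ID, 'no-host' if it lacks an @host part."""
    ids = [v for n, v in headers if n == "message-id"]
    if not ids:
        return "missing"
    return "ok" if "@" in ids[0] else "no-host"
```

On the sample, the hop handed to the secondary MX is relay.example.net at 198.51.100.7, and the Message-ID is reported as lacking a host part.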