***SPAM*** Re: [Mimedefang] Agressive spammers

dimon at intellinetinc.com dimon at intellinetinc.com
Tue Dec 2 00:18:37 EST 2003


Quoting "David F. Skoll" <dfs at roaringpenguin.com>:

> Really?  I would think that most would at least contain the headers of the
> failing message.

Here is the typical bounce one of my users is getting.
I can see everything there (and yes, the SPAM HTML message itself!) except for 
the headers of the original message!

Return-Path: <>
Received: from intellinet.ab.ca ([unix socket])
	by intellinet.ab.ca (Cyrus v2.2.2-BETA) with LMTP; Sun, 30 Nov 2003 
21:58:23 -0700
X-Sieve: CMU Sieve 2.2
Received: from snnyroch50.secarch.gblxint.com (mail01.globalcrossing.com 
[209.130.177.140])
	by intellinet.ab.ca (8.12.10/8.12.10) with ESMTP id hB14w43b017465
	for <ahmad at intellinet.ab.ca>; Sun, 30 Nov 2003 21:58:10 -0700 (MST)
Received: by snnyroch50.secarch.gblxint.com (Postfix)
	id A008477FAC; Sun, 30 Nov 2003 23:23:56 -0500 (EST)
Date: Sun, 30 Nov 2003 23:23:56 -0500 (EST)
From: MAILER-DAEMON at snnyroch50.secarch.gblxint.com (Mail Delivery System)
Subject: *****SPAM***** Undelivered Mail Returned to Sender
To: ahmad at intellinet.ab.ca
MIME-Version: 1.0
Content-Type: multipart/mixed; 
boundary="AA0A377D5C.1070252636/snnyroch50.secarch.gblxint.com"
Message-Id: <20031201042356.A008477FAC at snnyroch50.secarch.gblxint.com>
X-Spam-Level: *****
X-Spam-Status: Yes hits=5.587 required=4.0
	tests=BIZ_TLD,HTML_FONT_BIG,HTML_FONT_INVISIBLE,HTML_MESSAGE,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,NO_DNS_FOR_FROM
X-Scanned-By: MIMEDefang 2.38

This is a multi-part message in MIME format...

--AA0A377D5C.1070252636/snnyroch50.secarch.gblxint.com
Content-Description: Notification
Content-Type: text/plain
Content-Disposition: inline

This is the Postfix program at host snnyroch50.secarch.gblxint.com.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

			The Postfix program

<patrick_vitalone at globalcrossing.com>: host
    snusroc37.ams.gblxint.com[10.60.55.78] said: 550
    <patrick_vitalone at globalcrossing.com>: User unknown in local recipient
    table (in reply to RCPT TO command)

<paul_winkler at globalcrossing.com>: host snusroc37.ams.gblxint.com[10.60.55.78]
    said: 550 <paul_winkler at globalcrossing.com>: User unknown in local
    recipient table (in reply to RCPT TO command)

--AA0A377D5C.1070252636/snnyroch50.secarch.gblxint.com
Content-Description: Delivery error report
Content-Type: message/delivery-status
Content-Disposition: inline

Reporting-MTA: dns; snnyroch50.secarch.gblxint.com
Arrival-Date: Sun, 30 Nov 2003 23:22:57 -0500 (EST)

Final-Recipient: rfc822; patrick_vitalone at globalcrossing.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host snusroc37.ams.gblxint.com[10.60.55.78] said:
    550 <patrick_vitalone at globalcrossing.com>: User unknown in local recipient
    table (in reply to RCPT TO command)

Final-Recipient: rfc822; paul_winkler at globalcrossing.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host snusroc37.ams.gblxint.com[10.60.55.78] said:
    550 <paul_winkler at globalcrossing.com>: User unknown in local recipient
    table (in reply to RCPT TO command)

--AA0A377D5C.1070252636/snnyroch50.secarch.gblxint.com
Content-Type: multipart/mixed; boundary="----------=_1070254702-6883-11"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)

This is a multi-part message in MIME format...

------------=_1070254702-6883-11
Content-Type: multipart/alternative; boundary="----------=_1070254702-6883-12"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)

This is a multi-part message in MIME format...

------------=_1070254702-6883-12
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<html>

<head>
<meta http-equiv=3D"Content-Language" content=3D"en-us">
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dwindows-1=
252">
<title>natkwksbw zygqyxxnko p r bermuda wherewith coil</title>
</head>

<body>

<div align=3D"left">
<table width=3D"765" border=3D"0" cellpadding=3D"0" cellspacing=3D"0" style=
=3D"border-collapse: collapse" bordercolor=3D"#111111">
  <tr>
    <td height=3D"277" valign=3D"bottom" background=3D"http://%77%77%77%2E%=
63%6F%6F%6C%73%74%75%6E%74%63%61%72%73%2E%62%69%7A/%72%63/%69%6D%67%73/%68%=
65%61%64%65%72%5F%62%67%2E%6A%70%67"><table width=3D"600" border=3D"0" cell=
spacing=3D"0" cellpadding=3D"4">
        <tr>
          <td height=3D"190" valign=3D"top"><p><font size=3D"2" face=3D"Ver=
dana, Arial, Helvetica, sans-serif">Fasten
              your seatbelt, Lunar Stunt Cars are about to take you<br>
              on one wild ride! The ultimate Lunar RC Stunt Cars rig for th=
e <br>
              wildest tricks. It can act like a vehicle with blazing speed =
for<br>
              sport gallop racing, 4 super wheels with awesome climbing<br>
              power can easily climb hills &bumpers, simulate the motio=
n<br>
              movement on the moon. Lunar Stunt Car does stunts no other<br>
              R/C car can do, Frenzied flips and screaming spins! 2 front <=
br>
              wheels can turbo 360 degree spins as car moving. flip over li=
ke<br>
              acrobat or make a 360 coiling turn when he run, but everythin=
g is
              under<br>
              your control. Practice and master your moves, it/'s fun and c=
hallenging!</font></p></td>
        </tr>
      </table></td>
  </tr>
</table>
</div>
<p><b><font face=3D"Verdana, Arial, Helvetica, sans-serif" size=3D"5">
<a href=3D"http://www.coolstuntcars.biz/rc/">MORE INFO</a></font></b></p>

<p><font size=3D"2" color=3D"#FFFFFF">greenberg composition %RANDOM_WORD ac=
quiesce
quagmire anticipate<br>
contravention nathaniel analgesic rood breve %RANDOM_WORD
<br>
decomposable injury alphabet capetown dial %RANDOM_WORD
<br>
quitting wive fragmentation beater caloric %RANDOM_WORD
</font></p>
<p><font size=3D"2" color=3D"#FFFFFF">dramatist bless %RANDOM_WORD kickback
lithology attract<br>
il allyl congregate strabismic archangel %RANDOM_WORD
<br>
gopher tablespoonful anaplasmosis marianne nv %RANDOM_WORD
<br>
conway chain bromley ignominious angeles %RANDOM_WORD
</font></p>
<p><font size=3D"2" color=3D"#FFFFFF">admix sentence %RANDOM_WORD columbine
transportation epithelium<br>
tilt dadaist abbott engage lesbian %RANDOM_WORD
<br>
hidalgo livermore produce iranian press %RANDOM_WORD
<br>
noodle sydney interdict copenhagen david %RANDOM_WORD
</font></p>

</body>

</html>pjea hp
  wxeyj jwes w

------------=_1070254702-6883-12--

------------=_1070254702-6883-11--

--AA0A377D5C.1070252636/snnyroch50.secarch.gblxint.com
Content-Type: text/plain; name="SpamFilterReport.txt"
Content-Disposition: inline; filename="SpamFilterReport.txt"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)

Spam detection software, running on the system "intellinet.ab.ca", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  This is a MIME-encapsulated message. This is the
  Postfix program at host snnyroch50.secarch.gblxint.com. I'm sorry to
  have to inform you that the message returned below could not be
  delivered to one or more destinations. [...] 

Content analysis details:   (5.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.4 HTML_FONT_INVISIBLE    BODY: HTML font color is same as background
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML has a big font
 0.7 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
 0.8 BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
 2.4 HTTP_ESCAPED_HOST      URI: Uses %-escapes inside a URL's hostname
 1.1 NO_DNS_FOR_FROM        Domain in From header has no MX or A DNS records



--AA0A377D5C.1070252636/snnyroch50.secarch.gblxint.com--


So I think recording Message-IDs is not the method against this kind of SPAM 
attack.

> 
> > And how about vacation replies? Or any other kind of auto-replies?
> 
> As long as they don't come from "<>", you let them through.

Yes, they don't come from "<>", but they come from a spam victim to an innocent 
user. I can imagine all of my users starting to ask me why they are getting those 
bounces and auto-replies. And actually one of them did exactly that today! 

I hope there is a solution for this problem. I don't think it would be simple, 
but I can't just ignore that.

Dmitry

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: SpamFilterReport.txt
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20031201/1c5ba190/attachment.txt>

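The two checks under discussion, as an added example that is not part of this post, of MIMEDefang or of Postfix: a small Python script that classifies a null-sender bounce by whether the returned content carries original headers whose Message-ID appears in a log of what we sent, and that also strips the %-escapes from URLs in the returned body (the obfuscation that SpamAssassin's HTTP_ESCAPED_HOST rule fired on above). The bounce is constructed to mirror the one quoted above, trimmed to the parts that matter; the host mx.example.net, the recipient nobody@example.net, the B1 boundary and the Message-ID in SENT_MESSAGE_IDS are made up. It goes slightly beyond the quoted case by also handling a well-formed DSN whose third part is message/rfc822 or text/rfc822-headers, which is where the Message-ID method does work.

```python
"""Triage a null-sender bounce: can it be tied to mail we actually sent, and what
do URLs in the returned content point at once %-escapes are stripped?
Constructed example; hosts, addresses and Message-IDs below are made up."""
import email
import re
from email import policy
from urllib.parse import unquote, urlsplit

SENT_MESSAGE_IDS = {"<20031130205823.4F2A1@intellinet.ab.ca>"}  # hypothetical sent log
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed RFC 3464 skeleton; the post's bounce is multipart/mixed, which changes nothing.
DSN_TEMPLATE = """Return-Path: <>
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.0.0

--B1
{returned}
--B1--
"""

# Third part as in the post: the spam's HTML body only, no original headers.
RETURNED_BODY_ONLY = """Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

<td background=3D"http://%77%77%77%2E%63%6F%6F%6C%73%74%75%6E%74%63%61%72%73=
%2E%62%69%7A/%72%63/%69%6D%67%73/%68%65%61%64%65%72%5F%62%67%2E%6A%70%67">
Fasten your seatbelt, Lunar Stunt Cars are about to take you on one wild ride!
</td><p><a href=3D"http://www.coolstuntcars.biz/rc/">MORE INFO</a></p>
"""

def returned_headers_part(message_id):
    """Third part as a well-formed DSN carries it: the original message with headers."""
    return (f"Content-Type: message/rfc822\n\nMessage-ID: {message_id}\n"
            "From: ahmad@intellinet.ab.ca\nTo: nobody@example.net\n\nbody\n")

def parse(returned_part):
    raw = DSN_TEMPLATE.format(returned=returned_part)
    return email.message_from_string(raw, policy=policy.default)

def is_null_sender(msg):
    # Return-Path is the receiving MTA's record of the SMTP envelope sender.
    return str(msg.get("Return-Path", "")).strip() == "<>"

def delivery_status(msg):
    """(Final-Recipient, Action, Status) per recipient; [] if there is no DSN part."""
    rows = []
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():  # one sub-message per header block
                if block.get("Final-Recipient"):
                    rows.append(tuple(str(block.get(h, "")).strip()
                                      for h in ("Final-Recipient", "Action", "Status")))
    return rows

def original_message_ids(msg):
    """Message-IDs of the returned original; empty when only the body was echoed."""
    ids = set()
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            mid = part.get_payload()[0].get("Message-ID")
        elif part.get_content_type() == "text/rfc822-headers":
            hdrs = email.message_from_string(part.get_content(), policy=policy.default)
            mid = hdrs.get("Message-ID")
        else:
            continue
        if mid:
            ids.add(str(mid).strip())
    return ids

def classify_bounce(msg, sent_ids=SENT_MESSAGE_IDS):
    if not is_null_sender(msg):
        return "not-a-bounce"
    if not delivery_status(msg):
        return "bounce-without-dsn"
    ids = original_message_ids(msg)
    if not ids:
        return "unverifiable-bounce"  # nothing to check against the sent log
    return "legitimate-bounce" if ids & sent_ids else "backscatter"

def decoded_urls(msg):
    """http(s) URLs from text parts, %-escapes removed, flagged if the host was escaped."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "latin-1", "replace")
        for url in URL_RE.findall(text):
            found.append({"raw": url, "decoded": unquote(url),
                          "escaped_host": "%" in urlsplit(url).netloc})
    return found

if __name__ == "__main__":
    m = parse(RETURNED_BODY_ONLY)
    print(classify_bounce(m), [u["decoded"] for u in decoded_urls(m)])
```

Run against the body-only bounce, the classifier lands on "unverifiable-bounce": there is no Message-ID to look up, which is the situation described above, and a sent-ID log cannot decide it either way. Only when the third part carries the original headers does the log turn the answer into "legitimate-bounce" or "backscatter". In a milter the envelope sender would come from the MTA (MIMEDefang's $Sender) rather than from a Return-Path header, and the sent-ID set would be fed from the outbound MTA's log.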