[Mimedefang] On pinheaded ISPs that insist on a copy of Spam

Jan-Pieter Cornet johnpc at xs4all.nl
Tue Jan 30 17:07:38 EST 2007


On Mon, Jan 29, 2007 at 02:58:53PM -0500, David F. Skoll wrote:
> Philip Prindeville wrote:
> > Simply saying, "One of your customers tried to spam me,
> > but I rejected it... here are the logs" isn't enough.  They
> > insist that I give them a copy of the message
> 
> I think that's perfectly reasonable.  If you are initiating a
> complaint against someone, it's up to you to preserve and present all
> of the evidence.

Just another note to underline the importance of this. You have to look
at this from the viewpoint of the abuse department. Especially, from the
viewpoint of the employee who's explaining to the disgruntled subscriber
who suddenly finds his internet gone and is told to extinguish viruses
from his machine (or network) and secure his setup. (This is assuming
the customer's machine is a zombie, which it usually is. You don't
find many real spammers these days, certainly not among our subscribers.)

At that moment, you need all the evidence that you can possibly
get. Just getting a single-line log message saying "I rejected this
spammer at IP #.#.#.#" isn't nearly good enough. It _might_ serve as a
statistic on the overall case if it's properly timestamped, but nothing
more than that.

On that matter, listings on even usually very reliable DNS blacklists
are not enough reason to disable a subscriber's internet connection.

If you truly want to help reduce the amount of spam sent by spamming
zombies, the best thing to do is set up a feedback loop with as many warm
bodies at big ISPs' abuse departments as you can find. You might have to
send stuff like ARF (See http://arf.wordtothewise.com/ ). But do
establish that contact with the abuse department first. If you have
a positive attitude, cooperative ISPs will usually value your
input, and you can ask for agreements like no passing of unmunged
headers to end-users, for example (to protect your spamtraps, if
any).

> Our commercial software, for example, collects all the envelope
> information, all of the headers, and the first 8kB of the message body
> and generates a complaint mail.  It also uses WHOIS to figure out who
> the best person to complain to is.  You then go in and edit the
> generated mail and recipient list as required, and hit "send".
> (Although we reject unwanted messages with a 5xx code, we do keep some
> info about them in a database, partly for the purpose of sending
> well-formed complaints.)

That sounds useful, especially keeping the first chunk of the body.
I might want to borrow that idea :)

Oh, on the subject of abuse contact addresses: it might be better to use
the abuse.net contacts database to determine the proper abuse contact;
it usually has a better contact address (and one that is more easily
parsed) than WHOIS. If you have a domain, like example.com, to contact
in abuse cases (e.g. as learned from reverse DNS), just do a DNS query
for "example.com.contacts.abuse.net": TXT records are contact addresses,
A records list the number of contacts, and HINFO tells you if the
contact is actually listed ("lookup") or if it just returns you the
default record ("default"). If you get the default it's likely best to
fall back to WHOIS info.

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
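As an added example (my own code, not MIMEDefang's and not from either poster), the two techniques discussed in the message above in working form: the abuse.net DNS lookup with a WHOIS fallback when the HINFO record says "default", and a complaint built as an ARF feedback report (RFC 5965) that keeps the envelope, the headers and only the first 8 kB of the body, as the commercial software is described as doing. The DNS answers and the spam message are constructed samples; the resolver is injectable so the block runs offline, and `dig_resolver` is a hypothetical real resolver that shells out to `dig +short`. That the A record encodes the contact count in its last octet is my assumption, since the post only says the A records "list the number of contacts".

```python
"""abuse.net contact lookup plus an ARF (RFC 5965) complaint builder.
Added example, not MIMEDefang code. DNS data and spam sample are constructed."""
import re
import subprocess
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText


def dig_resolver(name, rtype):
    """Hypothetical live resolver: `dig +short` (needs network and dig)."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, check=False).stdout
    return [ln.strip() for ln in out.splitlines() if ln.strip()]


def abuse_contacts(domain, resolve):
    """Query <domain>.contacts.abuse.net; resolve(name, rtype) -> list of str.
    TXT: contact addresses. HINFO: "lookup" if really listed, else "default".
    A: contact count, assumed here to be the last octet (127.0.0.N)."""
    name = domain.rstrip(".") + ".contacts.abuse.net"
    contacts = [t.strip('"') for t in resolve(name, "TXT")]
    hinfo = " ".join(resolve(name, "HINFO")).lower()
    a_records = resolve(name, "A")
    count = int(a_records[0].rsplit(".", 1)[-1]) if a_records else len(contacts)
    return {"contacts": contacts, "listed": "lookup" in hinfo, "count": count}


def choose_abuse_contacts(domain, resolve, whois_fallback):
    """abuse.net contacts when the domain is actually listed, else WHOIS."""
    info = abuse_contacts(domain, resolve)
    if info["listed"] and info["contacts"]:
        return info["contacts"]
    return whois_fallback(domain)


FAKE_DNS = {  # constructed answers for the offline demo, not real abuse.net data
    ("example.com.contacts.abuse.net", "TXT"): ['"abuse@example.com"', '"postmaster@example.com"'],
    ("example.com.contacts.abuse.net", "A"): ["127.0.0.2"],
    ("example.com.contacts.abuse.net", "HINFO"): ['"lookup"'],
    ("nowhere.invalid.contacts.abuse.net", "TXT"): ['"postmaster@nowhere.invalid"'],
    ("nowhere.invalid.contacts.abuse.net", "A"): ["127.0.0.1"],
    ("nowhere.invalid.contacts.abuse.net", "HINFO"): ['"default"'],
}


def fake_resolve(name, rtype):
    return FAKE_DNS.get((name, rtype), [])


SAMPLE_MESSAGE = (  # constructed rejected message, 16000-byte body
    b"Received: from zombie.example.com ([192.0.2.10]) by mx.example.org\r\n"
    b"From: <someone@example.com>\r\nTo: <me@example.org>\r\n"
    b"Subject: buy now\r\n\r\n" + b"BUY NOW " * 2000
)


def split_message(raw):
    """(headers, body) as text; latin-1 decoding is lossless for evidence."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    m = re.search(r"\n\n", text)
    return (text, "") if not m else (text[:m.start()], text[m.end():])


def build_arf_report(raw, reporter, recipients, source_ip, envelope_from, body_limit=8192):
    """multipart/report; report-type=feedback-report with the three ARF parts."""
    headers, body = split_message(raw)
    report = MIMEMultipart("report")
    report.set_param("report-type", "feedback-report")
    report["From"], report["To"] = reporter, ", ".join(recipients)
    report["Subject"] = "Abuse report for message from " + source_ip
    # Part 1: human-readable summary for the warm body at the abuse desk.
    report.attach(MIMEText("Mail from %s (envelope sender %s) was rejected as spam.\n"
                           "Headers and the first %d bytes of the body follow.\n"
                           % (source_ip, envelope_from, body_limit), "plain"))
    # Part 2: machine-readable feedback report fields.
    feedback = MIMENonMultipart("message", "feedback-report")
    feedback.set_payload("Feedback-Type: abuse\nUser-Agent: example-reporter/0.1\n"
                         "Version: 1\nSource-IP: %s\nOriginal-Mail-From: %s\n"
                         % (source_ip, envelope_from))
    report.attach(feedback)
    # Part 3: the evidence itself, body truncated so the report stays small.
    evidence = MIMENonMultipart("message", "rfc822")
    evidence.set_payload(headers + "\n\n" + body[:body_limit])
    report.attach(evidence)
    return report


def evidence_body(report):
    """Body text carried in the report's message/rfc822 part."""
    return report.get_payload()[2].get_payload().split("\n\n", 1)[1]


if __name__ == "__main__":
    to = choose_abuse_contacts("example.com", fake_resolve, lambda d: ["whois-abuse@" + d])
    print(build_arf_report(SAMPLE_MESSAGE, "abuse-reporter@example.org", to,
                           "192.0.2.10", "bounce@example.com").as_string())
```

Swap `fake_resolve` for `dig_resolver` (or a dnspython call) to query the real abuse.net zone; the rest of the flow, including the WHOIS fallback on a "default" HINFO answer, stays the same.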


