Wednesday, November 29, 2006

You've got Spam!

First let me say that I am blessed by having a really good spam system in place that removes 90% of the spam from my "Inbox". Right now I have over 4,000 pieces of junk in a temp folder automatically created for me on the mail server that I don't have to look at unless I want to see what I am missing. And that is not counting the thousands of emails that are so horrific they don't even get that far. As I say, I am blessed.

Okay but I still get spam and it makes me angry because those few stupid time wasters are now annoying little gnats! So I have this morning revenge tactic. I don't just get mad - I get active.

So I thought I should blog a primer!

SPAM Boot Camp!
Throughout this page the links are to additional resources.
Many are to Wikipedia, an excellent resource!



First Rule:
Know Your Email Headers!

What are email headers?

Email headers are the bits that carry the routing information of an email, the information required to get it from a workstation - to a mail server - to another mail server, and then on to the recipient.

How to view headers:
Each flavor of email software is different - so use the help files! Do a search in help for "headers" and if that comes up blank do a search for "view details".

What do email headers look like?

Here is an example of an email complete with headers:

The notes in parentheses (GREEN on the original page) are my notes to explain what things mean!

X-Persona: (only means it is coming to that organization)
Return-Path: ("supposedly" the sender - they are lying - this is forged)

Received: from 206.117.168.17 ([202.104.235.68])(FORGED IP address of the sender)

From sfxdbyzh@kendrakessel.com Tue Nov 28 22:32:12 2006

("supposedly" who it is from - but they are lying - this is forged)
Return-Path:

(this is forged too)
X-Spam-Flag: YES (My SPAM filters add all the X-Spam lines, shown in BLUE on the original page)
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on (I removed my mail server info here)
X-Spam-Level: SSSSSSSSSSSSSSS
(Oh yes - this is really SPAM, see all those S's)
X-Spam-Status: Yes, score=15.3 required=6.0 tests=BAYES_99, (Above a score of 6 I don't see it in my INBOX)
(Next are the first tests that caught this bad boy)
DATE_IN_FUTURE_12_24,EXTRA_MPART_TYPE,HTML_MESSAGE,RCVD_IN_DSBL,
(About the tests above:

DATE_IN_FUTURE_12_24 means:

When spammers put the date in the future it stays at the top of your email folder until the date passes
EXTRA_MPART_TYPE means it had extra servings of crap in the headers
HTML_MESSAGE means - SPAMMERS like to hide behind bold and big fonts to try and get your attention fast before you hit the trash button
RCVD_IN_DSBL means - well, go here to see specifics on this email: http://dsbl.org/listing?59.92.60.221 OR go here to see the explanation of why this got flagged: http://dsbl.org/sender
)
RCVD_IN_NJABL_PROXY,RCVD_IN_XBL autolearn=no version=3.1.0
(Above means the sender machine is an open proxy - either by design or a machine without a firewall that got hacked allowing it to spew this garbage - and autolearn=no just records whether SpamAssassin's Bayesian learning system trained itself on this message; here it did not)

The next report below is more of the same test and score information
X-Spam-Report:

* 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
* 2.8 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date
* 0.5 HTML_MESSAGE BODY: HTML included in message
* 4.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 1.0 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
* [<http://dsbl.org/listing?59.92.60.221>]

* 2.0 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
* [59.92.60.221 listed in combined.njabl.org]
* 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* [59.92.60.221 listed in sbl-xbl.spamhaus.org]

Received: from Media1 ([59.92.60.221]) (***** WOO HOO AN IP ADDRESS! ***** )

(I removed my mail server & ISP information here) with ESMTP id kAT6W2OY007001

for <my_email@my_domian.com>; Tue, 28 Nov 2006 22:32:06 -0800

Message-ID: <000b01c713f2$93378090$0e01a8c0@media1>

From: "vas"

To: "ellen"

Subject: ****SPAM**** Re: i think it is finally time

Date: Wed, 29 Nov 2006 12:11:37 -0800

MIME-Version: 1.0

Content-Type: multipart/related;

type="multipart/alternative";

boundary="----=_NextPart_000_0007_01C713F2.93378090"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 5.50.4522.1200

X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

X-Scanned-By: MIMEDefang 2.54 on 207.151.82.18

X-Spam-Prev-Subject: Re: i think it is finally time


Content-Type: text/plain;

Low Cost Prescription Drugs - Without a Prescription

Vicodix, Sona, Hydroxodine, Levitna, Valtrix & more


http://www.megodsdepotes.biz/pharmexopexplace
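
As an added example (my own script, not code from the original post), here is a small Python program that does the header reading described above: it unfolds the raw headers, walks the Received: chain bottom-up to find the first-hop IP to take to whois, flags a HELO name that claims a different IP from the one the receiving server recorded (the forgery noted above), and pulls the score and rule names out of X-Spam-Status. The sample headers are a constructed, trimmed copy of the ones shown; the receiving server name is a placeholder.

```python
import re
# Constructed sample: the Received: and X-Spam-Status lines from this post; server name is a placeholder.
SAMPLE_HEADERS = """\
Received: from 206.117.168.17 ([202.104.235.68])
    by my.mailserver.invalid with SMTP; Tue, 28 Nov 2006 22:32:12 -0800
X-Spam-Status: Yes, score=15.3 required=6.0 tests=BAYES_99,
    DATE_IN_FUTURE_12_24,EXTRA_MPART_TYPE,HTML_MESSAGE,RCVD_IN_DSBL,
    RCVD_IN_NJABL_PROXY,RCVD_IN_XBL autolearn=no version=3.1.0
Received: from Media1 ([59.92.60.221])
    by my.mailserver.invalid with ESMTP; Tue, 28 Nov 2006 22:32:06 -0800
"""

def unfold_headers(raw):
    """(name, value) pairs for the header block, with folded lines joined."""
    fields = []
    for line in raw.split("\n"):
        if not line.strip():
            break                                  # blank line ends the headers
        if line[0] in " \t" and fields:            # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

# "from <HELO name> ([<peer IP>])": the bracketed IP was recorded by the receiving server; the HELO name is whatever the sender claimed.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")

def received_hops(fields):
    """Received: lines in the order they appear (newest first), one per relay."""
    hops = []
    for name, value in fields:
        if name.lower() == "received" and (m := HOP_RE.search(value)):
            helo, ip = m.groups()
            forged = re.fullmatch(r"[\d.]+", helo) is not None and helo != ip  # IP-looking HELO != peer
            hops.append({"helo": helo, "ip": ip, "helo_forged": forged})
    return hops

def originating_ip(fields):
    # Bottom-most Received: line = first hop = the machine to look up in whois.
    return next((h["ip"] for h in reversed(received_hops(fields))), None)

def spam_status(fields):
    """Score, threshold and rule names from SpamAssassin's X-Spam-Status header."""
    for name, value in fields:
        if name.lower() == "x-spam-status":
            m = re.search(r"score=([\d.]+) required=([\d.]+) tests=(.*?)(?=\s+\w+=|$)", value)
            score, required = float(m.group(1)), float(m.group(2))
            return {"score": score, "required": required, "flagged": score >= required,
                    "tests": [t for t in re.split(r"[,\s]+", m.group(3)) if t]}
```

Run it against the real raw headers from your mail client to get the IP to paste into the whois search below.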


OKAY LET'S SLEUTH!

59.92.60.221 
That is the IP address above that made me say
(***** WOO HOO AN IP ADDRESS! ***** )
Let's find out who owns that machine!

Go to: http://www.arin.net/whois/

Copy and paste the number in the little search window and click the "Search WHOIS" button.
hmmm:
  Search results for: 59.92.60.221  

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 59.0.0.0 - 59.255.255.255
CIDR: 59.0.0.0/8
NetName: APNIC-59
NetHandle: NET-59-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2004-05-04
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2006-11-28 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Okay - so we need to go to the next whois:
http://www.apnic.net/apnic-bin/whois.pl

And when we do the look-up here we get:
inetnum:      59.88.0.0 - 59.99.255.255
netname: BSNLNET
descr: NIB (National Internet Backbone)
descr: Bharat Sanchar Nigam Limited
descr: Sanchar Bhawan,20, Ashoka Road, New Delhi-110001
country: IN
admin-c: NC83-AP
tech-c: CDN1-AP
status: ALLOCATED PORTABLE
remarks: Request for additional IP Addresses for NIB Phase-2
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-DOT
mnt-routes: MAINT-IN-DOT
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20040906
changed: hm-changed@apnic.net 20040906
source: APNIC
route:        59.92.48.0/20
descr: BSNL Internet
country: IN
origin: AS9829
mnt-lower: MAINT-IN-DOT
mnt-routes: MAINT-IN-DOT
mnt-by: MAINT-IN-AS9829
changed: routemaster@sancharnet.in 20060404
source: APNIC
role:         NS Cell
address: Internet Cell
address: Bharat Sanchar Nigam Limited
address: 8th Floor,148-B Statesman House
address: Barakhamba Road, New Delhi - 110 001
country: IN
phone: +91-11-23734057
phone: +91-11-23710183
fax-no: +91-11-23372252
e-mail: cgmdnw@sancharnet.in
e-mail: nib_abuse@sancharnet.in (**** THIS IS THE ABUSE EMAIL ADDRESS ****)
admin-c: CGMD1-AP
tech-c: DT197-AP
nic-hdl: NC83-AP
mnt-by: MAINT-IN-DOT
changed: dnwplg@sancharnet.in 20030120
source: APNIC
role:         CGM Data Networks
address: Lobby 1 , 4th Floor
address: Mahanagar Doorsanchar Sadan
address: 9 CGO Complex , Lodhi Road , New Delhi
country: IN
phone: +91-11-24326781
phone: +91-11-23737571
fax-no: +91-11-24326783
fax-no: +91-11-23737573
e-mail: cgmdnw@sancharnet.in
e-mail: dnwplg@sancharnet.in
e-mail: nib_abuse@sancharnet.in
admin-c: CGMD1-AP
tech-c: DT197-AP
tech-c: BH155-AP
nic-hdl: CDN1-AP
mnt-by: MAINT-IN-DOT
changed: dnwplg@sancharnet.in 20030120
source: APNIC
**********************************************************
SO WHAT NOW?

The Good NEWS:
We got some email addresses:
e-mail:       cgmdnw@sancharnet.in
e-mail: dnwplg@sancharnet.in
e-mail: nib_abuse@sancharnet.in
So I send them email and get back:
Date: Thu, 30 Nov 2006 00:06:52 +0530 (IST)
From: Internet Mail Delivery
Subject: Delivery Notification: Delivery has failed

Your message cannot be delivered to the following recipients:

Recipient address: @nppa.sancharnet.in:cgmdnw@sancharnet.in
Original address: cgmdnw@sancharnet.in
Reason: "Possible Virus Detected HMlfCrQg6L.gif"
Recipient address: @nppa.sancharnet.in:dnwplg@sancharnet.in
Original address: dnwplg@sancharnet.in
Reason: "Possible Virus Detected HMlfCrQg6L.gif"
Recipient address: @nppa.sancharnet.in:nib_abuse@sancharnet.in
Original address: nib_abuse@sancharnet.in
Reason: "Possible Virus Detected HMlfCrQg6L.gif"

Message rejected: Conversion failure.




The BAD NEWS:
We got some email addresses IN INDIA - dang!
OKAY - I have friends from India and they are wonderful people, and I mean no disrespect in my sorry exclamation.

The economic reality is that the people there are scrambling to make a living. Providing internet services as well as lame-ass call centers has provided jobs that pay well for those employed.
I cannot blame them for this - but I do not have to like it!