From: "Bob Frazier"
Newsgroups: alt.hackers
Subject: "no spam" obhack
Date: Thu, 11 Dec 1997 15:32:32 -0800
Organization: Disorganization
Lines: 16
Approved: HELL YES!
Message-ID: <66psnh$b88$1@prefetch.san.rr.com>
Reply-To: "Bob Frazier"
NNTP-Posting-Host: dt092n27.san.rr.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Keywords: no keywords
X-Newsreader: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
Path: ccw.ch!aetna.dolphins.ch!news.planetc.com!news-xfer.siscom.net!news.voicenet.com!news-peer.gip.net!news.gsl.net!gip.net!news.idt.net!nntp2.cerf.net!nntp3.cerf.net!newsfeed.san.rr.com!not-for-mail

I've come up with a way of combating SPAM, an 'obhack' for posting here.

I am the net administrator of the 'mrp3.com' domain. My e-mail address (in the header) is now . Any mail sent to THIS address will receive a file insisting that the entire 'mrp3.com' domain be REMOVED from mailing lists (among other stuff). If you want to try it, g'head and see.

The file also contains the text 'REMOVE' so 'bots' will auto-remove it (hopefully). And, the process DELETES the offending SPAM, but leaves a log entry in the server logs. THAT is probably enough in most cases.

My real "reply to" address has text inserted. Do the obvious to reply by email.

######

From: seebs@plethora.net (Peter Seebach)
Newsgroups: alt.hackers
Subject: Re: "no spam" obhack
Date: 12 Dec 1997 05:58:14 GMT
Organization: Plethora Internet
Lines: 31
Approved: seebs@plethora.net
Message-ID: <66qjpm$lr3$1@darla.visi.com>
References: <66psnh$b88$1@prefetch.san.rr.com>
NNTP-Posting-Host: herd.plethora.net
NNTP-Posting-Date: 11 Dec 1997 23:58:14 CST
Keywords: no keywords
X-Newsreader: trn 4.0-test60 (5 October 1997)
Path: ccw.ch!aetna.dolphins.ch!news.planetc.com!news-xfer.siscom.net!streamer1.cleveland.iagnet.net!iagnet.net!news-peer.gip.net!news.gsl.net!gip.net!cpk-news-hub1.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.bbnplanet.com!visi.com!not-for-mail

In article <66psnh$b88$1@prefetch.san.rr.com>, Bob Frazier wrote:
>I am the net administrator of the 'mrp3.com' domain. My e-mail address (in
>the header) is now . Any mail sent to THIS address will
>receive a file insisting that the entire 'mrp3.com' domain be REMOVED from
>mailing lists (among other stuff). If you want to try it, g'head and see.

Wouldn't it be easier to parse the headers and throw them in filters? Maybe with some logic to mark relay domains for unbanning in three days, or something.

>The file also contains the text 'REMOVE' so 'bots' will auto-remove it
>(hopefully).

Nope. All known spamware will immediately treat this as a 'confirm'.

>And, the process DELETES the offending SPAM, but leaves a log
>entry in the server logs. THAT is probably enough in most cases.

That will help.

We currently block by IP, domain name, and suspicious header text. It gets rid of a lot of spam... But the absolute best is still refusing mail from sites with bad DNS.

-s
-- 
seebs@plethora.net -- I am not speaking for my employer. Copyright '97
All rights reserved. This was not sent by my cat.
C and Unix wizard - send mail for help, or send money for a consultation.
Visit my new ISP --- More Net, Less Spam! Plethora . Net

######

From: stock@dirac.infomagic.nl (Robert M. Stockmann)
Newsgroups: alt.hackers
Subject: Re: "no spam" obhack
Date: 14 Dec 1997 04:36:05 GMT
Organization: Infomagic Nederland VOF
Sender: usenet@infomagic.nl (Usenet News)
Approved: stock@fermi.infomagic.nl
Message-ID:
NNTP-Posting-Host: i000.gor.euronet.nl
X-Newsreader: TIN [version 1.2 PL2]
X-Nntp-Posting-Host: dirac.infomagic.nl
Lines: 49
Path: ccw.ch!aetna.dolphins.ch!news.planetc.com!leto.ou.edu!news.ecn.uoknor.edu!news.ysu.edu!usenet.INS.CWRU.Edu!vncnews!HSNX.wco.com!nntp.csuchico.edu!newshub.csu.net!zdc!super.zippo.com!lotsanews.com!su-news-hub1.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.bbnplanet.com!news.maxwell.syr.edu!dispose.news.demon.net!demon!bullseye.news.demon.net!demon!news2.euro.net!news.euro.net!fermi.infomagic.nl!stock

Peter Seebach <66qjpm$lr3$1@darla.visi.com> wrote:
> In article <66psnh$b88$1@prefetch.san.rr.com>,
> Bob Frazier wrote:
> >I am the net administrator of the 'mrp3.com' domain. My e-mail address (in
> >the header) is now . Any mail sent to THIS address will
> >receive a file insisting that the entire 'mrp3.com' domain be REMOVED from
> >mailing lists (among other stuff). If you want to try it, g'head and see.
>
> Wouldn't it be easier to parse the headers and throw them in filters?
> Maybe with some logic to mark relay domains for unbanning in three days,
> or something.
>
> >The file also contains the text 'REMOVE' so 'bots' will auto-remove it
> >(hopefully).
>
> Nope. All known spamware will immediately treat this as a 'confirm'.
>
> >And, the process DELETES the offending SPAM, but leaves a log
> >entry in the server logs. THAT is probably enough in most cases.
>
> That will help.
>
> We currently block by IP, domain name, and suspicious header text. It
> gets rid of a lot of spam... But the absolute best is still refusing mail
> from sites with bad DNS.

The best thing to do is to only allow registered MX sites, and block the bad domains from that. The goodies can be found on http://www.sendmail.org .

I like the anti-SPAM m4 kit best:
http://www.informatik.uni-kiel.de/%7Eca/email/check.html

Robert
-- 
++---------------------------++----------------------------------------++
|| R.M. Stockmann            || InfoMagic Nederland VOF                ||
|| stock@infomagic.nl        || Unix administration & support          ||
|| http://www.infomagic.nl   || The Netherlands                        ||
++---------------------------++----------------------------------------++
250-Linux: A copylefted Unix-like operating system for 80[3456]86,
250- DEC Alpha, Sun SPARC, Sun UltraSPARC, Motorola 68k,
250- PowerPC/PowerMac, ARM, Mips R[3,4]x00, Fujitsu AP/1000+
250- and more to come.

######

From: fenris@ulfheim.frob.ml.org (Michael Driscoll)
Newsgroups: alt.hackers
Subject: Re: "no spam" obhack
Date: 14 Dec 1997 09:17:35 GMT
Organization: FFW/CA
Lines: 31
Approved: yes
Message-ID:
References:
Reply-To: fenris@nospam.frob.ml.org
NNTP-Posting-Host: morgan009-reshalls.mines.edu
Old-NNTP-Posting-Host: morgan009-reshalls.mines.edu
X-Newsreader: slrn (0.9.3.2 UNIX)
Old-Xref: ulfheim.frob.ml.org alt.hackers:251
Path: ccw.ch!aetna.dolphins.ch!news.planetc.com!news-xfer.siscom.net!204.186.0.13.MISMATCH!ptdnetP!newsgate.ptd.net!fastnet!howland.erols.net!cpk-news-hub1.bbnplanet.com!su-news-hub1.bbnplanet.com!news.bbnplanet.com!csn!nntp-xfer-1.csn.net!herald.Mines.EDU!ulfheim.frob.ml.org!fenris

In article , Robert M. Stockmann wrote:
>I like the anti-SPAM m4 kit best :
>
>http://www.informatik.uni-kiel.de/%7Eca/email/check.html

One word: Teergrube. See http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html for details on a very cool SMTP anti-spam hack.

BTW, has anyone else noticed the translation facilities now available at altavista? (http://babelfish.altavista.digital.com/) I tried piping a few sites of mine into languages I knew and the translation seemed very good! A few months ago somebody sent me some mail in German (which I don't know) and I finally got it translated using babelfish :-)

ObCheesySocialHack: "Reserved" a terminal in the library by turning on the key-click function of the terminal. Was still usable, just made people using it feel self-conscious. Since I seem to be the only person who knows how to get into the configuration of these ADMs the terminal will pretty much stay empty until I return to it, turn off the key-click, and use it.

Thanks to mendel on EFNet #unix for the idea.

Mike
-- 
---.--   Thinking of Maud you forget everything else.--More--
|{....   Michael Driscoll
|.d.@|   ------ sXe

######

From: Eli the Bearded
Newsgroups: alt.hackers,alt.fan.e-t-b
Subject: Re: "no spam" obhack
Date: 16 Dec 1997 21:11:47 GMT
Organization: Some absurd concept
Lines: 75
Approved:
Message-ID:
References:
X-Files: Used for sharpening claws and teeth on your hawk and hacksaw
X-From-Notes: This is sent from a valid but tagged return address. Failure to include an "Re:" in the subject will get you ignored.
X-US-Congress: Moronic Fucks.
X-Attribution: EtB
X-Face: meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow meow
X-Usenet-II: Because it is time for October.
Path: ccw.ch!aetna.dolphins.ch!news.planetc.com!leto.ou.edu!news.ecn.uoknor.edu!news.eng.convex.com!cs.utexas.edu!news.maxwell.syr.edu!news.alt.net!qz!not-for-mail

Robert M. Stockmann wrote:
> Peter Seebach <66qjpm$lr3$1@darla.visi.com> wrote:
> > Bob Frazier wrote:
> > >I am the net administrator of the 'mrp3.com' domain. My e-mail address (in
> > >the header) is now . Any mail sent to THIS address will
> > >receive a file insisting that the entire 'mrp3.com' domain be REMOVED from
> > >mailing lists (among other stuff). If you want to try it, g'head and see.

Man, what a broken smtpd you have got. I tried to VRFY that address and got "500 Command not recognized". "252 Cannot VRFY" is one thing, but not even knowing the command is another. What are you using there? So I tried "mail from: " and got "501 syntax error". I did a "rset" which gave me a "250 ok" and tried varying the case but I could not get it to begin to take mail from me. For fun I typed "help" and noticed that you list a topic "REST". Maybe you ran a spellchecker over "RSET"?

> > Wouldn't it be easier to parse the headers and throw them in filters?
> > Maybe with some logic to mark relay domains for unbanning in three days,
> > or something.

Headers are forged so often that you'd have to have a parser with "horse sense" which seems very unlikely.

> > >The file also contains the text 'REMOVE' so 'bots' will auto-remove it
> > >(hopefully).
> > Nope. All known spamware will immediately treat this as a 'confirm'.

A valid address is all the spam middlemen promise their customers. If you get replies, you know it is valid.

> > >And, the process DELETES the offending SPAM, but leaves a log
> > >entry in the server logs. THAT is probably enough in most cases.
> > That will help.

Makes diagnosing errors so much more fun!

> > We currently block by IP, domain name, and suspicious header text. It
> > gets rid of a lot of spam... But the absolute best is still refusing mail
> > from sites with bad DNS.
> The best thing to do is to only allow registered MX sites, and block
> the bad domains from that.

Uh, isn't there a fallback in there? If no MX, use the A record or some such?

> 250-Linux: A copylefted Unix-like operating system for 80[3456]86,
> 250- DEC Alpha, Sun SPARC, Sun UltraSPARC, Motorola 68k,
> 250- PowerPC/PowerMac, ARM, Mips R[3,4]x00, Fujitsu AP/1000+
> 250- and more to come.

Uh, the last line of a multiline response is not supposed to have a "-" after the number.

Small ObHack1:

Added a line:

HX-QZ-To: $u

To my sendmail.cf in the header format section. This allows me to know the envelope recipient of a message reliably (the "for" clause in the Received header is not reliable). I deliberately did not use the semi-standard "X-Envelope-To:" so as not to have "^TO" in procmail catch it.

Small ObHack2:

Installed the 'discard' service on port 119 of my new box so open newsserver probers get hung up on it. I considered chargen, but decided I'd rather not waste the bandwidth. (I limited my choices to inetd "internal" services so as not to use up too much resources on this.)

Elijah
------
is having fun with sendmail

######

From: fenris@ulfheim.frob.ml.org (Michael Driscoll)
Newsgroups: alt.hackers,alt.fan.e-t-b
Subject: Re: "no spam" obhack
Date: 16 Dec 1997 22:27:08 GMT
Organization: FFW/CA
Lines: 34
Approved: yes
Message-ID:
References:
Reply-To: fenris@nospam.frob.ml.org
NNTP-Posting-Host: morgan009-reshalls.mines.edu
Old-NNTP-Posting-Host: morgan009-reshalls.mines.edu
X-Newsreader: slrn (0.9.3.2 UNIX)
Old-Xref: ulfheim.frob.ml.org alt.hackers:255
Path: ccw.ch!aetna.dolphins.ch!news.planetc.com!atl-news-feed1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.internetmci.com!199.117.161.1!csn!nntp-xfer-1.csn.net!herald.Mines.EDU!ulfheim.frob.ml.org!fenris

In article , Eli the Bearded wrote:
>Small ObHack2:
>
>Installed the 'discard' service on port 119 of my new box so open
>newsserver probers get hung up on it. I consider chargen, but decided
>I'd rather not waste the bandwidth. (I limited my choices to inetd
>"internal" services so as not to use up too much resources on this.)

For this to work well you need to start inserting your hostname into the Path: header of your outgoing posts. This is how a lot of nntp scum finds new servers to exploit, and doing this will be a nntp probe magnet.

For example, only a few hours after my personal newsserver exported its first post, I got a connection from an external host on 119. I was surprised to say the least at how fast it showed up, but by now I'm used to it.

ObHack: My kludgy NNTP setup. I get my news from the campus server but of course it doesn't recognize the computer in my dorm as one of its feeds :-) So I used suck and rpost to kludge two-way communication. Yes, I know there are howtos and docs that tell one how to do this but I actually arrived at this solution independently (having already had suck/rpost installed on the system).

NextHack: finagling a bofh.* feed out of someone :-)

Mike
-- 
---.--   Thinking of Maud you forget everything else.--More--
|{....   Michael Driscoll
|.d.@|   ------ sXe

######

From: set-usenet-882320006@reality.samiam.org (Sam Trenholme)
Newsgroups: alt.hackers,alt.fan.e-t-b
Subject: Re: "no spam" obhack
Date: 17 Dec 1997 00:53:40 GMT
Organization: Linux reality.samiam.org 2.0.32 #1 Sun Nov 16 1997 i686 unknown
Lines: 27
Approved: By the regents of the University of California, Santa Cruz
Message-ID: <6777qk$rpb@news9.noc.netcom.net>
References:
NNTP-Posting-Host: reality.samiam.org
X-NETCOM-Date: Tue Dec 16 6:53:40 PM CST 1997
Path: ccw.ch!aetna.dolphins.ch!news.planetc.com!atl-news-feed1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!howland.erols.net!ix.netcom.com!reality.samiam.org!set

>For example, only a few hours after my personal newsserver exported
>its first post, I got a connection from an external host on 119. I was
>surprised to say the least at how fast it showed up, but by now I'm used
>to it.

Oh boy, tell me about it:

Dec 14 13:22:40 reality abacus_sentry[2073]: attackalert: Connect from host: 194.162.167.136 to TCP port: 119
Dec 14 13:27:48 reality abacus_sentry[2073]: attackalert: Connect from host: 194.162.167.132 to TCP port: 119
Dec 14 13:32:19 reality abacus_sentry[2073]: attackalert: Connect from host: 194.162.167.132 to TCP port: 119
Dec 15 05:07:39 reality abacus_sentry[2073]: attackalert: Connect from host: 208.254.142.245 to TCP port: 119

This is just from the last two days. Why are people so much more eager to look for an open NNTP port than they used to be?

OK, now I need an ObHack: Using qmail dash expansions to spam filter my email address, while making it one where people can easily reply to my postings.

- Sam
-- 
"You can...turn sadness into laughter" -- Sunscreem, _Love_U_More_
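Two of Eli's observations earlier in the thread come down to the same thing: how an SMTP client reads reply lines. Every line of a reply starts with the same three-digit code, continuation lines use "NNN-" and only the final line uses "NNN " with a space, so a greeting that ends on a "250-" line (the one quoted from Stockmann's signature) never terminates, and "252 Cannot VRFY" and "500 Command not recognized" are different answers to VRFY. The following is an added example, not code from the thread or from any of the posters: a reply parser that implements the multi-line rule and a small classifier for what a VRFY reply actually gives away. The names parse_reply, classify_vrfy, Reply and ReplyError are mine; the reply texts are taken from the thread, and the "250 Bob" line in the usage is made up.

```python
"""SMTP reply parsing per RFC 5321 section 4.2.1.  Added example, not code
from the thread.  Continuation lines are "NNN-", the terminating line is
"NNN " (space); a reply whose last line is "250-" is incomplete and a
conforming client keeps waiting for more."""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")


class ReplyError(ValueError):
    """Raised for text an SMTP client cannot interpret as a reply."""


@dataclass
class Reply:
    code: int
    lines: list = field(default_factory=list)
    complete: bool = False  # True once the "NNN " terminating line is seen


def parse_reply(raw: str) -> Reply:
    """Parse one (possibly multi-line) reply; CRLF or LF line endings.

    Returns complete=False if the text ran out before a terminating
    "NNN " line, which is exactly the "250-" last-line defect."""
    reply = None
    for ln in raw.splitlines():
        if not ln:
            continue
        m = LINE_RE.match(ln)
        if m is None:
            raise ReplyError(f"malformed reply line: {ln!r}")
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if reply is None:
            reply = Reply(code)
        elif reply.complete:
            raise ReplyError("data after the terminating line")
        elif code != reply.code:
            raise ReplyError(f"code changed mid-reply: {reply.code} -> {code}")
        reply.lines.append(text)
        if sep == " ":
            reply.complete = True
    if reply is None:
        raise ReplyError("empty reply")
    return reply


def classify_vrfy(reply: Reply) -> str:
    """What a VRFY reply tells the caller about the mailbox.

    250/251  server confirmed it (the 'valid address' a spammer wants)
    252      server declines to verify but will accept mail (RFC 5321
             section 3.5.3); reveals nothing
    550/553  no such mailbox
    500/502  server does not know or implement VRFY at all (Eli's case)"""
    if not reply.complete:
        return "incomplete"
    if reply.code in (250, 251):
        return "valid"
    if reply.code == 252:
        return "unknown"
    if reply.code in (550, 553):
        return "invalid"
    if reply.code in (500, 502):
        return "unsupported"
    return "other"


# The reply from Stockmann's signature as a client would receive it:
# four continuation lines and no terminating "250 " line.
TRUNCATED_GREETING = (
    "250-Linux: A copylefted Unix-like operating system for 80[3456]86,\r\n"
    "250- DEC Alpha, Sun SPARC, Sun UltraSPARC, Motorola 68k,\r\n"
    "250- PowerPC/PowerMac, ARM, Mips R[3,4]x00, Fujitsu AP/1000+\r\n"
    "250- and more to come.\r\n"
)

if __name__ == "__main__":
    r = parse_reply(TRUNCATED_GREETING)
    print("complete:", r.complete, "lines:", len(r.lines))
    print(classify_vrfy(parse_reply("252 Cannot VRFY user\r\n")))
    print(classify_vrfy(parse_reply("500 Command not recognized\r\n")))
    print(classify_vrfy(parse_reply("250 Bob <bob@example.invalid>\r\n")))
```

The parser refuses a reply whose code changes between lines rather than guessing, because a client that silently resynchronises on such input is the kind that can be desynchronised on purpose.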
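As an added example (not Sam's code, nor anything from PortSentry itself), here is detection logic run over the abacus_sentry lines Sam posted above: parse the "attackalert" records, count hits per source, roll them up per /24 so that two different addresses from one netblock show up as a sweep, and emit a deny list. The four log lines are copied from the post; the year 1997 is an assumption taken from the Date: header, since syslog lines carry none, and the function names are mine.

```python
"""Triage of abacus_sentry (PortSentry) 'attackalert' lines.  Added example,
not Sam's code.  SAMPLE_LOG is copied from the post; the year is an
assumption taken from the Date: header because syslog lines carry none."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Dec 14 13:22:40 reality abacus_sentry[2073]: attackalert: Connect from host: 194.162.167.136 to TCP port: 119
Dec 14 13:27:48 reality abacus_sentry[2073]: attackalert: Connect from host: 194.162.167.132 to TCP port: 119
Dec 14 13:32:19 reality abacus_sentry[2073]: attackalert: Connect from host: 194.162.167.132 to TCP port: 119
Dec 15 05:07:39 reality abacus_sentry[2073]: attackalert: Connect from host: 208.254.142.245 to TCP port: 119
"""

ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"abacus_sentry\[\d+\]: attackalert: Connect from host: (?P<src>\S+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)


def parse_alerts(text, year=1997):
    """Return (timestamp, source, proto, port) for every attackalert line;
    other syslog lines are skipped."""
    events = []
    for ln in text.splitlines():
        m = ALERT_RE.match(ln)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"], int(m["port"])))
    return events


def summarize(events):
    """Per-source hit count, ports touched, and first/last time seen."""
    out = {}
    for ts, src, _proto, port in events:
        e = out.setdefault(src, {"hits": 0, "ports": set(), "first": ts, "last": ts})
        e["hits"] += 1
        e["ports"].add(port)
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
    return out


def by_network(events, prefix=24):
    """Hits per /prefix: shows a sweep from one netblock even when each
    individual address connected only once."""
    nets = defaultdict(int)
    for _ts, src, _proto, _port in events:
        try:
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        except ValueError:
            continue  # logged as a hostname, not an address; not aggregated
        nets[str(net)] += 1
    return dict(nets)


def deny_list(events, min_hits=2, watched_ports=(119,)):
    """Sources to block: repeat offenders, plus anything that touched a
    watched port even once (a probe of 119 on a personal box has no
    innocent explanation)."""
    return sorted(
        src for src, e in summarize(events).items()
        if e["hits"] >= min_hits or e["ports"] & set(watched_ports)
    )


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_LOG)
    for src, e in summarize(evs).items():
        print(f"{src:16} hits={e['hits']} ports={sorted(e['ports'])} "
              f"{e['first']:%b %d %H:%M} .. {e['last']:%b %d %H:%M}")
    print(by_network(evs))
    print("deny:", deny_list(evs))
```

On Sam's four lines this reports 194.162.167.132 twice and 194.162.167.136 once, but the /24 view shows three hits from 194.162.167.0/24 within ten minutes, which is the signal that a per-host threshold alone would miss.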