[SpamCop-List] Re: How to spam with impunity, in 5 easy steps.
John Malmberg
a at all.addresses.on.cdrom.are.invalid.aaa
Mon Jan 19 19:40:48 EST 2004
[H]omer wrote:
> This isn't new, but it is becoming more popular with spammers.
>
> 1) ... Collect a list of dead addresses [dead(x)] which bounce.
> 2) ... Collect/buy/harvest a list of confirmed live addresses [live(y)].
> 3) ... Set the "Reply-To:/Return-Path:" to victim #n in list #2.
> 4) ... Send spam To: dead(rand), From: live(n).
> 5) ... n=n+1, Goto 3
>
> No SpamCop reports, since you can't report bounces, and it's "mission
> accomplished" for the spammers, since their junk is delivered by all those
> nice mailer-daemons.

I manually lart any bounces that are from mail that I did not send, and
came from a mail server that did not originate the SMTP part of the e-mail.
It usually stops the spew and the worm poop. In the one case it did
not, the postmaster for the e-mail account took action and configured
their mail server to respond with 550 to all worm poop.

> If this tactic becomes more widespread, we (the victims) are going to be
> even more helpless than we are already, so I believe there is now an
> urgent need to adopt a more pro-active (and hopefully automated) method
> for dealing with it. It has escalated beyond the "it's only a Joe-Job -
> ride out the storm" level.

If you will look on news.admin.net-abuse.blocklisting there appears to
be a DNSbl that lists abusive hosts that may do what you are looking
for, the AHBL.
I do not think it presents the data in a format that I would think is
more useful.
127.x.0.z where z is encoded for the abuse that is coming from the I.P.
address.
x would be the number of days that the abuse had been occurring, a max
of 255 for infinity.
z & 1 = the I.P. address is sending direct to MX virms.
z & 2 = the I.P. address is a real mail server sending virms.
z & 4 = the mail server is bouncing virms.
z & 8 = the mail server is sending bogus virus notices.
z & 16 = the mail server is bouncing spam to new victims.
z & 32 = the mail server is bouncing complaints about its abuse.
z & 64 = Mail server operator responding with cartooneys.
Maybe you can contact the operator of the AHBL on that n.a.n-a.b to see
if they can add this to their list.
-John
wb8tyw at qsl.network
Personal Opinion Only
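
The 127.x.0.z return code proposed in the message above can be decoded on the receiving side as follows. This is an added example, not part of the original post and not the AHBL's actual format; the zone name `dnsbl.example`, the rejection of bit 128 and of z = 0, and the choice of bits 4 and 16 as "backscatter" are assumptions made for illustration.

```python
import ipaddress

# Bit meanings for z, taken from the list in the post.
FLAGS = {
    1: "sending direct-to-MX virms",
    2: "real mail server sending virms",
    4: "bouncing virms",
    8: "sending bogus virus notices",
    16: "bouncing spam to new victims",
    32: "bouncing complaints about its abuse",
    64: "operator responding with cartooneys",
}
BACKSCATTER = 4 | 16  # assumption: the bits that indicate bounces to forged senders


def query_name(ip, zone="dnsbl.example"):
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode(answer):
    """Decode a 127.x.0.z A record; return None if it does not fit the scheme."""
    try:
        a, x, c, z = ipaddress.IPv4Address(answer).packed
    except ValueError:
        return None
    # Assumption: bit 128 is unassigned and z == 0 carries no listing reason.
    if a != 127 or c != 0 or z == 0 or z & 0x80:
        return None
    return {
        "days": None if x == 255 else x,  # 255 stands for "infinity"
        "abuse": [name for bit, name in FLAGS.items() if z & bit],
        "bits": z,
    }


def is_backscatter_source(answer):
    """True when the listing says the host bounces virms or spam to third parties."""
    listing = decode(answer)
    return listing is not None and bool(listing["bits"] & BACKSCATTER)


if __name__ == "__main__":
    # Constructed sample answers, not real DNSBL data.
    for sample in ("127.3.0.20", "127.255.0.1", "127.0.0.128"):
        print(sample, decode(sample), is_backscatter_source(sample))
```
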