[SpamCop-List] Re: Why can't I blacklist this?

Godwin Stewart gstewart at loopback.sgms-centre.com
Mon Jan 26 12:05:13 EST 2004


On Sun, 25 Jan 2004 22:44:02 -0800, Bud wrote:

> After processing and reporting, I go back into MW to blacklist and I'm
> told that can't be done for lack of a 'from'. I've been getting a few of
> these lately. I see a 'from'. No?  SC had no problem finding someone to
> report to. Somebody gimme a gentle hand here.

First of all, *NEVER* post to usenet using an unmunged e-mail address.
Remember that spammers also can follow these newsgroups and will pick up
the address with which you post. Not to mention viruses which trawl
through newsgroups looking for addresses, which is why I munged an e-mail
address which appears in one of the "Received:" headers.

The "From:" header is trivial to forge and spammers routinely do so.
Therefore, building a blocking rule on a header abused in such a way
doesn't make sense, and this is why SC doesn't even bother looking for one.

SC determines the reporting address from the "Received:" headers in the
spam since, up to a certain point, they cannot be forged trivially.
Looking in the example you submitted (and cleaning them up...):

Received: from r1b8p38.ppp.smu.edu ([129.119.252.143]) by
          priv-edtnes53.telusplanet.net
          (InterMail vM.6.00.05.02 201-2115-109-103-20031105) with SMTP id
          <20040126052100.YZQH9713.priv-edtnes53.telusplanet.net at r1b8p38.ppp.smu.edu>;
          Sun, 25 Jan 2004 22:21:00 -0700
Received: from [82.201.242.104] by r1b8p38.ppp.smu.edu with ESMTP id
          97678566 for <munged#telus,net>; Mon, 26 Jan 2004 12:10:00 -0400

The topmost header (which is the last in the chain, they are read from the
bottom upwards) suggests that a machine called r1b8p38.ppp.smu.edu at IP
address 129.119.252.143 delivered the message to your ISP.

The next one down (i.e. the one added earlier to the headers) suggests
that a machine at IP address 82.201.242.104 handed it off to
r1b8p38.ppp.smu.edu. This one is a forgery added by the spammer to throw
non-clued-up parsers off the scent.

Look at the dates. The topmost header, the real one, was added at 22:21:00
-0700 on Sunday, 25 Jan 2004. Converting that to UTC, that's 05:21:00 on
Monday, 26 Jan 2004. The forged header was "added" at 12:10:00 -0400 on
Monday, 26 Jan 2004. In UTC that's 16:10:00 the same day. Although not
impossible, it's highly doubtful that a legitimate server in a mail
delivery chain would hang onto a piece of mail for nearly 11 hours before
forwarding it or that an ISP's clock is that far out of whack.

Secondly, the host which delivered the mail to your ISP gave a hostname of
r1b8p38.ppp.smu.edu. The "ppp" in it immediately brings to mind "Point to
Point Protocol", which suggests that it's a dialup connection. Unless
someone has a misconfigured box, they shouldn't be running an open mail
relay on a dialup connection.

DNS tallies in both directions, so no forgery took place there:

$ host r1b8p38.ppp.smu.edu
r1b8p38.ppp.smu.edu has address 129.119.252.143

$ host 129.119.252.143
143.252.119.129.in-addr.arpa domain name pointer r1b8p38.ppp.smu.edu.

So, we have to find out who to complain to about this machine.
abuse.net says this:

$ whois -h whois.abuse.net r1b8p38.ppp.smu.edu | sed 's#@#_at_#'
postmaster_at_r1b8p38.ppp.smu.edu (default, no info)
postmaster_at_ppp.smu.edu (default, no info)
postmaster_at_smu.edu (default, no info)

Not a lot of help. It would appear that they have no records. So, who is
smu.edu?

Domain Name: SMU.EDU

Registrant:
   Southern Methodist University
   6185 Airline Drive
   Dallas, TX 75275-0262
   UNITED STATES

Contacts:

   Administrative Contact:
   R. Bruce Meikle
   Southern Methodist University
   6185 Airline Dr.
   Dallas, TX 75275
   UNITED STATES
   (214) 768-3471
   rbm#smu,edu


   Technical Contact:
   Same as above

Name Servers:
   PONY.CIS.SMU.EDU     129.119.64.10
   SEAS.SMU.EDU         129.119.3.2
   XPONY.SMU.EDU        129.119.64.8

Domain record activated:    31-Aug-1987
Domain record last updated: 12-Jan-2004


I'd write to Rev. Bruce Meikle at rbm#smu,edu to let him know that his
machine has been 0wn3d and is being used to spray spam all over the world.

http://www.spamcop.net/sc?track=129.119.252.143

SC sticks with the postmaster@ approach, and indeed a quick telnet session
confirms that the address does exist (as it should) but it doesn't confirm
that it's read.

-- 
G. Stewart  --  s/loopback\.// to reply  --  Remember: TINLC
---------------------------------------------------------------
Light travels faster than sound. That is why some people appear
bright until you hear them speak.
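The header-chain reasoning in the post above (read "Received:" lines bottom-up, convert every timestamp to UTC, treat a hop that claims to have handled the mail hours *after* the next relay stamped it as forged, and take the topmost header's source IP as the host to report) can be done mechanically. The following Python script is an added example, not code from the post or from SpamCop; the two headers are the ones quoted in the post, unfolded onto one line each, and the regular expression, the one-hour clock tolerance and the dialup-hostname hints are assumptions made for this example.

```python
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample input: the two "Received:" headers quoted in the post,
# unfolded onto one line each, topmost (most recently added) first.
SAMPLE_RECEIVED = [
    "from r1b8p38.ppp.smu.edu ([129.119.252.143]) by priv-edtnes53.telusplanet.net "
    "(InterMail vM.6.00.05.02 201-2115-109-103-20031105) with SMTP id "
    "<20040126052100.YZQH9713.priv-edtnes53.telusplanet.net at r1b8p38.ppp.smu.edu>; "
    "Sun, 25 Jan 2004 22:21:00 -0700",
    "from [82.201.242.104] by r1b8p38.ppp.smu.edu with ESMTP id 97678566 "
    "for <munged#telus,net>; Mon, 26 Jan 2004 12:10:00 -0400",
]

# "from <helo> ([<ip>]) ... by <host>": a simplified shape of the SMTP trace
# field, enough for the headers above (assumption: real headers vary widely).
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\(\[?(?P<ip>\d+(?:\.\d+){3})\]?\))?.*?\bby\s+(?P<by>\S+)",
    re.S,
)

# Heuristic hostname labels, extending the post's "ppp" remark (assumption).
DIALUP_HINTS = ("ppp", "dialup", "dial", "dyn")


def parse_hop(header):
    """Return helo name, IP, receiving host and UTC timestamp of one Received: header."""
    m = HOP_RE.search(header)
    if m is None:
        raise ValueError("unparseable Received header: %r" % header)
    helo, ip, by = m.group("helo"), m.group("ip"), m.group("by")
    if ip is None and helo.startswith("[") and helo.endswith("]"):
        ip = helo[1:-1]  # "from [1.2.3.4]" carries only an address literal
    date_str = header.rsplit(";", 1)[-1].strip()  # the date follows the last ';'
    when = parsedate_to_datetime(date_str).astimezone(timezone.utc)
    return {"helo": helo, "ip": ip, "by": by, "utc": when}


def looks_like_dialup(hostname):
    """True if any DNS label of the name starts with a dialup-style hint."""
    return any(label.startswith(DIALUP_HINTS) for label in hostname.lower().split("."))


def analyse_chain(received, tolerance=timedelta(hours=1)):
    """Walk the chain oldest-hop-first and flag hops whose claimed timestamp lies
    after the timestamp of the relay that received the message from them by
    more than `tolerance` (mildly skewed clocks are normal; hours are not).
    Returns (ip_to_report, findings)."""
    hops = [parse_hop(h) for h in reversed(received)]  # bottom of the header block first
    findings = []
    for older, newer in zip(hops, hops[1:]):
        transit = newer["utc"] - older["utc"]  # time spent between the two stamps
        if transit < -tolerance:
            findings.append({
                "kind": "clock-inconsistent",
                "hop": older,
                "transit": transit,
                "note": "hop from %s claims a time %s after the next relay stamped it; "
                        "likely forged" % (older["helo"], -transit),
            })
    # The topmost header was added by the recipient's own ISP, so its 'from' host
    # is the last hop that can be trusted and the one worth reporting.
    trusted = hops[-1]
    if looks_like_dialup(trusted["helo"]):
        findings.append({
            "kind": "dialup-relay",
            "hop": trusted,
            "note": "delivering host %s looks like a dialup/PPP address" % trusted["helo"],
        })
    return trusted["ip"], findings


if __name__ == "__main__":
    ip, found = analyse_chain(SAMPLE_RECEIVED)
    print("report to the operator of", ip)
    for f in found:
        print("-", f["note"])
```

On the sample headers the script reports 129.119.252.143 as the address to complain about, flags the lower header because its stamp is 10:49 later than the stamp of the relay it supposedly handed the mail to, and notes the "ppp" label in the delivering hostname. The forward/reverse DNS check the post performs with `host` is deliberately left out so the example runs offline; it belongs in the same place as the dialup heuristic once a resolver is available.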