Who sent me this spam?

 
 
Howard
Guest
Posts: n/a
 
      07-28-2003
Hi All,

I've been reviewing the antispam measures recommended recently in this
group and on /., namely

Spampal
SAProxy (Spam Assassin) and
Trustic.

Setting up these services has taught me a lot about email message headers and
how to read them, but some of them get complicated when the spammers fake
the headers. I have copied below one of the more dastardly ones, with my
analysis. Can anyone confirm whether my analysis is correct?

01. Return-Path: <>
02. Received: from mta6-rme.xtra.co.nz ([210.86.15.141]) by
mta203-rme.xtra.co.nz
03. with ESMTP id
<20030727185653.DIEQ1938.mta203->;
04. Mon, 28 Jul 2003 06:56:53 +1200
05. Received: from [203.96.92.132] ([202.181.232.156]) by
mta6-rme.xtra.co.nz
06. with SMTP id
<20030727185649.GSAB22334.mta6-rme.xtra.co.nz@[203.96.92.132]>;
07. Mon, 28 Jul 2003 06:56:49 +1200
08. Received: from [182.72.99.61] by 203.96.92.132 id <5756415-04974>; Mon,
28
09. Jul 2003 00:54:50 +0500
10. Message-ID: <7$7vtzti$$111$qs7e-qt$-1e>
11. From: "Muriel Casey" <>
12. Reply-To: "Muriel Casey" <>
13. To:
14. Subject: RE: dkuxmhadw gfohy
15. Date: Mon, 28 Jul 2003 00:54:50 +0500

Analysis Legend
Line Number.
IP observed.
NSLookup Result.
My Comment.

Line 2.
210.86.15.141
mta102-rme.xtra.co.nz
Valid. Xtra mail transfer agent.
One of four at 210.86.15.140 .141 .142 or .143

Line 5.
203.96.92.132
pop3.xtra.co.nz
faked - added by spammer to attempt to disguise 202.181.232.156.
No valid reason for the pop3 server IP address to be in the message headers.

Line 5.
202.181.232.156
No reverse DNS (WSANO_DATA)
Spammer's IP.

Line 8.
182.72.99.61 No reverse DNS (WSANO_DATA) & 203.96.92.132
pop3.xtra.co.nz
Entire line faked by spammer.

TIA.
-H
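
Added example, not part of the original thread: a Python sketch of the trust-boundary walk over the three Received lines quoted in the post above, reading newest to oldest and stopping at the first hop where one of the receiving ISP's own MTAs logged a peer address outside its own relays. The `TRUSTED_BY` suffix and the `TRUSTED_NET` range are assumptions taken from the lookup results quoted in the post; `trace` and `HOP` are names made up for this example.

```python
import ipaddress
import re

# Received headers from the post above, unfolded, newest first.
HEADERS = [
    "from mta6-rme.xtra.co.nz ([210.86.15.141]) by mta203-rme.xtra.co.nz "
    "with ESMTP id <20030727185653.DIEQ1938.mta203->; Mon, 28 Jul 2003 06:56:53 +1200",
    "from [203.96.92.132] ([202.181.232.156]) by mta6-rme.xtra.co.nz "
    "with SMTP id <20030727185649.GSAB22334.mta6-rme.xtra.co.nz@[203.96.92.132]>; "
    "Mon, 28 Jul 2003 06:56:49 +1200",
    "from [182.72.99.61] by 203.96.92.132 id <5756415-04974>; "
    "Mon, 28 Jul 2003 00:54:50 +0500",
]

# Assumptions for this example: the receiving ISP's MTAs stamp "by *.xtra.co.nz"
# and relay between themselves from 210.86.15.140-.143 (the four MTAs in the post).
TRUSTED_BY = ".xtra.co.nz"
TRUSTED_NET = ipaddress.ip_network("210.86.15.140/30")

# "from <HELO claim> ([<peer IP logged by the receiving MTA>]) by <receiving MTA>"
HOP = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\(\[(?P<peer>[\d.]+)\]\))?\s+by\s+(?P<by>\S+)")

def trace(headers):
    """Return (verdict per header, address that handed the mail to a trusted MTA)."""
    verdicts, origin, trusted = [], None, True
    for header in headers:
        m = HOP.match(header)
        # Once the chain leaves our own MTAs, every older line is sender-supplied.
        if not (trusted and m and m["peer"] and m["by"].endswith(TRUSTED_BY)):
            trusted = False
            verdicts.append("unverifiable")
            continue
        if ipaddress.ip_address(m["peer"]) in TRUSTED_NET:
            verdicts.append("internal relay")
            continue
        # First external peer logged by a trusted MTA: the entry point.
        origin, trusted = m["peer"], False
        helo = m["helo"]
        mismatch = helo.startswith("[") and helo.strip("[]") != origin
        verdicts.append("entry point, HELO mismatch" if mismatch else "entry point")
    return verdicts, origin

if __name__ == "__main__":
    for verdict, header in zip(*(trace(HEADERS)[0], HEADERS)):
        print(f"{verdict:28} {header[:60]}")
```

The entry-point address is only the host that connected to the ISP's MTA; it can be an open relay or proxy rather than the sender's own machine.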


 
Nicholas Sherlock
Guest
Posts: n/a
 
      07-28-2003
"Howard" <> wrote in message
newsE_Ua.94431$...
> Hi All,
>
> I've been reviewing the antispam measures recommended recently in this
> group and on /., namely
>
> Spampal
> SAProxy (Spam Assassin) and
> Trustic.
>
> Setting up these services has taught me a lot about email message headers
> and
> how to read them, but some of them get complicated when the spammers fake
> the headers. I have copied below one of the more dastardly ones, with my
> analysis. Can anyone confirm whether my analysis is correct?


Remove the thinking, shove it into the free service http://www.spamcop.com
and their engine will do the work for you, and will send abuse reports to
the right places.

Cheers,
Nicholas Sherlock


 
Steve
Guest
Posts: n/a
 
      07-28-2003
Howard allegedly said:

> Hi All,
>
> I've been reviewing the antispam measures recommended recently in this
> group and on /., namely
>
> Spampal
> SAProxy (Spam Assassin) and
> Trustic.
>
> Setting up these services has taught me a lot about email message headers
> and how to read them, but some of them get complicated when the spammers
> fake the headers. I have copied below one of the more dastardly ones, with
> my analysis. Can anyone confirm whether my analysis is correct?
>
> 01. Return-Path: <>
> 02. Received: from mta6-rme.xtra.co.nz ([210.86.15.141]) by
> mta203-rme.xtra.co.nz
> 03. with ESMTP id
> <20030727185653.DIEQ1938.mta203->;
> 04. Mon, 28 Jul 2003 06:56:53 +1200
> 05. Received: from [203.96.92.132] ([202.181.232.156]) by
> mta6-rme.xtra.co.nz
> 06. with SMTP id
> <20030727185649.GSAB22334.mta6-rme.xtra.co.nz@[203.96.92.132]>;
> 07. Mon, 28 Jul 2003 06:56:49 +1200
> 08. Received: from [182.72.99.61] by 203.96.92.132 id <5756415-04974>;
> Mon, 28
> 09. Jul 2003 00:54:50 +0500
> 10. Message-ID: <7$7vtzti$$111$qs7e-qt$-1e>
> 11. From: "Muriel Casey" <>
> 12. Reply-To: "Muriel Casey" <>
> 13. To:
> 14. Subject: RE: dkuxmhadw gfohy
> 15. Date: Mon, 28 Jul 2003 00:54:50 +0500
>
> Analysis Legend
> Line Number.
> IP observed.
> NSLookup Result.
> My Comment.
>
> Line 2.
> 210.86.15.141
> mta102-rme.xtra.co.nz
> Valid. Xtra mail transfer agent.
> One of four at 210.86.15.140 .141 .142 or .143
>
> Line 5.
> 203.96.92.132
> pop3.xtra.co.nz
> faked - added by spammer to attempt to disguise 202.181.232.156.
> No valid reason for the pop3 server IP address to be in the message
> headers.
>
> Line 5.
> 202.181.232.156
> No reverse DNS (WSANO_DATA)
> Spammer's IP.


inetnum: 202.181.224.0 - 202.181.255.255
netname: HKCIX
descr: - HKCIX -
descr: HongKong Commercial Internet Exchange
country: HK
admin-c: CW57-AP
tech-c: KY28-AP
mnt-by: MAINT-HKCIX-AP
changed: 19990416
status: ALLOCATED PORTABLE
source: APNIC

person: CM Wu
address: IXTech Limited
address: 7/F Ever Gain Plaza, Tower 2,
address: 88 Container Port Road,
address: Kwai Chung, N.T.
country: HK
phone: +852-2603-7955
fax-no: +852-2603-7952
e-mail:
nic-hdl: CW57-AP
mnt-by: MAINT-HKCIX-AP
changed: 20000313
source: APNIC

person: Katson Yeung
address: IXTech Limited
address: 7/F Ever Gain Plaza, Tower 2,
address: 88 Container Port Road,
address: Kwai Chung, N.T.
country: HK
phone: +852-2603-7955
fax-no: +852-2603-7952
e-mail:
nic-hdl: KY28-AP
mnt-by: MAINT-HKCIX-AP
changed: 20000313
source: APNIC



>
> Line 8.
> 182.72.99.61 No reverse DNS (WSANO_DATA) & 203.96.92.132
> pop3.xtra.co.nz
> Entire line faked by spammer.
>
> TIA.
> -H


--
Steve
--
"Naturally, the common people don't want war;
neither in Russia nor in England nor in America,
nor for that matter in Germany.
That is understood. But, after all, it is the leaders
of the country who determine the policy and
it is always a simple matter to drag the people
along, whether it is a democracy or a fascist
dictatorship or a Parliament or a Communist
dictatorship. Voice or no voice, the people can
always be brought to the bidding of the leaders.
That is easy. All you have to do is tell them
they are being attacked and denounce the
pacifists for lack of patriotism and exposing
the country to danger. It works the same way
in any country."
- Hermann Goering, Nazi Reichsmarshall

 
totojepast
Guest
Posts: n/a
 
      08-05-2003
From http://www.trustic.com/:

"We regret to inform you that we are no longer taking registrations
and will soon be closing the service."

Very sad. Is anybody willing to take over the Trustic service?


"Howard" <> wrote in message news:<pE_Ua.94431$>...
> Hi All,
>
> I've been reviewing the antispam measures recommended recently in this
> group and on /., namely
>
> Spampal
> SAProxy (Spam Assassin) and
> Trustic.
>
> Setting up these services has taught me a lot about email message headers and
> how to read them, but some of them get complicated when the spammers fake
> the headers. I have copied below one of the more dastardly ones, with my
> analysis. Can anyone confirm whether my analysis is correct?
>
> 01. Return-Path: <>
> 02. Received: from mta6-rme.xtra.co.nz ([210.86.15.141]) by
> mta203-rme.xtra.co.nz
> 03. with ESMTP id
> <20030727185653.DIEQ1938.mta203->;
> 04. Mon, 28 Jul 2003 06:56:53 +1200
> 05. Received: from [203.96.92.132] ([202.181.232.156]) by
> mta6-rme.xtra.co.nz
> 06. with SMTP id
> <20030727185649.GSAB22334.mta6-rme.xtra.co.nz@[203.96.92.132]>;
> 07. Mon, 28 Jul 2003 06:56:49 +1200
> 08. Received: from [182.72.99.61] by 203.96.92.132 id <5756415-04974>; Mon,
> 28
> 09. Jul 2003 00:54:50 +0500
> 10. Message-ID: <7$7vtzti$$111$qs7e-qt$-1e>
> 11. From: "Muriel Casey" <>
> 12. Reply-To: "Muriel Casey" <>
> 13. To:
> 14. Subject: RE: dkuxmhadw gfohy
> 15. Date: Mon, 28 Jul 2003 00:54:50 +0500
>
> Analysis Legend
> Line Number.
> IP observed.
> NSLookup Result.
> My Comment.
>
> Line 2.
> 210.86.15.141
> mta102-rme.xtra.co.nz
> Valid. Xtra mail transfer agent.
> One of four at 210.86.15.140 .141 .142 or .143
>
> Line 5.
> 203.96.92.132
> pop3.xtra.co.nz
> faked - added by spammer to attempt to disguise 202.181.232.156.
> No valid reason for the pop3 server IP address to be in the message headers.
>
> Line 5.
> 202.181.232.156
> No reverse DNS (WSANO_DATA)
> Spammer's IP.
>
> Line 8.
> 182.72.99.61 No reverse DNS (WSANO_DATA) & 203.96.92.132
> pop3.xtra.co.nz
> Entire line faked by spammer.
>
> TIA.
> -H

 
Howard
Guest
Posts: n/a
 
      08-05-2003
totojepast wrote:
> From http://www.trustic.com/:
>
> "We regret to inform you that we are no longer taking registrations
> and will soon be closing the service."
>
> Very sad. Is anybody willing to take over the Trustic service?


Further from their site: "the system as it currently is designed will not
achieve the level of accuracy that we require, and an inaccurate system is
worse than no system".

And from their Yahoo group

"The issue of handling large ISPs that, for the most part,
deal with spam complaints is one of the main flaws in the Trustic system
for which we see no apparent solution."

"the key issues for trustic.com, or any successor, are
a) an appropriate weighting/reputation on recommendations; and
b) dealing with high volume servers with small % but detectable
quantity throughput of spam. I suspect this is compounded by a
natural human tendency to report negative recommendations and not
positive."

Several offers have been made to Mark Fletcher to take over
the project code &/or data, with an indication that such offers may yet be
accepted.


 