Документ взят из кэша поисковой машины. Адрес
оригинального документа
: http://www.mccme.ru/computers/spam.html
Дата изменения: Unknown Дата индексирования: Mon Oct 1 22:34:54 2012 Кодировка: Поисковые слова: m 5 |
Spam is also known as Unsolicited Commercial Email (UCE). In the context of email communications this word means all those ads you are getting while you didn't ask for them. They split into several categories:
If you are not going to read further, just remember the golden rule of dealing with spam:
Never, never inform the spammer that you have received his message. (Don't ever send any REMOVE messages, don't click on any links, don't reply to addresses in the body of the message.) If you feel the urge to respond, complain instead.
This section should just give you some very basic understanding of the subject.
Some protection measures are on a per user basis; others are site-wide.
Any user can setup some filtering of incoming email for spam. Most spam can be identified by some formal rules (mostly some violation of RFC822 in the headers of the message). This filtering is most naturally done by procmail. (You can read "man procmail" for more information on this program; it is installed on mccme.ru as the default mail delivery agent.)
These measures can prevent spam from getting into your mailbox but the valuable bandwidth is still wasted.
The other approach is to refuse to take spam in the process of receiving mail via SMTP. Normal users cannot interfere with this process--it's out of their control.
First, get your mail user agent to display the UCE you're unlucky to have gotten with its full headers.
The body of the complain should be something standard you do not have to type each time you complain. In particular cases you might add something mentioning the names of the involved ISPs. In fact, I always complain about my spam, but never even read it.
An example of such text:
Recently, I have received an Unsolicited Commercial E-mail from you. I do not like UCE's and I would like to inform you that sending unsolicited messages to someone while he or she may have to pay for reading your message may be illegal. Anyway, it is highly annoying and not welcome by anyone. It is rude, after all. If you think that this is a good way to advertise your products or services you are mistaken. Spamming will only make people hate you, not buy from you. If you have any list of people you send unsolicited commercial emails to, REMOVE me from such list immediately. I suggest that you make this list just empty. ---------------------------------------------------- If you are not an administrator of any site and still have received this message then your email address is being abused by some spammer. They fake your address in From: or Reply-To: header. In this case, you might want to show this message to your system administrator, and ask him/her to investigate this matter. Note to the postmaster(s): I append the text of UCE in question to this message; I would like to hear from you about action(s) taken. This message has been sent to postmasters at the host that is mentioned as original sender's host (I do realize that it may be faked, but I think that if your domain name is being abused this way you might want to learn about it, and take actions) and to the postmaster whose host was used as mail relay for this message. If message was sent not by your user, could you please compare time when this message was sent (use time in Received: field of the envelope rather than Date: field) with your sendmail logs and see what host was using your sendmail at this moment of time. Thank you.
This text should be followed by the text of the message in question with full headers.
The next part is to find the list of addresses you want to send the complaint to. Here you will need to examine the headers yourself (and maybe do some additional research) for the list of ``involved foreign sites''. Then you add to the CC list all the addresses ``postmaster'' and ``abuse'' at all the involved foreign sites.
Let's do it on an example. Suppose you get some spam with these headers (real example):
Return-Path: <29111238@ix.netcom.com> Received: from main.mccme.rssi.ru (main.mccme.rssi.ru [193.232.215.1]) by mccme.ru (8.8.5/8.8.5) with ESMTP id KAA04007 for <webmaster@mccme.ru>; Thu, 5 Feb 1998 10:03:19 +0300 From: 29111238@ix.netcom.com Received: from mail.medford.net (mail.medford.net [208.151.225.131]) by main.mccme.rssi.ru (8.8.5/8.8.5) with SMTP id KAA23972 for <webmaster@mccme.ru>; Thu, 5 Feb 1998 10:01:38 +0300 Received: from mail.medford.net [153.37.69.90] by mail.medford.net (SMTPD32-4.02c) id A445900152; Wed, 04 Feb 1998 23:03:33 PST8PDT Received: from mailhost.ttjijjcjlf.com (alt1.ttjijjcjlf.com(203.9.98.25)) by 82723723@ix.netcom.com (8.8.5/8.6.5) with SMTP id GAA08071 for <82723723@ix.netcom.com>; Wed, 04 Feb 1998 23:55:07 -0600 (EST) Date: Wed, 04 Feb 98 23:55:07 EST To: 82723723@ix.netcom.com Subject: Email your AD to 57 MILLION People ONLY $99 Message-ID: <553728753719.GAA23515@ttjijjcjlf.com> Reply-To: 82723723@ix.netcom.com X-UIDL: 55296375829492153236187249751458 Comments: Authenticated sender is <82723723@ix.netcom.com>
We examine all the Received: lines, from the top to bottom. The first one (most recent) indicates that the message was transmitted from main.mccme.rssi.ru to mccme.ru. This is an internal transmission in MCCME. No interest for us. The next one,
Received: from mail.medford.net (mail.medford.net [208.151.225.131]) by main.mccme.rssi.ru (8.8.5/8.8.5) with SMTP id KAA23972 for <webmaster@mccme.ru>; Thu, 5 Feb 1998 10:01:38 +0300says that the message came to main.mccme.rssi.ru from the machine mail.medford.net with IP address 208.151.255.131. You can always trust the information in this line--it's written by our sendmail and spammers have no way of altering it. The only caveat is that you should use hostname from the parentheses. So, medford.net is an involved site. This piece of spam came to us from them.
But it didn't originate at medford.net. This site was merely used as a relay. Which means that the spammer was somewhere else and he has asked mail.medford.net to relay his message to a (probably very large) number of people. So, what you want from mail.medford.net is to close their open relay. They just send messages anywhere no matter who's asked for it.
OK, let's see how do I know it didn't come from medford.net. Let's examine the next Received: line:
Received: from mail.medford.net [153.37.69.90] by mail.medford.net (SMTPD32-4.02c) id A445900152; Wed, 04 Feb 1998 23:03:33 PST8PDT
This line says that they have gotten the message from some host that introduced itself to them as mail.medford.net (and was lying) and had IP address 153.37.69.90. Now we want to know what this IP address stands for. We need to do a reverse DNS lookup on it. We issue to the shell the command host 153.37.69.90 and see the following output:
$ host 153.37.69.90 Name: 1Cust90.tnt6.lax3.da.uu.net Address: 153.37.69.90 Aliases:
This means that the message really came from a dialup customer of uu.net. So, uu.net is involved, too.
We could stop at this point and send the complaint
To: abuse@medford.net CC: postmaster@medford.net, postmaster@uu.net, abuse@uu.net
Usually, however, one gets best results with complaints addressed to upstream providers of the involved sites. Uu.net itself is a huge ISP; it doesn't have any ``upstream providers,'' but rather neighbors. It would not make a lot of sense to complain to them. However, I've never heard about medford.net before I got this spam. So, (as the opposite isn't proven) I assume that it is a small organization with a single upstream provider. Now we need to figure out which one. To aid us, there is a program named traceroute. The supplied argument should be a valid hostname or IP address.
$ traceroute mail.medford.net traceroute to mail.medford.net (208.151.225.131), 30 hops max, 40 byte packets 1 router.mccme.ru (195.178.198.1) 2.476 ms 2.026 ms 1.997 ms 2 MSK-M9-1-S1-0-6.fr.iip.net (195.178.192.82) 81.733 ms 70.377 ms 78.770 ms 3 SOVAM.fr.iip.net (195.178.192.66) 52.939 ms 212.063 ms 158.894 ms 4 SOVAM.fr.iip.net (195.178.192.66) 67.837 ms 46.797 ms 103.888 ms 5 cisco0.Moscow.ST.NET (194.67.0.253) 75.956 ms amsterdam1.att-unisource.net (195.206.65.185) 191.053 ms 217.468 ms 6 * amsterdam5.att-unisource.net (195.206.64.85) 163.962 ms 305.007 ms 7 amsterdam3.att-unisource.net (195.206.64.209) 240.267 ms 252.317 ms * 8 newyork1.att-unisource.net (195.206.65.34) 274.748 ms 373 ms 265.914 ms 9 12.127.241.157 (12.127.241.157) 351.343 ms 291.609 ms * 10 12.127.241.157 (12.127.241.157) 571.973 ms * 702.636 ms 11 br2-a3110s1.n54ny.ip.att.net (12.127.0.10) 515.108 ms * * 12 * * * 13 2-sprint-nap.internetmci.net (192.157.69.48) 516.699 ms * 635.118 ms 14 core2-hssi2-0.WestOrange.mci.net (204.70.1.49) 446.775 ms 438.515 ms 621. 15 core2.Bloomington.mci.net (204.70.4.65) 720.881 ms 541.220 ms * 16 * * * 17 * border2-fddi-0.Sacramento.mci.net (204.70.164.34) 388.194 ms 527.629 ms 18 data-research-group.Sacramento.mci.net (204.70.166.46) 373.171 ms 19 * raven.willamette.net (206.100.174.253) 552.666 ms 449.798 ms 20 WIZZ.FC2.willamette.net (207.48.101.69) 692.083 ms * * 21 rt1.rb.wizzards.net (206.100.190.253) 762.350 ms 779.960 ms 22 fr2.s1.rt1.wizzards.net (208.151.229.3) 589.633 ms 821.780 ms 678.265 ms 23 mail.medford.net (208.151.225.131) 405.088 ms * *
Here we see that the site that is right before the first *.medford.net site is in wizzards.net domain. So, the guys at abuse@wizzards.net and postmaster@wizzards.net should be added to the CC list.
OK, what about the last Received: line in this message?
Received: from mailhost.ttjijjcjlf.com (alt1.ttjijjcjlf.com(203.9.98.25)) by 82723723@ix.netcom.com (8.8.5/8.6.5) with SMTP id GAA08071 for <82723723@ix.netcom.com>; Wed, 04 Feb 1998 23:55:07 -0600 (EST)
The answer is simple: the spammer has added it here to confuse you. It's a forged line, not added by any MTA. In fact one can see that the syntax in wrong here (IP address in parentheses rather than brackets, wrong spacing, ``by'' part includes username, etc.)
The previous section describes how to send a nice note to involved sysadmins. However, the people who administer the relay host might be clueless or just lazy. They might ignore your message. Here's a way to make sure they listen to you and fix their mail software.
There's a service called ORBS (Open Relays Blocking System). In short it contains a list of open relays and sites on the Internet may choose to consult this list before accepting messages. People who include ORBS lookups in their mail software won't ever accept mail from open relays reported to ORBS. When you are composing your complaint you should take into account that if you complain to ORBS as well as the involved system administrators they are more likely to listen to you; if they don't they'll end up in trouble!
Complaining to ORBS you cannot hurt the innocent. ORBS checks your complaint automatically and silently discards it if you get things wrong. You won't bother any human being--everything is done by a robot.
To complain to ORBS you need to do the following:
In the example above we would put the lines
Relay: 208.151.225.131 Relay: 153.37.69.90into the message body. (Where exactly it is included does not matter; for example you can put it on top of the message.) In this example, the first line is really necessary part (the real relay) while the second line reports the (possibly) originating IP. Most likely this second IP number is just a dialup dynamically assigned number and the check won't detect anything bad about it (it probably doesn't even run anything on SMTP port) but including a wrong number won't hurt if you aren't sure what to put there.
Mail sent to relays@dorkslayers.com is processed automatically. All lines not beginning with ``Relay:'' are ignored. All the reported relays will be checked; if they actually allow relaying they will added to the database.
In one message to ORBS you can report up to ten IP numbers as suspected open relays.
If you see any errors on this page, please write us <compwww (at) mccme.ru>