Mon 11/16/2009 - messages blocked per DNS blacklist:

     0  McFadden Associates E-mail Blacklist
    70  Spamhaus Block List
  4687  Passive Spam Block List (PSBL)
  2496  Spam and Open Relay Blocking System (SORBS)
    50  Swinog DNSRBL
    14  Not Just Another Bogus List (NJABL)
  7317  Total
The McFadden blacklist hasn't been working for quite some time; I should have removed it from sendmail's /etc/mail/sendmail.mc file previously. I removed it today and added the SpamCop Blocking List (SCBL).
I decided to add that list after reading a comment at Blocking Spam That Are In A Foreign Language by Low Jeremy about its usefulness in blocking messages in a foreign language. I've been getting a lot of messages that appear to be in Russian. Since I can't read Russian, such messages are of no avail to the spammers and are exceedingly annoying to me, since they clutter my inbox every day.
I'm using sendmail on the server, so I replaced the reference to the defunct McFadden Associates E-mail Blacklist in /etc/mail/sendmail.mc with:

FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
There are instructions for incorporating an SCBL check into various email server programs at How do I configure my mailserver to reject mail based on the blocklist? Specific instructions for sendmail are at SpamCop FAQ: Sendmail.
I followed the suggestion of using enhdnsbl, an enhanced version of the dnsbl feature, rather than the dnsbl feature I'm using in /etc/mail/sendmail.mc for the other blacklists on the system, because I have a recent version of sendmail and because the SpamCop site had the following information:

Some problems have been found with later versions of Sendmail. The easiest fix may be to use the second method above, enhdnsbl instead of dnsbl.

SpamCop uses 'rbldns' to serve its blacklist information. Rbldns does not yet have support for IPv6, but newer versions of sendmail (8.12.0 and greater) try IPv6 before IPv4. Sendmail asks for an AAAA record instead of an A record and SpamCop rejects the query - resulting in spam slipping through the filters.
There are instructions for disabling AAAA (IPv6) queries from sendmail at Disable AAAA (IPv6) lookups without recompiling Sendmail, and the sendmail.org site states the following, but I decided to just use the enhdnsbl approach.
Some DNS based rejection lists cause failures if asked for AAAA records. If your sendmail version is compiled with IPv6 support (NETINET6) and you experience this problem, add
define(`DNSBL_MAP', `dns -R A')
before the first use of this feature. Alternatively you can use enhdnsbl instead (see below).
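To make the mechanism behind the AAAA problem concrete, here is an added example (my own code, not from the original post, SpamCop, or sendmail). It shows how a DNSBL lookup is formed: the octets of the connecting client address are reversed under the list's zone, only an IPv4 (A) answer is requested, which is the effect of the "dns -R A" definition quoted above, and a listing is only accepted when the answer falls in 127.0.0.0/8. The zone names are the ones from this page; the resolve parameter and the FAKE_DNS table are assumptions so the check can be exercised without live DNS.

```python
import ipaddress
import socket

# Zones taken from the sendmail.mc entries on this page.
DNSBL_ZONES = ("bl.spamcop.net", "dnsrbl.swinog.ch", "dnsbl.sorbs.net", "psbl.surriel.com")


def dnsbl_query_name(client_addr, zone):
    """Build the name a DNSBL is asked for.

    The octets of the connecting IPv4 address are reversed and the list's
    zone is appended: 65.75.229.245 checked against dnsrbl.swinog.ch
    becomes 245.229.75.65.dnsrbl.swinog.ch.
    """
    ip = ipaddress.ip_address(client_addr)
    if ip.version != 4:
        # The rbldns-served zones discussed on this page publish IPv4 listings only.
        raise ValueError("only IPv4 client addresses can be checked against these zones")
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a_only(name):
    """Ask for an IPv4 (A) answer only, the effect of `dns -R A` in sendmail.mc.

    Returns the answer as a string, or None when the name does not exist,
    which is how a DNSBL says "not listed".
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(client_addr, zone, resolve=resolve_a_only):
    """Return the listing code (an address in 127.0.0.0/8) or None if not listed.

    `resolve` maps a query name to an answer string or None; pass a dict's
    .get method to test offline instead of doing live DNS.
    """
    answer = resolve(dnsbl_query_name(client_addr, zone))
    if answer is None:
        return None
    # Real listings are answered from 127.0.0.0/8.  Anything else means a
    # list whose domain has lapsed and now answers every name, or a resolver
    # that rewrites NXDOMAIN; treating that as a listing would refuse all mail.
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return answer


def reject_reply(client_addr, zone, listing):
    """Compose a 550 reply in the style of the FEATURE(`dnsbl', ...) entries on this page."""
    return f"550 Spam Block: mail from {client_addr} refused - listed in {zone} as {listing}"


if __name__ == "__main__":
    # Constructed answer table (assumption) so the demonstration runs without network access.
    FAKE_DNS = {"245.229.75.65.dnsrbl.swinog.ch": "127.0.0.2"}
    for zone in DNSBL_ZONES:
        listing = check_dnsbl("65.75.229.245", zone, resolve=FAKE_DNS.get)
        if listing:
            print(reject_reply("65.75.229.245", zone, listing))
        else:
            print(f"65.75.229.245 not listed in {zone}")
```

Calling check_dnsbl with the default resolver does a real lookup; the 127.0.0.0/8 guard is what keeps a retired or wildcarded list from turning into a reject-everything rule.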
I deleted the McFadden blacklist entry and added the SCBL entry to the end of the list of blacklists I check. I now have the following in /etc/mail/sendmail.mc:
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `550 Spam Block: mail from $&{client_addr} refused - See http://www.spamhaus.org/sbl/')dnl
FEATURE(`dnsbl', `psbl.surriel.com', `550 Spam Block: mail from $&{client_addr} refused - see http://psbl.surriel.com/')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`550 Spam Block: mail from $&{client_addr} refused - see http://dnsbl.sorbs.net/')dnl
FEATURE(`dnsbl',`dnsrbl.swinog.ch',`550 Spam Block: mail from $&{client_addr} refused - see http://antispam.imp.ch/spamikaze/remove.php')dnl
FEATURE(`dnsbl',`dnsbl.njabl.org',`550 Spam Block: mail from $&{client_addr} refused - see http://njabl.org/lookup?$&{client_addr}')dnl
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
I regenerated sendmail.cf and then restarted sendmail:

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart

A few minutes after I restarted sendmail, I checked /var/log/maillog to see whether the SCBL had blocked any spam and found it had already blocked 21 messages.

# grep spamcop /var/log/maillog | wc -l
21
The service might not be suitable for someone who receives large attachments to messages, because of the 10 MB limit on the size of a message.
Michael Jackson died on June 25. Spammers are already trying to capitalize on his death by referencing it in their spam messages. Mcafee's TrustedSource site reports the following at Michael Jackson News Affects Web Traffic
The announcement of Michael Jackson's death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett's death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

Within hours the percentage of "long-tail" URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson: blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

How do people find these URLs? We've seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we've seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story, with much the same results.
My wife got email this morning with a subject of "Michael Jackson dead? NO!!!". Within the message was the following text:
Michael Jackson dead? NO!!!
Open attached file and read!!!
There was an attachment with the message, Michael Jackson Live!.html. I saved the attachment to the hard drive and opened it with a text editor. There was only one line in it, which is shown below:
<meta http-equiv='Refresh' content='0; url=http://addfamous.com/' />
If you opened the file in a web browser, that meta refresh tag would immediately cause the browser to "refresh" the page you opened, but using the URL addfamous.com, so the attachment is just a redirect to that site.
The spam message my wife received was listed at Michael Jackson dead? NO!!! on Spam me! Send me your spam messages!, a site which states "In a normal situation you should definitely not want such thing in your e-mail inbox, however, this website is meant to do exactly the opposite: get as many spam messages as possible, clean them of any harmful stuff (adult images, links to dubious websites and others) and present them to you to research or whatever you want them for."
I didn't visit the addfamous.com site, but out of curiosity, checked its reputation at various web reputation sites.
TrustedSource

I issued a query for addfamous.com at TrustedSource. Unfortunately, that site was experiencing difficulties when I checked and simply returned "Service currently not available (3), please try again later!"

McAfee SiteAdvisor®

I issued a query for addfamous.com at the McAfee SiteAdvisor® site. It returned "Our analysis found that this site may be promoted through spammy e-mail." It also reported "This site has been queued for testing. Please come back soon for automated results."

Norton Safe Web

I issued a query for addfamous.com at Symantec's Norton Safe Web site. It reported "This site has not been tested yet."

Barracuda Central

I also checked the reputation of the site using Barracuda Central's IP / Domain Lookups tools. Barracuda Networks sells antispam appliances. I clicked on the Domain Reputation tab and put in addfamous.com. Barracuda Central reported "This domain name addfamous.com is listed on Barracuda's Intent Block List."

Trend Micro Web Reputation Query

I issued a query on http://addfamous.com. The Trend Micro Web Reputation Query site reported "This URL is not currently listed as malicious."

BorderWare ReputationAuthority

I issued a query on addfamous.com. The site reported the domain had a "good" reputation.
FEATURE(`dnsbl',`dnsrbl.swinog.ch',`550 Spam Block: mail from $&{client_addr} refused - see http://antispam.imp.ch/spamikaze/remove.php')dnl

to /etc/mail/sendmail.mc. I now have the following DNSBLs listed in that file:
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl', `bl.csma.biz', `550 Spam Block: mail from $&{client_addr} refused - See http://bl.csma.biz/')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `550 Spam Block: mail from $&{client_addr} refused - See http://www.spamhaus.org/sbl/')dnl
FEATURE(`dnsbl', `psbl.surriel.com', `550 Spam Block: mail from $&{client_addr} refused - see http://psbl.surriel.com/')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`550 Spam Block: mail from $&{client_addr} refused - see http://dnsbl.sorbs.net/')dnl
FEATURE(`dnsbl',`dnsrbl.swinog.ch',`550 Spam Block: mail from $&{client_addr} refused - see http://antispam.imp.ch/spamikaze/remove.php')dnl
After adding the entry for the Swinog RBL, I generated a sendmail.cf file from sendmail.mc and restarted sendmail.

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart
I checked /var/log/maillog just moments after adding that blacklist and found it had blocked spam:

# grep 'antispam.imp.ch' /var/log/maillog
Apr 8 21:16:57 frostdragon sendmail[15676]: n391GuGi015676: ruleset=check_rcpt, arg1=<broderbundxxxxxx@moonpoint.com>, relay=65-75-229-245.dsl.ctcn.net [65.75.229.245] (may be forged), reject=550 5.7.1 <broderbundxxxxxx@moonpoint.com>... Spam Block:mail from 65.75.229.245 refused - see http://antispam.imp.ch/spamikaze/remove.php
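The grep counts used above for the Swinog list and, earlier on this page, for the SpamCop list (and the per-list daily totals at the top of the page) can be produced in one pass over /var/log/maillog. The following is an added example, my own code rather than anything from the original post: it parses sendmail reject lines, maps the "see ..." URL in the reject text back to the blacklist it came from, and tallies rejects per list and per client IP, ignoring lines that are not rejects. The sample log lines are constructed in the format of the reject line quoted above; the second to fifth lines use documentation addresses and hostnames and are not from the page.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (assumption) modelled on the sendmail reject line quoted on
# this page.  Lines 2-5 use RFC 5737 documentation addresses and made-up hosts.
SAMPLE_MAILLOG = """\
Apr  8 21:16:57 frostdragon sendmail[15676]: n391GuGi015676: ruleset=check_rcpt, arg1=<broderbundxxxxxx@moonpoint.com>, relay=65-75-229-245.dsl.ctcn.net [65.75.229.245] (may be forged), reject=550 5.7.1 <broderbundxxxxxx@moonpoint.com>... Spam Block:mail from 65.75.229.245 refused - see http://antispam.imp.ch/spamikaze/remove.php
Apr  8 21:17:03 frostdragon sendmail[15680]: n391H3aa015680: ruleset=check_relay, arg1=host.example.net, arg2=192.0.2.7, relay=host.example.net [192.0.2.7], reject=550 5.7.1 Spam blocked see: http://spamcop.net/bl.shtml?192.0.2.7
Apr  8 21:17:09 frostdragon sendmail[15684]: n391H9bb015684: from=<alice@example.org>, size=1432, class=0, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.4]
Apr  8 21:18:41 frostdragon sendmail[15690]: n391IfZZ015690: ruleset=check_relay, arg1=[203.0.113.9], arg2=203.0.113.9, relay=[203.0.113.9], reject=550 5.7.1 Spam Block: mail from 203.0.113.9 refused - see http://psbl.surriel.com/
Apr  8 21:19:02 frostdragon sendmail[15693]: n391J2cc015693: ruleset=check_relay, arg1=[203.0.113.9], arg2=203.0.113.9, relay=[203.0.113.9], reject=550 5.7.1 Spam Block: mail from 203.0.113.9 refused - see http://psbl.surriel.com/
"""

# Host in the "see ..." URL of each reject message -> blacklist name, taken from
# the FEATURE(...) entries and the daily table on this page.
LIST_BY_HOST = {
    "www.spamhaus.org": "Spamhaus Block List",
    "psbl.surriel.com": "Passive Spam Block List (PSBL)",
    "dnsbl.sorbs.net": "Spam and Open Relay Blocking System (SORBS)",
    "antispam.imp.ch": "Swinog DNSRBL",
    "njabl.org": "Not Just Another Bogus List (NJABL)",
    "spamcop.net": "SpamCop Blocking List (SCBL)",
}

# relay=[ip] or relay=host [ip], then reject=NNN, then the "see URL" that the
# sendmail.mc entries put in every rejection text ("See", "see" and "see:" all occur).
REJECT_RE = re.compile(
    r"relay=(?:\S+ )?\[(?P<ip>[\d.]+)\].*?reject=(?P<code>\d{3}) .*?"
    r"see:?\s+(?P<url>https?://\S+)",
    re.IGNORECASE,
)


def parse_reject(line):
    """Return (client_ip, list_name, smtp_code) for a DNSBL reject line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    host = urlparse(m.group("url")).hostname or m.group("url")
    # Unknown hosts are reported by hostname so a newly added list still shows up.
    return m.group("ip"), LIST_BY_HOST.get(host, host), m.group("code")


def tally_blocks(log_text):
    """Count rejects per blacklist and per client IP over a maillog's text."""
    per_list, per_ip = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_reject(line)
        if parsed is None:
            continue  # delivery, queue and other non-reject lines
        ip, list_name, _code = parsed
        per_list[list_name] += 1
        per_ip[ip] += 1
    return per_list, per_ip


def format_report(per_list, per_ip, top_ips=5):
    """Render the tallies in the same shape as the daily table on this page."""
    lines = [f"{n:6d}  {name}" for name, n in per_list.most_common()]
    lines.append(f"{sum(per_list.values()):6d}  Total")
    lines.append("")
    lines.extend(f"{n:6d}  {ip}" for ip, n in per_ip.most_common(top_ips))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python dnsbl_tally.py [/var/log/maillog]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAILLOG
    print(format_report(*tally_blocks(text)))
```

Because the reject text is the only thing in the log line that identifies which list fired, the mapping works only while every FEATURE entry keeps a distinct "see" URL; a repeated IP at the top of the per-IP list is a quick way to spot a single host hammering the server through several lists.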
The Swinog DNSBL blocked email to an email address that I used on December 8, 2004 when I registered software with Brøderbund Software. I never used the email for any other purpose. Usually, when I'm providing an email address to any company, I don't use my primary email address, but instead create an alias for that address that points to my primary email address. So, if I start getting a lot of spam addressed to the alias, I can just invalidate the alias. And, since the aliases I create are not ones a spammer would use if the spammer was employing a name dictionary attack, i.e. guessing likely names, I know that the company has provided the email address I gave them to a spammer. So I know the spammer got the address above, which I've changed for any spam spiders that may crawl across this page, from Brøderbund Software or one of the companies that subsequently owned Brøderbund Software.
The Wikipedia article on the company at Brøderbund lists the following history of corporate ownership for Brøderbund.
Brøderbund was purchased by The Learning Company in 1998 for about USD$420 million in stock. Ironically, Brøderbund had initially attempted to purchase the original The Learning Company in 1995, but was outbid by Softkey, who purchased The Learning Company for $606 million in cash and then adopted its name. In a move to rationalize costs, The Learning Company promptly terminated 500 employees at Brøderbund the same year, representing 42% of the company's workforce. Then in 1999 the combined company was bought by Mattel for $3.6 billion. Mattel reeled from the financial impact of this transaction, and Jill Barad, the CEO, ended up being forced out in a climate of investor outrage. Mattel then gave away The Learning Company in September 2000 to Gores Technology Group, a private acquisitions firm, for a share of whatever Gores could obtain by selling the company. In 2001, Gores sold The Learning Company's entertainment holdings to Ubisoft, and most of the other holdings, including the Brøderbund name, to Irish company Riverdeep. Currently, all of Brøderbund's games, such as the Myst series, are published by Ubisoft.
I suspect that it wasn't just my email address that was sold to spammers. Probably Brøderbund's entire mailing list was sold by either Brøderbund or one of the companies that acquired it, though, of course there is a possibility it could just have been an employee of one of the companies trying to make some easy cash or one who was losing a job as his or her company was acquired by another company, who could have been looking to compensate for lost wages.
The address is still being used by spammers over four years later, even though the address has probably not been valid for over a year. Unfortunately, I don't remember when I first started getting spam addressed to that email address.
After having a hernia operation recently, I noticed I've been getting spam on a fairly regular basis suggesting I might want to use the legal services mentioned in the spam if I wanted to sue for any problems related to the patch used in the surgery. I don't remember seeing any of this type of message previously, though it's possible that I might have received such messages, but they never registered in my consciousness then as I deleted spam. But I'm wondering now if someone at the office of the doctor who performed the surgery sold my email address. I believe I did put my primary email address on a form I filled out at the doctor's office. If I had used an alias, I would know for certain, if that was the case.
checking size of unsigned long int... configure: error: cannot compute sizeof (unsigned long int), 77" error message at the configure stage, or seeing "ld: fatal: Symbol referencing errors" at the make stage, try running configure with CFLAGS=-gstabs+, i.e. try:

./configure CFLAGS=-gstabs+

Since Solaris uses shadow passwords, you should also use the --enable-specialauth option, i.e. use the following configure command:

./configure --enable-specialauth CFLAGS=-gstabs+

configure step allowed me to resolve issues I was having installing Qpopper 4.0.16 on a Solaris 5.7 system.