FYI: Yahoo Mail Account info Alert. (fwd)

From: Kent Borg <kentborg_at_borg.org>
Date: Sat Mar 30 19:00:38 2002

On Sat, Mar 30, 2002 at 08:43:47AM -0700, Richard Erlacher wrote:
> If enough folks simply block all emails from the Yahoo.com domain, a lot of
> SPAM will go away. It's the same for mindspring, Hotmail, MSN, AOL, etc.

I get a fair amount of spam, and I can't remember the last time I got
any that was actually sent to my machine from Yahoo, Hotmail, MSN, or
AOL. Sure, I get *LOTS* of spam that claims to come from one of them,
but most of the time these days it actually came from a middle school
in Korea. (Whoever put Korean schools on the internet left open relays
at every one.)

The key is reading e-mail headers. For example, here are the complete
headers from a recent spam I received:

  From adultdvdr3324m53_at_yahoo.com Wed Mar 06 09:27:00 2002
  Return-Path: <adultdvdr3324m53_at_yahoo.com>
  Delivered-To: kentborg_at_borg.org
  Received: (qmail 6080 invoked from network); 6 Mar 2002 09:26:57 -0000
  Received: from unknown (HELO yahoo.com) (211.114.161.1)
    by borg.org with SMTP; 6 Mar 2002 09:26:57 -0000
  Reply-To: <adultdvdr3324m53_at_yahoo.com>
  Message-ID: <001c47c48bdc$6178b2d1$2eb87db3_at_thdlsp>
  From: <adultdvdr3324m53_at_yahoo.com>
  To: adultdvd_at_yahoo.com
  Subject: Discount Erotic DVD's, TOYS & VHS --- Over 7,000 ITEMS!!!
  MiME-Version: 1.0
  Content-Type: text/html; charset="iso-8859-1"
  X-Priority: 3 (Normal)
  X-MSMail-Priority: Normal
  X-Mailer: Microsoft Outlook Express 6.00.2600.0000
  Importance: Normal
  Status: RO
  Content-Length: 1275
  Lines: 23

It is the "Received:" lines that are most interesting. In this case I
look at the one that says "HELO yahoo.com". The yahoo.com part is
what the sending machine was programmed to say, and it could be lying.
But the 211.114.161.1 was the IP address that actually made a
connection to borg.org. Let's look at where 211.114.161.1 lives, on
my Linux machine:

  $ whois -h whois.arin.net 211.114.161.1

And a lot of stuff spits back, most notably that this is an
Asia-Pacific address. So:

  $ whois -h whois.apnic.net 211.114.161.1

And more stuff spits out, notably that block 211.114.161.0 -
211.114.161.63 is held by KOORONG ELEMETARY SCHOOL, 144 KUCHONRI
YONGSANMYUN YOUNGDONGKUN, CHUNGBUK, 370-910, KR.

Nothing to do with Yahoo.

Looking at the body of the e-mail, it promotes the IP address
209.203.170.146, which, doing a similar backtrace, is held by
giantweb.com. Again, nothing to do with Yahoo.

So I blocked the Korean school that doesn't know what it is doing and
I sent a complaint to abuse_at_giantweb.com that their customer is
possibly responsible for the spam. Then I grumble and move on.

But Yahoo had nothing to do with it.


-kb
Received on Sat Mar 30 2002 - 19:00:38 GMT
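A small header walker in the spirit of the post above, added here as an example (it is not Kent's code): it unfolds the headers, pulls the sender-chosen HELO name and the actual connecting IP out of each Received: line, and keeps only the hop written by your own server (borg.org here), which is the one line in the chain that cannot have been forged by the sender. The whois lookups stay a manual step, as in the post.

```python
import re
from collections import namedtuple

# Constructed sample: the Return-Path:/Received: lines quoted in the post ("_at_" is the archive's "@").
SAMPLE_HEADERS = """\
Return-Path: <adultdvdr3324m53_at_yahoo.com>
Received: (qmail 6080 invoked from network); 6 Mar 2002 09:26:57 -0000
Received: from unknown (HELO yahoo.com) (211.114.161.1)
  by borg.org with SMTP; 6 Mar 2002 09:26:57 -0000
"""
# One Received: hop: helo = name the client announced (sender-chosen, untrusted),
# ip = address that actually made the TCP connection, by = MTA that wrote the line.
Hop = namedtuple("Hop", "helo ip by")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
DOMAIN_RE = re.compile(r"(?:@|_at_)([\w.-]+)")

def unfold(text):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    out = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_hops(text):
    """Received: lines in header order, i.e. the most recent hop (ours) first."""
    hops = []
    for line in unfold(text):
        if line.lower().startswith("received:"):
            body = line.split(":", 1)[1]
            h, i, b = HELO_RE.search(body), IP_RE.search(body), BY_RE.search(body)
            hops.append(Hop(h and h.group(1), i and i.group(1), b and b.group(1)))
    return hops

def connecting_peer(text, my_host):
    """Only the Received: line our own MTA wrote is trustworthy; the lines
    below it arrived inside the message and could have been forged."""
    for hop in received_hops(text):
        if hop.by and hop.by.lower() == my_host.lower() and hop.ip:
            return hop
    return None

def claimed_sender_domain(text):
    """Domain asserted by Return-Path: (the sender picks it, so untrusted)."""
    for line in unfold(text):
        if line.lower().startswith("return-path:"):
            m = DOMAIN_RE.search(line)
            return m.group(1).lower() if m else None
    return None
```

Feeding the sample through gives HELO "yahoo.com" and Return-Path domain "yahoo.com" against a connecting IP of 211.114.161.1; the IP is the only one of the three the sender could not choose, and it is what you hand to whois.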

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:35:14 BST