Conference gyro::internet_toolss

[
Interesting that they don't include an email address.
"From:" says product-link@usa.net.

PJDM
]

*If you want to be removed from our mailing list, please respond to this
email and put "Remove" in the subject line.


We will send out your bulk E Mail.  Period.  No qualifiers, no conditions,
no nonsense...and we'll do it at the best prices.

Call us as (805) 654-4042.

We are Product Link.  We are a business partner with a marketing 
company which develops buyers for its clients' products through electronic 
marketing; primarily broadcast fax.  Together, we have over a hundred clients, 
almost 10% of which are Fortune 500 companies.   We have numerous staff, 
and have just begun, at client request, to send high volumes of E Mail.

If you're new to bulk E Mail marketing, as we were a short time ago, I can
confirm that all the E Mails you've been getting from E Mail software
companies about how great E Mail marketing is; well, they're true.  However,
as those of you who have already purchased software and have tried bulk
E mail know, nothing good ever comes easy.

Our staff has spent millions of advertising dollars on our clients' behalf;
everything from commercials on the Superbowl to ads in the New York Times,
to full page spreads in Scientific American.; not to mention the sending
of over 1,000,000 marketing faxes a year for major corporations.

Bulk E mail has been quite an eye opener.

The Internet, the on line services and ISP providers are full of shrill,
self appointed "net cops," whose mission in life seems to be dumping on those
who have the audacity to sell product via E Mail.   I don't wish nor intend
to debate the issue here, except to say that if you've purchased bulk E Mail
software (or intend to), you've already found out that when you attempt to
use it, your ISP provider will shut you down, your E Mail account will be
bombed, and electronic flames will become a way of life.

Since we have a low tolerance for allowing small groups of vocal fanatics
to dictate our business life, we set up our own system to send out Bulk
E Mail.  This system will be greatly expanded in 30 days or so (we're
installing more T lines), but we currently have room on our system to send
out Bulk E Mail for a limited number of companies or individuals other
than ourselves.

We'll send out your order, large or small.  We'll do it quickly, and
we'll do it at a really great price.  You can supply the list, or we'll
supply the list.  Place an order with us, and we'll give you advice on
how to set up your E Mail so your on line service won't shut you down, how
to write your material, and much more.  We will also write your marketing
material, if you so desire. If you supply a list, we can run it through
our computer program to sort out all duplicates and bad AOL or CompuServe
addresses.  If you buy a list from us, we will guarantee that the exact
number of names you order will go out; if we send a list for you and a
number of addresses are not delivered, we will send out more E Mails until
you get delivered exactly what you ordered. We can even tell you how to
confirm that your list was sent.

We also have programs that can filter out E Mail "bombs" and other
irritating toys played with at your expense by people who don't
have a life.

When we first began exploring bulk E mail, we contacted numerous firms
advertising that they would send out bulk E mail.  What we got was
answering machines, disconnected numbers, and no call backs.  The one firm
that did contract us would only send limited numbers of E mails for
us, and then only if we had already sent the list out once and taken off all
the removes (go figure...if we could send out the list once, what did we
need them for?).  We finally got so exasperated, we set up our own system.
And are we glad we did.  Speaking as a marketing man with over 30 years
experience in major advertising, E Mail marketing will change the face of
advertising and cost of sale forever.  I do not believe that has ever been
a vehicle like it in history to allow anyone of any size and any budget to
advertise and sell their products literally overnight.  We employ 18 people,
and I guarantee you that when you contact us as (805) 654-4042, you'll get a 
call back.
Right away.  And the office phone number we give you, will have a live
person at the other end.

Following is a price list to give you an idea of the 
quality of our company.  Please bear in mind that Bulk E Mail is 
effective in large numbers; i.e., 25,000 and above.

Price List To Send Bulk E Mail:

Amount			Cost		Set Up (One Time Fee)

25,000			$150.00		$50.00		

50,000			$275.00		$50.00

75,000			$400.00		$50.00

100,000			$550.00		$50.00		


Bulk E Mail amounts above 100,000 per sending will be bid on a 
case by case basis.  If  you wish to modem us a list, there may be a 
small charge for down load depending on list size.  If you wish us to 
"clean" your list (remove all duplicates and bad addresses), we will  supply a 
bid on a case by case basis as with writing your marketing materials and 
other services.

If we may be of service to you, please call us directly at 
(805) 654-4042.  Thank you.

[From the current RCFoC; PJDM]

March 17 -- A Day That Might Live In Infamy...

You may know the word "spam," Internet slang for unsolicited Email sent out to 
many victims, er, recipients. And you may well associate "spamming" with a 
company called Cyber Promotions, which has made a name for itself by going 
legally head-to-head with AOL and CompuServe for its 4 million junk Emails per 
day, and by being evicted from more than one online service. 

Well, in the spirit of "If you can't beat 'em, join 'em," the Feb. 20 New York 
Times reports that on that fateful day in March, Cyber Promotions will itself 
become an Internet Service Provider, and one that doesn't just tolerate, but 
lives for -- spamming. However, according to CPI's founder, "Our goal is to 
legitimize the bulk e-mail industry and not abuse it," insisting that every bulk 
Email contain a mechanism allowing users to remove themselves from that (but not 
all) mailing lists.

Your Email box may never again be quite the same. 

The way that SMTP/RFC822 work is wonderful for spammers.

You want to send mail to a million addresses that might be about 80% valid
and avoid the overhead of handling the bounced mail, PLUS avoid the overhead
of the mail from irate users.

So you create the RFC822 headers so that they say the mail is from
bobpalmer@digital.com and then you connect to the some unsuspecting SMTP
server say at ibm.com and send your mail.  IBM gets hit with the load of
transferring your mail to all the addresses on the list and then after
3 days has to handle the overhead of returning it to the sender, which in
this case appears to be Bob Palmer.

And the users who hate to get junk mail reply to Bob Palmer saying
"I'm never going to deal with DEC because your ad for hot girls is offensive".

Note that this is intentional.  In 1980, people were thinking in terms of
lots of people using computers, but often using different computers.  It
was considered useful to create the appearance of mail originating from a
generic host computer.  And SMTP was, after all, Simple, with the expectation
that it would be replaced when required.  In the following decade, a replacement
was developed, but the replacement wasn't embraced because it was note developed
in the US by the internet engineering community.  Because someone thought that
it would be a good idea to have a standards group involved in developing a
standard, the NBS was given a major role, and they in turn looked to other
standards groups, with it ultimately ending up under ISO.

(Something similar happened to the character standard which is why ISO-Latin-1
is MIME encoded; the last good (American, of course) character standard was
ASCII.)

I got one today from, I am not making this up, ISPAM.COM - they are getting
positively cheeky about this. liesl

From Vogon News:

Internet - New ads may be more effective and obnoxious
        {The Wall Street Journal, 24-Apr-97, p. B6}
  Now a slew of more advanced - and some say more obnoxious - advertising
 methods are either in the works or already being tested, from "robot" programs
 designed to deliver animated sales pitches in chat rooms to full-screen ads
 that must be downloaded before visitors can see the content they came for.
 The next time you enter a chat room, beware: A robot may be listening in.
 Type in a phrase like "My house is dirty," for example, and you might just get
 a response like: "Hi. I'm Dusty.  Would you like to learn more about Black &
 Decker's Dustbuster?"  Ad "robots" - as Dusty and his kin are called - are
 made possible by a server developed by Black Sun Interactive Inc. of San
 Francisco.  You probably won't run across these robots any time soon: Only
 sites that pay to use Black Sun's server can offer the robots, and so far, the
 lone taker is Planet Direct Corp. of Wilmington, Mass.  (CMG Information
 Services Inc., the parent company of Planet Direct, also owns a stake in Black
 Sun.)  Planet Direct, which launch free chat service on the Web last month,
 says more than 10,000 people have registered to use its service, though it
 admits that its chat rooms are still relatively quiet on a daily basis.  The
 robots are to be formally introduced next week along with Planet Direct's 3-D
 chat rooms, where chatters get to pick a cartoon character, or "avatar," that
 represents them in the digital environment.  The lone advertiser so far is
 Black & Decker, with its Dusty avatar, which looks like a big Dustbuster with
 eyeballs.  Dusty approaches users who enter a phrase that closely matches one
 in the avatar's memory; then the avatar identifies itself as a pitchman and
 offers users tips on how, for example, a Dustbuster can help them clean their
 house.

PJDM

    This might be of use to some of you (also posted in HUMANE::DIGITAL).

    If you're running sendmail V8.8.0 or later, you can add the following
    ruleset and classes to refuse mail from nonexistant domains and from
    explicitly listed junk mailers. It's crude, but it seems to cover about
    80% of what we're currently getting. Remember to separate left-hand-side,
    right-hand-side, and comments in rules with tabs.

    Sorry. This won't work with the off-the-shelf sendmail on Ultrix or
    Digital UNIX.


In the options section of sendmail.cf (or in LOCAL_CONFIG in the .M4 files):

# database of known spammers
# One user@domain or domain per line
F{abusers}-o /var/adm/sendmailv8/sendmail.abusers

# Domains that won't resolve but that we let in anyway
F{OKdomains}-o /var/adm/sendmailv8/sendmail.OKdomains

# SMTP/DECnet gateway relays
C{decnetgateways}us1rmc.enet.dec.com us2rmc.enet.dec.com us3rmc.enet.dec.com us4rmc.enet.dec.com us5rmc.enet.dec.com us6rmc.enet.dec.com


Just before your mailer definitions (or in LOCAL_RULESETS in the .M4 files)

Scheck_mail

# check for valid domain name (incompatible with DeliveryMode=defer)
R$*			$: $>3 $1		make domain canonical
R$* < @ $=w . >		$>3 $1			...@here -> ... (remove local domains)
R$* < @ $={decnetgateways} . >	$>3 $1		remove other known intermediate relays
R$-			$: $>3 $(dequote $1 $)	dequote "foo"@here
R$*			$: <?> $1		tag all as unprocessed
R<?> $* < @ $+ . > $*	$: <OK> $1 <@$2.> $3	tag resolved names
R<?> $* < @ $={OKdomains} > $*	$: <OK> $1 <@$2> $3	tag unresolved names that are OK
R<?> $* < @ $+ . $={OKdomains} > $*	$: <OK> $1 <@$2.$3> $4	tag unresolved names that are OK
R<?> $* < @ [ $- . $- . $- .$- ] > $*	$: <OK> $1 <@[$2.$3.$4.$5]> $6	Let IP addresses through
# Note that the following (451) causes the message to be deferred
# and retried until the timeout period expires
R<?> $* < @ $+ > $*	$#error $: 451 Sender domain unresolvable
# 571 is a permanent "Delivery not authorized, message refused"
# error instead (see RFC 1893), but may reject legitimate messages if
# your nameserver is temporarily sick.
#R<?> $* < @ $+ > $*	$#error $@ 5.7.1 $: 571 Sender domain unresolvable

# Now check for real domains we do not want
R<OK> $* < @ $={abusers} . > $*		$#error $@ 5.7.1 $: 571 Mail from $2 refused here
R<OK> $* < @ $+ . $={abusers} . > $*	$#error $@ 5.7.1 $: 571 Mail from $3 refused here
# convert back to u@domain (remove the trailing dot)
R<OK> $+		$:$>4 $1
# check for full addresses
R$={abusers}		$#error $@ 5.7.1 $: 571 Mail from $1 refused here
R$* <$={abusers}> $*	$#error $@ 5.7.1 $: 571 Mail from $2 refused here

    
    	Now I feel I belong ... I got my first spam message [savetrees.com].
    
    	But it has nothing to do with saving trees.  8^)
    

If I get myself an Exchange mailbox, can I set it up so that spam from
selected domains gets automatically deleted and all other mail gets forwarded
to my zko.dec.com address?  

				Steve

Yes.

Set up an Inbox Assistant which looks for messages from that domain 
[savetrees.com covers anything ending in savetrees.com, IE there is 
an implied wildcard] and perform action "Delete".

A second Inbox Assistant can be set up such that Advanced Options 
look for the same sender address and anything NOT matching that 
condition is forwarded elsewhere.

Obviously this is a pain in the butt if you are trying to avoid mail 
from several known spam addresses, since a separate Assistant is 
needed for each domain.

	Sure.. But forwarded mail will look like it comes
	from your Exchange account and not from the original
	sender. This is fixed in Exchange 5.0


							mike

Time to look into this...

		Steve

>Obviously this is a pain in the butt if you are trying to avoid mail 
>from several known spam addresses, since a separate Assistant is 
>needed for each domain.

You can add multiple From addresses separated by ;, so one rule
should be all you need

    I was fiddling with this earlier and couldn't get this to work, hence
    my statements earlier in another thread in this conference.
    
    How do you actually set the Microsoft Exchange Inbox Assistant "From"
    field up so there's an "implied wildcard"? The help is less than
    helpful on this. Do you simply leave out the "@"? That doesn't seem to
    work with my experiments with aliasing my from address in Netscape.

Can't Office Filter on OpenVMS do this also?  Or perhaps it can just check for a
string in the sender's address and doesn't know about the parts of the address
like a domain name.

Paul

    re: Exchange filters and forwarding
    
    As an alternative to struggling with the peculiarities and weaknesses
    of Exchange, you might consider installing sendmail V8 on a friendly
    UNIX server (or even on NT) and filtering all your mail through it.
    Even procmail filtering with an older sendmail might give you better
    results.
    
    If you'd like pre-compiled binaries and sources for sendmail V8.8.5
    with mail11v3 support and sendmail.cf M4 files that can be relatively
    easily adapted to other sites, see
    ftp://ftp.see.mro.dec.com/pub/sendmail/
    
    -Tom    

    I thought this might be interesting. We don't have very many users in
    our domain now (maybe 10 active and another 60 or so who've moved on),
    but the sender addresses below were blocked over the past 7 days. Each
    represents a message sent to an average of 3 or more recipients. The
    "451" errors are non-existant domains. The remaining "571" errors are
    explicitly blocked spammer addresses and domains.
    
    There are some very good pages about anti-spamming techniques and
    "black-listed" addresses, including
    
    Claus Assmann's pages:
    	http://www.informatik.uni-kiel.de/%7Eca/email/misc.html
    Paul Vixie's pages:
    	http://spam.abuse.net/spam/
    The WSRCC pages:
    	http://www.wsrcc.com/spam/
    
    As somebody else noted, if you're going to blacklist explicit sites you
    have to be ready to keep your list up to date, including removing
    domains that have changed hands or cleaned up their acts.
    
Ruleset check_mail (<07984764@07119.com>) rejection: 451 <07984764@07119.com>... Sender domain unresolvable
Ruleset check_mail (<41413144@21616.com>) rejection: 451 <41413144@21616.com>... Sender domain unresolvable
Ruleset check_mail (<61983328@14822.com>) rejection: 451 <61983328@14822.com>... Sender domain unresolvable
Ruleset check_mail (<665@podigy.net>) rejection: 451 <665@podigy.net>... Sender domain unresolvable
Ruleset check_mail (<73592346@92153.unknown>) rejection: 451 <73592346@92153.unknown>... Sender domain unresolvable
Ruleset check_mail (<84102656@03538.com>) rejection: 451 <84102656@03538.com>... Sender domain unresolvable
Ruleset check_mail (<MARKETING@MASS.NET>) rejection: 451 <MARKETING@MASS.NET>... Sender domain unresolvable
Ruleset check_mail (<TheGood@Phonepeople.com>) rejection: 451 <TheGood@Phonepeople.com>... Sender domain unresolvable
Ruleset check_mail (<US6RMC::"Co-OpAds@nowwhereelse.org"@local:.cfsctc.dnet>) rejection: 451 <US6RMC::"Co-OpAds@nowwhereelse.org"@local:.cfsctc.dnet>... Sender domain unresolvable
Ruleset check_mail (<US6RMC::"Fast_Legal_Cash@_._"@local:.cfsctc.dnet>) rejection: 451 <US6RMC::"Fast_Legal_Cash@_._"@local:.cfsctc.dnet>... Sender domain unresolvable
Ruleset check_mail (<US6RMC::"bocaz@bocaz.org"@local:.cfsctc.dnet>) rejection: 451 <US6RMC::"bocaz@bocaz.org"@local:.cfsctc.dnet>... Sender domain unresolvable
Ruleset check_mail (<US6RMC::"emailblaster@allvip.com"@local:.cfsctc.dnet>) rejection: 571 <US6RMC::"emailblaster@allvip.com"@local:.cfsctc.dnet>... Mail from allvip.com refused here
Ruleset check_mail (<US6RMC::"showme@savetrees.com"@local:.cfsctc.dnet>) rejection: 571 <US6RMC::"showme@savetrees.com"@local:.cfsctc.dnet>... Mail from savetrees.com refused here
Ruleset check_mail (<bambi@[207.247.16.217]>) rejection: 451 <bambi@[207.247.16.217]>... Sender domain unresolvable
Ruleset check_mail (<conserve@savetrees.com>) rejection: 571 <conserve@savetrees.com>... Mail from savetrees.com refused here
Ruleset check_mail (<discover@earthsuccess.com>) rejection: 451 <discover@earthsuccess.com>... Sender domain unresolvable
Ruleset check_mail (<newsletter@shoppingplanet.com>) rejection: 571 <newsletter@shoppingplanet.com>... Mail from shoppingplanet.com refused here
Ruleset check_mail (<nycfood@quantcom.com>) rejection: 571 <nycfood@quantcom.com>... Mail from quantcom.com refused here
Ruleset check_mail (<offer@savetrees.com>) rejection: 571 <offer@savetrees.com>... Mail from savetrees.com refused here
Ruleset check_mail (<plat2@mapston.com>) rejection: 451 <plat2@mapston.com>... Sender domain unresolvable
Ruleset check_mail (<starmaker@savetrees.com>) rejection: 571 <starmaker@savetrees.com>... Mail from savetrees.com refused here
Ruleset check_mail (<telecom@savetrees.com>) rejection: 571 <telecom@savetrees.com>... Mail from savetrees.com refused here
Ruleset check_mail (<willie@clock.com>) rejection: 451 <willie@clock.com>... Sender domain unresolvable
Ruleset check_mail (<yu8873@27420.com>) rejection: 451 <yu8873@27420.com>... Sender domain unresolvable

>    How do you actually set the Microsoft Exchange Inbox Assistant "From"
>    field up so there's an "implied wildcard"? The help is less than

Just leave out the username@ 

	from: [savetrees.com  ]
	
	[X] delete

RE: .156

>The way that SMTP/RFC822 work is wonderful for spammers.
>
>You want to send mail to a million addresses that might be about 80% valid
>and avoid the overhead of handling the bounced mail, PLUS avoid the overhead
>of the mail from irate users.
>
>So you create the RFC822 headers so that they say the mail is from
>bobpalmer@digital.com and then you connect to the some unsuspecting SMTP
>server say at ibm.com and send your mail.  IBM gets hit with the load of
>transferring your mail to all the addresses on the list and then after
>3 days has to handle the overhead of returning it to the sender, which in
>this case appears to be Bob Palmer.
>
>And the users who hate to get junk mail reply to Bob Palmer saying
>"I'm never going to deal with DEC because your ad for hot girls is offensive".

The "unsuspecting SMTP server" could protect itself, if it wished to,
by only accepting messages from a set of known, trusted IP addresses.  It
wouls also be possible for it to analyze the SMTP return-path and the various
RFC822 headers to detect forgery (e.g., domain in From: name doesn't match
IP address of the poster) and to reject such messages.  But this does of
course require extra work.

--PSW

So has anyone else received the "mother of all sands" spam? I laughed until I 
stopped.

PJDM

>wouls also be possible for it to analyze the SMTP return-path and the various
>RFC822 headers to detect forgery (e.g., domain in From: name doesn't match
>IP address of the poster) and to reject such messages.  But this does of

If you mean that you analyze the From path to see if the TLD (top level domain)
matches, ie., that port1.server5.fx4.dec.com matches the dec.com in
palmer@mail.dec.com, then yes you could do that much.  That would presumably
prevent someone other than a DEC employee or contractor from impersonating him.
It would still provide no information on who sent the mail.

What is really required is an architecture where the mail user agent deals
only with a postoffice over an authenticated connection and then the mail
transfer agents deal only with known agents.  It is certainly possible to
violate the assumptions that people would have with such a system, but now
you would be able to identify the break in the trust relationship and if
nothing else remove the trust relationship, ie., not transfer mail to/from
the untrustworthy party.

Of course, this is not an acceptable solution to many people because it would
effectively remove control of the system from the hands of most people.
The problem is how to eliminate trouble makers when you chose anarchy.

>If you mean that you analyze the From path to see if the TLD (top level domain)
>matches, ie., that port1.server5.fx4.dec.com matches the dec.com in
>palmer@mail.dec.com, then yes you could do that much.  That would presumably
>prevent someone other than a DEC employee or contractor from impersonating him.
>It would still provide no information on who sent the mail.

I said something a bit stronger than that.  I said check that the machine making 
the SMTP connection has an IP address matching the domain name in the From: 
field.  In other words, only accept a message for initial delivery that says
"From: palmer@mail.dec.com" if it comes from the IP address of mail.dec.com.

The second part of the plan is to only accept forwarded messages from a list of 
known and trusted IP addresses.


This isn't quite as strong as your idea of using only authenticated connections, 
but it's roughly the same.

--PSW

>  In other words, only accept a message for initial delivery that says
> "From: palmer@mail.dec.com" if it comes from the IP address of mail.dec.com.

Presumably you mean "...if it comes from one of the IP addresses that the MX 
record for mail.dec.com points to", since there is no IP address for 
mail.dec.com.

This gets a bit more complicated when you consider mail systems with multiple 
NICs/addresses/names. Then there's DNS spoofing.

The second part of your plan comes apart when someone who isn't yet a customer 
of ours, but wants to be, tries to send us mail and can't because we don't trust  
them.

PJDM

>The second part of your plan comes apart when someone who isn't yet a customer 
>of ours, but wants to be, tries to send us mail and can't because we don't 
>trust them.

Only if that potential customer's mail is being routed through a SMTP server 
that we don't trust.  Any scheme for solving these problems is going to depend 
on a web of mutually-trusted mail servers that forward to each other.

--PSW

Which is the point of Microsoft and Digital working together to make Exchange
the most widely used mail system.

Exchange is at least similar to, if not based on, the ISO messaging model
(X.400 1992, et al).  In this model, PCs don't get to send messages except
via a server where they have been authenticated, and the mail is routed based
on a global, replicated, directory.

Now, depending on your point of view, the ISO X.400 message model is the
response to the quest for the needed replacement for SMTP, et al, or is the
vampire dog created when SMTP fell under the evil spell of ISO, and was brought
across in the early 80s.

RE: .178

SMTP mail today is routed based on a global, replicated directory (DNS MX 
records).  [Yes, one can theoretically use source routing but in practice nobody 
does.]  And nothing prevents one from implementing a X.400 server on a PC.  If 
X.400 security is any better than exists in the SMTP world, it's only because 
X.400 administrators give it more attention.  There's nothing inherently more 
secure about the X.400 protocol suite.

--PSW

How did this thing reach me?  Here are the headers; my name is never
mentioned anywhere.

From andrewr@earthfriends.com Thu May 22 14:29:36 1997
Received: from quarry.zk3.dec.com by kamlia.zk3.dec.com; (5.65v3.2/1.1.8.2/05Mar
96-0145PM)
        id AA23431; Thu, 22 May 1997 14:29:34 -0400
Received: from mail11.digital.com by quarry.zk3.dec.com; (5.65v3.2/1.1.8.2/16Jan
95-0946AM)
        id AA17809; Thu, 22 May 1997 14:29:30 -0400
Received: from sweden.it.earthlink.net by mail11.digital.com (8.7.5/UNX 1.5/1.0/
WV)
        id NAA17188; Thu, 22 May 1997 13:50:42 -0400 (EDT)
Received: from SunshineBellAnd (hdn105-023.hil.compuserve.com [206.175.106.23])
        by sweden.it.earthlink.net (8.8.5/8.8.5) with SMTP id KAA03998;
        Thu, 22 May 1997 10:00:21 -0700 (PDT)
Date: Thu, 22 May 1997 10:00:21 -0700 (PDT)
Message-Id: <199705221700.KAA03998@sweden.it.earthlink.net>
Comments: Authenticated sender is <andrewr@earthfriends.com>
From: "Long Distance" <longdistance@earthfriends.com>
To: you@sweden.it.earthlink.net
Subject: $0.10 a minute day rate
X-Mailer: Floodgate Pro 5.0

you@sweden.it.earthlink.net is probably a distribution list service.

sweden.it.earthlink.net is the first SMTP server that one can definitely say was 
involved in delivering this message (I'm assuming here that we can trust 
mail11.digital.com not to have forged any headers).  If we assume that the next 
prior received header is also not forged, then the message seems to have 
originated from a machine called SunshineBellAnd, through what looks like a 
temporary IP address assigned by CompuServe.


Bottom line:  your email address is on a list that the spammer either put 
together himself or bought from some spamming service.  I like the name of his 
mailer:  "Floodgate Pro".

--PSW

I get tonne of junk mail on my other address but this was the first one
which showed up at this address.

    re: .180
    
    Unfortunately, you can't trust any postmark that precedes the one
    received _from_ the "digital.com" relay. All of it can be forged.
    Digital's gateway relays don't authenticate the originating host name
    (by showing the IP address that actually made the connection), so the
    "xxx" in "Received: from xxx by mail11.digital.com" can potentially be
    anything you want it to be.
    
    For example, the sender in .180 could have been running a program that
    makes an SMTP connection directly to mail11.digital.com, identifies
    itself as "sweden.it.earthlink.net" and sends a text body that includes
    the remaining headers and the message. Spammers now seek out
    non-authenticating relays for their origination points so they can
    better hide their true identity.
    
    If it did actually travel through earthlink.net, it came from a
    Compuserve account connecting directly to an earthlink relay. However,
    "earthfriends.com" is a Cyberpromo domain, and earthlink.com just
    filed suit against them, so draw your own conclusions.
    
    In any case, it was sent to a mailing list (and a very big one).
    
    If you want to learn more than you ever wanted to know about these
    slime balls' methods and the latest spam scams, see the
    news.admin.net-abuse.email newsgroup.
    
    -Tom 
                    

Even if it was a part of very big mailing list, the mail forwarder within
the DEC domain has to know that one of the recepiant was me 
(i.e. sontakke@zk3.dec.com)

Why is that not anywhere in the header?  How about "Apparently to: " or
something like that?

- Vikas

For personal mail use, instead of trying to filter spam, how
about a mail system that only allows in mail from addresses
I've allowed.

For example, suppose I meet you at the beach, and I ask you
for your email address.  When I get home, I take the slip of
paper out of my pocket and (if the ink hasn't smeared due to the water),
I type your email adr from that paper into my mail system.

Obviously, this method isn't for the business use where we want
unsolicited email from prospective customers.

Actually, the above system could be made a bit more flexible with
the option of query-rcv which would query me when unknown mail is
trying to arrive, with something like:

	attempt to mail you from unknown address makemoney@yourconvenience

	Would you like this mail ?

	[]	yes, this time

	[]	yes, don't ask me next time

	[]	no, not this time

	[]	no, don't ask me next time


That way, even if I forgot to enter my new friend's email adr, or the
ink smeared because I swam again after putting the paper in my pocket,
I'd get an oppurtunity to receive their mail.

/Eric

    re: .184
    
>    Even if it was a part of very big mailing list, the mail forwarder
>    within
>    the DEC domain has to know that one of the recepiant was me
>    (i.e. sontakke@zk3.dec.com)
>
>    Why is that not anywhere in the header?  How about "Apparently to: " or
>    something like that?
    
    In SMTP, there are "envelope" addresses for the sender and recipient(s)
    and there are "header" addresses that you see at the beginning of the
    message text. The addresses that are used to route a message for
    delivery are the "envelope" addresses, and those do not appear in the
    headers (although, except for lists, they are often the same). The
    headers generally contain what the sender originally put there, but
    they, like the envelope addresses, may be re-written and translated at
    various relays and gateways along the way (for example, NODE::USER ->
    user@node.enet.dec.com).
    
    In this case, your address and a few thousand others were in the
    envelope recipient list as a result of an SMTP agent expanding a list
    (as opposed to a mailer expanding it before passing the message to an
    SMTP agent).
    
    -Tom        

> For personal mail use, instead of trying to filter spam, how
> about a mail system that only allows in mail from addresses
> I've allowed.
> 

there are folks doing this sort of thing already... see for example 
http://www.cs.helsinki.fi/~wirzeniu/mailfilter.html for a creative 
solution. 

RE: .183

It's probably time to start using an authenticating relay at our firewall.

--PSW

    re: .-1 (re: .183)
    
    Here's an example I just sent from the relative comfort of my cube in
    ZKO. Have a great weekend! :-)
    
From:	SMTP%"president@whitehouse.gov" 23-MAY-1997 17:13:42.75
To:	smith
CC:	
Subj:	Hey Bubba

Return-Path: president@whitehouse.gov
Received: by vaxsim.mro.dec.com (UCX V4.1-12, OpenVMS V6.2 VAX);
	Fri, 23 May 1997 17:13:40 -0400
Received: from mail11.digital.com (mail11.digital.com [192.208.46.10])
	by seeaxp.see.mro.dec.com (8.8.5a+mail11/8.8.5a/V2.3) with ESMTP id RAA25884
	for <smith@see.mro.dec.com>; Fri, 23 May 1997 17:13:37 -0400 (EDT)
Received: from storm.eop.gov by mail11.digital.com (8.7.5/UNX 1.5/1.0/WV)
	id RAA19235; Fri, 23 May 1997 17:05:14 -0400 (EDT)
Date: Fri, 23 May 1997 17:00:00 -0500 (EDT)
From: Bill Clinton <president@whitehouse.gov>
Message-Id: <199705231234.IAA10475@storm.eop.gov>
Subject: Hey Bubba

Hey Tom!

Have a great weekend!

Your pal, Bill
    

I responded to the "security memo" a few weeks ago which discussed spam
pointing out that they failed to admonish everyone to avoid replying to
spam, and also pointing out that DEC's external SMTP servers can be used
to generate bogus messages just like the previous one (I tested it by
using the AOL Winsock feature and IE, but I used "whitehorse.gov" just
in case I screwed up the destination address; I suspect that if the FBI was
hassling AOL, they would spend the man years of effort required to find out
which subscriber was logged into a given dialup line at a specified time).

I got mail this week saying that someone will be looking at what can be
done.

As someone pointed out, sendmail V8.something, has an option to prevent
mail from being relayed between domains via that server instead of being
sent either into, or out of, the server's domain.  However, if we're not
running a version with that feature, it will require some heroic efforts
to qualify it, or a period of months, or we find out how go the distributed
code is by putting thousands of user's mail at risk.

...but it could have unless there's something about our external mailers
that I'm missing.

------------------------------

Date: Thu, 15 May 1997 20:01:52 -0400
From: Jim Youll <jim@newmediagroup.com>
Subject: newmediagroup.com headers were forged in junk e-mailing;
         retaliation against my public anti-SPAM activities

We are a very small company.  We are being attacked electronically, because
of my public anti-spam stance:

(A) Our server was subjected to an inbound bombing from the hijacked
servers into our mailserver last night (14 May 1997).

(B) Thousands of messages were sent OUT today (15 May) from the same
hijacked servers, resulting in a torrent of complaining, hostile, violent
mail to our mailboxes.  Some people began to mailbomb us with large
documents.

I have 99.9% confidence that the hostile messages were injected into the net
from a computer dialed into enterprise.net, a UK ISP, and have the
corroborating records to prove it, at least everything I can get without
cooperation from enterprise.net.  I am unable to reach anyone at
enterprise.net who will assist in this investigation.

The messages were relayed off nevwest.com and freenet.carleton.ca SMTP servers.

The administrators at these sites have not been terribly supportive, though
they claim to be working on it.  They have also received quite a bit of
inbound mail, but appear somewhat unsure about what to do or ``how that
happened''.  They've asked me if *I* sent the messages.

Complete details of the attack and my anti-junkmail posting which started
all this appear here:
        http://www.agentzero.com/junkmail

The message I have sent out follows.  I need support from the UK.  I am
prepared to do whatever it takes to get a prosecution.

-- quoted message follows --

My domain newmediagroup.com is under attack by someone who doesn't like my
MILITANT, PUBLIC ANTI-SPAM stance.  To date, their actions have included
sending apparently several thousand e-mail messages, forged showing my name
as the sender.  In addition, this same party or someone working with them
conducted a denial-of-service attack on our system last night, 14 May.  See
http://www.agentzero.com/junkmail, including system logs clearly showing the
terrorists' use of third-party unsecured SMTP servers as relays (which you
will also see by looking at the headers of the messages that were sent).

Their attack has also included threats of harm against me.

PLEASE let people know this did not originate at newmediagroup.com.  It is a
complete forgery.  We are TRYING to investigate and at the moment have a
number of backbone carriers and MCI security, involved.  I am doing all I
can.  PLEASE tell people to stop writing to complain.  This did not come
from us.  We don't spam.  I am FIGHTING spam and that is why I was targeted
in this manner.  When you see their mail-bomb messages to me, you will
understand.

I am seeking cooperation from the sites that were used as relays.  Sheila,
apparently an administrator at freenet.carleton.ca. (office@ is their e-mail
address; if you have received junk that bounced off their mailer, I STRONGLY
suggest you contact them and demand the holes be closed.)  Carleton Freenet
has notified me (15 May 1997, 1600 EDT by e-mail) that they will not release
their SMTP logs, which would show the origin of the message injected into
their mailer.  A man reached at nevwest.com said he had ``one technician
working on it'' but really didn't understand the specifics, and was not very
excited about helping.  This is all very exciting for electronic terrorists,
I am sure.

New Media Group (and I in particular!) do not send or generate commercial
e-mail.  Ever.  We are a small Internet presence provider working closely
and on-site with clients in the Midwestern US.  Only.  We do not seek,
service, or advertise to anyone outside that area, and we do not use e-mail
for advertising.

Copies of all logs and the threatening messages which came here have been
forwarded to security officers at all ISPs we could identify, and at the
security offices of backbone providers involved in this.  We're trying, but
it will be difficult to identify who did this.  We're trying.  I fully
intend to press criminal and civil charges at the very moment an indictment
becomes feasible.

The reason we have been targeted is that I (personally, not this company)
have been leading a campaign AGAINST junk e-mail.  Please help me find out
who did this.

If you look at the headers, you will see that the messages did not come from
here.  The incoming messages threatened more attacks unless I stop my
campaign to free people from unwanted junk e-mail.  This is terrorism, plain
and simple and I call on the entire Internet community to help track down
the responsible parties.  I will appreciate any assistance you can provide.

I am offering a reward of $1,000 for information leading to the arrest and
conviction of the perpetrators of this crime.

NOTE ADDED 16 May 1997:

We were hit again overnight 15 to 16 May.  This time messages were sent to
many addresses in the U.S.  Primarily the incoming has been bouncing due to
bogus or no-longer-in-use names at these locations.  The nature of the
addressing suggests that the names were culled from newsgroups and other
public sources, and that the system doing the gathering went back some
distance in time to get them, as many were expired.

... It's been a busy couple of days.  We have received approximately 2,500
undeliverable messages in the last few hours.  (Normal is 20-50 per day.)
The incoming complaints and attacks are slowing, because I think people are
learning that jim@newmediagroup.com is ANTI-junk.  Word is getting out, and
hopefully that will help in the future.

How many innocent bystanders will be zapped by the attempts by ISPs
to fix the problems with SMTP (remember the S is supposed to mean simple).

------------------------------

Date:   17 May 1997 22:51:46 +0200
From: Arnt Gulbrandsen <agulbra@troll.no>
Subject: Re: newmediagroup.com headers were forged ... (Youll, RISKS-19.16)

Jim Youll <jim@newmediagroup.com> writes in RISKS-19.16 about forged spam.
I saw another side of the same incident.

The spam Jim refers to was done via enterprise.net, a UK ISP.  As a result
of this (or another?) spam, enterprise.net recently stopped relaying mail to
domains other than enterprise.net.  I discovered this when mail to one of
Enterprises' company customers (lfix.co.uk, a small consultancy) started
bouncing.

I reported it to postmaster@enterprise.net, but the reply I got was
clearly from a low-level support person who did not understand the
problem.  The problem wasn't fixed, and after a week or two I gave up.

The risks of an overly strict configuration and incompetent staffing
hopefully include a loss of customers.

--Arnt

------------------------------

My take on this is that someone tried to update someone's DNS server
so that all back translations would have returned "samie.rules" as
the address.  If I'm correct, then someone could find some DNS servers
with the security hole and update them so that his IP address would
appear to be whitehouse.gov or digital.com.  This is why newer versions
of sendmail support reporting the "received by" with both the domain name
and the IP address (in square brackets).


Subject:    juicy, security related tidbits from a BIND-8.1 log file
Date:       Wed, 21 May 1997 09:54:33 -0700
From:       Paul A Vixie <paul@vix.com>
Newsgroups: comp.protocols.dns.std


There's a DNS dynamic update tool running around out there, that doesn't use
the new UPDATE opcode but rather depends on some stupid behaviour of older
versions of BIND.  Newer versions of BIND respond as follows:

May 20 17:52:56 gw named[14994]: invalid RR type 'PTR' in authority section
        (name = '155.8.206.207.in-addr.arpa') from [206.105.188.2].53
May 20 17:52:56 gw named[14994]: unrelated additional info 'jamie.rules'
        type A from [206.105.188.2].53
May 20 17:52:57 gw named[14994]: invalid RR type 'PTR' in authority section
        (name = '155.8.206.207.in-addr.arpa') from [206.105.188.2].53
May 20 17:52:57 gw named[14994]: unrelated additional info 'jamie.rules'
        type A from [206.105.188.2].53

You will pretty much want to upgrade to BIND 8.1 or 4.9.5-P1 right about now.
(Note that BIND 8.1.1 is now in private beta testing, as is 4.9.5-P2, but the
above behaviour is in 8.1 and 4.9.5-P1.)

http://www.isc.org/isc/ is your path to salvation, or glory, or whatever.

If CERT is going to make a recommendation here, I'd like it to be for the
versions we're about to release, since there are even more, though more subtle,
security bugs fixed in the latest patches (now being tested by bind-workers.)

I received this, is it another way of getting a SPAM mail list, or is 
it useful?

GET RID OF THE UNWANTED E-MAIL!!!


"Internet Spam Control Center"

http://drsvcs.com/nospam/
	    			
      -or-

"No Junk E-mail"
 
http://pages.ripco.com:8080/~glr/nojunk.html

Just saw this at the bottom of a posting, don't know if they have ever
collected though:


Dan McCabe
McCabe Engineering
zmccabe@voicenetz.com
NOTE: To e-mail me, remove the z's in the address.

LEGAL WARNING: Anyone sending me unsolicited/commercial/junk/spam e-mail
WILL be charged a US$500 proof-reading fee.  Do NOT send unsolicited
advertisements and do NOT add my e-mail address to your list(s):

"By US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets
the definition of a telephone fax machine.  By Sec.227(b)(1)(C), it is
unlawful to send any unsolicited advertisement to such equipment.  By
Sec. 227(b)(3)(C), a violation of the aforementioned Section is
punishable by action to recover actual monetary loss, or $500, whichever
is greater, for each violation."

    >> don't know if they have ever collected though:
    
    I read an interesting article in a newspaper the other day about a
    husband and wife business enterprise that was raking in $5000/week
    through the US small claims courts.
    
    The wife runs around the stores, catalogues, mail-order companies and so
    getting herself added to their mailing lists.  After some time, she
    then writes to them and asks to be removed.  She had a technique of
    modifying ever so slightly a part of her name/address with a "flag" so
    that she could recognise which companies were the origin of her list
    entry, and which others had purchased her details through list sales.
    
    The husband tracks the incoming junk mail, matches the "flag" info in
    the address to recorded delivery mail which had asked the company to
    desist and - Voila!!  instant $500 settlement for unquestionable
    infringement.  They were averaging about 10 successful settlements per
    week.  Many of them were settled out of court as the husband has
    developed a sort of standard legal template that is presented to the
    company and they just sign it and return it with a "sorry letter" and a
    cheque.
    
    They were sure collecting...
    
    Now this was for surface mail.  It sure seems that there are legal
    precedents to try and apply the principle to e-mail.

    See also the following site: http://www.vix.com/spam