SpamX Version 1.2.4 Enhancements
Jeff Hendrickson
SpamX supports enhanced forgery detection.

The changes were put on the Web site on Monday April 26th, 2004 at 9:30pm EST.

You can download the updates at -

Full installation package:
http://www.hendricom.com/Downloads/spamxii.zip
Executable only:
http://www.hendricom.com/Downloads/spamxiibinonly.zip
Bazz
erm..

It appears to be stopping after the first IP address...

In the tracking window, I get:
QUOTE
OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:      Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:  172.16.0.0 - 172.31.255.255
CIDR:      172.16.0.0/12
NetName:    IANA-BBLK-RESERVED
NetHandle:  NET-172-16-0-0-1
Parent:    NET-172-0-0-0-0
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 1918 for additional information.
Comment:   
RegDate:    1994-03-15
Updated:    2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:  Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName:  Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org

# ARIN WHOIS database, last updated 2004-04-26 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.


172.16.x.x is our internal private IP..

Bazz
Jeff Hendrickson
Hi BaZz, could you please send one or two headers to me so I can process them here?

The lookup strategy that I have in 1.2.4 works very well on my email (I know that doesn't help you), and I'm getting GREAT results comparing the output with VisualRoute, SC, and lookup by hand.

I'd like to see what the difference is, and get you taken care of....
Bazz
Coming right up...

QUOTE
Microsoft Mail Internet Headers Version 2.0
Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Tue, 27 Apr 2004 11:25:29 +0100
Received: from mx1.exponential-e.com ([62.244.177.19]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Tue, 27 Apr 2004 11:25:27 +0100
Received: from [80.138.227.20] (port=3976 helo=p508AE314.dip.t-dialin.net)
by mx1.exponential-e.com with smtp (Exim 4.24)
id 1BIPls-0004e2-NR
for b.freeman@sdgworld.net; Tue, 27 Apr 2004 10:25:02 +0000
Received: from 209.156.2.12 by 80.138.227.20; Wed, 28 Apr 2004 04:10:59 +0200
Message-ID: <NAISPUSPHEBBAIDJDMFJK@x9media.de>
From: "Mrs Takes" <Kurt97736@sanriotown.com>
Reply-To: "Mrs Takes" <Justin604@glay.org>
To: b.freeman@sdgworld.net
Subject: male organ size
Date: Tue, 27 Apr 2004 19:06:59 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--671695415209100"
X-Priority: 3
X-IP: 156.244.226.68
Return-Path: Clyde980@gate99.nl
X-OriginalArrivalTime: 27 Apr 2004 10:25:27.0942 (UTC) FILETIME=[F5AC4260:01C42C41]

----671695415209100
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit


----671695415209100--


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>The best solution to male enlargement:<BR>
&nbsp;- <A HREF="http://www.puddle2.us/b/?vcrx">http://www.puddle2.us/b/?vcrx</A><BR>
<BR>
<BR>
<BR>
<BR>
Happy with your current size?<BR>
- <A HREF="http://puddle2.us/1v3.html">http://puddle2.us/1v3.html</A><BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: b.freeman@sdgworld.net<BR>
Sent: Friday, 18 April 2004 1:14 PM<BR>
To: Kurt5@s-one.net.sg<BR>
Subject: FW: how to get a bigger cock (herbal)<BR>
&gt;<BR>
&gt; The only solution to male enlargement:<BR>
&gt; - <A HREF="http://www.puddle2.us/b/?vcrx">http://www.puddle2.us/b/?vcrx</A><BR>
&gt;<BR>
&gt;<BR>
</FONT>
</P>

</BODY>
</HTML>


Bazz
Bazz
And another just for luck

QUOTE
Microsoft Mail Internet Headers Version 2.0
Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Tue, 27 Apr 2004 11:21:00 +0100
Received: from primemail.com ([218.81.182.248]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Tue, 27 Apr 2004 11:20:57 +0100
Message-ID: <1E8BC534.FAAC754@primemail.com>
Date: Tue, 27 Apr 2004 03:28:13 -0500
From: "antonia lee" <karyllesh@primemail.com>
User-Agent: SquirrelMail/1.4.2-0.1.7.x
MIME-Version: 1.0
To: "Torri Peters" <b.freeman@sdgworld.net>
Subject: Medical Breathrough
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-Path: karyllesh@primemail.com
X-OriginalArrivalTime: 27 Apr 2004 10:20:58.0491 (UTC) FILETIME=[55114CB0:01C42C41]



<HTML>
Let's face it, Age should be nothing more than a number<br>
It's okay to want to hold on to your young body as long as you can<br>
<br><a href="http://www.catchclassyproduct.com/6/">View more about a new
lifespan enhancement press here</a><br>
<br>
&quot;With increasing longevity for an increasing segment of the
population, this is THE frontier for the new millennium&quot;<br>
-Dr Virgil Howard<br>
<br>
<br>
<br>they are now open
not now then next the post office address is listed in link<br>
<br>
<br>
Fatality was not significantly different  Failures were significantly more
common with combination therapy  Among all trials we found no evidence for
any potential prevention of infection by resistant isolates with combination
therapy 
It can be debated which design appropriately examines the clinical
interpretation of synergism studies comparing same or different  lactams
Synergism has been defined as a 2 log10 or greater reduction in bacterial
count with the combination versus that with each of the agents alone 86 In
studies comparing the same  lactam this is directly tested but the effect of
increasing the antibiotic spectrum cannot be separated from a synergistic
effect  <br>
<br>But suppose, said Rob, that something important should happen while I'm
asleep, or not looking at the box? I have called this a Record, replied the
Demon, and such it really is, although I have shown you only such events as
are in process of being recorded
</FONT></HTML>
Jeff Hendrickson
Thanks bAZz, we'll get this taken care of....
Jeff Hendrickson
bAzZ, I put some changes on the Web site at 10:08am today, Tuesday, April 27th, can you take a look at them, and tell me if they work for you??

I tested them on the headers you were nice enough to take the time to post, and it worked on them.

Full installation package:
http://www.hendricom.com/Downloads/spamxii.zip
Executable only:
http://www.hendricom.com/Downloads/spamxiibinonly.zip

Thanks!
Bazz
Well, that worked a lot better..

What's "Listed in CBL" mean?

BAzz
Jeff Hendrickson
That's great!

'listed in CBL' means that the IP address that I'm evaluating showed up in one or more sites that maintain information regarding Open Relays, etc...., so I don't use this address in my lookup.

Thanks again for providing me with feedback to keep the debug effort on track!
Bazz
Problems, don't you just love 'em.

This spam results in Spamx getting into a loop.

Seems all the IP addresses are "listed in CBL" and we get a continuous round of "Receiving 439 bytes ARIN Repsonse" which never ends.

QUOTE
Microsoft Mail Internet Headers Version 2.0
Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Wed, 28 Apr 2004 10:56:04 +0100
Received: from mx1.exponential-e.com ([62.244.177.19]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Wed, 28 Apr 2004 10:56:04 +0100
Received: from [198.68.133.166] (port=4734 helo=62.244.177.193)
by mx1.exponential-e.com with smtp (Exim 4.24)
id 1BIlmy-0003hy-CU
for b.freeman@sdgworld.net; Wed, 28 Apr 2004 09:55:37 +0000
X-Message-Info: z784U2GCA5ZNQd7dyzUXnUNZ37SH07yvcSupgYCN2
Received: from 89.140.140.240 by doric596-abz22.utter17.mimiryden@winrz.com with DAV;
Wed, 14 Apr 2004 12:51:22 +0200
Message-ID: <51387889906994819940.18906@florenekreisman@findmemail.com>
X-Originating-IP: [28.173.224.0]
X-Originating-Email: [athenaferron@andyclara.com]
X-Sender: tommyetegtme@llandudno.com
Reply-To: "Scot Good" <barbiefrilot@gippsland.every1.net>
From: "Scot Good" <maecoldren@baseballdad.net>
To: "B.freeman" <b.freeman@sdgworld.net>
Subject: b.freeman@sdgworld.net g;et all y;our p;recsr1ptions l;ega||y s;hipped to y;our d;00r mine
Date: Wed, 14 Apr 2004 09:51:22 -0100
MIME-Version: 1.0 (produced by euphoricchosen 26.33)
Content-Type: multipart/alternative;
boundary="--3841628454156704"
Return-Path: alyshasteen@swu.dk
X-OriginalArrivalTime: 28 Apr 2004 09:56:04.0729 (UTC) FILETIME=[05210E90:01C42D07]

----3841628454156704
Content-Type: text/html;
charset="iso-0356-1"
Content-Transfer-Encoding: 7Bit
Content-Description: whitetail repelling0.hypotenuse


----3841628454156704--


<p align="left">Hello b.freeman@sdgworld.net,<br>
<p align="left"><FONT color=#000000 size=+1>
<a href="http://www.inforacing.biz/qog345/14/">B<!--cocky-->uy Xa<!--latera-->nax,
Val<!--trollop-->iuam,
Vic<!--billion-->odin,  Hy<!--sheaf-->droc<!--mudguard-->odene
onl<!--alger-->ine <BR></a></FONT><B><FONT color=blue size=+1>
<BR></FONT></B><FONT
size=+1>N<!--activation-->0 pri<!--tantalum-->0r pres<!--staunton-->cript.  req<!--pritchard-->uired
<BR><BR>Shi<!--bookcase-->pped to yo<!--chancy-->ur ho<!--carmichael-->me or
0ff<!--noise-->ice, con<!--diverge-->fide<!--arch-->ntial  <BR><BR></FONT><p align="left"><font  size="2">&nbsp;inadvisable&nbsp;&nbsp;&nbsp;&nbsp;
kidnap<br>
&nbsp;<br>
irredeemable</font>&nbsp;<p align="left"><br>
<p align="left"><br>
<p align="left"><font size="2">pl<!--angela-->ease st<!--whiten-->op <a  href="http://www.inforacing.biz/qog345/14/rf.html">off<!--dramatist-->ers</a></font>
<p align="center">&nbsp;
<p align="left"><font size="2">refection contain advisable tight foamflower
albeit depend<br>
&nbsp;brackish<br>
cinnabar credulous solidify sandy chromosphere&nbsp;&nbsp;&nbsp;&nbsp; morton<br>
<br>
bard brink crocus potboil squalid chart nearby chief<br>
neurotic puffery jim prothonotary pyrolysis gestapo eyewitness <br>
<br>
octile entry bourgeoisie arragon&nbsp;&nbsp;&nbsp; mccarthy
petty</font></p>
<p align="left"><font size="2"> omen</font>,</p>
<p align="left"><font size="2">Thanks!</font></p>
Bazz
A bit more info..
I looked at the log file...

QUOTE
Evaluating answer for 172.16.10.6
Received answer
Evaluating answer for 172.16.10.6
Received answer
Evaluating answer for 172.16.10.6
Received answer
Evaluating answer for 172.16.10.6
Received answer
Evaluating answer for 172.16.10.6
Received answer
Evaluating answer for 172.16.10.6
Received answer
Evaluating answer for 172.16.10.6
Received answer
Evaluating answer for 172.16.10.6
Received answer


This is the IP of our internal mail server..

BAzz
Codger
I'm having a similar problem with getting into a loop. The only way out is to close SpamX.
First, the headers from the offending message:

QUOTE
Processing spam: Tomrrow night
36.244.60.178 is listed in CBL
225.240.8.91 is listed in CBL
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer
Received answer
Evaluating answer for Netwave Shikoku Co., Inc.
Received answer
Evaluating answer for 219.109.119.150
Received answer
Evaluating answer for 219.109.119.150
Referred to    Asia Pacific Network Information Centre
Received answer
Evaluating answer for 219.109.119.150
Received Network Block answer


Now the headers:

QUOTE
Received: from cm150.cavy40.catvnet.ne.jp ([219.109.119.150])
          by rwcrmxc13.comcast.net (rwcrmxc13) with SMTP
          id <20040427093050r13001479fe>; Tue, 27 Apr 2004 09:31:02 +0000
X-Originating-IP: [219.109.119.150]
Return-Path: <HOMDKVQLVUQRQ@veryfast.biz>
Received: from insufferable.mail.vivacious.com ([225.240.8.91])
by jejune (algerian SMTP Server) with SMTP id ATEOBKF-0001[10
for <madmonk@attbi.com>; Tue, 27 Apr 2004 16:23:37 +0600
Received: from [36.244.60.178] by infertile.mail.pinscher.com via HTTP; Tue, 27 Apr 2004 06:23:37 -0400
Date: Tue, 27 Apr 2004 14:26:37 +0400
From: "Roxanne Contreras" <HOMDKVQLVUQRQ@veryfast.biz>
Subject: spam: Tomrrow night
To: madmonk@attbi.com
Cc: madmonteostrem@attbi.com
MIME-Version: 1.0
X-Mailer: miPOP WebMail 3.29
Message-Id: <YTLARBN-0000062756489@enquiry>
Content-Type: multipart/alternative; boundary="710855152957723013"
X-tis-spam: score=8.90900 (112417,190067,112218,141011)


I hope it's an easy fix ;>)
Jeff Hendrickson
Thanks for taking the time to report these, and posting the headers!!

I was able to figure out what was going on, and have posted a fix on:

Full installation package:
http://www.hendricom.com/Downloads/spamxii.zip
Executable only:
http://www.hendricom.com/Downloads/spamxiibinonly.zip

The fix works on the headers you've posted, and doesn't seem to have broken anything (fingers crossed).

I'm anxious to see if this corrected your problem without introducing any unwanted side-effects.....
Bazz
This one still causes the loop.
QUOTE
Microsoft Mail Internet Headers Version 2.0
Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Thu, 29 Apr 2004 09:49:31 +0100
Received: from cantillon.demon.co.uk ([213.46.4.204]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Thu, 29 Apr 2004 09:49:30 +0100
Message-ID: <FBPOLLCOLJACOJJJBLKBHMNEOBAA.farr_bc@adlon.se>
From: "Erika R. Farr" <farr_bc@adlon.se>
To: b.freeman@sdgworld.net
Subject: Yours Will Be Thicker And Fuller for the New Year
Date: Thu, 29 Apr 2004 00:44:45 +0000
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: base64
Return-Path: farr_bc@adlon.se
X-OriginalArrivalTime: 29 Apr 2004 08:49:30.0908 (UTC) FILETIME=[E30A15C0:01C42DC6]



<html>
<body>
Its N<kr60ddfqunx8w1>ew, Its S<k1xhy3gvbqqmb4v>afe!<br>
Its The Most Advanced Peni<ka71nx4j9p8ch3o>le <k712xjy3u3npdsz>Enlarg<kyv6cpdgedqa53p>ement So<kovqhaw3z8k0r>lution!<br>
I<kdkdx2gztcz7q1>t's 100% G<kysuiba4605c>uara<kkbb50m2fry2d>nteed To En<knwjzys3jh5h>la<kiu9jwu32su>rge Y<k7v46v01v9a8cc7>our Pe<kl9efp530mks>nis. 3+ I<k2m790op8kq>NCHES<br>
MAGNA-RX PATCH - <a href="shredd-1.us/e/?order">CLICK HERE</a><br>
<br>
The amazi<k0pi3xz2mwf22>ng, new Magn<kk7jg5q14iudp>a RX Pa<kag0n0l1rzn6f>tch is not avai<ksvmrw817suqmt>la<kaqfjqd1buk1>ble in any sto<kc1vmfy1jpnzfr>res or on other
web<khky3xk1ditrmd2>sites. Acc<kui9kms7n7b7>ept no imita<k4nwbw52rdz6e>tions! Orde<kadf3u51kowqosh>r your male enh<kq6x5vi3zstc>ancement pa<krvd644hydj>tch now through
this excl<kfmxfdb1pij>usive webs<kvpm2il1zd9>ite offer and get a 1-month sup<kzabc9a27tmxp>ply FREE! One sm<knoy8hf3pdfbbg3>all inve<kroshbg2e7ebrd>stment
in yourself will last a lifetime!<br>
<br>
<br>
<p><b><font color="#FF0000"><a
href="http://ztb.shredd-1.us/e/?order">READ
MORE INFO HERE</a></font></font></b><br>
<p>
<p>
<p>
<p>
<p><font size=-2><a href="cjl.shredd-1.us/1v3.html">no
more emailz</a></font></font></font></center>
<br><p>
</body>
</html>


This is the logfile..
QUOTE
Processing Yours Will Be Thicker And Fuller for the New Year
213.46.4.204 is listed in CBL
172.16.10.6 is listed in CBL
Received answer
Evaluating answer for 172.16.10.6
ABUSE@IANA.ORG is in do not send list
ABUSE@IANA.ORG is in do not send list
Received answer
Evaluating answer for 172.16.10.6
ABUSE@IANA.ORG is in do not send list
ABUSE@IANA.ORG is in do not send list
Received answer
Evaluating answer for 172.16.10.6
ABUSE@IANA.ORG is in do not send list
ABUSE@IANA.ORG is in do not send list
Received answer
Evaluating answer for 172.16.10.6
ABUSE@IANA.ORG is in do not send list
ABUSE@IANA.ORG is in do not send list
Received answer
Evaluating answer for 172.16.10.6
ABUSE@IANA.ORG is in do not send list
ABUSE@IANA.ORG is in do not send list
Processing Yours Will Be Thicker And Fuller for the New Year
213.46.4.204 is listed in CBL
172.16.10.6 is listed in CBL
Received answer
Evaluating answer for 172.16.10.6
ABUSE@IANA.ORG is in do not send list
ABUSE@IANA.ORG is in do not send list
Received answer
Evaluating answer for 172.16.10.6
ABUSE@IANA.ORG is in do not send list
ABUSE@IANA.ORG is in do not send list
Received answer
Evaluating answer for 172.16.10.6
ABUSE@IANA.ORG is in do not send list
ABUSE@IANA.ORG is in do not send list
Received answer


Seems to get confused if it can't find at least one domain.
BAzz
Bazz
Batch mode seems to be broken as well..

The report Spam button gets disabled, the message gets processed but nothing is sent.

BAzz
Jeff Hendrickson
Thanks for reporting this.

I'm in a bit of a quandary what to do about the 'no abuse addresses found'. This means that for one reason or another the IP address that I've checked has come back as questionable to use for a spam report.

So if I don't find a 24k address, what do I do?? Right now, as you know, SpamX will spin trying to find a good address.

Do I give up, and advise the user, or use the questionable address anyway????

HELP!
Guest
Hmm at a first guess, I'd say stop batch if it's in that mode and report the lack of address.

If it's not in batch then just report no reportable address.

It's a bit odd, since there must be at least some track before the forgeries.

Bazz
Bazz
Interesting, don't know if this will help you:

Had another spam that Spamx looped on.
QUOTE
Microsoft Mail Internet Headers Version 2.0
Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Thu, 29 Apr 2004 17:59:49 +0100
Received: from slugs.exponential-e.com ([62.244.176.6]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Thu, 29 Apr 2004 17:59:49 +0100
Received: from [200.199.125.68] (port=2456 helo=RJ199125068.user.veloxzone.com.br)
by slugs.exponential-e.com with smtp (Exim 4.22)
id 1BJEsy-0001af-IC
for b.freeman@sdgworld.net; Thu, 29 Apr 2004 16:59:47 +0000
Received: from 216.64.48.136 by 200.199.125.68; Thu, 29 Apr 2004 19:57:09 +0200
Message-ID: <AHDCYCXTFOLQCSNVSHACWFW@hotmail.com>
From: "Esteban Kemp" <LVOCJSUY@hotmail.com>
Reply-To: "Esteban Kemp" <LVOCJSUY@hotmail.com>
To: b.freeman@sdgworld.net
Subject: Fwd: Fwd: Save On Term Life ins.
Date: Thu, 29 Apr 2004 12:58:09 -0500
X-Mailer: AOL 9.0 for Windows US sub 246
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--98994600582983167"
X-Priority: 3
X-MSMail-Priority: Normal
X-IP:218.134.72.28
Return-Path: LVOCJSUY@hotmail.com
X-OriginalArrivalTime: 29 Apr 2004 16:59:49.0876 (UTC) FILETIME=[621C5B40:01C42E0B]

----98994600582983167
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable


----98994600582983167--


<html>
<body>
<p><font size="2" face="Arial, Helvetica, sans-serif"><br><br>Join <font style=font-size:1px>.</font>America’s newest
    Insu<font style=font-size:1px>`</font>rance referral network.<br><br>We offer te<font style=font-size:1px>.</font>rm Li<font style=font-size:1px>.</font>fe cove<font style=font-size:1px>'</font>rage at up to 7<font style=font-size:1px>'</font>0% off.<p><font size="2" face="Arial, Helvetica, sans-serif">We survey the top Li<font style=font-size:1px></font>fe Ins<font style=font-size:1px>,</font>urance companies and provide the<br>
bes<font style=font-size:1px>.</font>t rat<font style=font-size:1px>'</font>es available tod<font style=font-size:1px>'</font>ay.<br>
<br>Smokers may qua<font style=font-size:1px>,</font>lify for sp<font style=font-size:1px>`</font>ecial rates.</font></p>
<p><b><font size="2" face="Arial, Helvetica, sans-serif"><br>
 
  </b><font size="1"><br><br>
<li><b>Provide cash and in<font style=font-size:1px>.</font>come</b> needs on and immediately following dea'th such
            as un'paid bill<font style=font-size:1px>.s</font> and taxes and other obligat<font style=font-size:1px>.</font>ions.</li>
          <li>Prevent a <b>family's sudden'ly dropping from its a.ccustomed standard</b> of
            living after the d<font style=font-size:1px>'</font>eath of the breadwinner.</li>
          <li>P.rovide <b>continuous flow of funds</b> for the living spouse.</li>
          <li>Allocate <b>in<font style=font-size:1px>.</font>come fund's for the children's education</b>.</li>
          <li>P.rovide a <b>retirement in<font style=font-size:1px>.</font>come throughout old age</b>.</li>
          <li>P.rovide a reliable <b>savings plan for the future</b></li>
          <li>Supplement' <b>income when earning power is destroyed</b> by 'illness _of_ accidents,
            such as covering medi'cal e<font style=font-size:1px>.</font>xpenses.</li><br><br><br>
<a href="http://yahoo.com-yahoo.com.ph/click.php?id=leneyei&ID=9797">Get Your Ins<font style=font-size:1px>.</font>urance Qu<font style=font-size:1px>.</font>ote Tod<font style=font-size:1px>'</font>ay
</a><br><br><font style=font-size:1px><br><br><br>
  luxury axolotl aegis flashy matson ductwork seventeenth cryptanalytic farley perch deem ut respiratory herself bugaboo calumniate cafeteria kensington oily wichita bash deferent digitalis atmosphere insolvent centrifugate anomalous acknowledge diathesis aspire fragmentary creaky eloise
  </font><br>
  If you do not wish to rece<font style=font-size:1px>'</font>ive these of<font style=font-size:1px>`</font>fers in the future,<br>
  <a href="http://yahoo.com-yahoo.com.ph/click.php?id=leneyei">Go He<font style=font-size:1px>'</font>re</a> to un-list now<br>
  <font style=font-size:1px>
  rome burn vienna brigadier xavier threat cur foundling flash psalter backpack purine argonne structure traversable three worst nitrate polygynous quadrangular falstaff monomial diorama hog mcleod bandstand elysian heat cheryl fan olga guyana
  </font></p>
<p>&nbsp;</p>
</body>
</html>


The status bar says all the addresses are listed in CBL, although how our internal one can be is a bit of a mystery.

I decided to run it through SpamCop just to see what it would pick up:

QUOTE
0: Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713); Thu, 29 Apr 2004 17:59:49 +0100
Internal handoff at sdgworld.net

1: Received: from slugs.exponential-e.com ([62.244.176.6]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0); Thu, 29 Apr 2004 17:59:49 +0100
sdgworld.net received mail from sdgworld.net ( 62.244.176.6 )
Hostname verified: sugar.exponential-e.net

2: Received: from [200.199.125.68] (port=2456 helo=RJ199125068.user.veloxzone.com.br) by slugs.exponential-e.com with smtp (Exim 4.22) id 1BJEsy-0001af-IC for x; Thu, 29 Apr 2004 16:59:47 +0000
sdgworld.net received mail from 200.199.125.68

3: Received: from 216.64.48.136 by 200.199.125.68; Thu, 29 Apr 2004 19:57:09 +0200
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
Trivial forgery


Tracking message source: 200.199.125.68:
Routing details for 200.199.125.68
[refresh/show] Cached whois for 200.199.125.68 : abuse@telemar.net.br mail-abuse@nic.br
Using abuse net on abuse@telemar.net.br
abuse net telemar.net.br = postmaster@telemar.net.br, admin@telemar.net.br, abuse@telemar.net.br, mail-abuse@nic.br, antispambr@abuse.net
Using abuse net on mail-abuse@nic.br
abuse net nic.br = postmaster@nic.br, mail-abuse@nic.br, antispambr@abuse.net
Using best contacts postmaster@nic.br postmaster@telemar.net.br admin@telemar.net.br abuse@telemar.net.br mail-abuse@nic.br antispambr@abuse.net
I refuse to bother postmaster@nic.br
admin@telemar.net.br bounces (11 sent : 7 bounces)
Using admin#telemar.net.br@devnull.spamcop.net for statistical tracking.
antispambr@abuse.net redirects to spambr@admin.spamcop.net
Yum, this spam is fresh!
200.199.125.68 listed in dnsbl.njabl.org ( 127.0.0.9 )
200.199.125.68 listed in dnsbl.njabl.org ( 127.0.0.9 )
200.199.125.68 is an open proxy
200.199.125.68 not listed in query.bondedsender.org
200.199.125.68 not listed in iadb.isipp.com


Finding links in message body
Parsing HTML part


Resolving link obfuscation
http://yahoo.com-yahoo.com.ph/click.php?id=leneyei
  host 218.30.29.43 (getting name) no name
http://yahoo.com-yahoo.com.ph/click.php?id=leneyei&id=9797
  host 218.30.29.43 (getting name) no name


Tracking link: http://yahoo.com-yahoo.com.ph/click.php?id=leneyei&id=9797
Resolves to 218.30.29.43


Tracking ip 218.30.29.43
Routing details for 218.30.29.43
[refresh/show] Cached whois for 218.30.29.43 : bjnic@bjtelecom.net
Using last resort contacts bjnic@bjtelecom.net


Tracking link: http://yahoo.com-yahoo.com.ph/click.php?id=leneyei
Resolves to 218.30.29.43


Tracking ip 218.30.29.43
Cached masters for 218.30.29.43: bjnic@bjtelecom.net


Please make sure this email IS spam:
From: "Esteban Kemp" <x> (Fwd: Fwd: Save On Term Life ins.)
Join .America’s newest
Insu`rance referral network.We offer te.rm Li.fe cove'rage at up to 7'0% off.We
View full message

Report Spam to:


Re: 200.199.125.68 (Administrator of network where email originates)
To: mail-abuse@nic.br (Notes)
To: abuse@telemar.net.br (Notes)
To: Internal spamcop handling: (spambr) (Notes)
To: postmaster@telemar.net.br (Notes)
To: admin#telemar.net.br@devnull.spamcop.net (Notes)


Re: 200.199.125.68 (Third party interested in email source)
To: Cyveillance spam collection (Notes)


Re: http://yahoo.com-yahoo.com.ph/click.php?id=leneyei (Administrator of network hosting website referenced in spam)
To: bjnic@bjtelecom.net (Notes)


Re: http://yahoo.com-yahoo.com.ph/click.php?id=lene... (Administrator of network hosting website referenced in spam)
To: bjnic@bjtelecom.net (Notes)


So spamcop picks up the open proxy and reports it to the upline ISP.
It also picks up the links in the message body.

Will Spamx be able to do that as well soon? (At all?) It's often useful to be able to report the pestering web sites being spamvertised.
(Notice the Last Resort posting when Spamcop can't find a specific abuse address.)

Oh yes, I was going to make another suggestion.
Can we have the subject of the complaint NOT say "Spam Complaint" but "Email Abuse Complaint"?
The word "spam" is picked up by a lot of filters and I get the replies to the reports dumped in my spam box at the moment.


BAzz
Jeff Hendrickson
Hi BaZZ,

SpamX Version 1.2.4 was going into a loop looking for a 24k abuse address to use to send the spam report. It went into a loop if it did not find one.

To correct this, SpamX Version 1.2.5 will look at the list once for a 24k address; if it does not find one, it will make another pass with less stringent lookup criteria. If it does not find one on this pass, it will make a note in the log file, and if you are in 'automated processing' it will continue on with the next email.

I've also changed the subject of the spam complaint from 'Spam Complaint' to 'Email Abuse Complaint'.

You can download the latest fixes at:
Full installation package:
http://www.hendricom.com/Downloads/spamxii.zip
Executable only:
http://www.hendricom.com/Downloads/spamxiibinonly.zip

Thank you for taking the time to report this bug, and post the support headers.

I'm working on the URL detection in the email bodies. It should be ready soon.

I'm anxious to get your feedback. Thanks!
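
The bounded lookup described for 1.2.5 (one strict pass, one relaxed pass, then log and move on), sketched in Python as an added example; it is not SpamX code and not part of any post in this thread. The function names, the WHOIS stub, the `trusted` set, reading "strict" as "skip blocklisted addresses", and filtering out RFC 1918 and other unroutable addresses before any lookup are all assumptions.

```python
import ipaddress
import re

# Constructed sample: Received chain copied from the 29 Apr 2004 message in the
# thread, with continuation lines indented as they would be on the wire.
SAMPLE_HEADERS = """\
Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Thu, 29 Apr 2004 17:59:49 +0100
Received: from slugs.exponential-e.com ([62.244.176.6]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Thu, 29 Apr 2004 17:59:49 +0100
Received: from [200.199.125.68] (port=2456 helo=RJ199125068.user.veloxzone.com.br)
  by slugs.exponential-e.com with smtp (Exim 4.22)
  id 1BJEsy-0001af-IC
  for b.freeman@sdgworld.net; Thu, 29 Apr 2004 16:59:47 +0000
Received: from 216.64.48.136 by 200.199.125.68; Thu, 29 Apr 2004 19:57:09 +0200
Message-ID: <AHDCYCXTFOLQCSNVSHACWFW@hotmail.com>
"""

# Constructed WHOIS stub holding only contacts that appear in the thread.
WHOIS = {
    "172.16.10.6": ["abuse@iana.org"],
    "200.199.125.68": ["abuse@telemar.net.br", "mail-abuse@nic.br"],
}

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def received_hops(raw_headers):
    """Return the 'from' IP of each Received header, nearest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded lines
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        # Only the part before " by " names the sending side of the hop.
        from_part = re.split(r"\sby\s", line, maxsplit=1)[0]
        match = IPV4.search(from_part)
        if match:
            hops.append(match.group(0))
    return hops


def is_reportable(ip):
    """False for addresses that no registry can attribute to an operator."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False  # e.g. an octet above 255 in a forged header
    return not (addr.is_private or addr.is_multicast or addr.is_reserved
                or addr.is_loopback or addr.is_link_local
                or addr.is_unspecified)


def pick_abuse_contacts(hops, whois, listed, do_not_send, trusted=frozenset()):
    """Two bounded passes over the hop list; returns (contacts, log).

    listed      -- IPs found on a blocklist (skipped on the strict pass only)
    do_not_send -- lowercase addresses that must never receive a report
    trusted     -- the recipient's own relays, never reported (assumption)
    """
    log = []
    candidates = [ip for ip in hops
                  if is_reportable(ip) and ip not in trusted]
    for strict in (True, False):        # exactly two passes, no retries
        for ip in candidates:           # each candidate visited once per pass
            if strict and ip in listed:
                log.append(f"{ip} is listed, skipped on strict pass")
                continue
            contacts = [c for c in whois.get(ip, [])
                        if c.lower() not in do_not_send]
            if contacts:
                return contacts, log
    log.append("no reportable abuse address found")
    return [], log


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADERS)
    print(hops)
    print(pick_abuse_contacts(hops, WHOIS, listed={"200.199.125.68"},
                              do_not_send={"abuse@iana.org"},
                              trusted={"62.244.176.6"}))
```

Because 172.16.10.6 is dropped before any lookup, the IANA record and its do-not-send contact never enter the selection, and the function returns after at most two passes over a finite list.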