Great Circle Associates List-Managers
(April 1997)
 


Subject: Re: Mailing Lists Are Under Attack Again
From: Alexander Verbraeck <A . Verbraeck @ IS . TWI . TUDelft . NL>
Date: Sun, 13 Apr 1997 20:55:47 +0200 (MET DST)
To: orionsoft @ telephonet . com, wavelet @ colossus . arl . mil
Cc: list-managers @ greatcircle . com
In-reply-to: <v03007807af76cd20be48 @ [207 . 254 . 96 . 49]> from "Vince Sabio" at Apr 13, 97 02:01:56 pm

> Chuq, if you collate the targeted addresses at some point, could you
> please post them? I know I'd like to scrub my list, and I'm sure that
> several others would like to, as well.

Here's my current list. It contains everything I got after the second or
third day or so, after the filters took hold. The number in front tells
how many e-mails I got for those users.

> I wish I had access to the Unix shell on the server; it appears to be
> pretty easy to trap the suspect subscriptions with procmail, since they
> are using a rather consistent format for the subscribes. Unfortunately,
> all I have are Eudora filters, which are not as robust.

For Unix listprocessor users, the fastest way is to patch the Catmail
script. Listprocessor uses "Catmail" to determine what to do with the
e-mails the listprocessor and the lists receive. I patched Catmail so
it first checks the ENTIRE e-mail message against a file with strings it
should NOT contain. On a UNIX system, this took me less than an hour or so.
In this file are the domains that the spammer uses to distribute the
forged e-mails, like nlights.net, goofy.gte.net, and others. Furthermore,
I included strings in that file that usually point at spamming, like a
sentence of the Krazy Kevin spam, the string "1-900", typical strings from
every other spam I have received, etc. The e-mails are routed to me instead
of to the list or the listprocessor. I receive them as regular mail in my
mailbox, and I can then determine what to do about them. This has proven to
save dozens and dozens of hours of work.

> However, a *minor* pattern has become evident, and has allowed me to
> write an effective filter to catch many of the illicit subs: apparently,
> a good portion of these attacks are directed against Italian addresses.
> Filtering on the subject of the "Welcome" message (on which I'm CCed)
> *and* ".ir\r\r" (i.e., ".ir<cr><cr>") in the body of the message has
> enabled me to trap the Italian addresses on ListProc.

Beware: .ir is IRAN, .it is ITALY. For European users this would be tedious;
on one of my lists I have 34 users from Italy, who regularly post.

Hope this can be of use,
Kind regards,
Alexander Verbraeck

-----------------------------------------------------------------
Dr. Alexander Verbraeck            Delft University of Technology
Department of Systems Engineering, Policy Analysis and Management
Jaffalaan 5        P.O. Box 5015, 2600 GA  Delft  The Netherlands
Tel: +31 15 2783805    Secr: +31 15 2788380   Fax: +31 15 2783429
e-mail: A . Verbraeck @ sepa . tudelft . nl  List manager BPR-L, DYNMOD-L
http://www.sepa.tudelft.nl/~alexandv/    See also ..../bpr-l.html
-----------------------------------------------------------------
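
The whole-message screening described in the message above, as an added example that is not part of the original post and is not ListProcessor's Catmail code: a POSIX shell filter that checks headers and body against a file of forbidden strings and routes any hit to the list owner instead of the list. The function names, file names, the `owner`/`list` labels and the sample messages are assumptions constructed for illustration; the deny strings `nlights.net`, `goofy.gte.net` and `1-900` are the ones named in the post.

```shell
#!/bin/sh
# Screen a whole message (headers and body) against a file of forbidden strings.
# Hypothetical helper names; this is not ListProcessor's own Catmail code.

# Print the first deny-list string found in the message, or nothing if clean.
first_match() {
    denyfile=$1; msgfile=$2
    # Drop comments and blank lines: an empty pattern would match every message.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$denyfile" |
    while IFS= read -r needle; do
        # -F: fixed string, so the dots in a domain are not regex wildcards.
        # -i: ignore case. -q: exit status only.
        if grep -F -i -q -e "$needle" "$msgfile"; then
            printf '%s\n' "$needle"
            break
        fi
    done
}

# Routing decision: "owner <string>" (held for manual review) or "list".
route_message() {
    hit=$(first_match "$1" "$2")
    if [ -n "$hit" ]; then printf 'owner %s\n' "$hit"; else printf 'list\n'; fi
}

# Constructed sample data: deny strings from the post, messages invented.
make_samples() {
    cat > "$1/deny.txt" <<'EOF'
# relay domains seen in the forged subscribes
nlights.net
goofy.gte.net

# typical spam string
1-900
EOF
    printf 'From: user@example.org\n\nsubscribe bpr-l Jane Doe\n' > "$1/clean.msg"
    printf 'Received: from x.NLights.Net\nFrom: a@example.it\n\nsubscribe bpr-l\n' > "$1/forged.msg"
    printf 'From: b@example.com\n\nCall 1-900-555-0100 now\n' > "$1/spam.msg"
    printf 'From: c@nlightsXnet.example\n\nhello\n' > "$1/lookalike.msg"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for m in clean forged spam lookalike; do
    printf '%s: %s\n' "$m" "$(route_message "$tmp/deny.txt" "$tmp/$m.msg")"
done
rm -rf "$tmp"
```

Reporting the matched string alongside the `owner` decision lets the list owner see why a message was held, which matters when a broad entry starts catching legitimate subscribers.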


