Great Circle Associates List-Managers
(April 1997)

Subject: Re: Malicious mass subscriptions
From: Chuq Von Rospach <chuqui @ plaidworks . com>
Date: Wed, 2 Apr 1997 11:08:19 -0800
To: Morna Findlay <Morna . Findlay @ newcastle . ac . uk>, Brent Chapman <Brent @ GreatCircle . COM>, list-managers-digest @ GreatCircle . COM
In-reply-to: <v03007813af67c35a69f2@[]>
References: <v03020904af66ed46468c@[]><v03007808af66809ea3a7@[]>

At 12:05 AM -0800 4/2/97, Morna Findlay wrote:

>>We've had some success using a front-end filter for Majordomo that blocks
>>incoming requests containing certain known-problem domains in the
>>"Received:" lines.

>That of course would affect the valid users from those domains.
>Has anyone done this?

I've done this using procmail. Anything suspicious gets sent to my
account instead of to the daemon. I can monitor, and correct requests
can be forwarded back for processing.

In reality, the domains used for spamming don't seem to have
legitimate users of my systems -- your mileage may well vary here, so
study the requests before making assumptions.

It's *really* cut down my spam problems until I can get subscription
confirmation finished. I *also* generate daily subscriber change
reports, so I can quickly scan the new names every morning, and once I
got my system in place, while the spammers are still at it, no spam
account's made it onto one of my lists in three days (unless they're
hiding well). Prior to that, it was only a couple instead of (on bad
days) a dozen or more.

Fortunately, the spammers have patterns you can use to your benefit.
Unfortunately, they sometimes change them slightly, so you have to keep
watching. More unfortunately, the patterns make it obvious what most of
the spam is, but they don't lend themselves to programmatic testing
very easily, except in broad ways (if someone is signed up with a name
of "lamer" or "remal", for instance, you can bet it's a spam). Certain
other keywords can trip a warning, too, as can certain headers such as
"peer crosschecked" showing up in the mail. I've yet to see a
subscription request with a "peer crosschecked" line that was
legitimate.... Now, to get EVERYONE to do peer crosschecking... grin...

         Chuq Von Rospach -- Apple IS&T Mail List Gnome

 Plaidworks Consulting -- The home for Hockey on the net
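The front-end filter described in the message above, as an added example that is not part of the original thread and not Chuq's procmail recipe: a Python model of what such a filter decides for each incoming Majordomo request. It parses a raw subscription message, checks every Received: line against a list of known-problem domains, looks for the "peer crosschecked" marker in headers and for words such as "lamer" or "remal" in the subscriber's name or address, and returns whether the request may go to the daemon or should be diverted to the admin's mailbox for a manual look. A second function builds the daily subscriber-change report he mentions. The domain list, the keyword list, the X-Note header and both sample messages are constructed for illustration and are not real traffic.

```python
"""Model of a procmail-style front end for Majordomo subscription requests.

Instead of handing every request straight to the list daemon, the filter
looks for the signals the message above describes and diverts anything
suspicious to the list owner's mailbox.  The domains, keywords and header
marker below are illustrative assumptions, not a real blocklist.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed data: domains the admin has seen only in abusive requests.
SUSPECT_DOMAINS = {"bad.example", "spamhaus.example"}
# Words that, in a subscriber's name or address, have only ever meant spam.
SUSPECT_NAME_WORDS = ("lamer", "remal")
# Header text never seen on a legitimate subscription request.
SUSPECT_HEADER_MARKERS = ("peer crosschecked",)

# Majordomo command syntax in the body: "subscribe <list> [<address>]"
SUBSCRIBE_RE = re.compile(r"^\s*subscribe\s+(\S+)(?:\s+(\S+))?", re.I | re.M)
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def suspicious_name(addr_or_name: str) -> list[str]:
    """Return keyword hits in a display name or in the local part of an address."""
    local = addr_or_name.split("@", 1)[0].lower()
    return [w for w in SUSPECT_NAME_WORDS if w in local]


def classify(raw_message: str) -> tuple[str, list[str]]:
    """Return ("daemon", []) if the request may go to Majordomo, or
    ("divert", reasons) if it should land in the admin's mailbox instead."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons: list[str] = []

    # 1. Known-problem domains anywhere in the Received: trail, not only in
    #    From:, since From: is trivially forged while relay names are stamped
    #    by the MTAs along the way.
    for rcvd in msg.get_all("Received", []):
        for host in sorted(set(h.lower() for h in HOST_RE.findall(rcvd))):
            if any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS):
                reasons.append(f"Received: line mentions {host}")

    # 2. Header text that only the abusive requests have carried so far.
    for name, value in msg.items():
        line = f"{name}: {value}".lower()
        for marker in SUSPECT_HEADER_MARKERS:
            if marker in line:
                reasons.append(f"header contains '{marker}'")

    # 3. Keyword check on the sender's display name and on the address being
    #    subscribed (the command's address argument if given, else the sender).
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for m in SUBSCRIBE_RE.finditer(text):
        target = m.group(2) or from_addr
        for hit in suspicious_name(target):
            reasons.append(f"subscribe target {target} contains '{hit}'")
    for hit in suspicious_name(display_name):
        reasons.append(f"From: display name {display_name!r} contains '{hit}'")

    return ("divert", reasons) if reasons else ("daemon", [])


def change_report(previous, current):
    """Daily subscriber-change report: who appeared, who left, and which new
    names trip the keyword check so the admin can eyeball those first."""
    prev, cur = set(previous), set(current)
    added, removed = sorted(cur - prev), sorted(prev - cur)
    flagged = [a for a in added if suspicious_name(a)]
    return added, removed, flagged


# Constructed sample requests (not real traffic).
GOOD_REQUEST = """\
Received: from mail.example.org (mail.example.org [192.0.2.10]) by lists.example.com with SMTP id abc123; Wed, 2 Apr 1997 11:00:00 -0800
From: Jane Doe <jane@example.org>
To: majordomo@lists.example.com
Subject: subscribe

subscribe hockey-l jane@example.org
"""

BAD_REQUEST = """\
Received: from relay.bad.example (relay.bad.example [192.0.2.77]) by lists.example.com with SMTP id def456; Wed, 2 Apr 1997 11:01:00 -0800
From: Lamer <lamer@example.org>
To: majordomo@lists.example.com
X-Note: peer crosschecked

subscribe hockey-l
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        verdict, why = classify(raw)
        print(label, "->", verdict, why)
    print(change_report(["a@example.org", "b@example.org"],
                        ["b@example.org", "lamer@example.net"]))
```

The verdict is "divert" rather than "reject" on purpose: as Morna points out, a domain filter also catches that domain's legitimate users, so a hit should put the request in front of a human who can forward it on to the daemon, not drop it. Keep the domain and keyword lists short and review the diverted mail regularly, since the patterns drift.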

