Discussion:
Where's this coming from
Conster
2004-10-10 01:13:52 UTC
I don't know if anyone has this problem. I don't use Dave's newsgroup at
all and this is the second time I've gotten this similar email. I'm
using Agent and this is really new. I need to block all email, plus I
don't like the looks of them.

Below shows an example

To: ***@hanmail.net
Subject: (±¤°í)12.46.91.205IP@
From: 10100941<***@yahhh.com>
Date:


Connie
Dave Laird
2004-10-10 05:45:34 UTC
Good evening, Connie...
Post by Conster
I don't know if anyone has this problem. I don't use Dave's newsgroup at
all and this is the second time I've gotten this similar email. I'm
using Agent and this is really new. I need to block all email, plus I
don't like the looks of them.
Well, let's start with the identification of where this message originated:

Registrant:
yahhh (YAHHH-COM-DOM)
Adel Nour El Din Zaki
P O Box 76 Haram Giza Egypt
Giza
Giza, Giza 11211
Egypt
2012 212 9772
202 740 4343
***@yahoo.com

Domain Name: YAHHH.COM

This type of message would be blocked already inside *any* network that
James or I maintain, as it is covered under a policy that governs access
to American networks by foreign domains attempting to foist themselves off
as "American" domains. Since they are in the 209 network, they already are
trashed on every system I maintain, although I cannot speak for James.
Post by Conster
Below shows an example
Now as to hanmail.net, they, too, are "banned" by my firewall, since they
*repeatedly* have refused to answer mail sent to ***@hanmail.net or to
their network NOC.

It is the price you pay for having a cable Internet provider who doesn't
really care what is allowed on their network, AND because you do not run a
tight firewall protecting yourself from these kinds of attacks and frauds.
By the way, the IP 12.46.91.205 is how they ended up in your network link.
It is probably a forgery, and simply gets by your ISP's security, if any,
and thus ends up in your mailbox. Not good. Not good at all.

Dave
--
Dave Laird (***@kharma.net)
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 10/08/2004
Usenet News server: news.kharma.net

An automatic & random thought For the Minute:
Every cloud has a silver lining; you should have sold it, and bought
titanium.
Conster
2004-10-10 07:55:23 UTC
Hello Dave,
Post by Dave Laird
It is the price you pay for having a cable Internet provider who doesn't
really care what is allowed on their network, AND because you do not run a
tight firewall protecting yourself from these kinds of attacks and frauds.
By the way, the IP 12.46.91.205 is how they ended up in your network link.
It is probably a forgery, and simply gets by your ISP's security, if any,
and thus ends up in your mailbox. Not good. Not good at all.
Dave
I don't know about my network provider... well actually I know quite a
bit since you told me, but I don't get this on outlook.. I've been
getting it on the email here on Used-Kharma and I never use my
Used_kharma for any emails - incoming or outgoing... So did it sneak
through your firewalls and all. The reason I ask, is I don't know how
the email that comes through your server works.

Connie.
Dave Laird
2004-10-10 11:53:33 UTC
Good morning, Connie...
Post by Conster
I don't know about my network provider... well actually I know quite a
bit since you told me, but I don't get this on outlook.. I've been
getting it on the email here on Used-Kharma and I never use my
You do not receive e-mail from Kharma, and there is no user account for
you on Kharma, past or present, since the mail server for Kharma exists on
an entirely different server than the Usenet news server to which you are
a subscribed member. Mail and news are two entirely different network
services, Connie, and never the twain shall meet. Since I retain copies
of all mail logs of *all* transactions between my mail server and the
world mail servers for 30 days, and having just completed a thorough
search of the mail logs for the last 30 days this morning, subsequent to
your complaint, I find your statement very questionable.

Since I flat-out ban all connections from the 209 network, which by your
own information, is the source of this message in question, any packet
which came from the 209 network would be dropped summarily, as if it never
existed at all.

There are many other services, other than Usenet news, offered by The Used
Kharma Lot to a very limited number of persons. Most, if not all, of them
require the strenuous use of digital signatures over Secure Socket Layers
connections and I encourage the use of cryptography.

Currently, there are twenty-three persons who have e-mail access through
The Used Kharma Lot mail server, and many of them receive a high volume of
mail traffic. If even *one* of them had reported an instance similar to
what you just described, I would be concerned. However, *no one* with a
current Kharma mail account has received either SPAM, virus or other
questionable bit of traffic that has not been closely and aggressively
investigated in over five years.
Post by Conster
Used_kharma for any emails - incoming or outgoing... So did it sneak
through your firewalls and all. The reason I ask, is I don't know how
the email that comes through your server works.
*Nothing* "sneaks through" my firewall, Connie. Even the most tentative
connections, regardless of how small, are logged. The only services which
Kharma offers, to which you have access, are the news server, which does
not allow mail access by any means. I will not and cannot discuss the true
nature of my mail server in public, although I will send you a message
shortly which explains the network topology in better detail than you are
apparently aware.

Dave
--
Dave Laird (***@kharma.net)
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 10/08/2004
Usenet News server: news.kharma.net

An automatic & random thought For the Minute:
HUGH BEAUMONT died in 1982!!
Jay P Hailey
2004-10-10 14:49:18 UTC
Post by Dave Laird
*Nothing* "sneaks through" my firewall, Connie.
That's right! Dave's Firewall is Big! it's Hairy! it's Manly! it drips
with testosterone. It rapes any spammer that catches its attention
*BECAUSE IT JUST CAN'T STOP ITSELF!*

It's just like that.
--
Jay P Hailey ~Meow!~
MSNIM - jayphailey ;
AIM -jayphailey03;
ICQ - 37959005
HTTP://jayphailey.8m.com

"It cellular peptide cake...with mint frosting." - Worf
Dave Laird
2004-10-10 18:41:12 UTC
Good afternoon, Jay...
Post by Jay P Hailey
Post by Dave Laird
*Nothing* "sneaks through" my firewall, Connie.
That's right! Dave's Firewall is Big! it's Hairy! it's Manly! it drips
with testosterone. It rapes any spammer that catches its attention
*BECAUSE IT JUST CAN'T STOP ITSELF!*
Well, it's not really all that outrageous, although upon occasion, it has
been known to stand upright in the middle of my network and demand more
memory chips for breakfast, and on other occasions, eavesdropping on
messages between Suzie and myself, it often has pithy, rather terse little
side comments about *anything* I have to say.

Then, later, it drops by for coffee and gets really pissy if I don't have
a clean coffee cup for it to use.
Post by Jay P Hailey
It's just like that.
Well, yeah. 8-)

Dave
--
Dave Laird (***@kharma.net)
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 10/08/2004
Usenet News server: news.kharma.net

An automatic & random thought For the Minute:
Rocky's Lemma of Innovation Prevention:
Unless the results are known in advance, funding agencies will
reject the proposal.
James Vahn
2004-10-10 15:48:04 UTC
Post by Conster
I don't know if anyone has this problem. I don't use Dave's newsgroup at
all and this is the second time I've gotten this similar email. I'm
using Agent and this is really new. I need to block all email, plus I
don't like the looks of them.
You've made some bad assumptions... You DO use Dave's newsgroup(s), I've
seen you post in them (like just now), and Usenet news is not a source of
email. Not directly.

The connection between news and spam is that spammers will connect to news
servers and suck in the headers -- which reveal your email address. They do
not generally suck in the body of the message, it would take too long. This
is why people use fake email addresses in their news postings.

Btw, if you haven't noticed, the public news and email system is being
destroyed. Because of the poor security in Windows, Microsoft has even gone
so far as to allow spam networks to exist. Try to find a good online
"port scanner" to periodically check to see that you are not part of one.

http://www.pcflank.com/scanner1.htm

Be very suspicious of "open" ports.
Post by Conster
Below shows an example
I wouldn't bother even looking any of that up -- it's almost certainly
faked. Instead, take a look at the hidden headers which indicate who
connected to your ISP's mail server.

For example, this message claims to be from bellsouth.net ::

Return-Path: <***@bellsouth.net>
From: gladdy <***@bellsouth.net>
Subject: TH0UGHT YOU MlGHT BE |NTERESTED...
<.....>
Received: from rosesite.rose-net.co.ir ([80.191.16.254])
by gonzo.circuit.com (8.13.1/8.13.1/Debian-14) with ESMTP id

But you can clearly see that rosesite.rose-net.co.ir is the actual sender.
Gonzo is mine. Blocking bellsouth would be a mistake, they had nothing to
do with this.

Looking a little further into the header is this gem:

Received: from craggy (218.80.99.246 [218.80.99.246]) by ns.rose-net.co.ir
with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)

That looks to me like rose-net is letting "craggy" send his garbage through.

Now, what can you do about it? Can you set Agent to discard/reject email
based on info in the "Received:" lines? Can you logon to your ISP's mail
server (an MDA like procmail is user configurable) and set it to discard
them? Can you locate the spammers and wring their necks?


--
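
The header check described in the post above, as an added example that is not part of the original thread: it splits the Received: chain at the hop written by your own mail server and compares that hop with the domain claimed in From:. The sample message is constructed from the hosts quoted in the post; the local-part, ids, dates and the `analyse` helper are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread; the
# local-part, ids and dates are placeholders, not values from the post.
RAW = """\
Return-Path: <user@bellsouth.net>
Received: from rosesite.rose-net.co.ir ([80.191.16.254])
\tby gonzo.circuit.com (8.13.1/8.13.1/Debian-14) with ESMTP id EXAMPLE1;
\tSun, 10 Oct 2004 08:00:00 -0700
Received: from craggy (218.80.99.246 [218.80.99.246]) by ns.rose-net.co.ir
\twith SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
\tid EXAMPLE2; Sun, 10 Oct 2004 18:29:00 +0330
From: gladdy <user@bellsouth.net>
Subject: TH0UGHT YOU MlGHT BE |NTERESTED...

(body omitted)
"""

# "from HELO ([ip])" (sendmail) or "from HELO (name [ip])", then "by HOST".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)")

def analyse(raw, my_mta):
    """Split the Received chain at the hop written by our own mail server."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):   # newest hop first
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(m.groupdict())
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    idx = next((i for i, h in enumerate(hops) if h["by"].lower() == my_mta), None)
    if idx is None:   # no hop we wrote ourselves: every line is unverified
        return {"claimed_domain": claimed, "peer_ip": None, "peer_helo": None,
                "from_matches_peer": False, "unverified_hops": [h["ip"] for h in hops]}
    peer = hops[idx]
    helo = peer["helo"].lower()
    return {
        "claimed_domain": claimed,
        "peer_ip": peer["ip"],          # address our server saw connect
        "peer_helo": peer["helo"],      # sender-supplied name, informational
        "from_matches_peer": helo == claimed or helo.endswith("." + claimed),
        "unverified_hops": [h["ip"] for h in hops[idx + 1:]],  # may be forged
    }
```

Calling `analyse(RAW, "gonzo.circuit.com")` reports the connecting peer rather than the From: domain, which is the value a Received:-based filter rule should key on.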
Conster
2004-10-11 04:59:20 UTC
Hello Dave,

On Sun, 10 Oct 2004 15:48:04 +0000 (UTC), James Vahn
Post by James Vahn
Post by Conster
I don't know if anyone has this problem. I don't use Dave's newsgroup at
all and this is the second time I've gotten this similar email. I'm
using Agent and this is really new. I need to block all email, plus I
don't like the looks of them.
You've made some bad assumptions... You DO use Dave's newsgroup(s), I've
seen you post in them (like just now), and Usenet news is not a source of
email. Not directly.
It was called a typo of sorts, I meant to type used_kharma email, not
newsgroups.

Connie
James Vahn
2004-10-11 13:30:42 UTC
Post by Conster
It was called a typo of sorts, I meant to type used_kharma email, not
newsgroups.
What?! For pete's sake, it's going to take days to get this mess
sorted out. Holy cow, lady! ;-)



--
