Header analysis [Was: Re: How to avoid s p lit up wor ds?]

Nick Simicich njs at scifi.squawk.com
Tue Jan 21 21:21:09 CET 2003


At 06:08 AM 2003-01-21 -0800, Zack Brown wrote:
>A single-key-press complaint to the ISP and/or whatever authority there
>may be out there, would be cool. Has anyone implemented something that
>automatically analyzes the headers and determines the proper email
>addresses to complain to?

I believe that the best out there is SpamCop.  It is also being tuned all 
the time, depends on a number of external sources for information, 
etc.  For example, if a piece of mail is traced to an open proxy, it stops 
doing further analysis, but that requires that it trust an external proxy 
database.

>Actually, my understanding has been that sophisticated header munging is
>too difficult to detect automatically. Is that actually the case?

There are a number of things you can do.  The real question is, "is it 
possible to construct a header that makes it look like you are an open 
relay as opposed to the spam origin?"  Yes, certainly, but then you have the 
question of why and how two open relays were used.  The flip side of this 
is that people will make a proxy look like an open relay.  You really 
cannot make the machine address of the proxy go away, because that is 
applied by the next machine in sequence.  So the best you can do is to try 
and make the proxy look like it is running the ratware, or, alternatively, 
like it is just an SMTP open proxy with a valid chain to someone you are 
joe-jobbing.  The only reason to do that is because you have a good proxy 
you do not want to lose, or because you have someone you dislike who you 
want the complaints to go to.

I have been using SpamCop for quite a while.  It was seriously slow for a 
while, then it improved.  Someone joe-jobbed me once, and the reality was 
that between 1 in 5 and 1 in 10 complaints do not use SpamCop. That is, by 
far, most spam complaints do use SpamCop.

--
SPAM: Trademark for spiced, chopped ham manufactured by Hormel.
spam: Unsolicited, Bulk E-mail, where e-mail can be interpreted generally
to mean electronic messages designed to be read by an individual, and it
can include Usenet, SMS, AIM, etc.  But if it is not all three of Unsolicited,
Bulk, and E-mail, it simply is not spam. Misusing the term plays into the
hands of the spammers, since it causes confusion, and spammers thrive on
confusion.  If you were not confused, would you patronize a spammer?
Nick Simicich - njs at scifi.squawk.com - http://scifi.squawk.com/njs.html
Stop by and light up the world!
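The point made above, that the address of the machine that connected to you is stamped by the next hop and so cannot be forged while everything below it can be, is what a header tracer relies on. The following Python script is an added illustration of that walk; it is not code from this post, from SpamCop, or from bogofilter. It assumes two hypothetical MTAs of our own (mx.example.org and mail.example.org on 192.0.2.0/24) and a constructed three-hop message whose bottom Received line is under the sender's control.

```python
import ipaddress
import re
from email import message_from_string

# Assumed: the MTAs we operate and the network they live on.  Only Received
# headers stamped "by" these hosts are trustworthy.
TRUSTED_MTAS = {"mx.example.org", "mail.example.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# "from <helo> (<rdns> [<ip>]) ... by <host>" -- the common Received layout.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Return (helo_name, connecting_ip, by_host) for one Received header, or None."""
    value = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = None
    ipm = IP_RE.search(m.group("paren") or "")
    if ipm:
        try:
            ip = str(ipaddress.ip_address(ipm.group("ip")))
        except ValueError:
            ip = None                        # junk inside the brackets
    return m.group("helo"), ip, m.group("by").rstrip(";").lower()


def find_injection_point(raw_message, trusted_mtas=TRUSTED_MTAS, trusted_nets=TRUSTED_NETS):
    """Walk Received headers top-down (newest first).

    Returns (injection_ip, unverifiable_hops): the IP that handed the mail to
    our last trusted MTA, and the parsed hops below it, which were written by
    machines the sender controls and may say anything at all.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        if hop is None:
            return None, hops[i:]            # unparseable header: stop here
        _helo, ip, by = hop
        if by not in trusted_mtas:
            return None, hops[i:]            # not stamped by us: chain already broken
        if ip is None:
            return None, hops[i + 1:]        # our MTA did not record the peer address
        if any(ipaddress.ip_address(ip) in net for net in trusted_nets):
            continue                         # internal relay-to-relay hop, keep walking
        return ip, hops[i + 1:]              # first external peer: the complaint target
    return None, []


# Constructed sample: our two MTAs on top, an external proxy in the middle,
# and a bottom line the proxy "claims" about an innocent third party.
SAMPLE = "\n".join([
    "Received: from mail.example.org ([192.0.2.10])",
    "\tby mx.example.org with ESMTP; Tue, 21 Jan 2003 21:00:00 +0100",
    "Received: from proxyhost.example.net ([203.0.113.5])",
    "\tby mail.example.org with SMTP; Tue, 21 Jan 2003 20:59:58 +0100",
    "Received: from relay.victim.example ([198.51.100.7])",
    "\tby proxyhost.example.net; Tue, 21 Jan 2003 20:59:50 +0100",
    "From: someone@example.net",
    "Subject: constructed test message",
    "",
    "body",
    "",
])

if __name__ == "__main__":
    ip, below = find_injection_point(SAMPLE)
    print("injection point:", ip)                       # 203.0.113.5
    print("unverifiable hops below it:", len(below))    # 1
```

The hop returned is the one a complaint should be directed at; the line naming relay.victim.example is exactly the kind of header the post warns about, so it is reported as unverifiable rather than treated as evidence against that host.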



More information about the Bogofilter mailing list