But there's a problem (note the first sentence of this
post): the software sends a complain about every URL
it finds in body and headers of the original spam.
*Including* the text added by eg SpamAssassin --
  X-Spam: listed in dsbl, http://dsbl.org/listing?127.0.0.2

So, now dsbl.org, cbl.abuseat.org, spamhaus.org, sorbs.net,
spamcop.net and so on and the like are all spamvertisied
sites, snd the software complains to both the "site owner"
and its upstream, using the whois information.  Voila,
go figure, all great spammer.

For example, dsbl.org got several 100s of complaints that
way from all over the world in a single day.  CBL is getting
those too.  Etc.

But that's not all the story obviously, or else the Subject
will be different.  Simply fix the bug and be done with it,
not a big deal really.  But the author isn't that "simple".

Several people notified him using email.  Several posts has
been made on the support forum.  Guess what?

He just deletes the "bad" posts in the support forum, continues
making new versions without fixing the problem, and leaves
only "thank you" messags on his forum.  There where several
posts by me, by Rik van Riel (several attemts), by others --
all gone in a few minutes...

There are several other probs with the software obviously
(look closely at the sample report below -- some characters
are missing -- eg right after the ===SMTP START== (what's
SMTP here, btw?), you'll find "evel: ***" header which
probably was "spam-level:"; and at the very end, there's
a spamX version number -- supposed to be full name of the
software with version and the url...)

So just ask yourself: is such behaviour a good one?  Do you
want to use such a software from SUCH an author?  I for one
don't want to deal with him...

/mjt

Sample report follows, with some @'s replaced with [X]'s.

Subject: EMail Abuse Complaint 8/01/05 13:24:28
From: ako...@newsguy.com
Date: Sat, 8 Jan 2005 13:28:38 -0600
To: ADMIN[X]DSBL.ORG, ABUSE[X]TACONIC.NET, SSRADMIN[X]TELMEX.COM, IPS-ADM[X]UNINET.NET.MX, LEGAL[X]NIC.MX, DOMINIOS[X]TELMEX.COM, ABUSE[X]UNINET.NET.MX, POSTMASTER[X]UNINET.NET.MX, ABUSE[X]NIC.MX

I believe this email either originated from your domain, your domain was involved in it's delivery, or you are the victim of a spammer abusing your domain.  All of the information is included for you to take action.

Here is the SMTP information.

IP Address(es) traced through 201.128.81.77 - 248.104.212.196 -

Spamvertized Domain(s) DSBL.ORG -

Domain(s) traced through UNINET.NET.MX -

Abuse address(es) traced to ADMIN[X]DSBL.ORG - ABUSE[X]TACONIC.NET - SSRADMIN[X]TELMEX.COM - IPS-ADM[X]UNINET.NET.MX - LEGAL[X]NIC.MX - DOMINIOS[X]TELMEX.COM - ABUSE[X]UNINET.NET.MX - POSTMASTER[X]UNINET.NET.MX - ABUSE[X]NIC.MX -

== SMTP Start ==========
evel: ********************
X-Spam-Status: Yes, score=20.3 required=7.0 tests=BAYES_99,HELO_DYNAMIC_DHCP,
        HELO_DYNAMIC_IPADDR,HTML_40_50,HTML_MESSAGE,RCVD_ILLEGAL_IP,
        RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_SORBS_HTTP,
        RCVD_IN_SORBS_MISC,RCVD_IN_XBL,URIBL_SBL,URIBL_WS_SURBL
        autolearn=spam version=3.0.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_41DEEB14.3691D71D"
X-MailScanner-Information: This email message has been scanned for viruses
X-MailScanner-HostGo: Found to be clean

  Payyless fOr Wnd0ws 2ooo Server
Sender: "Elisabeth Lam" <ygemdtrc...@sofcom.com.au>
Message-ID: <364459645216.EBN69...@lucrative.goodgirlz.com>
MIME-Version: 1.0
Content-Type: multipart/related;
          boundary="Java.FBWWO.57978303078977925"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <1797928@MPQMG>
X-Mailer: Microsoft Outlook Express  6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
X-MailScanner-Information: This email message has been scanned for viruses
X-MailScanner-HostGo: Found to be clean
X-Spam-Exim: pCWyj5_c7Tvvutm9wqHEleW6

This is a multi-part message in MIME format.

--Java.FBWWO.57978303078977925
Content-Type: multipart/alternative;
         boundary="Java.EVBYR.9139572339837257858"

--Java.EVBYR.9139572339837257858
Content-Type: text/plain;
         charset="us-ascii"
Content-Transfer-Encoding: 7bit

Minnesota, which can clinch a wild-card
playoff spot with a loss by either Carolina or St. Louis this weekend, appeared on
its way to retaking the lead. But a holding penalty on Birk -- the Vikings were
flagged nine times for 78 yards -- wiped out a 16-yard run by Michael Bennett that
would have given them the ball at the Green Bay 40 just before the 2-minute warning.

--Java.EVBYR.9139572339837257858
Content-Type: text/html;
         chars

This is a multi-part message in MIME format.

------------=_41DEEB14.3691D71D
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "rome.hostgo.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Minnesota, which can clinch a wild-card playoff spot
   with a loss by either Carolina or St. Louis this weekend, appeared on
   its way to retaking the lead. But a holding penalty on Birk -- the
   Vikings were flagged nine times for 78 yards -- wiped out a 16-yard
   run by Michael Bennett that would have given them the ball at the
   Green Bay 40 just before the 2-minute warning. [...]

Content analysis details:   (20.3 points, 7.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  4.4 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
  1.2 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)
  0.9 RCVD_ILLEGAL_IP        Received: contains illegal IP address
  1.9 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.0000]
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 HTML_40_50             BODY: Message is 40% to 50% HTML
  0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                             [201.128.81.77 listed in combined.njabl.org]
  0.3 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
                             [201.128.81.77 listed in dnsbl.sorbs.net]
  0.0 RCVD_IN_SORBS_HTTP     RBL: SORBS: sender is open HTTP proxy server
                             [201.128.81.77 listed in dnsbl.sorbs.net]
  3.8 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                             [<http://dsbl.org/listing?201.128.81.77>]
  3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                             [201.128.81.77 listed in sbl-xbl.spamhaus.org]
  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                             [201.128.81.77 listed in dnsbl.sorbs.net]
  1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                             [URIs: goforthesoft.info]
  1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                             [URIs: goforthesoft.info]

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

------------=_41DEEB14.3691D71D
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from [201.128.81.77] (helo=dsl-201-128-81-77.prod-infinitum.com.mx)
        by rome.hostgo.com with smtp (Exim 4.43)
        id 1Cn0KL-0007W8-JW
        for adr...@bekolite.com; Fri, 07 Jan 2005 15:03:22 -0500
Received: from afterthought.adres.nl ([248.174.119.38])
  by brenda.adres.nl (Sun Java System Messaging Server 6.1 HotFix 0.03 (built
  Aug 25 2004)) with ESMTP id <0Q9R00WS387F...@brenda.adres.nl> for
  adr...@bekolite.com; Fri, 07 Jan 2005 13:50:29 -0600 (IST)
Received: from lucrative.goodgirlz.com ([248.104.212.196])
  by afterthought.adres.nl
  (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Aug 29 2004))
  with ESMTP id <0C5V00LX647I...@afterthought.adres.nl> for adr...@bekolite.com
  (ORCPT adr...@bekolite.com); Fri, 07 Jan 2005 21:55:29 +0200 (IST)
Date: Fri, 07 Jan 2005 17:58:29 -0200
From: "Elisabeth Lam" <ygemdtrc...@sofcom.com.au>
To: <adr...@bekolite.com>
Subject: Payyless fOr Wnd0ws 2ooo Server
Sender: "Elisabeth Lam" <ygemdtrc...@sofcom.com.au>
Message-ID: <364459645216.EBN69...@lucrative.goodgirlz.com>
MIME-Version: 1.0
Content-Type: multipart/related;
          boundary="Java.FBWWO.57978303078977925"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <1797928@MPQMG>
X-Mailer: Microsoft Outlook Express  6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
X-MailScanner-Information: This email message has been scanned for viruses
X-MailScanner-HostGo: Found to be clean
X-Spam-Exim: pCWyj5_c7Tvvutm9wqHEleW6

This is a multi-part message in MIME format.

--Java.FBWWO.57978303078977925
Content-Type: ...

read more »

--
We have heard rumors that an anti is in here.
That actual posts from here have ended up on
shiksas posts elswhere. Who is the rat bastard!!!
 -paranoid spammer Dec-19-03, 03:40 PM (EST)

http://www.versiontracker.com/dyn/moreinfo/win/35346

--Mike

This would appear to be just another chickenboner that couldn't make it
selling his "FFA Email List Management software" so that we all could
"...do your own bulk Email!"

<
http://64.233.167.104/search?q=cache:YT13dnTzpegJ:www.arnes.si/news/a...
 >

Wayback machine also points out;
Nov 09, 2000: "Get our FFA MS-Excel based Email list processor to
automate the process of sending out your FFA Email advertisements!"

Apr 02, 2001: "Get Over 11000 Email Addresses!"

SgtChains

http://exspam.surriel.com/

--
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan

Well, if you're using Postfix, and it's compiled with PCRE support:

/etc/postfix/main.cf:
    header_checks = pcre:/etc/postfix/header_checks

/etc/postfix/header_checks:
    /^Subject: EMail Abuse Complaint (\d{1,2}\/){2}\d{1,2}\s+(\d{1,2}:){2}\d/ REJECT

Should do the trick.  (Sorry for the long line.)

Personally, I think I'd be more prone to toss such things at the
spam db and let 'em be blocklisted.  Abuse is abuse, ya know...

--
Jim Seymour                          | "Some of the lies are so strange it
WARNING: The "From:" address is a    |  makes you wonder about the spammer's
spam trap.  DON'T USE IT!  Use:      |  sanity."
jseym...@LinxNet.com                 |   - Ed Foster, "The Gripe Line" 6/24/02

He said (on his own proposal, not mine!) that he would whitelist our
address range from future versions of the software.  Since then I
haven't gotten any further erroneous complaints from his users, and I'm
a bit ashamed to say I didn't follow the matter any further.

A Google search revealed that Sp@mX is listed prominently on a number of
"downloads" sites, including Apple's.  In penance for getting
whitelisted, I've just sent Apple a request that it be removed,
referencing Rik van Riel's Web page and this thread.

--
Karl A. Krueger <kkrue...@example.edu> { s/example/whoi/ }

Every program has at least one bug and can be shortened by at least one line.
By induction, every program can be reduced to one line which does not work.

snip

And if anyone needs a sendmail filer for a hard bounce during smtp chat,
there's plenty of fodder on the web, or I'll post my ugly hack.

http://www.hendricom.com/forums/index.php?showtopic=440

--
***************************************************
I killfile anyone who responds to Jamie or Moris.
If I don't see your response, that's probably why.
***************************************************

I sent the following email to my customers this morning -
Some email filtering software like SpamAssassin, embeds URLs in the
SMTP header pointing to the site of the reporting source.
Sp@mX is picking up these URLs and reporting them, which is frustrating
the admins at these domains.
There is a link to the message board that will be updated as needed to
list these domains.
http://www.hendricom.com/forums/index.php?showtopic=440
Can you please add the following entries to your donotsend list?
spamhaus.org
dsbl.org
spamcop.net
sorbs.net
email.com
ordb.org
blitzed.org
abuseat.org
We're on version 3.1.8, which is looking good with almost all of the
bug reports closed.  If you download the entire package, please
remember to backup your configuration files!  You can download it here:
http://www.hendricom.com/forums/index.php?showtopic=427

Also, starting this morning, the software ships with this donotsend
list as default.

This problem should clear up quickly, and I apologize for any
inconvenience caused.

Ok, now go ahead and abuse me....

--
rizlernet [5:34 PM]:  ok you are calling me a scumbag
rizlernet [5:34 PM]:  but im really not mailing
Shiksaa [5:34 PM]:  why, yes i am. you are a scumbag
rizlernet [5:34 PM]:  well mabe but im NOT mailing

--
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan

Your product will be abusive, and cause us to block the users of it, as
long as it tries unsuccessfully to parse headers for mail routing
information upon which to base reports.  For all practical purposes,
automatically telling the difference between legitimate headers and
spammer forgeries is an insoluble problem.  You certainly haven't
solved it...

Remove that header parsing misfeature from your product as well, and we
won't have to block users of your stuff.

Thanks!

Richard

--
To reply via email, make sure you don't enter the whirlpool on river left.

My mailbox. My property. My personal space. My rules. Deal with it.
                        http://www.river.com/users/share/cluetrain/

Richard

--
To reply via email, make sure you don't enter the whirlpool on river left.

My mailbox. My property. My personal space. My rules. Deal with it.
                        http://www.river.com/users/share/cluetrain/

So, I warned the idiot to stop, and instead of not using the
program anymore until the fix was released, he used it again and
again, over and over, until we had at least 100 of them from him
over several days.

So, we've adopted the new policy here of blocking the mail servers
of the users who do this until their provider either 1) forces them
to stop using the tool, 2) terminates their dumbasses, 3) imparts a
clue somehow.

Yes, I know this is rather extreme, but this falls within the
definition of abuse, which is what the AHBL covers.  They are being
listed under the SOS category so that only the people who have
decided to use our extremely agressive policies will block them.

--
Brian Bruns
Founder, The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The Abusive Hosts Blocking List - DNSbl
http://www.ahbl.org

However,

I only have my subspions as to why Thunderbird picked "KOI8-R" over my
default settings of "ISO-8859-1"...  My best guess at this point is
because the post I was resonding to was set to "KOI8-R"...

I'll try to keep an eye out for it in the future...  But, it doesn't
seem to flag the change very well.

SgtChains

http://www.versiontracker.com/php/feedback/article.php?story=20050108...
50140#comments

--Mike

When producing a commercial application, did you consider that perhaps you
should be running those lookup servers and not raping the antispam
community for your own gain? Did you, perhaps, consider using a less
intensive protocol like whois or dns to do your queries? Do you have plans
to compensate MAPS for providing the basis of your product?

~Empty

--
"You are not special. You are not a beautiful or unique snowflake.
You are the same decaying organic matter as everything else."
        -Tyler Durden, Fight Club
http://www.emptiedout.com

--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003

There are a lot of anti-spam, anti-virus experts selling expensive
services consisting of white boxes running Linux, SpamAssassin,
MIMEdefang, and dccproc.  I'd have no reaction to that besides contempt
for the laziness of the suckers who buy the service instead of building
it themselves and for the technically incomptent entrepreneurs who use
dccproc instead of dccifd except for one thing.  The DCC as well as
the other code they use is open source, and in my view that means they
can do whatever they want with it including selling it without even
thanking the people who wrote the code.

Dccproc is the low performance client interface to the DCC.  It is
intended to be executed in series or by procmail or similar, and
hence its name.  It's low performance because it involves various
start-up costs for every delivery of every message.  Dccifd is a
daemon that avoids the start-up costs.  At less than msg/second or
100K msgs/day, those start-up costs don't matter, but I think they
should matter at higher loads.

That one thing that changes my reaction is that essentially all of
these entrepreneurs don't bother to run their own DCC servers.  The
ridiculously high (considering their cost of goods) monthly fees give
their customers generally misconfigured systems set to use the CPU
cycles, bandwidth, disk space, and human administration time of the
operators of the public DCC servers.  I think that is theft.

Then there are the outfits that not only ship systems that bang on the
public DCC servers, but also use perverted versions of the DCC client
code to send bogus requests that cause the DCC servers to complain in
their system logs, and continue to do that through multiple system
releases despite my nagging.  Speaking of Barracuda Networks, also see
http://www.rhyolite.com/anti-spam/objections/mperone.html

Part of what bugs me is that I have no ideas for distinguishing the
boxes of the thieves among the perhaps 50,000 small DCC clients.  I
only discover them when I write one of their larger customers that is
triggering the DCC server rate limiting or that is sending several
100K useless requests/day thanks to misconfigured firewalls, and the
luser says "What's the DCC?  I'm using an Acme Spam and Virus Filter."

Vernon Schryver    v...@rhyolite.com

I'd be tempted to feed them (mild) poison data.  Let them complain to Acme.

--
Ron Sharp.