
SMTP id question [was : Re: NET-ABUSER CAUGHT IN OWN SPAM-TRAP!!! :-) (fwd)]


Uri Raz

Sep 9, 1997, 3:00:00 AM9/9/97

David Bromage (dbro...@metz.une.edu.au) wrote:
>
> The ones I was sent all got caught by the following procmail recipe:
>
> :0
> *.*\(8\.8\.5/8\.6\.5\) with SMTP id GAA0
> {
> EXITCODE = 77
> :0
> /dev/null
> }
>
> This is the signature of one of the spam engines.
>
What's the meaning of the SMTP id (the GAA0 part)?

--
+---------+---------------------------+-------+-----+-----+
| Uri Raz | mailto:ur...@iil.intel.com | Noire | :-) | :-( |
| All opinions are mine. Others may share them. |
+---------------------------------------------------------+

Paul Tomblin

Sep 9, 1997, 3:00:00 AM9/9/97

In a previous article, SpamBait@[127.0.0.1] said:

>>David Bromage (dbro...@metz.une.edu.au) wrote:
>>> :0
>>> *.*\(8\.8\.5/8\.6\.5\) with SMTP id GAA0
>>> {
>>> EXITCODE = 77
>>> :0
>>> /dev/null
>>> }
>>>
>>> This is the signature of one of the spam engines.
>>>
>> What's the meaning of the SMTP id (the GAA0 part)?
>
>It is invalid and is a mark of one of the "stealth mailer" (s).
>That particular also always in the same Received header puts EST of
>-0600.

GAA0 is invalid? Since when? A quick grep over my mail folders shows that
both of my ISPs, my home machine, and two companies that I used to work for
all generate email with "GAA0" in the id string. I assure you it's not spam.

Here are some examples:
:Received: from info (localhost.kodak.com [127.0.0.1]) by info.kodak.com
(8.8.5/8.8.3) with SMTP id GAA06892; Wed, 9 Jul 1997 06:25:24 -0400 (EDT)

:Received: from info (localhost.kodak.com [127.0.0.1]) by info.kodak.com
(8.8.5/8.8.3) with SMTP id GAA06836; Wed, 9 Jul 1997 06:11:30 -0400 (EDT)

:Received: by posse.ekfido.Kodak.COM (940816.SGI.8.6.9) id GAA07080; Mon, 7 Aug
1995 06:47:23 -0400

:Received: from dial27.probe.net (dial27.probe.net [206.28.166.27]) by
elwood.probe.net (8.6.12/8.6.10) with SMTP id GAA01409 for
<ptom...@xcski.com>; Fri, 19 Apr 1996 06:42:09 -0500

:Received: from sunpub.com (NS.FINPOST.COM [205.210.170.48]) by xcski.com
(8.7.5/8.7.3) with ESMTP id GAA09712 for <ptom...@xcski.com>; Thu, 19 Dec
1996 06:20:49 -0500

--
Paul Tomblin, Current Product Engineering team leader.
I don't speak for Kodak, they don't speak for me.
(Email that is not work related should go to: ptom...@xcski.com)
"You are in a twisty maze of Motif Widget resources, all inconsistent."

si...@msh.xs4all.nl

Sep 10, 1997, 3:00:00 AM9/10/97

In article <mqpvqil...@orangutan.cv.nrao.edu>,
<pmurphy+usenet@nrTOG-E_SEO-AMACHao.edu> wrote:

>ur...@iil.intel.com (Uri Raz) writes:
>
>> David Bromage (dbro...@metz.une.edu.au) wrote:
>> >
>> > The ones I was sent all got caught by the following procmail recipe:
>> >
>> > :0
>> > *.*\(8\.8\.5/8\.6\.5\) with SMTP id GAA0
>> > {
>> > EXITCODE = 77
>> > :0
>> > /dev/null
>> > }
>> >
>> > This is the signature of one of the spam engines.
>> >
>> What's the meaning of the SMTP id (the GAA0 part)?
>
>Sendmail assigns a quasi-unique identifier to each message it receives.
>With certain versions, these consist of a single letter followed by AA,
>AB, etc. and a 5-digit number; this number is often the process ID of the
>instance of sendmail that handles the message, and on most systems
>recycles before getting to 32k.

That's right, and according to the bat book all emails generated after 6
but before 7 am have this "G" as the first letter of the identifier...

[rest deleted for brevity]

CU, Sico.

Hugh McIntyre

Sep 10, 1997, 3:00:00 AM9/10/97

In article <5v406t$o...@apollo.ei.kodak.com>, tom...@ei.kodak.com (Paul Tomblin) writes:
|> In a previous article, SpamBait@[127.0.0.1] said:
|> >>David Bromage (dbro...@metz.une.edu.au) wrote:
|> >
|> >> What's the meaning of the SMTP id (the GAA0 part)?
|> >
|> >It is invalid and is a mark of one of the "stealth mailer" (s).
|> >That particular also always in the same Received header puts EST of
|> >-0600.
|>
|> GAA0 is invalid? Since when? A quick grep over my mail folders shows that
|> both of my ISPs, my home machine, and two companies that I used to work for
|> all generate email with "GAA0" in the id string. I assure you it's not spam.
|>
|> Here are some examples:
|> :Received: from info (localhost.kodak.com [127.0.0.1]) by info.kodak.com
|> (8.8.5/8.8.3) with SMTP id GAA06892; Wed, 9 Jul 1997 06:25:24 -0400 (EDT)

Examination of the sendmail source code shows that the SMTP id is formed as
follows (at least for 8.8.5 and 8.8.7). In the example above (GAA06892):

G = 'A' plus the number of hours since midnight localtime.
AA = Normally "AA"; will change if needed for a unique ID.
06892 = the process ID of the sendmail process.

So on a Unix system, 1/3 of all mail received between 6:00 and 6:59am
is likely to match "SMTP id GAA0", and maybe more. Therefore this looks
like a dubious spam trap.

Although it's true (looking through my incoming mail backup) that most mail
matching this ID is spam, and also that using time of day and/or
weekend/weekday for probability-based filtering could be productive, several
real mail messages and one mailing list also came up with matches.

Hugh.

--
| Hugh McIntyre -- Hugh.M...@Eng.Sun.COM |
| SRAM Design, Sun Microelectronics, Sun Microsystems, Inc. |
| Speaking for myself, not for Sun Microsystems. |

Howard Eisenberger

Sep 10, 1997, 3:00:00 AM9/10/97

Hugh McIntyre (hu...@Eng.Sun.COM) writes:
>
> Examination of the sendmail source code shows that the SMTP id is formed as
> follows (at least for 8.8.5 and 8.8.7). In the example above (GAA06892):
>
> G = 'A' plus the number of hours since midnight localtime.
> AA = Normally "AA"; will change if needed for a unique ID.
> 06892 = the process ID of the sendmail process.
>
> So on a Unix system, 1/3 of all mail received between 6:00 and 6:59am
> is likely to match "SMTP id GAA0", and maybe more. Therefore this looks
> like a dubious spam trap.

However, the "-0600 (EST)" part of the bogus header seems less dubious.

si...@msh.xs4all.nl

Sep 10, 1997, 3:00:00 AM9/10/97

========= WAS CANCELLED BY =======:
Path: ...!btnet-feed2!btnet!mithras.relay.co.uk!cyberwhiner!perfectly-propagating-posts-per-poopy-pants
From: edg...@tropicads.an
Newsgroups: news.admin.net-abuse.email
Subject: cmsg cancel <5v4prt$8jq$1...@news2.xs4all.nl>
Control: cancel <5v4prt$8jq$1...@news2.xs4all.nl>
Date: 10 Sep 1997 17:21:03 GMT
Organization: Crislewis, Inc.
Lines: 2
Sender: si...@msh.xs4all.nl
Approved: edg...@tropicads.an
Message-ID: <cancel.5v4prt$8jq$1...@news2.xs4all.nl>
NNTP-Posting-Host: 206.133.64.34
X-Cancelled-By: edg...@tropicads.an
X-No-Archive: Yes
X-Cancelbot: UCE - Usenet Cancel Engine
X-URL: http://www.softwaredesigners.com
X-Commentary: Whiners are bad. Whining is lame
X-Thanks-To-Andrew-For-Reporting-Propagation-Bug: Thanks, dude. You rule.


The article was canceled on 9/10/97 at 1:25:08 PM with the Usenet Cancel Engine (UCE).

Scott R. Keszler

Sep 11, 1997, 3:00:00 AM9/11/97

In article <5v4u58$2h8$1...@engnews2.Eng.Sun.COM>,

hu...@Eng.Sun.COM (Hugh McIntyre) wrote:
}Examination of the sendmail source code shows that the SMTP id is formed as
}follows (at least for 8.8.5 and 8.8.7). In the example above (GAA06892):
}
} G = 'A' plus the number of hours since midnight localtime.
} AA = Normally "AA"; will change if needed for a unique ID.
} 06892 = the process ID of the sendmail process.
}
}So on a Unix system, 1/3 of all mail received between 6:00 and 6:59am
}is likely to match "SMTP id GAA0", and maybe more. Therefore this looks
}like a dubious spam trap.

Exactly. And the sendmail version string 8.8.5/8.6.5 is also in use at some
sites - rrnet being one of them. Anyone filtering for that version and an
SMTP id beginning with GAA0 is likely to trap any email I send in the hour
of 6 am.

A far more reliable filter for the same Received: header is the -0600 (EST)
timezone stamp. The updated version of the same stealth mailer uses an SMTP id
beginning with XAA0 (also valid, for 23:00-23:59) and a timezone stamp of
-0700 (EDT) which is also not correct. EST is -0500, EDT is -0400.

To filter that "stealth" mailer, filter for '-0600 (EST)' and '-0700 (EDT)'.
Filtering on the sendmail version and/or SMTP id *will* result in false
positives. Filtering on the invalid timezones will not.


--
Dead Hard Drives make great clocks: http://rrnet.com/~keszler/hddclock.html
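Pulling together Hugh McIntyre's breakdown of the queue id and Scott Keszler's timezone check, here is an added example (not code from the thread) that decodes the id and flags the offset/zone-name pairs that cannot occur. The sample headers are the three Paul Tomblin quoted plus two constructed forgeries; the example.invalid hosts and addresses are placeholders.

```python
import re

# Constructed sample Received lines. The first three are the ones Paul Tomblin
# quoted earlier in the thread (recipient address replaced with a placeholder);
# the last two are constructed to mimic the forged stamps Scott Keszler describes
# (EST claimed with a -0600 offset, EDT with -0700).
SAMPLE_RECEIVED = [
    "from info (localhost.kodak.com [127.0.0.1]) by info.kodak.com (8.8.5/8.8.3) with SMTP id GAA06892; Wed, 9 Jul 1997 06:25:24 -0400 (EDT)",
    "from dial27.probe.net (dial27.probe.net [206.28.166.27]) by elwood.probe.net (8.6.12/8.6.10) with SMTP id GAA01409 for <user@example.invalid>; Fri, 19 Apr 1996 06:42:09 -0500",
    "from sunpub.com (NS.FINPOST.COM [205.210.170.48]) by xcski.com (8.7.5/8.7.3) with ESMTP id GAA09712 for <user@example.invalid>; Thu, 19 Dec 1996 06:20:49 -0500",
    "from mail.example.invalid (mail.example.invalid [192.0.2.10]) by relay.example.invalid (8.8.5/8.6.5) with SMTP id GAA01234; Wed, 10 Sep 1997 06:10:00 -0600 (EST)",
    "from mail.example.invalid (mail.example.invalid [192.0.2.10]) by relay.example.invalid (8.8.5/8.6.5) with SMTP id XAA00017; Wed, 10 Sep 1997 23:10:00 -0700 (EDT)",
]

# Correct numeric offsets for the zone abbreviations the thread discusses.
ZONE_OFFSETS = {"EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500"}

QUEUE_ID_RE = re.compile(r"\bid ([A-X])([A-Z]{2})(\d{5})\b")
STAMP_RE = re.compile(r"([+-]\d{4})(?: \(([A-Z]{3,4})\))?\s*$")

def decode_queue_id(received):
    """Split a sendmail 8.x queue id into (hour, sequence letters, pid)."""
    m = QUEUE_ID_RE.search(received)
    if not m:
        return None
    hour = ord(m.group(1)) - ord("A")  # 'A' is 00:xx localtime, 'G' 06:xx, 'X' 23:xx
    return hour, m.group(2), int(m.group(3))

def timezone_mismatch(received):
    """Return (offset, zone) when the numeric offset contradicts the zone name, else None."""
    m = STAMP_RE.search(received)
    offset, zone = m.groups() if m else (None, None)
    if zone not in ZONE_OFFSETS:
        return None  # no zone name, or one we have no reference offset for
    return (offset, zone) if ZONE_OFFSETS[zone] != offset else None

def triage(received):
    """Score one Received line: the queue-id trap fires on legitimate 06:xx mail
    with a pid below 10000; the impossible timezone stamp is the reliable signal."""
    qid = decode_queue_id(received)
    trap = qid is not None and qid[0] == 6 and qid[1] == "AA" and qid[2] < 10000
    return {
        "queue_hour": None if qid is None else qid[0],
        "matches_GAA0_trap": trap,  # the "SMTP id GAA0" recipe, version string ignored
        "forged_timezone": timezone_mismatch(received) is not None,
    }
```

All three genuine headers trip the GAA0 test while only the two forgeries trip the timezone test, which is the false-positive argument made in the thread.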

Scott R. Keszler

Sep 11, 1997, 3:00:00 AM9/11/97

========= WAS CANCELLED BY =======:
Path: ...!btnet-feed2!btnet!mithras.relay.co.uk!cyberwhiner!perfectly-propagating-posts-per-poopy-pants
From: pf...@msjovert.pl
Newsgroups: news.admin.net-abuse.email
Subject: cmsg cancel <5v7up6$hng...@rrnet.com>
Control: cancel <5v7up6$hng...@rrnet.com>
Date: 11 Sep 1997 20:15:30 GMT
Organization: Crislewis, Inc.
Lines: 2
Sender: kes...@rrnet.com (Scott R. Keszler)
Approved: pf...@msjovert.pl
Message-ID: <cancel.5v7up6$hng...@rrnet.com>
NNTP-Posting-Host: 206.133.64.35
X-Cancelled-By: pf...@msjovert.pl
X-No-Archive: Yes
X-Cancelbot: UCE - Usenet Cancel Engine
X-URL: http://www.softwaredesigners.com
X-Commentary: Whiners are bad. Whining is lame
X-Thanks-To-Andrew-For-Reporting-Propagation-Bug: Thanks, dude. You rule.


The article was canceled on 9/11/97 at 4:19:30 PM with the Usenet Cancel Engine (UCE).
