
Guess what? More Microsoft spam!


Some Guy
Nov 4, 2009, 7:47:25 AM

Another round of spam is hitting all the microsoft newsgroups.

So let's check it against my previously posted spam-detection rules:

- message ID ends with "phx.gb1"
- presence of "X-Newsposter:" line
- Content-Type, M-ID, and user-agent precede Date line

So yes, Microsoft's pathetic server administrators are allowing mass
postings to be injected into usenet via their own servers. The first
rule applies - the message id ends with phx.gb1.

Yes, we have an "X-Newsposter:" line. The second rule has been met.

And yes, the content-type, MID, and user-agent precede the date line.
The third rule applies.

Had my 3 rules been in place, this spam would have been detected and
shit-canned.

-------------------------------------------

From: tesddalws<sfdeee...@yahoo.com>
Subject: 69 Hosting Web www.ivys.es
Reply-To: erdf...@yahoo.com
Content-Type: text/plain
X-Newsposter: Microsoft Outlook Express 6.00.2800.1106
Message-ID: <uNLwLrU...@TK2MSFTNGP02.phx.gbl>
Newsgroups: microsoft.public.win98.setup.win31
Date: Wed, 04 Nov 2009 04:31:54 -0800
NNTP-Posting-Host: cerberus.ivysnetworks.net 89.140.7.254

Hosting Web www.Ivys.es

Winston
Nov 4, 2009, 9:59:15 AM
Some Guy <So...@Guy.com> writes:
> Message-ID: <uNLwLrU...@TK2MSFTNGP02.phx.gbl>

This part isn't surprising. For reasons unknown, Hotmail, MSN.com, and
probably other Microsoft-owned services have been using the bogus phx.gbl
"domain" for years. I've seen it in valid email since at least 2004. It's
not just used in message-IDs, it's also used in host names; e.g.,
"BAY0-XMR-010.phx.gbl" was the SMTP HELO name used by
"bay0-xmr-010.hotmail.com".

So, seeing phx.gbl in a microsoft.* news group is not at all surprising.
-WBE

D. Stussy
Nov 4, 2009, 5:11:26 PM
"Winston" <w...@ubeblock.psr.com.invalid> wrote in message
news:ydhbta4...@UBEblock.psr.com...

"I've seen it in [OTHERWISE] valid email since at least 2004." ;-)

Everyone I know KILLS this fake domain on sight: Mail is refused, client
connections to web servers are terminated (including their spiders),
etc....


VanguardLH
Nov 4, 2009, 7:07:12 PM
Some Guy wrote:

> Another round of spam ...

The nymshifter reappears.

Some Guy
Nov 4, 2009, 8:53:24 PM
"D. Stussy" wrote:

> Everyone I know KILLS this fake domain on sight:

Did you have to post that gem 3 times?

Winston wrote:

> This part isn't surprising. For reasons unknown, Hotmail, MSN.com,
> and probably other Microsoft-owned services have been using the
> bogus phx.gbl

It doesn't matter that microsoft identifies their servers with the fake
FQDN phx.gb1. That has got absolutely no relationship to the spam
observed in the microsoft usenet groups that are emitted by the MS
servers.

Even if Macro$haft used a "proper" domain suffix, the spam messages
would still be posted and would be just as easily identifiable given the
rules I posted previously. The only difference would be to modify the
MID suffix search rule to what-ever the "proper" domain you think should
be used.

D. Stussy
Nov 4, 2009, 11:58:51 PM
"Some Guy" <So...@Guy.com> wrote in message
news:4AF23014...@Guy.com...

> "D. Stussy" wrote:
> > Everyone I know KILLS this fake domain on sight:
>
> Did you have to post that gem 3 times?

No. I only posted it once.

> Winston wrote:
> > This part isn't surprising. For reasons unknown, Hotmail, MSN.com,
> > and probably other Microsoft-owned services have been using the
> > bogus phx.gbl
>
> It doesn't matter that microsoft identifies their servers with the fake
> FQDN phx.gb1. That has got absolutely no relationship to the spam
> observed in the microsoft usenet groups that are emitted by the MS
> servers.

If it's useful in identifying the spam, there's no reason not to use it.

BTW, it's PHX.GBL. The last character is NOT a one.

> Even if Macro$haft used a "proper" domain suffix, the spam messages
> would still be posted and would be just as easily identifiable given the
> rules I posted previously. The only difference would be to modify the
> MID suffix search rule to what-ever the "proper" domain you think should
> be used.

No, it's not. You'd have to remove or replace your message-ID rule.


Ray Banana
Nov 5, 2009, 12:33:21 AM
* D. Stussy wrote:
> "Some Guy" <So...@Guy.com> wrote in message
> news:4AF23014...@Guy.com...
>> "D. Stussy" wrote:
>> > Everyone I know KILLS this fake domain on sight:
>>
>> Did you have to post that gem 3 times?
>
> No. I only posted it once.

IBTD:

<hcsu8j$cat$1...@snarked.org>
<hcsvg0$ck7$1...@snarked.org>
<hcsv73$cja$1...@snarked.org>
<hcsv1d$cip$1...@snarked.org>

--
Too many ingredients in the soup, no room for a spoon
http://www.eternal-september.org

Winston
Nov 5, 2009, 1:38:06 AM
"Some Guy" <So...@Guy.com> replied:

>> Did you have to post that gem 3 times?

to which "D. Stussy" <spam+ne...@bde-arc.ampr.org> replied:


> No. I only posted it once.

FWIW, I also saw three copies of it.
-WBE

Winston
Nov 5, 2009, 1:40:40 AM
I previously posted:
>> I've seen [phx.gbl] in valid email since at least 2004.

"D. Stussy" <spam+ne...@bde-arc.ampr.org> replied:


> "I've seen it in [OTHERWISE] valid email since at least 2004." ;-)

OK, "I've seen it in non-spam / email from friends since at least 2004."
:-)
-WBE

D. Stussy
Nov 5, 2009, 3:04:12 AM
"Ray Banana" <ray...@banana.shacknet.nu> wrote in message
news:slrnhf4ot1...@banana.shacknet.nu...

> * D. Stussy wrote:
> > "Some Guy" <So...@Guy.com> wrote in message
> > news:4AF23014...@Guy.com...
> >> "D. Stussy" wrote:
> >> > Everyone I know KILLS this fake domain on sight:
> >>
> >> Did you have to post that gem 3 times?
> >
> > No. I only posted it once.
>
> IBTD:
>
> <hcsu8j$cat$1...@snarked.org>
> <hcsvg0$ck7$1...@snarked.org>
> <hcsv73$cja$1...@snarked.org>
> <hcsv1d$cip$1...@snarked.org>

I only sent it once.


Ray Banana
Nov 5, 2009, 4:14:29 AM
* D. Stussy wrote:

>> >> Did you have to post that gem 3 times?
>> > No. I only posted it once.
>> IBTD:
>> <hcsu8j$cat$1...@snarked.org>
>> <hcsvg0$ck7$1...@snarked.org>
>> <hcsv73$cja$1...@snarked.org>
>> <hcsv1d$cip$1...@snarked.org>
> I only sent it once.

Your client sent it four times. This has been going on for
several weeks and you have been informed of the problem before.
FWIW: I noticed the same behaviour with Outlook Express and INN
on the old Motzarella server, when the server (innd) was under
heavy load or throttled. The client just timed out before innd
processed the article, causing the client to assume that posting
had failed, so it kept resending it.

Bruce Esquibel
Nov 5, 2009, 7:59:03 AM
D. Stussy <spam+ne...@bde-arc.ampr.org> wrote:

> I only sent it once.


I got four copies of it, something broken on your end again.

Most of your posts on other groups are showing up 2 or 3 times also.

-bruce
b...@ripco.com

Some Guy
Nov 5, 2009, 8:35:22 AM
"D. Stussy" wrote:

> > Did you have to post that gem 3 times?
>
> No. I only posted it once.

There is something wrong with your server then.



> > It doesn't matter that microsoft identifies their servers with
> > the fake FQDN phx.gb1. That has got absolutely no relationship
> > to the spam observed in the microsoft usenet groups that are
> > emitted by the MS servers.
>
> If it's useful in identifying the spam, there's no reason not
> to use it.

If *what* is useful in identifying spam?

> BTW, it's PHX.GBL. The last character is NOT a one.

Hmmm. The font I'm using for displaying usenet message bodies (fixed
width Courier New) is using the exact same character for lower-case "L"
and the number 1. But the variable-width font (News Gothic MT) is used
for the message header, and yes, I can see a difference between "l" and
"1".

> > Even if Macro$haft used a "proper" domain suffix, the spam
> > messages would still be posted and would be just as easily
> > identifiable given the rules I posted previously. The only
> > difference would be to modify the MID suffix search rule to
> > what-ever the "proper" domain you think should be used.
>
> No, it's not. You'd have to remove or replace your message-ID rule.

That's exactly what I said in my last sentence that you quoted:

"The only difference would be to modify the MID suffix search
rule to what-ever the "proper" domain you think should be used."

The bottom line is this:

You don't like the fact that Microsoft uses the domain suffix "phx.gbl"
in the headers and MID of posts generated by their usenet servers and
other services like e-mail. You feel that they should use a proper,
registered domain suffix, like "microsoft.com".

Ok, say they did that. Say that they did use "microsoft.com" instead of
"phx.gbl". That means the MID of the spam I'm talking about would end
with "microsoft.com". So what? The spam in question would still
happen. The only difference is that my third rule would be modified to
look for a MID that ends with "microsoft.com" instead of "phx.gbl".
That's what I said above.

You seem to be saying that microsoft using "phx.gbl" is somehow
facilitating or enabling this spam, and that it wouldn't happen if they
used a "normal" or "proper" domain suffix. That is obviously wrong as I
have just explained.

Steve Crook
Nov 5, 2009, 9:04:22 AM
["Followup-To:" header set to alt.free.newsservers.]
On Wed, 04 Nov 2009 07:47:25 -0500, Some Guy wrote in
Message-Id: <4AF177DD...@Guy.com>:

> So yes, Microsoft's pathetic server administrators are allowing mass
> postings to be injected into usenet via their own servers. The first
> rule applies - the message id ends with phx.gb1.
>
> Yes, we have an "X-Newsposter:" line. The second rule has been met.
>
> And yes, the content-type, MID, and user-agent precede the date line.
> The third rule applies.
>
> Had my 3 rules been in place, this spam would have been detected and
> shit-canned.

True, but potentially so would many other innocent messages matching
those criteria. The golden rule of spam filtering is that it's better
to have spam than to reject valid postings.

> Hosting Web www.Ivys.es
As the server has access to the entire message for filtering purposes,
it would be better to filter on this.

Some Guy
Nov 5, 2009, 9:18:34 AM
Steve Crook wrote:

> > The first rule applies - the message id ends with phx.gb1.
> >
> > Yes, we have an "X-Newsposter:" line. The second rule has been met.
> >
> > And yes, the content-type, MID, and user-agent precede the date
> > line. The third rule applies.
> >
> > Had my 3 rules been in place, this spam would have been detected
> > and shit-canned.
>
> True, but potentially so would many other innocent messages matching
> those criteria.

My suggested rule-set is such that all three criteria need to be met for
the message to be considered as spam.

I have looked at the headers of many spam and non-spam messages. I have
never seen valid posts where the header contains an "X-Newsposter" line,
and I have never seen legit posts where the lines "Content-Type, Message
ID, and user-agent" all precede the Date line.

Can you point out any examples where all three of those criteria are
met, but the message is not machine-generated spam?

Do you have any knowledge or information regarding the user-agents that
create an "X-Newsposter" line?

> The golden rule of spam filtering is that it's better
> to have spam than to reject valid postings.

I agree. That's why I'm suggesting that all three of the above
conditions need to be met.

> > Hosting Web www.Ivys.es

> As the server has access to the entire message for filtering
> purposes, it would be better to filter on this.

Filtering based on the message subject or body just doesn't work.

Only my three header criteria seem to reliably identify these spam posts
and hence can be shit-canned before they get accepted by individual
servers.

Steve Crook
Nov 5, 2009, 10:20:29 AM
["Followup-To:" header set to alt.free.newsservers.]
On Thu, 05 Nov 2009 09:18:34 -0500, Some Guy wrote in
Message-Id: <4AF2DEBA...@Guy.com>:

- message ID ends with "phx.gb1"
- presence of "X-Newsposter:" line
- Content-Type, M-ID, and user-agent precede Date line

> I have looked at the headers of many spam and non-spam messages. I have


> never seen valid posts where the header contains an "X-Newsposter" line

I've just put a filter in place to log these articles. I'll let you
know what comes out of it when I've got some data.

> and I have never seen legit posts where the lines "Content-Type, Message
> ID, and user-agent" all precede the Date line.

This depends on the server software and how it reorders the headers.
There is no standard that defines what order the headers should appear
in. It would also be difficult for filtering software to exploit header
order as they're passed by the server in dictionary/hash format which
is, (in this context), orderless.

> Do you have any knowledge or information regarding the user-agents that
> create an "X-Newsposter" line?

No, but perhaps I will have shortly if the filter mentioned above turns
up any useful data.

> Filtering based on the message subject or body just doesn't work.

Why do you think that? Most spam is trying to direct people to a URL so
surely the URL in question is good filtering criteria?

D. Stussy
Nov 5, 2009, 4:15:43 PM
"Some Guy" <So...@Guy.com> wrote in message
news:4AF2D49A...@Guy.com...
> ...

> You seem to be saying that microsoft using "phx.gbl" is somehow
> facilitating or enabling this spam, and that it wouldn't happen if they
> used a "normal" or "proper" domain suffix. That is obviously wrong as I
> have just explained.

What I am saying is that since it's invalid, it is sufficient to filter on
it alone, as any non-spammy messages will still be invalid and need to be
eliminated for other reasons.


Some Guy
Nov 5, 2009, 7:03:52 PM
"D. Stussy" wrote:

> > You seem to be saying that microsoft using "phx.gbl" is somehow
> > facilitating or enabling this spam, and that it wouldn't happen
> > if they used a "normal" or "proper" domain suffix.
>

> What I am saying is that since it's invalid, it is sufficient to
> filter on it alone, as any non-spammy messages will still be
> invalid and need to be eliminated for other reasons.

It seems that it's your messages that need to be filtered, because of
your double and triple postings (this last one of yours resulted in
two copies on the server I read from). Why do you do nothing to correct
it?

Your logic is asinine.

There is no justification for filtering based on the naming convention
that an NNTP server chooses to use for its path and MID construction.
Your consistent harping on this just shows you to be a crotchety old
bastard with a bad attitude.

> any non-spammy messages will still be invalid and need to
> be eliminated for other reasons.

And just what are those "other reasons" ?

D. Stussy
Nov 5, 2009, 7:17:54 PM
"Ray Banana" <ray...@banana.shacknet.nu> wrote in message
news:slrnhf55rl...@banana.shacknet.nu...

> * D. Stussy wrote:
> >> >> Did you have to post that gem 3 times?
> >> > No. I only posted it once.
> >> IBTD:
> >> <hcsu8j$cat$1...@snarked.org>
> >> <hcsvg0$ck7$1...@snarked.org>
> >> <hcsv73$cja$1...@snarked.org>
> >> <hcsv1d$cip$1...@snarked.org>
> > I only sent it once.
>
> Your client sent it four times. This has been going on for
> several weeks and you have been informed of the problem before.
> FWIW: I noticed the same behaviour with Outlook Express and INN
> on the old Motzarella server, when the server (innd) was under
> heavy load or throttled. The client just timed out before innd
> processed the article, causing the client to assume that posting
> had failed, so it kept resending it.

OK. It's possible that this is happening - or someone else is playing
games with me (which is happening on "alt.fan.winona-ryder").


D. Stussy
Nov 5, 2009, 2:43:06 AM
"Winston" <w...@ubeblock.psr.com.invalid> wrote in message
news:ydfx8t4...@UBEblock.psr.com...

I noted that too, and cancelled two of them. However, I only sent one.


D. Stussy
Nov 5, 2009, 2:44:01 AM
"Winston" <w...@ubeblock.psr.com.invalid> wrote in message
news:ydeiod4...@UBEblock.psr.com...

I have NOT seen it in mail sent from anyone I know. Regardless, it's not
valid.


Some Guy
Nov 6, 2009, 9:41:14 AM
Steve Crook wrote:

> - message ID ends with "phx.gb1"
> - presence of "X-Newsposter:" line
> - Content-Type, M-ID, and user-agent precede Date line
>

> I've just put a filter in place to log these articles. I'll let you
> know what comes out of it when I've got some data.

Just make sure that when you look for "phx.gbl", that you spell it
correctly. The last character is a lower-case L, not the number 1.



> > and I have never seen legit posts where the lines "Content-Type,
> > Message ID, and user-agent" all precede the Date line.

> This depends on the server software and how it reorders the
> headers. There is no standard that defines what order the
> headers should appear in.

The spam in question originates from Microsoft's servers.

But so do many legit posts.

When I look at the spam, I see that the date line appears further down
in the header.

When I look at legit posts (from the same server) the date line is
usually the third or fourth line - right after the Subject line.
Sometimes the date is the first line.

I don't know if what I'm seeing in this line ordering is also visible on
other news servers.

So there is as yet no explanation as to how, or why, the line-ordering
of the header is (from my POV) consistent between spam and non-spam
posts, and why the Microsoft server allows the spammer to re-order the
header lines in the first place.

The spam headers have this line ordering:

1) From:
2) Subject:
3) Reply-To:
4) Content-Type:
5) X-Newsposter:
6) Message-ID: <some...@TK2MSFTNGP02.phx.gbl>
7) Newsgroups:
8) Date:
9) NNTP-Posting-Host:

Headers of legit (non-spam) posts have this order:

1) From:
2) Subject:
3) Date:
4) Lines:
5) X-Priority:
6) X-MSMail-Priority:
7) X-Newsreader:
8) X-MimeOLE:
9) Message-ID:
10) Newsgroups:
11) NNTP-Posting-Host:

And I've seen this as well:

1) Date:
2) From:
3) User-Agent (Thunderbird)
4) Mime-Version
5) Subject:
6) Content-Type:
7) Content-Transfer-Encoding:
8) Message-ID:
9) Newsgroups:
10) NNTP-Posting-Host:
11) Lines:

> It would also be difficult for filtering software to exploit
> header order as they're passed by the server in dictionary/hash
> format which is, (in this context), orderless.

So what determines the header order as I eventually see it as I read the
posts?

> > Do you have any knowledge or information regarding the user-agents
> > that create an "X-Newsposter" line?

> No, but perhaps I will have shortly if the filter mentioned above
> turns up any useful data.

I'll be watching, but wish you would post the results to either
aioe.news.helpdesk or news.admin.misc as I'm more likely to catch it
there vs alt.free.newsservers.

> > Filtering based on the message subject or body just doesn't work.

> Why do you think that? Most spam is trying to direct people to
> a URL so surely the URL in question is good filtering criteria?

Yea - after the spam has already been accepted and is polluting dozens
of newsgroups and after some human administrator has noticed it and has
taken action against it.

The rules I'm proposing would prevent the spam from even being accepted
and posted by the server to the groups in question in the first place.
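Added example (editor's code, not from any poster in this thread): the three header rules from the first post, plus the header-order comparison from the last post, as a runnable checker. It parses headers into an ordered list rather than a dict, which is what makes the "before Date" rule testable at all (Steve Crook's objection about hash-style header access), matches the suffix case-insensitively as a lower-case L, not a digit 1, and also extracts the body URL domain that Steve suggested filtering on instead. Assumptions not in the thread: the non-spam article below is constructed with placeholder values in the Outlook Express header order the last post lists, headers are unfolded (one per line), and all function names are mine.

```python
"""Runnable version of the thread's three header rules.

Added example, not code from any poster. Assumptions: the article is the
raw text as the server stored it, headers are one per line with no
folding, and all function names here are mine.
"""
import re

# Spam header quoted earlier in the thread (addresses elided as posted).
SPAM_ARTICLE = """\
From: tesddalws<sfdeee...@yahoo.com>
Subject: 69 Hosting Web www.ivys.es
Reply-To: erdf...@yahoo.com
Content-Type: text/plain
X-Newsposter: Microsoft Outlook Express 6.00.2800.1106
Message-ID: <uNLwLrU...@TK2MSFTNGP02.phx.gbl>
Newsgroups: microsoft.public.win98.setup.win31
Date: Wed, 04 Nov 2009 04:31:54 -0800
NNTP-Posting-Host: cerberus.ivysnetworks.net 89.140.7.254

Hosting Web www.Ivys.es
"""

# Constructed non-spam header in the Outlook Express order listed in the
# last post; the values are placeholders, not a real article.
LEGIT_ARTICLE = """\
From: "Example User" <user@example.invalid>
Subject: Re: win31 setup question
Date: Wed, 04 Nov 2009 05:00:00 -0800
Lines: 12
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
Message-ID: <example$1@TK2MSFTNGP02.phx.gbl>
Newsgroups: microsoft.public.win98.setup.win31
NNTP-Posting-Host: host.example.invalid 192.0.2.10

Has anyone seen this?
"""

# Headers that carry the posting agent; the spam uses X-Newsposter.
AGENT_HEADERS = ("x-newsposter", "user-agent", "x-newsreader")
URL_RE = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+\.[a-z]{2,})", re.I)


def parse_headers(article):
    """Return (name, value) pairs in wire order. Keeping a list rather
    than a dict is what makes the order-based third rule testable."""
    head = article.split("\n\n", 1)[0]
    pairs = []
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def rule_msgid_suffix(headers, suffix="phx.gbl"):
    """Rule 1: Message-ID ends with the suffix. Case-insensitive, so
    PHX.GBL matches; the suffix is lower-case L, not the digit 1."""
    mid = dict(headers).get("message-id", "")
    return mid.rstrip(">").lower().endswith(suffix.lower())


def rule_has_newsposter(headers):
    """Rule 2: an X-Newsposter: header is present."""
    return any(name == "x-newsposter" for name, _ in headers)


def rule_order_before_date(headers):
    """Rule 3: Content-Type, Message-ID and an agent header all appear
    before Date. Missing Date or missing required headers -> False."""
    order = [name for name, _ in headers]
    if "date" not in order:
        return False
    date_pos = order.index("date")
    agent_pos = [order.index(n) for n in AGENT_HEADERS if n in order]
    required = ("content-type", "message-id")
    if not agent_pos or any(n not in order for n in required):
        return False
    return all(order.index(n) < date_pos for n in required) and min(agent_pos) < date_pos


def classify(article):
    """Apply all three rules; reject only when every rule fires."""
    headers = parse_headers(article)
    hits = {
        "msgid_phx_gbl": rule_msgid_suffix(headers),
        "x_newsposter": rule_has_newsposter(headers),
        "order_before_date": rule_order_before_date(headers),
    }
    return all(hits.values()), hits


def body_domains(article):
    """Domains of URLs in the body: the content-based criterion Steve
    Crook suggested, usable as a fourth check or a separate blocklist."""
    parts = article.split("\n\n", 1)
    body = parts[1] if len(parts) > 1 else ""
    return {m.group(1).lower() for m in URL_RE.finditer(body)}


if __name__ == "__main__":
    for label, article in (("spam", SPAM_ARTICLE), ("legit", LEGIT_ARTICLE)):
        reject, hits = classify(article)
        print(f"{label}: {'REJECT' if reject else 'accept'} {hits} urls={body_domains(article)}")
```

Run against the two articles, the spam trips all three rules and is rejected, while the constructed legitimate post trips only the Message-ID rule (every post through that server ends in phx.gbl) and is accepted, which is the AND condition Some Guy relies on. Note that rule 3 only works if the filter sees headers in wire order; a server that hands filters a hash of headers cannot evaluate it.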