Klez-G

Julian Field jkf at ecs.soton.ac.uk
Thu May 9 12:22:45 IST 2002


Parsing out the domain and then guessing at the relevant postmaster address
is almost impossible to do automatically. For example, if you sent it to
"postmaster at xxx.yyy" as you suggest, and the message claims to have come
from us, you would miss us completely as I am postmaster at vvv.xxx.yyy.zzz.
Mailing postmaster at xxx.yyy would get you nowhere, apart from annoying the
administrators for the entire UK academic community.

And sending it to "postmaster at 130.85.253.53" will only work if they either
have wildcard MX records (a very bad thing) or an MX record for every host
in their domain (unnecessary). In our case, all mail leaves as
foobar at ecs.soton.ac.uk and we just have MX records for ecs.soton.ac.uk, not
every host.ecs.soton.ac.uk.

So you see my problem...

At 11:52 09/05/2002, you wrote:
>Julian,
>    I too would like to see something going back to the remote postmaster.
>Since I turned on the "Postmaster Gets Full Mail Headers" option, I can
>see the domain that Klez came from, not just the phony "From:".  What
>I have been doing (by hand), is looking at the topmost Received line in the
>header, eg:
>
>  Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53])
>
>then bouncing the entire mailscanner message to "postmaster at xxx.yyy"
>the last two components of the domain.  In this case, it would go to
>postmaster at umbc.edu.  Maybe even postmaster at 130.85.253.53 in a pinch.
>This logic could be automated via perl.
>
>** Jeff A. Earickson, Ph.D                         PHONE: 207-872-3659
>** Senior UNIX Sysadmin, Information Technology    EMAIL: jaearick at colby.edu
>** Colby College, 4214 Mayflower Hill,               FAX: 207-872-3076
>** Waterville ME, 04901-8842
>----------------------------------------------------------------------------
>
>On Thu, 9 May 2002, Julian Field wrote:
>
> > Date: Thu, 9 May 2002 10:25:38 +0100
> > From: Julian Field <jkf at ECS.SOTON.AC.UK>
> > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Klez-G
> >
> > At 00:23 09/05/2002, you wrote:
> > >Has anyone made any modifications to Mailscanner yet to forward a copy of
> > >the postmaster warning message to the postmaster in the domain of the
> > >sending machine?  Or is this a bad idea to attempt?
> > >
> > >Just getting annoying seeing all these Klez's coming from Comcast,
> > >Verizon and broadband provider domains.
> >
> > Oh, and another problem: what happens when the sender address is fake (like
> > it is in most spam)? Then you are just going to harass completely the wrong
> > person, which is a good way to get blocked by them.
> >
> > There is absolutely no way of guaranteeing the domain name from where the
> > email message originated.
> > --
> > Julian Field                Teaching Systems Manager
> > jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                              Southampton SO17 1BJ
> >

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
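The following is an added illustration of the problem described above, not code from the thread or from MailScanner. It parses the sendmail-style "from host (rdns [ip])" clause of a Received: line, applies the "last two components" rule Jeff proposed, and lists every ancestor domain of the sending host to show why that rule cannot be decided offline: mx3out.umbc.edu happens to work, but a host under ecs.soton.ac.uk collapses to ac.uk. The first sample line is taken from the thread; the other two are constructed, using addresses from the 192.0.2.0/24 documentation range, and the penguin.ecs.soton.ac.uk host name is assumed for illustration.

```python
import re

# Regex for the common sendmail-style Received: clause:
#   from <HELO name> (<reverse DNS name> [<IP address>])
# The HELO name is whatever the remote client said; the reverse-DNS name is
# the PTR result our own MTA looked up; the bracketed IP is the peer address
# our MTA actually saw on the socket.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[0-9.]+)\]\)"
)

SAMPLE_RECEIVED = [
    # Taken from the thread.
    "Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53])",
    # Constructed: a host under a multi-level academic domain (hypothetical
    # host name, documentation-range IP).
    "Received: from penguin.ecs.soton.ac.uk (penguin.ecs.soton.ac.uk [192.0.2.10])",
    # Constructed: HELO name that does not match the reverse DNS name.
    "Received: from mail.example.com (dsl-pool-17.example.net [192.0.2.17])",
]


def parse_received(line):
    """Return (helo_name, reverse_dns_name, ip) from a Received: line, or None."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    return m.group("helo"), m.group("rdns") or "", m.group("ip")


def naive_postmaster(hostname):
    """The 'last two components' rule: host.sub.example.com -> postmaster@example.com."""
    labels = hostname.rstrip(".").lower().split(".")
    return "postmaster@" + ".".join(labels[-2:])


def postmaster_candidates(hostname):
    """Every ancestor domain of the host, longest first, excluding the bare TLD.

    Offline there is no way to tell which of these (if any) is the domain
    that actually has MX records and a postmaster; it needs a DNS lookup per
    candidate. For a *.ecs.soton.ac.uk host the two-label answer is ac.uk,
    i.e. the whole UK academic community.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def analyse(line):
    """Summarise what can and cannot be derived from one Received: line."""
    parsed = parse_received(line)
    if parsed is None:
        return None
    helo, rdns, ip = parsed
    # Prefer the reverse-DNS name: the HELO string is chosen by the remote
    # client, whereas the PTR result was looked up by our own MTA.
    host = rdns or helo
    return {
        "ip": ip,
        "helo_matches_rdns": helo.lower() == rdns.lower(),
        "naive": naive_postmaster(host),
        "candidates": postmaster_candidates(host),
    }


if __name__ == "__main__":
    for line in SAMPLE_RECEIVED:
        print(line)
        print("  ", analyse(line))
```

Only the topmost Received: line, the one added by your own MTA, carries an IP you can trust; everything below it, like the From: header, can be written by the sender. Even for that line the script can only enumerate candidates; deciding between them means an MX lookup for each, which is exactly the step that cannot be done reliably by parsing alone.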
