finding the spammer (was Re: [clug] <your email address> I take that back)

Kim Holburn kim.holburn at anu.edu.au
Thu Apr 20 03:32:49 GMT 2006


On 2006 Apr 20, at 1:01 PM, Robert Edwards wrote:
> We want the juicy details - who is it and how did you find them?

Now they've been removed from the list I'll tell you:  
trashmachine at gmail.com

I wrote a script that sent an email individually to each list member  
in the subscription list with their email address in the subject  
line.  The spammer's automated reply had his email address in the  
subject.

Oh here is the script I used.  It was running on a system with exim.   
The data file was copied and pasted and slightly massaged from the  
subscribers list in mailman.

#-------------------------------------------------------------------
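#!/bin/bash
# bash, not sh: the ${line/@/%40} substitution below is a bash extension

file="$1"
if [ ! -r "$file" ]; then
   echo "can't read file \"$file\""
   exit 1
fi

# one subscriber address per line; each gets its own copy of the message
# with that address embedded in the Subject
while read -r line; do
escline="${line/@/%40}"
ename="${line%%@*}"
ehost="${line##*@}"
# per-recipient (VERP-style) bounce address, in the form mailman generates
bounce="linux-bounces+$ename=$ehost@lists.samba.org"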

sendmail -t <<EOF
Return-Path: <$bounce>
Received: from dp.samba.org (localhost [127.0.0.1])
   by lists.samba.org (Postfix) with ESMTP id 99450162B00
   for <$line>; Thu, 20 Apr 2006 11:36:53 +1000 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: [clug] $line I take that back
From: Kim Holburn <kim.holburn at anu.edu.au>
To: $line
Date: Thu, 20 Apr 2006 11:35:57 +1000
Precedence: list
X-BeenThere: linux at lists.samba.org
X-Mailman-Version: 2.1.5
List-Id: Canberra Linux User Group <linux.lists.samba.org>
Sender: linux-bounces+kim.holburn=anu.edu.au at lists.samba.org
Errors-To: linux-bounces+kim.holburn=anu.edu.au at lists.samba.org

I take that back, did get a reply.  Perhaps this will work.

--
Kim Holburn
Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
mailto:kim.holburn at nicta.com.au  aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.

Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961


--
linux mailing list
linux at lists.samba.org
https://lists.samba.org/mailman/listinfo/linux

EOF

done < "$file"

#--------------------------------------------------------------

-- 
Kim Holburn
Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
mailto:kim.holburn at nicta.com.au  aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.

Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
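
The matching step described above (the auto-reply carried the subscriber's address in its subject), as an added example that is not part of the original post: it reads saved replies and reports which subscription each tagged reply came from. The mbox storage, the function name `find_tagged` and the example.org/example.net sample data are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes replies saved as mbox.
# find_tagged SUBSCRIBERS MBOX
#   Prints "subscribed-address<TAB>reply From: header" for each reply whose
#   subject carries the address of a listed subscriber.
find_tagged() {
    awk '
        function emit() {
            if (tag != "" && (tag in subs)) print tag "\t" from
            tag = ""; from = ""
        }
        NR == FNR { if ($0 != "") subs[tolower($0)] = 1; next }  # subscriber list
        /^From / { emit(); inhdr = 1; next }                     # mbox separator
        inhdr && /^$/ { inhdr = 0; emit(); next }                # end of headers
        inhdr && tolower($0) ~ /^from:/ { from = $0; sub(/^[^:]*:[ \t]*/, "", from); next }
        inhdr && tolower($0) ~ /^subject:/ {
            # Probe subject was "[clug] <address> I take that back": take the next word.
            i = index($0, "[clug] ")
            if (i) { split(substr($0, i + 7), w, /[ \t]+/); tag = tolower(w[1]) }
            next
        }
        END { emit() }
    ' "$1" "$2"
}

# Constructed sample data: three subscribers, two replies (only one is tagged).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' alice@example.org bob@example.org carol@example.org > "$dir/subs"
    cat > "$dir/replies.mbox" <<'EOF'
From MAILER-DAEMON Thu Apr 20 02:00:00 2006
From: Promo Desk <promo@example.net>
Subject: Re: [clug] carol@example.org I take that back

Constructed auto-reply body.

From bob@example.org Thu Apr 20 02:05:00 2006
Subject: Re: [clug] I take that back
From: bob@example.org

Constructed human reply to the ordinary list copy, no tag present.
EOF
    find_tagged "$dir/subs" "$dir/replies.mbox"
    rm -rf "$dir"
}

demo
```

The reply's From: address need not match the subscribed address; the tag in the subject is what ties the auto-responder to a specific subscription.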



