[clug] Re: Killing SPAMER/lurker - been there, want to do that...

Kim Holburn kim.holburn at nicta.com.au
Fri Apr 21 08:51:51 GMT 2006


Unfortunately not so simple:

$ host tira-teima.as.uol.com.br
tira-teima.as.uol.com.br has address 200.221.2.14
tira-teima.as.uol.com.br has address 200.221.2.15
$ host 200.221.2.14
14.2.221.200.in-addr.arpa domain name pointer herbie1.uol.com.br.
$ host 200.221.2.15
15.2.221.200.in-addr.arpa domain name pointer herbie2.uol.com.br.
$ whois 200.221.2.14

OrgName:    Latin American and Caribbean IP address Regional Registry
OrgID:      LACNIC
Address:    Potosi 1517
City:       Montevideo
StateProv:
PostalCode: 11500
Country:    UY

ReferralServer: whois://whois.lacnic.net

NetRange:   200.0.0.0 - 200.255.255.255
CIDR:       200.0.0.0/8
NetName:    LACNIC-200
NetHandle:  NET-200-0-0-0-1
Parent:
NetType:    Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
NameServer: NS2.DNS.BR
NameServer: NS1.AFRINIC.NET
Comment:    This IP address range is under LACNIC responsibility for further
Comment:    allocations to users in LACNIC region.
Comment:    Please see http://www.lacnic.net/ for further details, or check the
Comment:    WHOIS server located at whois.lacnic.net
RegDate:    2002-07-27
Updated:    2005-12-05

OrgTechHandle: LACNIC-ARIN
OrgTechName:   LACNIC Whois Info
OrgTechPhone:
OrgTechEmail:  whois-contact at lacnic.net

# ARIN WHOIS database, last updated 2006-04-20 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

% Joint Whois - whois.lacnic.net
%  This server accepts single ASN, IPv4 or IPv6 queries


% Copyright registro.br
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to domain name and IP number registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2006-04-21 05:48:48 (BRT -03:00)

inetnum:     200.221.0/18
aut-num:     AS15201
abuse-c:     SEO50
owner:       Universo Online S.A.
ownerid:     001.109.184/0001-95
responsible: Contato da Entidade UOL
address:     Av. Brigadeiro Faria Lima, 1384, 10 andar
address:     01452-002 - Sao Paulo - SP
phone:       (11) 3038-8431 [0]
owner-c:     CAU12
tech-c:      CAU12
inetrev:     200.221.0/18
nserver:     eliot.uol.com.br
nsstat:      20060420 AA
nslastaa:    20060420
nserver:     borges.uol.com.br
nsstat:      20060420 AA
nslastaa:    20060420
created:     20000403
changed:     20031202

nic-hdl-br:  CAU12
person:      Contato Administrativo - UOL
e-mail:      l-registrobr-uol at corp.uol.com.br
created:     20031202
changed:     20031209

nic-hdl-br:  SEO50
person:      Security Office
e-mail:      security at uol.com.br
created:     20021114
changed:     20040713

remarks:     Security issues should also be addressed to
remarks:     cert at cert.br, http://www.cert.br/
remarks:     Mail abuse issues should also be addressed to
remarks:     mail-abuse at cert.br

% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.


$ whois uol.com.br

% Copyright registro.br
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to domain name and IP number registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2006-04-21 05:50:38 (BRT -03:00)

domain:      uol.com.br
owner:       Universo Online S.A.
ownerid:     001.109.184/0001-95
responsible: Contato da Entidade UOL
address:     Av. Brigadeiro Faria Lima, 1384, 10 andar
address:     01452-002 - Sao Paulo - SP
phone:       (11) 3038-8431 [0]
owner-c:     CAU12
admin-c:     CAU12
tech-c:      CTU6
billing-c:   CCU10
nserver:     eliot.uol.com.br 200.221.11.98
nsstat:      20060420 AA
nslastaa:    20060420
nserver:     borges.uol.com.br 200.147.255.105
nsstat:      20060420 AA
nslastaa:    20060420
created:     19960424 #7137
updated:     19980116
changed:     20040115
status:      published

nic-hdl-br:  CAU12
person:      Contato Administrativo - UOL
e-mail:      l-registrobr-uol at corp.uol.com.br
created:     20031202
changed:     20031209

nic-hdl-br:  CCU10
person:      Contato de Cobranca - UOL
e-mail:      l-adm-dns at uolinc.com
created:     20031202
changed:     20040705

nic-hdl-br:  CTU6
person:      Contato Tecnico - UOL
e-mail:      l-adm-dns at uolinc.com
created:     20031202
changed:     20040705

remarks:     Security issues should also be addressed to
remarks:     cert at cert.br, http://www.cert.br/
remarks:     Mail abuse issues should also be addressed to
remarks:     mail-abuse at cert.br

% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.



On 2006 Apr 21, at 6:33 PM, E. wrote:

> Or do a dirty, look up the MX record of the petsupermarket domain and do
> some blockage.
> Cheers,
> E.
>
>> -----Original Message-----
>> From: linux-bounces+kane=areujoking.com at lists.samba.org
>> [mailto:linux-bounces+kane=areujoking.com at lists.samba.org] On
>> Behalf Of Kim Holburn
>> Sent: Friday, 21 April 2006 12:15 PM
>> To: paulway at mabula.net
>> Cc: CLUG List
>> Subject: Re: [clug] Re: Killing SPAMER/lurker - been there,
>> want to do that...
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi Paul,
>>
>> After a couple of false starts I sent an individual email to
>> everyone on the list (including digest readers which I see in
>> hindsight was unnecessary (sorry guys)) with their
>> individual email address in the subject line.  This worked,
>> bingo I got the spammer's address.
>>
>> Yes, I talked to someone who administers the debian lists and
>> he recognised the name petsupermarket straight away.  Their
>> problem ie their membership numbers are much larger than ours
>> though.  Your solutions 2 and 3 were nice but I went for the
>> blanket approach which was much less work for me and more
>> hassle for everyone else (sorry).
>>
>> The address was removed yesterday although may have been
>> added back (I guess this post will test that!!!) maybe we
>> should keep logs of member lists so we can narrow this down
>> if it happens again!!!
>>
>> The address was found on other samba lists which have also
>> suffered from this problem.
>>
>> Kim
>>
>> On 2006 Apr 21, at 11:23 AM, Paul Wayper wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> steve jenkin wrote:
>>>> Could we collectively apply ourselves to solving this problem - for
>>>> these guys and for any future spammers?
>>
>> Yes
>>
>>> I hate to say this, but I posted a/my solution to this to Tim Potter
>>> and another guy who runs the Debian development lists (who have the
>>> same problem) a while back now.  It was:
>>>
>>> 1) petsupermarket is not on the list; so mail to the list must be
>>> forwarded to it by another address.  It's reasonable to assume that no
>>> person that has posted to the list (excluding spammers) is doing this
>>> forwarding.
>>>
>>> 2) So I went through the entire logs of the list and collected every
>>> address that had sent at least two messages to the list.  I then
>>> removed duplicates (and any obvious spammer addresses) from this list.
>>> This gives us a list of 'known good' addresses, which I forwarded to
>>> Tim.
>>>
>>> 3) Only they have access to the full subscriber list.  Subtract the
>>> known good list from the address list and you have the people who
>>> haven't posted at least twice to the list - a list of addresses that
>>> are potentially forwarding mail to petsupermarket.
>>>
>>> 4) The mail people get back from petsupermarket includes the subject
>>> line of the message you sent.  Therefore, all you have to do is send
>>> each of the suspect addresses an email with an individual subject line
>>> - e.g. a unique identifier like a 32-bit number.  Store identifiers
>>> keyed to email addresses in a separate file, and when you get your
>>> bounce, the subject line will tell you which email address it was
>>> forwarded from.  I also supplied Tim et al with a program that I'd
>>> tested that would do just this.
>>>
>>> 5) I'm quite willing to do step 4 myself from my own account, but I do
>>> not have the one thing that I need to do this all myself: the list of
>>> subscribers.  If someone trusts me enough to forward me this, I will do
>>> the whole thing myself and report back to everyone.
>>>
>>> I'm a little disappointed that (what I see as) the solution to this
>>> problem has been in the hands of the people who can actually do
>>> something about it, and nothing has actually been done.  I've also
>>> made the offer in item 5 before, too.
>>
>> The list of subscribers is available to all list members.  I
>> just did it as a list member and because I hate spammers...
>> mumble mumble mumble....
>>
>> Maybe the list admins have lots of other things to do and let
>> the situation stand but I didn't like it.  Sometimes we all
>> may have to work together to act in these things, not wait
>> for someone else to do it!!!!
>>
>>
>>> Have fun,
>>>
>>> Paul
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.2.2 (GNU/Linux)
>>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>>>
>>> iD8DBQFESDQmu7W0U8VsXYIRAsW/AKDCkiwn5tpCuW1+PRzSOOQ+CrNtIwCfaFdK
>>> xy3Wv2VyvoJrvnHidIzFub0=
>>> =kfJI
>>> -----END PGP SIGNATURE-----
>>> --
>>> linux mailing list
>>> linux at lists.samba.org
>>> https://lists.samba.org/mailman/listinfo/linux
>>
>> - --
>> Kim Holburn
>> Security Manager, National ICT Australia Ltd.
>> Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
>> mailto:kim.holburn at nicta.com.au  aim://kimholburn
>> skype://kholburn - PGP Public Key on request
>> Cacert Root Cert: http://www.cacert.org/cacert.crt
>> Aust. Spam Act: To stop receiving mail from me: reply and let me know.
>>
>> Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
>> Democracy imposed from without is the severest form of tyranny.
>>                            -- Lloyd Biggle, Jr. Analog, Apr 1961
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.3 (Darwin)
>>
>> iD8DBQFESEBF38zqvCNRL3YRAvr6AKCwk5WgOyhI+PDowWWKxUtrATXJqgCgxfJ1
>> /LlRJFNeWRmJt3g5h8JafjE=
>> =tTw8
>> -----END PGP SIGNATURE-----

-- 
Kim Holburn
Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
mailto:kim.holburn at nicta.com.au  aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.

Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
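
Added example, not part of the original thread and not the program Paul mentions: a sketch of steps 2 to 4 quoted above (known-good posters, suspect subscribers, one token per probe subject). The addresses, the "[probe:...]" subject format and all function names are assumptions made for illustration.

```python
import re
import secrets
from collections import Counter

# Constructed sample data (not real list members).
POSTER_LOG = ["alice@example.org", "Alice@example.org", "bob@example.org",
              "bob@example.org", "carol@example.org"]
SUBSCRIBERS = ["alice@example.org", "bob@example.org",
               "carol@example.org", "dave@example.org"]

TOKEN_RE = re.compile(r"\[probe:([0-9a-f]{8})\]")  # assumed subject marker


def known_good(poster_log, min_posts=2):
    """Step 2: addresses that have posted at least min_posts times."""
    counts = Counter(addr.strip().lower() for addr in poster_log)
    return {addr for addr, n in counts.items() if n >= min_posts}


def suspects(subscribers, good):
    """Step 3: subscribers minus the known-good set."""
    return sorted({s.strip().lower() for s in subscribers} - good)


def assign_tokens(addresses):
    """Step 4: give each suspect its own random 32-bit token (hex)."""
    tokens = {}
    for addr in addresses:
        tok = f"{secrets.randbits(32):08x}"
        while tok in tokens:          # regenerate on the rare collision
            tok = f"{secrets.randbits(32):08x}"
        tokens[tok] = addr
    return tokens                      # persist this map before sending


def probe_subject(token):
    """Subject line for the individual probe sent to one suspect."""
    return f"List membership check [probe:{token}]"


def trace_autoreply(subject, tokens):
    """Map the subject echoed in an auto-reply back to a subscriber."""
    m = TOKEN_RE.search(subject.lower())  # tolerate "Re:" and case changes
    return tokens.get(m.group(1)) if m else None
```

Keeping the token map in a file separate from the outgoing mail, as step 4 says, means a reply that arrives days later can still be traced.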



