[clug] Re: Killing SPAMER/lurker - been there, want to do that...
Kim Holburn
kim.holburn at nicta.com.au
Fri Apr 21 08:51:51 GMT 2006
Unfortunately not so simple:
$ host tira-teima.as.uol.com.br
tira-teima.as.uol.com.br has address 200.221.2.14
tira-teima.as.uol.com.br has address 200.221.2.15
$ host 200.221.2.14
14.2.221.200.in-addr.arpa domain name pointer herbie1.uol.com.br.
$ host 200.221.2.15
15.2.221.200.in-addr.arpa domain name pointer herbie2.uol.com.br.
$ whois 200.221.2.14
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Potosi 1517
City: Montevideo
StateProv:
PostalCode: 11500
Country: UY
ReferralServer: whois://whois.lacnic.net
NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetHandle: NET-200-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
NameServer: NS2.DNS.BR
NameServer: NS1.AFRINIC.NET
Comment: This IP address range is under LACNIC responsibility for further
Comment: allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details, or check the
Comment: WHOIS server located at whois.lacnic.net
RegDate: 2002-07-27
Updated: 2005-12-05
OrgTechHandle: LACNIC-ARIN
OrgTechName: LACNIC Whois Info
OrgTechPhone:
OrgTechEmail: whois-contact at lacnic.net
# ARIN WHOIS database, last updated 2006-04-20 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries
% Copyright registro.br
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to domain name and IP number registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2006-04-21 05:48:48 (BRT -03:00)
inetnum: 200.221.0/18
aut-num: AS15201
abuse-c: SEO50
owner: Universo Online S.A.
ownerid: 001.109.184/0001-95
responsible: Contato da Entidade UOL
address: Av. Brigadeiro Faria Lima, 1384, 10 andar
address: 01452-002 - Sao Paulo - SP
phone: (11) 3038-8431 [0]
owner-c: CAU12
tech-c: CAU12
inetrev: 200.221.0/18
nserver: eliot.uol.com.br
nsstat: 20060420 AA
nslastaa: 20060420
nserver: borges.uol.com.br
nsstat: 20060420 AA
nslastaa: 20060420
created: 20000403
changed: 20031202
nic-hdl-br: CAU12
person: Contato Administrativo - UOL
e-mail: l-registrobr-uol at corp.uol.com.br
created: 20031202
changed: 20031209
nic-hdl-br: SEO50
person: Security Office
e-mail: security at uol.com.br
created: 20021114
changed: 20040713
remarks: Security issues should also be addressed to
remarks: cert at cert.br, http://www.cert.br/
remarks: Mail abuse issues should also be addressed to
remarks: mail-abuse at cert.br
% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.
$ whois uol.com.br
% Copyright registro.br
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to domain name and IP number registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2006-04-21 05:50:38 (BRT -03:00)
domain: uol.com.br
owner: Universo Online S.A.
ownerid: 001.109.184/0001-95
responsible: Contato da Entidade UOL
address: Av. Brigadeiro Faria Lima, 1384, 10 andar
address: 01452-002 - Sao Paulo - SP
phone: (11) 3038-8431 [0]
owner-c: CAU12
admin-c: CAU12
tech-c: CTU6
billing-c: CCU10
nserver: eliot.uol.com.br 200.221.11.98
nsstat: 20060420 AA
nslastaa: 20060420
nserver: borges.uol.com.br 200.147.255.105
nsstat: 20060420 AA
nslastaa: 20060420
created: 19960424 #7137
updated: 19980116
changed: 20040115
status: published
nic-hdl-br: CAU12
person: Contato Administrativo - UOL
e-mail: l-registrobr-uol at corp.uol.com.br
created: 20031202
changed: 20031209
nic-hdl-br: CCU10
person: Contato de Cobranca - UOL
e-mail: l-adm-dns at uolinc.com
created: 20031202
changed: 20040705
nic-hdl-br: CTU6
person: Contato Tecnico - UOL
e-mail: l-adm-dns at uolinc.com
created: 20031202
changed: 20040705
remarks: Security issues should also be addressed to
remarks: cert at cert.br, http://www.cert.br/
remarks: Mail abuse issues should also be addressed to
remarks: mail-abuse at cert.br
% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.
On 2006 Apr 21, at 6:33 PM, E. wrote:
> Or do a dirty, look up the MX record of the petsupermarket domain and do
> some blockage.
> Cheers,
> E.
>
>> -----Original Message-----
>> From: linux-bounces+kane=areujoking.com at lists.samba.org
>> [mailto:linux-bounces+kane=areujoking.com at lists.samba.org] On
>> Behalf Of Kim Holburn
>> Sent: Friday, 21 April 2006 12:15 PM
>> To: paulway at mabula.net
>> Cc: CLUG List
>> Subject: Re: [clug] Re: Killing SPAMER/lurker - been there,
>> want to do that...
>>
>> Hi Paul,
>>
>> After a couple of false starts I sent an individual email to
>> everyone on the list (including digest readers which I see in
>> hindsight was unnecessary (sorry guys)) with their
>> individual email address in the subject line. This worked,
>> bingo I got the spammer's address.
>>
>> Yes, I talked to someone who administers the debian lists and
>> he recognised the name petsupermarket straight away. Their
>> problem ie their membership numbers are much larger than ours
>> though. Your solutions 2 and 3 were nice but I went for the
>> blanket approach which was much less work for me and more
>> hassle for everyone else (sorry).
>>
>> The address was removed yesterday although may have been
>> added back (I guess this post will test that!!!) maybe we
>> should keep logs of member lists so we can narrow this down
>> if it happens again!!!
>>
>> The address was found on other samba lists which have also
>> suffered from this problem.
>>
>> Kim
>>
>> On 2006 Apr 21, at 11:23 AM, Paul Wayper wrote:
>>
>>> steve jenkin wrote:
>>>> Could we collectively apply ourselves to solving this problem - for
>>>> these guys and for any future spammers?
>>
>> Yes
>>
>>> I hate to say this, but I posted a/my solution to this to Tim Potter
>>> and another guy who runs the Debian development lists (who have the
>>> same problem) a while back now. It was:
>>>
>>> 1) petsupermarket is not on the list; so mail to the list must be
>>> forwarded to it by another address. It's reasonable to assume that no
>>> person that has posted to the list (excluding spammers) is doing this
>>> forwarding.
>>>
>>> 2) So I went through the entire logs of the list and collected every
>>> address that had sent at least two messages to the list. I then
>>> removed duplicates (and any obvious spammer addresses) from this list.
>>> This gives us a list of 'known good' addresses, which I forwarded to
>>> Tim.
>>>
>>> 3) Only they have access to the full subscriber list. Subtract the
>>> known good list from the address list and you have the people who
>>> haven't posted at least twice to the list - a list of addresses that
>>> are potentially forwarding mail to petsupermarket.
>>>
>>> 4) The mail people get back from petsupermarket includes the subject
>>> line of the message you sent. Therefore, all you have to do is send
>>> each of the suspect addresses an email with an individual subject line
>>> - e.g. a unique identifier like a 32-bit number. Store identifiers
>>> keyed to email addresses in a separate file, and when you get your
>>> bounce, the subject line will tell you which email address it was
>>> forwarded from. I also supplied Tim et al with a program that I'd
>>> tested that would do just this.
>>>
>>> 5) I'm quite willing to do step 4 myself from my own account, but I do
>>> not have the one thing that I need to do this all myself: the list of
>>> subscribers.
>>> If someone trusts me enough to forward me this, I will do the whole
>>> thing myself and report back to everyone.
>>>
>>> I'm a little disappointed that (what I see as) the solution to this
>>> problem has been in the hands of the people who can actually do
>>> something about it, and nothing has actually been done. I've also
>>> made the offer in item 5 before, too.
>>
>> The list of subscribers is available to all list members. I
>> just did it as a list member and because I hate spammers...
>> mumble mumble mumble....
>>
>> Maybe the list admins have lots of other things to do and let
>> the situation stand but I didn't like it. Sometimes we all
>> may have to work together to act in these things, not wait
>> for someone else to do it!!!!
>>
>>
>>> Have fun,
>>>
>>> Paul
>>> --
>>> linux mailing list
>>> linux at lists.samba.org
>>> https://lists.samba.org/mailman/listinfo/linux
>>
>> - --
>> Kim Holburn
>> Security Manager, National ICT Australia Ltd.
>> Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121
>> mailto:kim.holburn at nicta.com.au aim://kimholburn
>> skype://kholburn - PGP Public Key on request Cacert Root
>> Cert: http://www.cacert.org/cacert.crt Aust. Spam Act: To
>> stop receiving mail from me: reply and let me know.
>>
>> Use ISO 8601 dates [YYYY-MM-DD]
>> http://www.saqqara.demon.co.uk/ datefmt.htm Democracy imposed
>> from without is the severest form of tyranny.
>> -- Lloyd Biggle, Jr. Analog, Apr 1961
>>
--
Kim Holburn
Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121
mailto:kim.holburn at nicta.com.au aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/
datefmt.htm
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
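
Steps 2 to 4 of the procedure quoted above, as an added example (it is not part of the original message and is not the program Paul mentions supplying). The function names, the `[ref:...]` subject tag, the HMAC-derived 32-bit token and the sample addresses are all assumptions constructed for illustration; the probe messages are built but not sent.

```python
import hashlib
import hmac
import re
from collections import Counter
from email.message import EmailMessage

TOKEN_RE = re.compile(r"\[ref:([0-9a-f]{8})\]")  # hypothetical subject tag

def suspects(subscribers, archive_senders, min_posts=2):
    """Steps 2-3: subscribers minus addresses seen posting min_posts+ times."""
    posts = Counter(a.strip().lower() for a in archive_senders)
    known_good = {a for a, n in posts.items() if n >= min_posts}
    return sorted({s.strip().lower() for s in subscribers} - known_good)

def token_for(address, key):
    """32-bit identifier; keyed so it cannot be derived from the address."""
    return hmac.new(key, address.encode(), hashlib.sha256).hexdigest()[:8]

def build_probes(addresses, key, sender):
    """Step 4: one message per suspect, each with its own subject token."""
    table, probes = {}, []
    for addr in addresses:
        tok = token_for(addr, key)
        if tok in table:  # 32 bits can collide on a large list
            raise ValueError(f"token collision for {addr}")
        table[tok] = addr
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, addr
        msg["Subject"] = f"List delivery check [ref:{tok}]"
        msg.set_content("Delivery check for list subscribers; no reply needed.")
        probes.append(msg)
    return table, probes

def trace(reply_subject, table):
    """Map the subject echoed back by the auto-responder to a subscriber."""
    m = TOKEN_RE.search(reply_subject)
    return table.get(m.group(1)) if m else None

# Constructed sample data (example.org addresses, not from the thread).
SUBSCRIBERS = ["alice@example.org", "bob@example.org",
               "carol@example.org", "dave@example.org"]
ARCHIVE_SENDERS = ["alice@example.org", "Alice@example.org",
                   "carol@example.org", "carol@example.org", "bob@example.org"]
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    table, probes = build_probes(suspects(SUBSCRIBERS, ARCHIVE_SENDERS),
                                 KEY, "listadmin@example.org")
    echoed = "Auto-reply: " + probes[1]["Subject"]  # simulated bounce
    print(trace(echoed, table))
```

Keeping the token table (and dated copies of the subscriber list) on disk lets a later auto-reply be traced without re-probing everyone.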