Sam Trenholme's webpage
This article was posted to the Usenet group alt.hackers in 1995; any technical information is probably outdated.

Re: Time to remove alt.hackers.malicious


Article: 8591 of alt.hackers
From: buhr@stat.wisc.edu (Kevin Buhr)
Newsgroups: alt.hackers
Subject: Re: Time to remove alt.hackers.malicious
Date: 17 Sep 1995 17:35:10 -0500
Organization: Statistics Department, University of Wisconsin---Madison
Lines: 80
Sender: buhr@mozart.stat.wisc.edu
Approved: buhr@stat.wisc.edu (Kevin Buhr)
Message-ID: vba4tybxpb5.fsf_-_@mozart.stat.wisc.edu
NNTP-Posting-Host: mozart.stat.wisc.edu
X-Newsreader: Gnus v5.0
Status: RO

-----BEGIN PGP SIGNED MESSAGE-----

In article <43f9mu$fsg@fullfeed.msn.fullfeed.com>
gregc@msn.fullfeed.com (Greg Corey) writes:
|
| Essentially, this will tell you how to cancel a message posted by anyone at
| any site.  This allows you to end net.spam the moment you see it.
|
| 59 6F 75 20 73 69 6D 70 6C 79 20 63 68 61 6E 67 65 20
		.
		.
| 73 65 74 74 69 6E 67 73 2E

IMHO, this is a bad way to control spam.  First, it fails to follow
the "cyberspam" and "cancel." conventions.  Hence, there's no way for
those strange enough to *want* to filter spam-cancels out to do so,
and the flood of cancels could end up producing more of a load than
the spam itself.  Second, it fails to provide any accountability---no
message is posted to "news.admin.net-abuse.announce", and no
"X-Cancelled-By" header is included in the cancel.

Third, it may simply not work.  According to RFC 1036, the "verified
sender" of a message is the "Sender" line or else the "From" line if
no sender is present.  The "verified sender" of the cancel message
must be the same as either the "Sender" or "From" field of the
original message in order for RFC1036-compliant news servers to cancel
the message.  Some (non-compliant) news servers require both the
"Sender" *and* the "From" field to match, or the cancel is discarded.
It's easy to screw it up.

Since people like Chris Lewis do such an incredibly good job of
killing spams, a better solution is probably to post a copy of the
spam, with full headers, to "news.admin.net-abuse.misc", and let those
folks go to work on it.

Just my two cents...


ObHack:  On a related note, I'm very proud of my "findspam" Perl
script, which reads a driver file like the following

>> Server: xxxx.xxxx.xxxx.xxxx
>> Backup-File: backup
>> Cancel-File: cancel
>> NoCeM-File: nocem
>> Search-Header: From		  # the main header to match
>> Search-Regexp: ^spammer\@spams\.are\.us
>>
>> X-Newsreader: ^Forte Agent
>> Lines: ^241$
>> Subject: ^RADICAL WAREZ 4 SALE$
>>
>> Path: cyberspam!buhr			    # template for cancel
>> X-Cancelled-By: buhr@stat.wisc.edu (Kevin Buhr)
>>
>> EMP/ECP (aka SPAM) cancelled by buhr@stat.wisc.edu
>>
>> See news.admin.net-abuse.announce for further details.

and then searches the newsspool via NNTP (using XOVER or, if that's
unsupported, XHDR) and generates (1) a backup copy of all articles
found, (2) a NoCeM-format list of article IDs, and (3) a file full of
cancel messages based on the template.

I use a much simpler script to actually post the cancels.

AFAIK, it's not as sophisticated as Chris Lewis's setup, but I have
used it to clean up a large scale spam or two when he hasn't been
around.  ;)

Kevin <buhr@stat.wisc.edu>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4beta, an Emacs/PGP interface

iQBVAwUBMFyif4mVIQW1OgXhAQFLYwH/SKetj8UhKUldbNH2R0NQtyXoPvYSGjqt
1q3g+Yoh9JHpvMqu0HFY0nFNUPXtqtfg4QrtkOtGi8i5A3WCqoxwUA==
=S4kQ
-----END PGP SIGNATURE-----
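The post makes two checkable claims: a news server honours a cancel only when the cancel's RFC 1036 "verified sender" (Sender, else From) equals the original's Sender or From, while some non-compliant servers insist that both fields match; and a well-behaved spam-cancel should follow the "cyberspam" Path convention and carry an X-Cancelled-By header so it can be filtered and accounted for. The following is an added example, written for this archive page in Python rather than Perl, and is not Kevin Buhr's findspam script or any news server's code. All header blocks are constructed samples; the address and message-id values are invented, and the helper names (`parse_headers`, `verified_sender`, `cancel_accepted`, `follows_cancel_conventions`) are the example's own.

```python
import re

# Constructed sample articles (not taken from the post).
ORIGINAL = """\
Path: example!spamhost!not-for-mail
From: Spammer <spammer@spams.are.us>
Newsgroups: alt.hackers
Subject: RADICAL WAREZ 4 SALE
Message-ID: <constructed-1@spams.are.us>
"""

# Same article, but the injecting host added a Sender line.
ORIGINAL_WITH_SENDER = ORIGINAL + "Sender: poster@relay.example\n"

# A cancel following the conventions the post describes: cyberspam Path,
# X-Cancelled-By, and a From that matches the original's verified sender.
CANCEL_GOOD = """\
Path: cyberspam!buhr
From: spammer@spams.are.us (Spammer)
Newsgroups: alt.hackers
Subject: cmsg cancel <constructed-1@spams.are.us>
Control: cancel <constructed-1@spams.are.us>
X-Cancelled-By: buhr@stat.wisc.edu (Kevin Buhr)
"""

# A cancel whose verified sender matches nothing in the original and
# which carries neither convention header.
CANCEL_BAD = """\
Path: example!not-for-mail
From: Someone Else <else@example.invalid>
Newsgroups: alt.hackers
Control: cancel <constructed-1@spams.are.us>
"""

_ADDR = re.compile(r"<([^>]+)>|([^\s()<>]+@[^\s()<>]+)")


def parse_headers(text):
    """Map lower-cased header names to values; stops at the first blank line."""
    headers = {}
    for line in text.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def mailbox(value):
    """Reduce 'Name <a@b>' or 'a@b (Name)' to the bare lower-cased address."""
    m = _ADDR.search(value)
    if not m:
        return value.strip().lower()
    return (m.group(1) or m.group(2)).lower()


def verified_sender(headers):
    """RFC 1036: the Sender line, or the From line when no Sender is present."""
    return mailbox(headers.get("sender") or headers.get("from", ""))


def targets_article(original, cancel):
    """The Control line must name exactly the original's Message-ID."""
    return cancel.get("control", "").split() == ["cancel", original.get("message-id", "")]


def cancel_accepted(original, cancel, strict=False):
    """Decide whether a server would honour the cancel.

    Default: the RFC 1036 rule from the post, i.e. the cancel's verified
    sender equals either the Sender or the From of the original.
    strict=True models the non-compliant servers the post mentions, which
    require both the Sender and the From fields to match.
    """
    if not targets_article(original, cancel):
        return False
    if strict:
        return (mailbox(original.get("sender", "")) == mailbox(cancel.get("sender", ""))
                and mailbox(original.get("from", "")) == mailbox(cancel.get("from", "")))
    candidates = {mailbox(original[h]) for h in ("sender", "from") if h in original}
    return verified_sender(cancel) in candidates


def follows_cancel_conventions(cancel):
    """Filterable and accountable: cyberspam Path plus an X-Cancelled-By header."""
    return cancel.get("path", "").startswith("cyberspam!") and bool(cancel.get("x-cancelled-by"))


if __name__ == "__main__":
    orig, good, bad = (parse_headers(t) for t in (ORIGINAL, CANCEL_GOOD, CANCEL_BAD))
    print("good cancel accepted:", cancel_accepted(orig, good))        # True
    print("bad cancel accepted: ", cancel_accepted(orig, bad))         # False
    print("good follows conventions:", follows_cancel_conventions(good))  # True
    # Same good cancel against an original that carries a Sender line:
    # fine under RFC 1036, discarded by a both-must-match server.
    orig_s = parse_headers(ORIGINAL_WITH_SENDER)
    print("rfc1036:", cancel_accepted(orig_s, good), "strict:", cancel_accepted(orig_s, good, strict=True))
```

The last two lines of the demo show the "easy to screw it up" case: a cancel that satisfies the RFC 1036 rule against an article carrying a Sender line is silently dropped by a server that demands both fields match, because the cancel has no Sender at all.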


