************************************************************
Please, DO NOT RESPOND TO THE ROMANCE MESSAGE IN ANY WAY!
************************************************************
It is an officially recognized spam which has hit thousands of
mailing lists all over the world, beginning last Thursday. This attack
has been reported to the Internet newsgroup news.admin.net-abuse.misc
for registration and further actions.
The addresses have been forged in the message to make tracking the source
and legal actions etc. more difficult. Yesterday, this criminal attacked
with this same message all *internal, Finnish-speaking* mailing lists at
METLA, Finland. He/she cleverly sends the message to a small number of
lists at a time to prevent automatic spam-recognizers from identifying the
message as a spam and cutting it out. Now the target was the mailserver at
nic.funet.fi (the old forest-list address is still linked to the new list
at listserv.funet.fi, which would probably have interceded the message?).
IMHO, this is already an act of criminal harassment!
Jarmo Saarikko
listowner, forest-request@listserv.funet.fi
--
Finnish Forest Research Institute METLA
I will include a piece from the spam-faq file. This is rather long,
technical, and designed for usenet-news readers, but it is applicable to
mail-spamming. I suggest only those who were very annoyed should read it.
WHAT IS A SPAM? HOW CAN I RECOGNIZE IF A MESSAGE ADDRESS WAS FORGED?
*************************************************************************
From: scotty@ancho.ucs.indiana.edu (Scott Southwick)
Subject: news.admin.net-abuse FAQ (1/2)
Date: 23 May 1995 17:25:53 GMT
Organization: Indiana University, Bloomington
Archive-name: net-abuse-faq/part1
...
2.1) What is Spam?
It's a luncheon meat, kinda pink, comes in a can, made by Hormel. Most
Americans intuitively, viscerally associate "Spam" with "no nutritive
or aesthetic value." The luncheon meat has its own newsgroup,
alt.spam.
The term "spam," as used on this newsgroup, means "the same article
(or essentially the same article) posted an unacceptably high number
of times to one or more newsgroups." CONTENT IS IRRELEVANT. 'Spam'
doesn't mean "ads." It doesn't mean "abuse." It doesn't mean "posts
whose content I object to." Spam is a funky name for a phenomenon that
can be measured pretty objectively: did that post appear X times?
(See: "Yeah, but how many is X?")
There have recently been examples of "customized" spams--where each
post made some effort to apply to each individual newsgroup, but the
general thrust of each article was the same. A huge straw poll on
news.admin.policy, news.admin.misc, and a.c-e.n-a (late 1994?) showed
that as many as 90% of the readers felt that cancellations for these
posts were justified. So, simply put: if you plan to post the same or
similar messages to dozens of newsgroups, the posts are probably going
to get cancelled.
If you feel that a massive multi-post you are planning constitutes an
exception, you are more than welcome to run the idea past the readers
of news.admin.net-abuse.misc for feedback first.
It should be noted that cross-posting a single message to many
newsgroups (which many call "velveeta") is definitely *not* considered
cancellable spam by those who cancel spam. That doesn't mean it's
always a swell idea, though, and a large cross-post will probably
evoke many flames. If you *must* cross-post, set the followups to a
single appropriate group by adding a header line like
    Followup-to: group.name.here
This prevents the readers of all the groups from having to deal with
the thread for weeks afterwards if the readers of only one or two of
the groups take an interest in it.
...
Passionately dissenting note: Rahul Dhesi [dhesi@rahul.net], one of
the fathers of the cancel-bot movement, sticks by the following
definition:
    More than five physically distinct postings with substantially
    identical content posted within a period of ten days.
...
3.2) How can I tell if a post is forged?
Sometimes it's easy to spot a forgery, sometimes it takes years of
experience, and unfortunately, sometimes it's just impossible. (Note:
most newsreaders don't show the entire header. Yours may have a
command (e.g. 'h' in nn, 'v' in rn and trn, CTRL/h in tin) that allows
you to see them in their entirety. If it doesn't, save the post to a
file -- if given the choice, use 'mailbox' format. Then bring that
file up in an editor.)
For starters, these four sites in the header should agree:
--The From: line, listing the site where the poster is.
--The 'path:' line shows all the sites the message passed thru, on its
way *to* you (most recent, to oldest). So the poster's site should be
at (approximately) the end of that path.
--The last part of the 'message ID,' which is the originating site name.
--On many posts there is an "NNTP host" field, as well.
The last item in the "Path" header line is the poster; working
backwards, it lists the hosts the message passed through until it got
to the server the reader uses. First check on a supposed forgery is
whether the host that supposedly posted the message is on this list in
the correct location. However, even if it were that doesn't mean it
isn't a forgery since wily forgers forge part of the path line before
slipping the message into the usenet.
The Message-ID: is a unique id number created by the posting
software. In all cases that we know of, the posting machine's ID is
appended at the end of it. Sometimes, but not always, this matches the
poster's account. Sometimes a slightly different machine in the domain
is used for posting, and may vary slightly. But if the sites in the
message-ID and the poster's account vary wildly--e.g., netcom.com and
army.mil--you may be dealing with a forgery.
Some other ideas:
* Check the time stamps; if the site and the time zone don't agree,
something might be up.
* With experience, you can look at the intermediates on the 'path' and
spot things that look 'funny'. If a message that purports to have
come from someone in Detroit, MI, goes bouncing thru half-a-dozen
sites in EUROPE, before arriving in Chicago, IL -- it's likely it's a
phoney origin. If you have the advantage of knowing about what sites
are connected to where -- even for a few sites-- you can spot a fake
if it shows routing between two machines that you *know* don't talk to
each other.
However, as Steve Patlan cautions: "I posted a message from Austin, TX
that went through Austria.eu.net (something like that) before reaching
(a newsfeed received from Rice U in) Houston, TX."
* The "Organization" line, which is usually set by the site's news
administrator (but can be easily changed by the poster for purposes
legitimate or devious) may also contain clues. If somebody's trying to
cause trouble for a particular organization, for instance, they may
include it, but not get the name or address right.
Of course, if the forger simply forgets to alter the Organization
line, you may get clues that way also.
For more information on headers, see RFC-1036, "Standard for
Interchange of Usenet Messages," at
http://www.cis.ohio-state.edu/htbin/rfc/rfc1036.html
(Thanks to Robert Bonomi, Arthur Byrne, Emma Pease, and Alan Bostick
for most of this information.)
(This entry comes from Indiana University's UCS Knowledge Base.)
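
The header cross-check from section 3.2, as an added Python example that is not part of the FAQ or of the original message: it extracts the site claimed by From:, Message-ID:, NNTP-Posting-Host: and the tail of Path:, and lists the headers that disagree with From:. The sample articles and the example.* hostnames are constructed, and comparing only the last two DNS labels is a simplifying assumption; as the FAQ says, agreement does not prove a post is genuine, and a mismatch is only a hint.

```python
from email import message_from_string
from email.utils import parseaddr

def site(host):
    # Assumption: the last two DNS labels identify the site (wrong for .co.uk etc.).
    return ".".join(host.strip().strip(".").lower().split(".")[-2:])

def header_sites(raw):
    """Map each origin-bearing header to the site it claims."""
    msg = message_from_string(raw)
    claims = {}
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" in addr:
        claims["From"] = site(addr.rsplit("@", 1)[1])
    mid = msg.get("Message-ID", "").strip().strip("<>")
    if "@" in mid:
        claims["Message-ID"] = site(mid.rsplit("@", 1)[1])
    if msg.get("NNTP-Posting-Host"):
        claims["NNTP-Posting-Host"] = site(msg["NNTP-Posting-Host"])
    # Path is newest hop first, so the poster's site is near the end.
    hops = [h for h in msg.get("Path", "").split("!") if "." in h]
    claims["Path"] = {site(h) for h in hops[-2:]}
    return claims

def forgery_hints(raw):
    """Names of headers whose site disagrees with the From: line."""
    claims = header_sites(raw)
    origin = claims.get("From")
    hints = []
    for name, value in claims.items():
        if name == "From":
            continue
        agrees = origin in value if isinstance(value, set) else value == origin
        if not agrees:
            hints.append(name)
    return hints

# Constructed sample headers (example.* hosts are placeholders).
CONSISTENT = """\
Path: reader.example.net!feed.example.org!news.example.edu!not-for-mail
From: alice@cs.example.edu (Alice)
Message-ID: <3q1abc$k2f@news.example.edu>
NNTP-Posting-Host: lab7.cs.example.edu
"""
SUSPECT = CONSISTENT.replace("news.example.edu", "dialup.example.com").replace(
    "lab7.cs.example.edu", "dialup.example.com")

if __name__ == "__main__":
    print(forgery_hints(CONSISTENT), forgery_hints(SUSPECT))
```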