'Re: What changes would you make to stop spam? - United Nations Paper'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       spamassassin-users
Subject:    Re: What changes would you make to stop spam? - United Nations Paper
From:       "jdow" <jdow () earthlink ! net>
Date:       2006-08-04 3:05:48
Message-ID: 0b4e01c6b772$e63bc7b0$0225a8c0 () Wednesday
[Download RAW message or body]

From: "MennovB" <mvbengro@xs4all.nl>
> jdow wrote:
>>
>> The direct in that case is probably the fault of the underlying cable
>> provider more than Earthlink. Did the spam come through the Earthlink
>> servers or merely from an address that claimed to be Earthlink? By the
>> way, there is no such address as "cable.earthlink.net". The address
>> may have been spoofed.
>>
> Of course cable.earthlink.net does not exist, you must be joking ;-) and no

===8<---
[jdow@XXX ~]$ ping cable.earthlink.net
ping: unknown host cable.earthlink.net
[jdow@XXX ~]$
[jdow@XXX ~]$ host cable.earthlink.net
[jdow@XXX ~]$ dig cable.earthlink.net any

; <<>> DiG 9.3.1 <<>> cable.earthlink.net any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32859
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;cable.earthlink.net.           IN      ANY

;; ANSWER SECTION:
cable.earthlink.net.    86400   IN      NS      itchy.earthlink.net.
cable.earthlink.net.    86400   IN      NS      scratchy.earthlink.net.
cable.earthlink.net.    86400   IN      SOA     itchy.earthlink.net. 
hostmaster.earthlink.net. 2005031800 86400 3600 2592000 86400

;; AUTHORITY SECTION:
cable.earthlink.net.    86400   IN      NS      scratchy.earthlink.net.
cable.earthlink.net.    86400   IN      NS      itchy.earthlink.net.

;; ADDITIONAL SECTION:
itchy.earthlink.net.    1484    IN      A       207.69.188.196
scratchy.earthlink.net. 1484    IN      A       207.69.188.197

;; Query time: 34 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug  3 19:59:24 2006
;; MSG SIZE  rcvd: 187
[jdow@XXX ~]$ whois 24.41.24.117
[Querying whois.arin.net]
[whois.arin.net]
EarthLink Network, Inc. EARTHLINK-CABLE (NET-24-41-0-0-1)
                                  24.41.0.0 - 24.41.95.255
Charter Cable/Monterey Park LAN CBLMPLAN-USER0134 (NET-24-41-24-112-1)
                                  24.41.24.112 - 24.41.24.119
===8<---

No, I am not kidding or joking. It apparently does not exist. (Although
the response to "host" is intrigueing.) The dig any report shows it
"exists" but has no address of its own. Go figure. If it has no
address how can it be sent from cable.earthlink.net. I guess only its
subdomains exist. It is also Charter Cable in Monterey Park. So it is
probably a Charter Cable problem. (That must be a very small corporate
block for them or something like that.) Cable providers seem to be
remarkably lax on security. That probably does not have port 25 blocked.

Did the email submission go through smtpauth.earthlink.net or some
other route? If it didn't go through smtpauth.earthlink.net it is
not Earthlink originated spam.

> it is not spoofed.
> I mentioned 'cable' so that you could see it is not sent through the server
> but directly, meaning port 25 to the Internet seems still wide open for that
> host.
> Here's the complete address: user-0c2i63l.cable.earthlink.net [24.41.24.117]
> Spamassassin got that one fine with URIBL_JP_SURBL and GAPPY_SUBJECT! But I
> rather didn't get it at all.. I know I want too much (or too little in this
> case).

It looks like Earthlink needs to protect its name from Charter Cable's
predations.

{^_^} 

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic