Email Abuse and Spam - outlook header stripper


Author outlook header stripper
Compuweb

2004-02-26, 1:35 pm

Question:
Does anyone know of a tool that can scan my Outlook junk email box and
strip out the IP and server name separately and list them in two
text files (IP and Server Name) while also analyzing mis-directions
and spoofs to increase accuracy? For possibly useful information
regarding this issue, please read on . . .

I've been "adding sender to blocked sender list" in my outlook 2003
for weeks now and have compiled a list of greater than a thousand
spammers and as an IMail Server 8.x administrator I've added this list
to my "kill.lst" file (I can make it available online if anyone is
interested in using it).

I've also used tools from Tamo Software (tamos.com) and Visualware
(visualware.com) to track IP and email addresses and have found a
nifty tool that will bulk scan my junk email box and strip out the
headers and email them to me. This tool is called "Spamsource"
(daesoft.com).

HOWEVER, I've been unable to find a tool that can scan my junk email
box and strip out the header information in a way that would catalog
and separate the real IP and server name of origin in a list that can
later be used in a block list. It seems that each tool that I've used
does one thing or the other as follows:

- EmailTrackerPro analyzes the header info. and will note attempted
misdirections, give you the real IP and server name. (one email at a
time).

- VisualRoute will tell you where the email originated (one email at a
time).

- Spamsource will strip out the header information in bulk and email
to you.

- Outlook 2003's internal "add to block sender" will list the from
address (one email at a time).
Android Cat

2004-02-26, 4:35 pm

Compuweb wrote:
> Question:
> Does anyone know of a tool that can scan my Outlook junk email box and
> strip out the IP and server name separately and list them in two
> text files (IP and Server Name) while also analyzing mis-directions
> and spoofs to increase accuracy? For possibly useful information
> regarding this issue, please read on . . .


If you wanted to roll your own, you could do it from any IDE that would
import a type library (VC++, VB, Borland, etc). (I've done this with
Outlook 2000, but not 2003 yet.) That gives you access to all of
Outlook's exposed objects down to single emails. I haven't looked to see
if stuff like block lists are exposed as well.

--
Ron Sharp.


Morely 'spam is theft' Dotes

2004-02-26, 5:35 pm

abuse@compuweb.com (Compuweb) wrote in
news:bba1161b.0402261035.776905ef@posting.google.com:

> I've been "adding sender to blocked sender list" in my outlook 2003
> for weeks now and have compiled a list of greater than a thousand
> spammers


No, you haven't. You've compiled a list of greater than a thousand forged
email addresses.

MS Outlook has no more clue who *really* sent that email than Moronis does.

--
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
Don't spam <A HREF="mailto:remote-printer.Mary_Higgins/Investor_Relations@
12029429634.iddd.tpc.int">this.</a>
Steven M (to reply, remove the cola)

2004-02-26, 6:35 pm

On 26 Feb 2004 10:35:38 -0800, abuse@compuweb.com (Compuweb) wrote:

>Question:
>Does anyone know of a tool that can scan my Outlook junk email box and
>strip out the IP and server name separately and list them in two
>text files (IP and Server Name) while also analyzing mis-directions
>and spoofs to increase accuracy? For possibly useful information
>regarding this issue, please read on . . .
>
>I've been "adding sender to blocked sender list" in my outlook 2003
>for weeks now and have compiled a list of greater than a thousand
>spammers and as an IMail Server 8.x administrator I've added this list
>to my "kill.lst" file (I can make it available online if anyone is
>interested in using it).


Correct me if I'm wrong, but you're talking two different tracks here.

First, I think you're saying that you are tracking the IP of the mail
server that delivered the spam to your mail server, correct? You're
also keeping track of the name that this server claims to be? That
looks like interesting data.

Next, you're blocking mail from addresses on the "blocked sender
list". Does that feature examine the Received headers or the From:
header?

I use Outlook 2000. It's hard to tell from the MS "help"
instructions, but apparently it filters based on the address or domain in
the "From:" field. Unless the sender consistently uses the same
address or domain, that is entirely useless. That is why admins look
at the Received line.

Are you looking for a correlation between IP numbers used to send spam
and the addresses they put in the From: field?

Without making any formal study, I can tell you that almost all the
spam I get has legitimate domains in the "From:" field. This is not a
big sample space, I'm only talking about a handful of residential
email accounts and Yahoo addresses.

Whether real or fake, the spammers can create new domain names faster
than you can add them to your list.

Again, maybe I'm missing something. There is probably a need for
better header analysis tools. But I just don't see any point in
keeping track of what spammy is using in the From: field.



--
Steve M - unspam@houston.rrdirt.com (remove dirt for reply)

"Fear those prepared to die for the truth, for as a rule they
make many others die with them, often before them, at times
instead of them." -- Umberto Eco
Compuweb

2004-02-27, 3:35 pm

> No, you haven't. You've compiled a list of greater than a thousand forged
> email addresses. MS Outlook has no more clue who *really* sent that email than Moronis does.

--------------
I agree and was aware of that and that is why I listed the programs
and their features like:
- EmailTrackerPro analyzes the header info. and attempted
misdirections and attempts to give you the real IP and server name.

- Spamsource (the only program that I mentioned that will strip out
the header information in bulk and email to you) doesn't analyze at
all.

I'm still hoping to find the ultimate integrated and complete tool for
analyzing and extracting Outlook header information.

In addition to running Symantec's "Scan Engine" enterprise software
for Imail Server, Compuweb has effectively been using the following
"URL blocking" and "phrase filtering" in the mail server and it seems
to be doing a good job.

I agree with Steven M's post that many spammers change their ID
every time they spam so it definitely helps to add phrase filtering to
the effort.

Since we're using IMail we access an updated list that they provide at
the following link for those who are interested:

http://support.ipswitch.com/kb/IM-20030513-DM01.htm

And for a URL block list you can use: (updated 02/23/04)
http://compuweb.com/url-domain-bl.txt

And for a Phrase block list you can use: (updated 02/23/04)
http://compuweb.com/phrase-list.txt
Duncan McNiven

2004-02-27, 3:36 pm

On 27 Feb 2004 12:19:51 -0800, abuse@compuweb.com (Compuweb) wrote:

>I'm still hoping to find the ultimate integrated and complete tool for
>analyzing and extracting Outlook header information.


What would you like it to do? What features does it need?

--
Duncan
Chris Uren

2004-02-27, 5:35 pm

On 27 Feb 2004 12:18:21 -0800, abuse@compuweb.com (Compuweb) wrote:

>Since we're using IMail we access an updated list that they provide at
>the following link for those who are interested:
>
>http://support.ipswitch.com/kb/IM-20030513-DM01.htm


Did you pick up on a recent problem and patch for Ipswitch products
mentioned on the Sans org site?
It was mentioned in a recent daily diary posting by Sans org.

--
Animal
Compuweb

2004-02-28, 11:35 am

Duncan McNiven <duncan@mcniven.net> wrote in message
> What would you like it to do? What features does it need?


I'm looking for a program that will analyze ALL the email I select or
ALL email in my Outlook 2003 junk-email folder to rule out spoofing,
misdirection attempts and false information and attempt to find the
true source IP and server name of the true spammer, then dump the IP
and the server name into a text file. I'll copy and paste the IPs and
server names into the block list of my mail server.

That's it. If you know of a program that can do that you will have
surely made my day.
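
The Received-line approach raised earlier in the thread, applied to the batch job described in this post, as an added example that is not part of the thread: it trusts only the hop stamped by your own server and collects the connecting IP and its reverse-DNS name separately. The hostname `mx.example.net`, the `from HELO (rdns [ip]) by host` header layout, the function names and the sample message are assumptions; messages are assumed to be available as raw RFC 822 text.

```python
import re
from email import message_from_string

# Constructed sample. Headers are prepended, so the top Received line was
# written by our own MX; the one below it is whatever the sender supplied.
SAMPLE = """\
Received: from mail.bank.example (unknown [203.0.113.45])
\tby mx.example.net with SMTP id abc123; Thu, 26 Feb 2004 10:35:38 -0800
Received: from trusted.bank.example ([198.51.100.7])
\tby mail.bank.example with ESMTP; Thu, 26 Feb 2004 10:30:00 -0800
From: "Support" <support@bank.example>
Subject: constructed test message

body
"""

# Assumed layout: "from HELO (rdns [ip]) ... by host" (Postfix/Sendmail style).
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def handoff(raw, trusted_mx, internal_ips=()):
    """Return the hop where an outside host connected to one of our servers."""
    for hdr in message_from_string(raw).get_all("Received", []):  # newest first
        m = RECEIVED.search(hdr)
        if not m or m["by"].lower().rstrip(";") not in trusted_mx:
            return None          # left the chain we control: stop, never guess
        if m["ip"] in internal_ips:
            continue             # relay between our own servers, keep walking
        rdns = m["rdns"] if m["rdns"] not in ("", "unknown") else None
        return {"ip": m["ip"], "helo": m["helo"], "rdns": rdns,
                # HELO is sender-supplied; flag it unless rDNS agrees with it
                "helo_unverified": rdns is None or rdns.lower() != m["helo"].lower()}
    return None

def blocklists(messages, trusted_mx):
    """Build the two lists (IPs, server names) from a batch of raw messages."""
    ips, names = set(), set()
    for raw in messages:
        hop = handoff(raw, trusted_mx)
        if hop:
            ips.add(hop["ip"])
            if hop["rdns"]:      # record the looked-up name, never the HELO claim
                names.add(hop["rdns"].lower())
    return sorted(ips), sorted(names)
```

Everything below the trusted hop, including the second Received line in the sample and the From: address, is ignored because the sender can write anything there.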
Compuweb

2004-02-28, 11:35 am

Chris Uren <pressedpork.animal.spamtrap@myrealbox.com> wrote in message
> Did you pick up on a recent problem and patch for Ipswitch products
> mentioned on the Sans org site?
> It was mentioned in a recent daily diary posting by Sans org.


I visited Sans.org and searched for IMail issues and tons of
information came up. What specifically are you referring to?
Currently we're running the latest hotfix after the 8.05 update. I
knew that one of the updates caused a problem with the Imail server and
they quickly came out with another update. We loaded the 8.05 hotfix
just last week.
Chris Uren

2004-02-28, 3:35 pm

On 28 Feb 2004 07:42:14 -0800, abuse@compuweb.com (Compuweb) wrote:

>
>I visited Sans.org and searched for IMail issues and tons of
>information came up. What specifically are you referring to?
>Currently we're running the latest hotfix after the 8.05 update. I
>knew that one of the updates caused a problem with the Imail server and
>they quickly came out with another update. We loaded the 8.05 hotfix
>just last week.


First was posted http://isc.sans.org/diary.html?date=2004-02-22
Update
The increase in port 389 scans is believed to be due to a new exploit
against the iMail LDAP server. The exploit has been posted here:

http://www.coromputer.net/files/ldaped.c

and again on http://isc.sans.org/diary.html?date=2004-02-23
Ipswitch iMail LDAP Exploit Correlation
The packet captures we've received have allowed us to correlate the
increase in port 389 scanning as activity from a recently released
exploit tool against the Ipswitch iMail LDAP server.
We were unable to get in touch with Ipswitch to comment on this
vulnerability. Ipswitch customers using the iMail LDAP server are
advised to implement filtering on port 389 until a patch is made
available.

--
Animal
Copyright 2003 - 2008 webservertalk.com