Who's sending the spam?

Regardless of how many blocks you've got for spam, some still gets through. This agent and view will let you see where it's coming from, so you can block the IPs at the server.

Regardless of how many blocks you've got for spam, some still gets through. I created an agent and a view to see where it's coming from, so I can block the IPs at the server.

Code:

Agent (run it against the documents in the spam folder):

    FIELD Recd := Received;
    FIELD FirstRoute := @Middle(Recd; "(["; "])");
    SELECT @All

The Received item holds every Received header of the message, most recent hop first, so @Middle returns the bracketed address from the topmost one: the peer your own server accepted the SMTP connection from. That is the only address in the chain the sender could not have written, because every Received line below it arrived as part of the message and can be forged. If mail reaches Domino through a gateway or relay of your own, the first address is that gateway, and the interesting one is a hop further down.

Build a view or folder with these columns:

Column #1: a numbered and totaled column (the formula is just the number 1, with totals turned on, so each category shows a count).
Column #2: @LeftBack(FirstRoute; "."), categorized. This drops the last octet, so hits are grouped by the first three octets of the address.
Column #3: FirstRoute

I also like to put in a column to track down ISPs:

    @RightBack(SMTPOriginator; "@")

Although these are spoofed so often that it can be irrelevant, every so often you get a hit. (And that is sooooooo satisfying.)

By the way, I put it in my mail file, but being the spam queen that I am, I also have a repository for spam from different users -- I put it in there too.
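As an added example (not part of the original tip, and Python rather than Notes formula language), the following does over a few constructed sample documents what the agent and view do: it takes the first bracketed address from the Received item, groups hits by the first three octets, and pulls the claimed sender domain out of SMTPOriginator. It also accepts the "(name [1.2.3.4])" form most non-Domino MTAs write, which the tip's @Middle call would miss, and exposes every hop so you can see why only the first one is worth blocking. The sample messages, addresses and sender domains are made up; the mail-file and item names are the page's own.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample "documents" (not real mail): each pair is the Received
# item as Notes stores it (all Received headers, most recent hop first) and
# the SMTPOriginator item. Addresses come from the RFC 5737 documentation
# ranges.
SAMPLE_DOCS: List[Tuple[str, str]] = [
    (
        "from mail.relay-example.net ([203.0.113.7]) by domino.example.com "
        "(Lotus Domino Release 6.5) with ESMTP id X1; Mon, 10 May 2004\n"
        # This second line arrived inside the message; the sender wrote it
        # and it may be forged.
        "from hotmail.com (unknown [192.0.2.44]) by mail.relay-example.net "
        "with SMTP; Mon, 10 May 2004",
        "promo@cheap-offers.example",
    ),
    (
        "from mail.relay-example.net ([203.0.113.9]) by domino.example.com "
        "(Lotus Domino Release 6.5) with ESMTP id X2; Tue, 11 May 2004",
        "deals@cheap-offers.example",
    ),
    (
        "from list.example ([198.51.100.20]) by domino.example.com "
        "(Lotus Domino Release 6.5) with ESMTP id X3; Tue, 11 May 2004",
        "news@list.example",
    ),
    # A message that never crossed SMTP has no Received header at all.
    ("", "internal@example.com"),
]

# "([1.2.3.4])" is what the tip's @Middle picks out; "(name [1.2.3.4])" is
# the form most other MTAs write, so accept both.
BRACKET_IP = re.compile(r"\((?:[\w.-]+\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def all_hops(received: str) -> List[str]:
    """Every bracketed address in the Received item, topmost hop first."""
    return BRACKET_IP.findall(received)


def first_route(received: str) -> Optional[str]:
    """Like @Middle(Recd; "(["; "])"): the address in the topmost Received
    line, i.e. the peer our own server accepted the connection from. Only
    this hop is trustworthy; the lines below it were part of the message."""
    hops = all_hops(received)
    return hops[0] if hops else None


def network_prefix(ip: str) -> str:
    """Like @LeftBack(FirstRoute; "."): the first three octets."""
    return ip.rsplit(".", 1)[0]


def originator_domain(address: str) -> str:
    """Like @RightBack(SMTPOriginator; "@"): the claimed sender domain."""
    return address.rsplit("@", 1)[-1].lower()


def summarize(docs: List[Tuple[str, str]]) -> Tuple[Counter, Counter, Counter]:
    """The view's three groupings: hits per three-octet prefix, per address,
    and per claimed sender domain."""
    by_network: Counter = Counter()
    by_ip: Counter = Counter()
    by_domain: Counter = Counter()
    for received, originator in docs:
        ip = first_route(received)
        if ip is None:
            continue  # no SMTP hop recorded; nothing to block
        by_network[network_prefix(ip)] += 1
        by_ip[ip] += 1
        by_domain[originator_domain(originator)] += 1
    return by_network, by_ip, by_domain


if __name__ == "__main__":
    nets, ips, domains = summarize(SAMPLE_DOCS)
    for prefix, count in nets.most_common():
        print(f"{prefix}.*  {count}")
    print("sender domains:", dict(domains))
```

The first sample message carries a second Received line claiming a hotmail.com origin at 192.0.2.44; all_hops shows it, but first_route ignores it, because the only line your server vouches for is the one it wrote itself. The originator domain is still reported, with the same caveat the tip gives: it is whatever the sender put in MAIL FROM.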

MEMBER FEEDBACK TO THIS TIP

Instead of blocking the IP on your server, why not report your findings to the DNS Blacklist sites below?

  • dsn.rfc-ignorant.org
  • dul.dnsbl.sorbs.net
  • sbl.spamhaus.org
  • list.dsbl.org
  • bl.spamcop.net

    —Gregory W.

    ******************************************

    I don't like the idea of running an agent to change the documents by adding two fields -- Recd and FirstRoute -- when these can be easily enough calculated by the view formula. Especially in a mail file, unread marks are very important; it's a bad idea to do mass document updates.

    The total column should "hide detail values," since there's no value to the user in seeing a "1" on each row.

    —Andre Guirard

    ******************************************

    AUTHOR OF ORIGINAL TIP:

    Perhaps I should have put this tip in context....

    I manage e-mail for my company. We're not in an environment where the end users are capable of setting up their own filters, rules, etc. (we could get into a long, drawn-out conversation about behaviors, competencies, etc.; suffice it to say, this level of management is best done globally here), so when someone complains about spam, I have them put it into a Spam folder. I monitor about 10 user mail files (including my own), gather up all the spam and put it into a repository mail file. This is where I do most of my analysis.

    Currently, this mail file is about 2 GB. I use additional calculations in the views. I prefer to speed them up a bit by putting the calculated fields in the document. I would not recommend putting these fields in the template, or as a server agent on all mail files.

    —Cheryl F.

    ******************************************

    There are two items that I think you might find useful.

    1. The received field will always contain the IP address of the server the e-mail came from. This is rarely the spammer's server but a relay the spammer used. Blocking sites will block the relay because the relay represents an administrator who's asleep at the wheel -- thus giving spammers a place to forward mail from.

    2. The IP addresses you glean from the Received field can be placed in the "Deny Connections From..." field of the SMTP configuration document on the server, thus blocking all e-mails from the unmanaged server. Now, this isn't to say you'll never hear from them again: your log files will be filled with messages about connections that were refused. But the e-mails from those locations will not be delivered.

      You can also specify IP ranges in the deny field rather than just single IP addresses, for those situations where you're constantly being harassed by a particular IP range. Arin.net will help you identify whether the IP belongs to a particular range and can help you identify repeat offenders. Below is what my Deny field looks like (warning: it has been growing for more than seven years). To specify an IP or range, just place the IP or range in square brackets.

    monsterhut.com; *.co.jp; *.apnic.jp; apnic.net; [211.*.*.*]; [210.*.*.*];
    [205.207.26.*]; [202.*.*.*]; [203.*.*.*]; [209.167.79.*]; [199.185.139.*];
    [200.59.*.*]; [154.11.137.34]; [154.11.137.98]; [213.163.6.138];
    [209.183.*.*]; [61.*.*.*]; [212.25.*.*]; [200.*.*.*]; [212.171.42.*];
    [212.69.222.*]; [212.69.223.*]; [154.11.137.66]; [213.215.*.*];
    [62.168.*.*]; [217.197.192.*]; [205.152.58.30]; [38.144.87.85];
    [66.115.24.50]; [207.30.119.*]; [194.213.226.*]; [194.213.227.*];
    [212.184.87.*]; [65.101.226.*]; [216.216.0.*]; [213.2.*.*];
    [213.165.*.*]; [24.92.*.*]; [12.102.39.*]; [207.65.96.*]; [65.112.252.*];
    [192.115.183.*]; [168.103.*.*]; [213.77.115.*]; [213.255.50.*];
    [194.204.0.*]; [195.80.192.*]; [209.99.224.*]; [212.168.20.*];
    [216.219.253.*]; [195.108.118.*]; [209.212.100.*]; [12.39.66.*];
    [195.161.*.*]; [195.55.15.*]; [195.117.*.*]; [207.233.*.*];
    [213.56.83.*]; [216.55.*.*]; [194.206.161.206]; [195.53.2.*];
    [216.112.*.*]; [64.0.*.*]; [64.57.*.*]; [64.39.*.*]; [64.12.*.*];
    [207.155.*.*]; [207.173.216.*]; [212.156.*.*]; [198.170.139.250];
    [208.36.*.*]; [208.37.*.*]; [199.243.107.*]; [209.248.206.226];
    Norstan.com; [204.249.218.98]; [218.*.*.*]; [209.61.192.*];
    [208.39.142.*]; [69.55.106.*]; [64.125.188.*]; [68.127.187.155];
    [24.205.144.194]; [66.26.180.204]; [24.6.128.209]; [203.164.51.145];
    [24.158.164.15]; [216.121.224.125]; [82.64.86.119]; [213.205.33.28];
    [12.222.14.88]; [82.227.185.42]; [24.199.109.216]; [220.127.31.88];
    [217.217.113.162]; [62.201.66.250]; [196.40.91.202]; [80.220.149.29];
    [207.44.180.33]; [221.138.207.136]; [62.149.140.19]; [66.168.112.135];
    [67.149.152.147]; [66.63.189.30]; [66.63.189.15]; [193.69.4.182];
    [194.65.158.15]; [213.239.57.84]; [192.118.71.127]; [67.18.27.228];
    [68.189.172.57]

    One final thing that you can do is get the users to use aliases for their SMTP mail needs. This can be done by adding new entries to the short name field on the person document. The change takes effect immediately. In my case, I make up a new alias for every Internet service I sign up for. If the Internet server sells the e-mail address to someone for spamming, I'll know exactly who sold it and I can remove the alias for their service from my person document, thus leaving the spam for that alias as undeliverable dead mail. The only problem you're left with then is the logs loading up with errors from the server attempting to send dozens of delivery failures to false e-mail sender domains, and mail.box files that load up really fast.

    —John G.
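To make the deny-field syntax John G. describes concrete, here is an added example (my code, not Domino's and not from the page) that parses a short excerpt of his list, decides whether a connecting peer would be refused, and sizes what the bracketed entries actually cover. The bracket-and-wildcard syntax is as he states it; how Domino matches unbracketed names is an assumption noted in the code. The sizing is the caveat a practitioner wants before copying such a list: every entry with a wildcard in the first octet, such as [211.*.*.*], denies 2^24 (16,777,216) addresses, and overlapping entries such as [200.59.*.*] inside [200.*.*.*] add nothing.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt of the deny field quoted above, same syntax: entries
# separated by ';', addresses or ranges in square brackets with '*' as a
# per-octet wildcard, host or domain names without brackets.
DENY_FIELD = (
    "monsterhut.com; *.co.jp; [211.*.*.*]; [205.207.26.*]; "
    "[154.11.137.34]; [154.11.137.98]; [200.59.*.*]; [200.*.*.*]"
)

IP_ENTRY = re.compile(r"^\[((?:\d{1,3}|\*)(?:\.(?:\d{1,3}|\*)){3})\]$")


def parse_deny_field(field: str) -> Tuple[List[str], List[str]]:
    """Split the field into bracketed address patterns and name patterns."""
    ip_patterns: List[str] = []
    name_patterns: List[str] = []
    for raw in field.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        match = IP_ENTRY.match(entry)
        if match:
            ip_patterns.append(match.group(1))
        else:
            name_patterns.append(entry.lower())
    return ip_patterns, name_patterns


def ip_matches(ip: str, pattern: str) -> bool:
    """Octet-by-octet comparison; '*' matches any value in that position."""
    octets, wanted = ip.split("."), pattern.split(".")
    return len(octets) == 4 and all(w == "*" or w == o for w, o in zip(wanted, octets))


def name_matches(host: str, pattern: str) -> bool:
    """Assumed semantics (the page shows only the syntax): '*.co.jp' matches
    any host under co.jp; a bare name matches itself and its subdomains."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern or host.endswith("." + pattern)


def is_denied(ip: str, host: Optional[str], field: str) -> bool:
    """Would a connection from this peer be refused by the field?"""
    ip_patterns, name_patterns = parse_deny_field(field)
    if any(ip_matches(ip, p) for p in ip_patterns):
        return True
    return host is not None and any(name_matches(host, p) for p in name_patterns)


def pattern_range(pattern: str) -> Tuple[int, int]:
    """Lowest and highest address (as integers) covered by a pattern whose
    wildcards are trailing, e.g. 200.59.*.* -> 200.59.0.0 .. 200.59.255.255."""
    lo = hi = 0
    seen_star = False
    for octet in pattern.split("."):
        if octet == "*":
            seen_star = True
            lo, hi = lo << 8, (hi << 8) | 255
        elif seen_star:
            raise ValueError(f"wildcard must be trailing: [{pattern}]")
        else:
            lo, hi = (lo << 8) | int(octet), (hi << 8) | int(octet)
    return lo, hi


def addresses_covered(field: str) -> int:
    """Distinct IPv4 addresses the bracketed entries deny, overlaps merged
    (e.g. [200.59.*.*] lies inside [200.*.*.*])."""
    ranges = sorted(pattern_range(p) for p in parse_deny_field(field)[0])
    total = 0
    cur: Optional[Tuple[int, int]] = None
    for lo, hi in ranges:
        if cur is not None and lo <= cur[1] + 1:
            cur = (cur[0], max(cur[1], hi))
        else:
            if cur is not None:
                total += cur[1] - cur[0] + 1
            cur = (lo, hi)
    if cur is not None:
        total += cur[1] - cur[0] + 1
    return total


if __name__ == "__main__":
    for peer in ("211.45.6.7", "200.59.1.2", "201.0.0.1"):
        print(peer, "denied" if is_denied(peer, None, DENY_FIELD) else "allowed")
    print("addresses denied by the bracketed entries:", addresses_covered(DENY_FIELD))
```

For the eight-entry excerpt, the two first-octet wildcards account for 33,554,432 of the 33,554,690 addresses denied; the 256-address and single-address entries are noise by comparison. Run addresses_covered over the full list before adopting it, and prefer the specific address or the ISP's allocated range (from ARIN or the relevant registry) over a whole first octet.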

    This tip was submitted to the SearchDomino.com tip exchange by member Cheryl Foster.

  • This was first published in May 2004
