Who's sending the spam?

View member feedback to this tip.

Regardless of how many blocks you've got for spam, some still gets through. I created an agent and a view to see where it's coming from, so I can block the IPs at the server.


FIELD Recd := Received;
FIELD FirstRoute := 

Build a view/folder
Column #1 = a numbered & 
totaled column. 
(numbered & totaled = column 
with nothing but the number 1 in it, totaled)
Column #2 = @LeftBack(FirstRoute;".") - 
Column #3 = FirstRoute
I also like to put a column in to track down ISPs.


Although, these are spoofed so often it can be irrelevant -- but every so often, you get a hit. (And that is sooooooo satisfying.)

By the way, I put it in my mail file, but being the spam queen that I am, I also have a repository for spam from different users -- I put it in there too.


Instead of blocking the IP on your server, why not report your findings to the DNS Blacklist sites below?

  • dsn.rfc-ignorant.org
  • dul.dnsbl.sorbs.net
  • sbl.spamhaus.org
  • list.dsbl.org
  • bl.spamcop.net

    —Gregory W.


    I don't like the idea of running an agent to change the documents by adding two fields -- Recd and FirstRoute -- when these can be easily enough calculated by the view formula. Especially in a mail file, unread marks are very important; it's a bad idea to do mass document updates.

    The total column should "hide detail values," since there's no value to the user in seeing a "1" on each row.

    Andre Guirard



    Perhaps I should have put this tip in context....

    I manage e-mail for my company. We're not in an environment where the end-users are capable of setting up their own filters, rules, etc. (we could get into a long drawn out conversation about behaviors, competencies, etc. -- just suffice it to say, this level of management is best done globally here.) so when someone complains about Spam, I have them put it into a Spam folder. I monitor about 10 user mail files (including my own), and gather up all the spam and put it into a repository mail file. This is where I do most of my analysis.

    Currently, this mail file is about 2 GB. I use additional calculations in the views. I prefer to speed them up a bit by putting the calculated fields in the document. I would not recommend putting these fields in the template, or as a server agent on all mail files.

    —Cheryl F.


    There are two items that I think you might find useful.

    1. The received field will always contain the IP address of the server the e-mail came from. This is rarely the spammer's server but a relay the spammer used. Blocking sites will block the relay because the relay represents an administrator who's asleep at the wheel -- thus giving spammers a place to forward mail from.

    2. The IP addresses you glean from the received field can be placed in the "Deney Connections From..." field of the SMTP configuration document on the server, thus blocking all e-mails from the unmanaged server. Now, this isn't to say you'll never hear from them again. Your log files will be filled with messages about connections that where refused. But the e-mails from those locations will not be delivered.

      You can also specify IP Ranges in the deny field rather then just single IP addresses for those situations where your constantly being harassed by a particular IP range. Arin.net will help you identify if the IP belongs to a particular range and can help you identify repeat offenders. Below is what my Deny field looks like (warning, it has been growing for more then seven years). To specify an IP or range, just place the IP or range in square brackets.

    monsterhut.com; *.co.jp; 
    *.apnic.jp; apnic.net; [211.*.*.*]; [210.*.*.*]; 
    [205.207.26.*]; [202.*.*.*]; [203.*.*.*];
     [209.167.79.*]; [199.185.139.*]; 
    [200.59.*.*]; [];
     []; []; 
    *.*]; [61.*.*.*]; [212.25.*.*]; [200.*.*.*]; 
    [212.171.42.*]; [212.69.222.
    *]; [212.69.223.*]; []; 
    [213.215.*.*]; [62.168.*.*]; 
    [217.197.192.*]; []; 
    []; []; 
    [207.30.119.*]; [194.213.226.*]; 
    [194.213.227.*]; [212.184.87.*]; 
    [65.101.226.*]; [216.216.0.*]; [213.2.*.*]; 
    [213.165.*.*]; [24.92.*.*]; 
    [12.102.39.*]; [207.65.96.*]; [65.112.252.*]; 
    [192.115.183.*]; [168.103.*.
    *]; [213.77.115.*]; [213.255.50.*]; 
    [194.204.0.*]; [195.80.192.*]; 
    [209.99.224.*]; [212.168.20.*]; 
    [216.219.253.*]; [195.108.118.*]; 
    [209.212.100.*]; [12.39.66.*]; 
    [195.161.*.*]; [195.55.15.*]; [195.117.*.*]; 
    [207.233.*.*]; [213.56.83.*]; [216.55.*.*];
     []; [195.53.2.
    *]; [216.112.*.*]; [64.0.*.*]; [64.57.*.*]; 
    [64.39.*.*]; [64.12.*.*]; 
    [207.155.*.*]; [207.173.216.*]; 
    [212.156.*.*]; []; [208.36.
    *.*]; [208.37.*.*]; [199.243.107.*]; 
    []; Norstan.com; 
    []; [218.*.*.*]; 
    [209.61.192.*]; [208.39.142.*]; [69.55.106.
    *]; [64.125.188.*]; [];
     []; []; 
    []; [];
     []; []; 
    []; [];
     []; []; 
    []; [];
     []; []; 
    []; [];
     []; []; 
    []; []; 
    []; []; 
    []; []; 
    []; []; 
    []; []; 

    One final thing that you can do is get the users to use aliases for their SMTP mail needs. This can be done by adding new entries to the short name field on the person document. The change takes effect immediately. In my case, I make up a new alias for every Internet service I signup for. If the Internet server sells the e-mail address to someone for spamming, I'll know exactly who sold it and I can remove the alias for their service from my person document -- thus leaving the spam for that alias as undeliverable dead mail. The only problem your left with then is the logs loading up with errors from the server attempting to send dozens of delivery failures to false e-mail sender domains and mail.box's that load up really fast.

    —John G.

    Do you have comments on this tip? Let us know.

    This tip was submitted to the SearchDomino.com tip exchange by member Cheryl Foster. Please let others know how useful it is via the rating scale below. Do you have a useful Notes/Domino tip or code to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.

    This was first published in May 2004

  • There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.