Got Indy spam :-/


2003-08-13 04:01:20 AM
delphi141
And the sender is fairly up-to-date as well!
X-Library: Indy 10.00.14-B
The thing that triggered me to look at it was spamassassin:
14.60 points, 10 required;
* 1.6 -- Message has X-Library header
* 0.3 -- From address is webmail, and ends in lots of numbers
* 1.1 -- From: does not include a real name
* 0.6 -- From: ends in numbers
* 2.1 -- Uses an address with lots of numbers, at a big ISP
* 3.0 -- BODY: Bayesian classifier says spam probability is 90 to 99%
[score: 0.9864]
* 0.6 -- Date: is 96 hours or more before Received: date
* 1.4 -- hotmail.com 'From' address, but no 'Received:'
* 3.9 -- Forged mail pretending to be from AOL
1.6 points is a lot! Most people filter at much less than 10 points.
johannes
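Added example, not part of the original post: a short Python parser for the report lines quoted above. It checks that the listed rule scores add up to the reported total and re-scores the message with the X-Library rule left out. The function names `parse_report` and `score_without` are hypothetical, and the input is the report text from the post.

```python
import re

# Report lines as quoted in the post above (used here as sample input).
REPORT = """\
14.60 points, 10 required;
* 1.6 -- Message has X-Library header
* 0.3 -- From address is webmail, and ends in lots of numbers
* 1.1 -- From: does not include a real name
* 0.6 -- From: ends in numbers
* 2.1 -- Uses an address with lots of numbers, at a big ISP
* 3.0 -- BODY: Bayesian classifier says spam probability is 90 to 99%
[score: 0.9864]
* 0.6 -- Date: is 96 hours or more before Received: date
* 1.4 -- hotmail.com 'From' address, but no 'Received:'
* 3.9 -- Forged mail pretending to be from AOL
"""

SUMMARY_RE = re.compile(r"^\s*(-?[\d.]+) points, (-?[\d.]+) required")
RULE_RE = re.compile(r"^\*\s*(-?[\d.]+)\s+--\s+(.*)$")

def parse_report(text):
    """Return (total, required, [(score, description), ...])."""
    total = required = None
    rules = []
    for line in text.splitlines():
        summary = SUMMARY_RE.match(line)
        rule = RULE_RE.match(line)
        if summary:
            total, required = float(summary.group(1)), float(summary.group(2))
        elif rule:
            rules.append((float(rule.group(1)), rule.group(2).strip()))
        elif rules and line.strip():
            # Continuation line such as "[score: 0.9864]" belongs to the previous rule.
            score, desc = rules[-1]
            rules[-1] = (score, desc + " " + line.strip())
    return total, required, rules

def score_without(rules, required, needle):
    """Re-score with every rule whose description contains `needle` dropped."""
    score = round(sum(s for s, d in rules if needle not in d), 2)
    return score, score >= required  # flagged when score reaches the threshold

if __name__ == "__main__":
    total, required, rules = parse_report(REPORT)
    print("listed rules sum to", round(sum(s for s, _ in rules), 2), "reported", total)
    print("without X-Library:", score_without(rules, required, "X-Library"))
```

On this report the message stays above the 10-point threshold even when the X-Library rule is dropped.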
 
 

Re:Got Indy spam :-/

Another interesting thing:
From: David I <XXXX@XXXXX.COM>
Subject: Thank you for taking the BDN survey...
X-Library: Indy 9.00.10
Date: Thu, 15 May 2003 21:12:25 -0700
:-)
Other than that and 3 emails about intraweb I have 20 spam mails using
Indy, and a lot of mails of people on various Indy mailing lists.
Just thought this might interest someone as I grepped through my emails...
johannes
 

Re:Got Indy spam :-/

Johannes Berg writes:
Quote
And the sender is fairly up-to-date as well!

X-Library: Indy 10.00.14-B

The thing that triggered me to look at it was spamassassin:

14.60 points, 10 required;
* 1.6 -- Message has X-Library header

Unfortunately there is nothing that can be done to stop spammers
writing their software using Indy. That is the downside of writing a good
component library for networking protocols :(
It's also a bad thing that SpamAssassin as well as many other spam
filtering applications give any points at all based on that single
header. Because they do that, people writing legitimate mail sending
applications should comment out the part of code that outputs this
line into headers. Furthermore, people writing spammer tools for
sending out spam should keep the line in :) Since the problem has
already been introduced and there's really nothing we (the people
writing legitimate mail sending applications) can do for it -
unfortunately.
--
Markku Uttula
 

Re:Got Indy spam :-/

On Tue, 12 Aug 2003 22:01:20 +0200, Johannes Berg
<XXXX@XXXXX.COM> writes:
Quote
And the sender is fairly up-to-date as well!

X-Library: Indy 10.00.14-B

Are you sure about this? I ask because I did my own search through
the Indy Source-code and I could not find it at all.
Here's what I found in my search:
===
w:\source\Indy10\box\source\IdMessage.pas(22): { Removed X-Library
Line that was causing people problems with spam detection
w:\source\Indy10\box\source\IdMessage.pas(46): - Removed X-Library
line
w:\source\Indy10\Dist\DistRoot\Source\IdMessage.pas(22): { Removed
X-Library Line that was causing people problems with spam detection
w:\source\Indy10\Dist\DistRoot\Source\IdMessage.pas(46): - Removed
X-Library line
w:\source\Indy10\IdMessage.pas(46): { Removed X-Library Line that was
causing people problems with spam detection
w:\source\Indy10\IdMessage.pas(76): - Removed X-Library line
===
We used to have that X-Library header. After Indy 9.0 was initially
released, we removed the line that caused the "X-Library" header to
appear. An explanation about this is in the Indy Downloadable Indy
FAQ (at www.indyproject.org/FAQ.html) and I checked this just
now. The item reads as follows:
===
11.10 A SMTP server is treating E-Mail from my program as if it was
spam or the server rejects it with a 554 error. I don't have any
problems with Outlook. How do I fix this?
The reason this is occurring is because some spam filtering software is
screening E-Mail for the "Xlibrary:" header. This header is sent by
Indy 8.0 and the release versions of Indy 9.0. In and of itself,
this is not bad. However, some malware such as spam bulk E-Mails and
even a worm (W32/Nicehello@MM), were built with Indy meaning that they
sent the same "X-Library:" header that most Indy-based E-Mail programs
do.
For this reason, we have decided to remove the X-Library header from
Indy 9.0 code and you can obtain it from our VCS. Instructions are at:
www.indyproject.org/download/DevSnapshot.html
If you are using Indy 8.0 and you can't upgrade to this code, you
can remove the X-Library header by editing IdMessage and removing line
439 which reads:
Values['X-Library'] := gsIdProductName + ' ' + gsIdVersion; {do not localize}
and then rebuild Indy using the FULL*.BAT file for your system.
===
This has affected some of us as well as others. I am mentioning this to
David I as this could affect some of Borland's things.
J. Peter Mugaas - Chairperson, Distribution Team, Indy Pit Crew
Internet Direct (Indy) Website - www.nevrona.com/Indy
Personal Home Page - www.wvnet.edu/~oma00215
If I want to do business with you, I will contact you. Otherwise, do not contact me.
 

Re:Got Indy spam :-/

On Wed, 13 Aug 2003 04:55:54 -0400, J Peter Mugaas writes:
Quote
>X-Library: Indy 10.00.14-B
>
Are you sure about this? I ask because I did my own search through
the Indy Source-code and I could not find it at all.
Yes.
Quote
We used to have that X-Library header. After Indy 9.0 was initially
released, we removed the line that caused the "X-Library" header to
appear. An explanation about this is in the Indy Downloadable Indy
FAQ (at www.indyproject.org/FAQ.html) and I checked this just
now. The item reads as follows:
[...]
I know :)
Well, no. I knew there were problems with it, and that it was considered
to remove it. I never kept track if it was removed or not. Now, if you say
it was removed, how did it get into that email?
johannes
 

Re:Got Indy spam :-/

On Wed, 13 Aug 2003 11:20:34 +0200, Johannes Berg
<XXXX@XXXXX.COM> writes:
Quote
On Wed, 13 Aug 2003 04:55:54 -0400, J Peter Mugaas writes:

>>X-Library: Indy 10.00.14-B
>>
>Are you sure about this? I ask because I did my own search through
>the Indy Source-code and I could not find it at all.

Yes.

>We used to have that X-Library header. After Indy 9.0 was initially
>released, we removed the line that caused the "X-Library" header to
>appear. An explanation about this is in the Indy Downloadable Indy
>FAQ (at www.indyproject.org/FAQ.html) and I checked this just
>now. The item reads as follows:
>[...]

I know :)
Well, no. I knew there were problems with it, and that it was considered
to remove it. I never kept track if it was removed or not. Now, if you say
it was removed, how did it get into that email?

I'm not completely sure. I could see where there might have been an
early Indy 10 version with the X-Library header but that is very early.
The version stamp for what's in VCS now is 10.00.16-B.
Our current policy with build marking is to increment the build number
only if I make a formal release or Kudzu asks me to change it. That
can be months at a time.
J. Peter Mugaas - Chairperson, Distribution Team, Indy Pit Crew
Internet Direct (Indy) Website - www.nevrona.com/Indy
Personal Home Page - www.wvnet.edu/~oma00215
If I want to do business with you, I will contact you. Otherwise, do not contact me.
 

Re:Got Indy spam :-/

I just use this line before sending a mail:
msg.Headers.Values['X-Library'] := '';
Cheers
Uli
 

Re:Got Indy spam :-/

Johannes Berg <XXXX@XXXXX.COM> wrote in
Quote
And the sender is fairly up-to-date as well!

X-Library: Indy 10.00.14-B

This was removed from 9, and should have been from 10 as well. 10.00.14-B
looks like a suspicious version number. Are you sure this is an unmodified
copy of 10? I'm on a plane now to Siberia so I can't check easily.
Quote
* 1.6 -- Message has X-Library header
Yes, SA IMO is a horrible utility, not because of this but other reasons.
Probably 5% of our orders come back as bounced by SA, even when we send from
Outlook and then the customers yell at us. :(
Anyways they don't have a clue what the X-Library header is and have marked it
1.6 out of ignorance.
Need extra help with an Indy problem?
www.atozedsoftware.com/indy/experts/support.html
ELKNews - Get your free copy at www.atozedsoftware.com
 

Re:Got Indy spam :-/

On Wed, 13 Aug 2003 18:32:27 -0500, Chad Z. Hower aka Kudzu writes:
Quote
This was removed from 9, and should have been from 10 as well. 10.00.14-B
looks like a suspicious version number. Are you sure this is an unmodified
copy of 10? I'm on a plane now to Siberia so I can't check easily.
I don't know - I don't have a copy of the Indy 10 source code. I only got
the email :)
Quote
Yes, SA IMO is a horrible utility, not because of this but other reasons.
Probably 5% of our orders come back as bounced by SA, even when we send from
Outlook and then the customers yell at us. :(
That was one of the reasons I set the threshold to 10 :->
Quote
Anyways they don't have a clue what the X-Library header is and have marked it
1.6 out of ignorance.
Actually, that's not quite true. If I read the documentation correctly,
they did not just give it a 1.6, but that was part of their learning
process. It is probable that at the time the last learning took place,
many more spam tools used Indy than normal email agents, so it was marked
with 1.6 because the header only occurred in spam.
See
spamassassin.taint.org/faq/index.cgi
(although the information given there is not very much, and I cannot find
where I originally read about the learning algorithm)
johannes
 

Re:Got Indy spam :-/

Johannes Berg <XXXX@XXXXX.COM> wrote in
Quote
I don't know - I don't have a copy of the Indy 10 source code. I only
got the email :)
Indy 9 has had some adjustments and the SA score is much lower now. Indy 10
has had further adjustments and now reports a score of 0 on mails that
previously scored 5-10, so check it out. :)
Want more Indy stuff? Try the Atozed Indy Portal at
www.atozedsoftware.com/
* More Free Demos
* Free Articles
* Extra Support
ELKNews - Get your free copy at www.atozedsoftware.com