A few days ago operators of several popular DNSBLs noticed
a large wave of mis-directed spam complaints from various
places of the world. The complaints are all titled like
"EMail Abuse Complaint D/M/YY H:MI:SS" (with a real date),
contain original spam samples, with From being the spam
recipient, and are being sent to a large number of various
addresses, obviously using whois data (a sample is at the end
of this post). The site is
http://www.hendricom.com/, looks
promising. There's a support forum too, at
http://www.hendricom.com/forums/index.php?act=SF&f=3 --
users are saying good and thankful words about the
software. So far so good.
But there's a problem (note the first sentence of this
post): the software sends a complaint about every URL
it finds in the body and headers of the original spam.
*Including* the text added by e.g. SpamAssassin --
X-Spam: listed in dsbl, http://dsbl.org/listing?127.0.0.2
So now dsbl.org, cbl.abuseat.org, spamhaus.org, sorbs.net,
spamcop.net and the like are all spamvertised
sites, and the software complains to both the "site owner"
and its upstream, using the whois information. Voila,
go figure, all great spammers.
For example, dsbl.org got several hundred complaints that
way from all over the world in a single day. CBL is getting
those too. Etc.
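The bug described above, reproduced beside a corrected extractor, as an added example (my own code, not SpamX's and not from the original post); the sample message is constructed, modelled on the report quoted at the end, and the DNSBL list is only the domains named here:

```python
import email
import re
from email import policy

# DNSBL domains named in the post; filter-added text cites them and a
# complaint must never be routed to their whois contacts.
NEVER_COMPLAIN = {"dsbl.org", "cbl.abuseat.org", "spamhaus.org",
                  "sorbs.net", "spamcop.net"}
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)[^\s<>"]*')
# Constructed sample modelled on the report in the post: a SpamAssassin
# wrapper whose own text cites dsbl.org, around the original spam as rfc822.
SAMPLE = """\
X-Spam: listed in dsbl, http://dsbl.org/listing?127.0.0.2
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

 3.8 RCVD_IN_DSBL [<http://dsbl.org/listing?201.128.81.77>]
--outer
Content-Type: message/rfc822; x-spam-type=original

Subject: Payyless fOr Wnd0ws 2ooo Server
Content-Type: text/plain

Cheap licences at http://goforthesoft.info/buy today.
--outer--
"""

def _is_dnsbl(domain):
    return any(domain == b or domain.endswith("." + b) for b in NEVER_COMPLAIN)

def naive_domains(raw):
    """The buggy behaviour: every URL anywhere in headers, report and body."""
    return sorted({m.group(1).lower().rstrip(".") for m in URL_RE.finditer(raw)})

def spamvertised_domains(raw):
    """URLs from text bodies of the ORIGINAL message only, minus DNSBL domains.
    Uses the attached pre-filter copy when present, else the message itself."""
    msg = email.message_from_string(raw, policy=policy.default)
    orig = next((p.get_payload(0) for p in msg.walk()
                 if p.get_content_type() == "message/rfc822"), msg)
    found = set()
    for part in orig.walk():
        if part.get_content_maintype() == "text":
            for m in URL_RE.finditer(part.get_content()):
                d = m.group(1).lower().rstrip(".")
                if not _is_dnsbl(d):
                    found.add(d)
    return sorted(found)
```

The naive pass reports dsbl.org as spamvertised exactly as the post describes; the corrected pass only sees the domain from the original spam body.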
But that's not the whole story obviously, or else the Subject
would be different. Simply fix the bug and be done with it,
not a big deal really. But the author isn't that "simple".
Several people notified him by email. Several posts have
been made on the support forum. Guess what?
He just deletes the "bad" posts in the support forum, continues
making new versions without fixing the problem, and leaves
only "thank you" messages on his forum. There were several
posts by me, by Rik van Riel (several attempts), by others --
all gone in a few minutes...
There are several other problems with the software obviously
(look closely at the sample report below -- some characters
are missing -- e.g. right after the ===SMTP START== (what's
SMTP here, btw?), you'll find an "evel: ***" header which
probably was "spam-level:"; and at the very end, there's
a spamX version number -- supposed to be the full name of the
software with version and the URL...)
So just ask yourself: is such behaviour a good one? Do you
want to use such software from SUCH an author? I for one
don't want to deal with him...
/mjt
Sample report follows, with some @'s replaced with [X]'s.
Subject: EMail Abuse Complaint 8/01/05 13:24:28
From: ako...@newsguy.com
Date: Sat, 8 Jan 2005 13:28:38 -0600
To: ADMIN[X]DSBL.ORG, ABUSE[X]TACONIC.NET, SSRADMIN[X]TELMEX.COM, IPS-ADM[X]UNINET.NET.MX, LEGAL[X]NIC.MX, DOMINIOS[X]TELMEX.COM, ABUSE[X]UNINET.NET.MX, POSTMASTER[X]UNINET.NET.MX, ABUSE[X]NIC.MX
I believe this email either originated from your domain, your domain was involved in it's delivery, or you are the victim of a spammer abusing your domain. All of the information is included for you to take action.
Here is the SMTP information.
IP Address(es) traced through 201.128.81.77 - 248.104.212.196 -
Spamvertized Domain(s) DSBL.ORG -
Domain(s) traced through UNINET.NET.MX -
Abuse address(es) traced to ADMIN[X]DSBL.ORG - ABUSE[X]TACONIC.NET - SSRADMIN[X]TELMEX.COM - IPS-ADM[X]UNINET.NET.MX - LEGAL[X]NIC.MX - DOMINIOS[X]TELMEX.COM - ABUSE[X]UNINET.NET.MX - POSTMASTER[X]UNINET.NET.MX - ABUSE[X]NIC.MX -
== SMTP Start ==========
evel: ********************
X-Spam-Status: Yes, score=20.3 required=7.0 tests=BAYES_99,HELO_DYNAMIC_DHCP,
HELO_DYNAMIC_IPADDR,HTML_40_50,HTML_MESSAGE,RCVD_ILLEGAL_IP,
RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_SORBS_HTTP,
RCVD_IN_SORBS_MISC,RCVD_IN_XBL,URIBL_SBL,URIBL_WS_SURBL
autolearn=spam version=3.0.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_41DEEB14.3691D71D"
X-MailScanner-Information: This email message has been scanned for viruses
X-MailScanner-HostGo: Found to be clean
Payyless fOr Wnd0ws 2ooo Server
Sender: "Elisabeth Lam" <ygemdtrc...@sofcom.com.au>
Message-ID: <364459645216.EBN69...@lucrative.goodgirlz.com>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="Java.FBWWO.57978303078977925"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <1797928@MPQMG>
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
X-MailScanner-Information: This email message has been scanned for viruses
X-MailScanner-HostGo: Found to be clean
X-Spam-Exim: pCWyj5_c7Tvvutm9wqHEleW6
This is a multi-part message in MIME format.
--Java.FBWWO.57978303078977925
Content-Type: multipart/alternative;
boundary="Java.EVBYR.9139572339837257858"
--Java.EVBYR.9139572339837257858
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Minnesota, which can clinch a wild-card
playoff spot with a loss by either Carolina or St. Louis this weekend, appeared on
its way to retaking the lead. But a holding penalty on Birk -- the Vikings were
flagged nine times for 78 yards -- wiped out a 16-yard run by Michael Bennett that
would have given them the ball at the Green Bay 40 just before the 2-minute warning.
--Java.EVBYR.9139572339837257858
Content-Type: text/html;
chars
This is a multi-part message in MIME format.
------------=_41DEEB14.3691D71D
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "rome.hostgo.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Minnesota, which can clinch a wild-card playoff spot
with a loss by either Carolina or St. Louis this weekend, appeared on
its way to retaking the lead. But a holding penalty on Birk -- the
Vikings were flagged nine times for 78 yards -- wiped out a 16-yard
run by Michael Bennett that would have given them the ball at the
Green Bay 40 just before the 2-minute warning. [...]
Content analysis details: (20.3 points, 7.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
4.4 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
1.2 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
0.9 RCVD_ILLEGAL_IP Received: contains illegal IP address
1.9 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_40_50 BODY: Message is 40% to 50% HTML
0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[201.128.81.77 listed in combined.njabl.org]
0.3 RCVD_IN_SORBS_MISC RBL: SORBS: sender is open proxy server
[201.128.81.77 listed in dnsbl.sorbs.net]
0.0 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
[201.128.81.77 listed in dnsbl.sorbs.net]
3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?201.128.81.77>]
3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[201.128.81.77 listed in sbl-xbl.spamhaus.org]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[201.128.81.77 listed in dnsbl.sorbs.net]
1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: goforthesoft.info]
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: goforthesoft.info]
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_41DEEB14.3691D71D
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Received: from [201.128.81.77] (helo=dsl-201-128-81-77.prod-infinitum.com.mx)
by rome.hostgo.com with smtp (Exim 4.43)
id 1Cn0KL-0007W8-JW
for adr...@bekolite.com; Fri, 07 Jan 2005 15:03:22 -0500
Received: from afterthought.adres.nl ([248.174.119.38])
by brenda.adres.nl (Sun Java System Messaging Server 6.1 HotFix 0.03 (built
Aug 25 2004)) with ESMTP id <0Q9R00WS387F...@brenda.adres.nl> for
adr...@bekolite.com; Fri, 07 Jan 2005 13:50:29 -0600 (IST)
Received: from lucrative.goodgirlz.com ([248.104.212.196])
by afterthought.adres.nl
(Sun Java System Messaging Server 6.1 HotFix 0.05 (built Aug 29 2004))
with ESMTP id <0C5V00LX647I...@afterthought.adres.nl> for adr...@bekolite.com
(ORCPT adr...@bekolite.com); Fri, 07 Jan 2005 21:55:29 +0200 (IST)
Date: Fri, 07 Jan 2005 17:58:29 -0200
From: "Elisabeth Lam" <ygemdtrc...@sofcom.com.au>
To: <adr...@bekolite.com>
Subject: Payyless fOr Wnd0ws 2ooo Server
Sender: "Elisabeth Lam" <ygemdtrc...@sofcom.com.au>
Message-ID: <364459645216.EBN69...@lucrative.goodgirlz.com>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="Java.FBWWO.57978303078977925"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <1797928@MPQMG>
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
X-MailScanner-Information: This email message has been scanned for viruses
X-MailScanner-HostGo: Found to be clean
X-Spam-Exim: pCWyj5_c7Tvvutm9wqHEleW6
This is a multi-part message in MIME format.
--Java.FBWWO.57978303078977925
Content-Type:
...