[Box-Admins] [Board] Recent spam on the lists

Levente Uzonyi leves at caesar.elte.hu
Mon Aug 7 13:05:27 UTC 2017


I suppose we could stop this kind of spam with greylisting. Optionally 
we might skip greylisting if the sender has a valid SPF record (PASS 
only (+)).
We should also reject all emails which FAIL (-) the SPF check. And 
perhaps do the same to SOFTFAIL (~) as well, since we don't use tags.

Levente

On Mon, 7 Aug 2017, David T. Lewis wrote:

> Adding the sample spam email attachment.
>
> On Mon, Aug 07, 2017 at 07:44:39AM -0400, David T. Lewis wrote:
>> CC box-admins
>>
>> Hi Marcel,
>>
>> I am quite sure that our lists are under attack, but as far as I know nothing
>> bad is actually getting distributed to list subscribers.
>>
>> Which lists do you see this on? I am not seeing anything that reaches the archives
>> on http://lists.squeakfoundation.org/pipermail/ (but maybe someone already
>> deleted things?).
>>
>> For what it's worth, the vm-dev-owner at lists.squeakfoundation.org address (which
>> is redirected to me) has again been under attack for the last several days. This
>> happened once before (around July 20). Levente reduced the problem by blocking
>> a range of addresses:
>>
>>   http://lists.squeakfoundation.org/pipermail/box-admins/2017-July/002427.html
>>
>> And the attacks stopped entirely after a week or so, then resumed a few days ago.
>> I am attaching an example of one of the recent spam emails.
>>
>> I am not sure if this is related to whatever problem you are seeing on forum.world.st,
>> but my assumption is that someone is attempting to gain access to mailing lists
>> in order to use them for distributing spam. Presumably the source is a bot of
>> some kind.
>>
>> Dave
>>
>>
>> On Mon, Aug 07, 2017 at 10:41:48AM +0200, Marcel Taeumel wrote:
>>> Hi, there.
>>>
>>> Could somebody block this user "pfizerobataborsi" and delete all its postings (Aug 1 - 6)?
>>> http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=370940
>>>
>>> Same for users "eyangsemar004" and "eyangsemar003":
>>> http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=370954
>>> http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=370946
>>>
>>> Same for user "dion":
>>> http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=370800
>>>
>>> Same for user "kusmiati88":
>>> http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=a135323403%7Ekusmiati88
>>>
>>> Same for user "BASERRR888":
>>> http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=a135289409%7EBASERRR888
>>>
>>> ... Wait ... Basically all users that posted on this "global" location here, which dates back to June 5:
>>> http://forum.world.st/Smalltalk-f1294792.standard.html
>>>
>>> Woah, what's happening? :-/
>>>
>>> Best,
>>> Marcel
>
>>> From SRS0=9hiW=7J=lists.squeak.org=mailman-bounces at squeak.org  Sun Aug  6 22:49:19 2017
>> Return-Path: <SRS0=9hiW=7J=lists.squeak.org=mailman-bounces at squeak.org>
>> Received: from mail.squeak.org (mail.squeak.org [162.242.237.43])
>> 	by shell.msen.com (8.14.3/8.14.3) with ESMTP id v772nJ2D079063;
>> 	Sun, 6 Aug 2017 22:49:19 -0400 (EDT)
>> 	(envelope-from SRS0=9hiW=7J=lists.squeak.org=mailman-bounces at squeak.org)
>> Received: from localhost (localhost [127.0.0.1])
>> 	by mail.squeak.org (Postfix) with ESMTP id 5AED7BD9F0
>> 	for <lewis at mail.msen.com>; Mon,  7 Aug 2017 02:49:13 +0000 (UTC)
>> Received: from mail.squeak.org ([127.0.0.1])
>> 	by localhost (mail.squeak.org [127.0.0.1]) (amavisd-new, port 10024)
>> 	with ESMTP id uuqRI-hyB5s3 for <lewis at mail.msen.com>;
>> 	Mon,  7 Aug 2017 02:49:13 +0000 (UTC)
>> Received: from mail.squeak.org (localhost [IPv6:::1])
>> 	by mail.squeak.org (Postfix) with ESMTP id 4B4C3BC63C
>> 	for <lewis at mail.msen.com>; Mon,  7 Aug 2017 02:49:13 +0000 (UTC)
>> X-Original-To: vm-dev-owner at lists.squeakfoundation.org
>> Delivered-To: vm-dev-owner at mail.squeak.org
>> Received: from localhost (localhost [127.0.0.1])
>>  by mail.squeak.org (Postfix) with ESMTP id 5B754BD9F0
>>  for <vm-dev-owner at lists.squeakfoundation.org>;
>>  Mon,  7 Aug 2017 02:49:12 +0000 (UTC)
>> Received: from mail.squeak.org ([127.0.0.1])
>>  by localhost (mail.squeak.org [127.0.0.1]) (amavisd-new, port 10024)
>>  with ESMTP id DCNKtbN7Tchy
>>  for <vm-dev-owner at lists.squeakfoundation.org>;
>>  Mon,  7 Aug 2017 02:49:12 +0000 (UTC)
>> Received: from cl68.com (unknown [IPv6:240e:f2:c001:eab6:1885:1ccf:2215:7cda])
>>  by mail.squeak.org (Postfix) with ESMTP id 5048ABC63C
>>  for <vm-dev-owner at lists.squeakfoundation.org>;
>>  Mon,  7 Aug 2017 02:49:11 +0000 (UTC)
>> MIME-Version: 1.0
>> Date: Mon, 07 Aug 2017 10:49:05 +0800
>> Message-ID: <875a72865f1358a5 at 8f5598c8031dbf91>
>> Subject: =?utf-8?Q?------=E9=9A=A9=E9=97=A8=E5=A8=81=E5=B0=BC=E6=96=AF=E4=BA=BA=E5=AE=98=E7=BD=91336468=E3=80=82C0M=E9=82=80=E6=82=A8=E4=BD=8F=E5=86=8A=E5=B6=BA=E2=91=B6?=
>>  =?utf-8?Q?=E2=92=8F=E7=80=9B38O=E6=8F=90=E7=8E=B0=EE=A0=BE=E4=BC=BD=E7=A2=A6=E6=9C=8D=E6=89=A3:2855592926=E5=B6=BA=EE=A0=BE=E7=BA=A2=E5=AE=9D=E5=A4=A9=E5=A4=A9=E6=8A=A2?=
>>  =?utf-8?Q?=EE=A0=BE=EE=A0=BE=E5=91=A8=E5=91=A8=E9=A2=86=E5=B7=A5=E8=B5=80=EE=A0=BE=E6=9C=88=E6=9C=88=E7=BB=99=E4=BF=B8=E7=A6=84=EF=BC=8C=E5=85=A5=E7=AA=BE=E9=A4=B82%=E9=A6=96=E5=AD=98=E5=8F=AF=E8=8E=B7=E6=9C=80=E9=AB=983888=E5=85=83?=
>>  =?utf-8?Q?=EE=A0=BE-----?=
>> To: vm-dev-owner at lists.squeakfoundation.org
>> Received: from cl68.com (unknown (247.81.36.233])
>>  by cl68.com with SMTP id 6bb1d819-dd40-4468-9bd1-6e016a726446;
>>  for <vm-dev-owner at lists.squeakfoundation.org>; Mon, 07 Aug 2017 10:49:05 +08:00
>> From: =?utf-8?Q?=E6=88=90=E5=BF=A0?= <824498549 at qq.com>
>> Content-Type: multipart/alternative;
>>  boundary="f763a86d-162b-4b5f-bece-83f669b2bb79"
>> Errors-To: mailman-bounces at lists.squeak.org
>> Sender: "Vm-dev" <mailman-bounces at lists.squeak.org>
>> Received-SPF: Pass; receiver=msen.com; client-ip=162.242.237.43; envelope-from=<SRS0=9hiW=7J=lists.squeak.org=mailman-bounces at squeak.org>
>> Received-SPF: Pass; receiver=msen.com; client-ip=162.242.237.43; helo=mail.squeak.org
>> X-Keywords:
>> X-UID: 3332
>> Status: RO
>> Content-Length: 220
>> Lines: 7
>>
>> --f763a86d-162b-4b5f-bece-83f669b2bb79
>> Content-Type: text/html;
>> 	charset="utf-8"
>> Content-Transfer-Encoding: quoted-printable
>>
>> <p>=e8=bb=ba=e6=a5=82=e5=94=af=e6=a4=92=e8=96=88</p>
>> --f763a86d-162b-4b5f-bece-83f669b2bb79--
>>
>
>
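
The policy proposed at the top of this message (reject SPF FAIL, optionally reject SOFTFAIL, skip greylisting on PASS, greylist everything else), sketched as a decision function. This is an added example, not part of the original thread and not the configuration used on mail.squeak.org. The class name, the 300-second delay and all addresses are assumptions made up for illustration, and the SPF result is assumed to be supplied by an SPF checker running before this step; the returned strings are Postfix access(5) actions.

```python
import time

# Postfix access(5) actions returned to the MTA by a policy service.
ACCEPT_SO_FAR = "DUNNO"  # no objection; later restrictions still apply
GREYLISTED = "DEFER_IF_PERMIT Greylisted, please retry later"


class ListSpamPolicy:
    """SPF-gated greylisting (hypothetical class, constructed for this example)."""

    def __init__(self, delay=300, reject_softfail=True, clock=time.time):
        self.delay = delay                    # seconds a new triplet must wait (assumed)
        self.reject_softfail = reject_softfail
        self.clock = clock                    # injectable so the logic can be tested
        self.first_seen = {}                  # (client, sender, rcpt) -> first attempt time

    def decide(self, client_ip, sender, recipient, spf_result):
        spf = spf_result.strip().lower()
        # FAIL (-) is always rejected; SOFTFAIL (~) only if configured.
        if spf == "fail" or (spf == "softfail" and self.reject_softfail):
            return "REJECT SPF check result: " + spf
        # PASS (+) skips greylisting entirely.
        if spf == "pass":
            return ACCEPT_SO_FAR
        # Everything else (none, neutral, temperror, permerror, tolerated
        # softfail) is greylisted on the classic triplet.
        key = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            return GREYLISTED
        return ACCEPT_SO_FAR


def demo():
    """Replay constructed delivery attempts against a fake clock."""
    t = [0.0]
    policy = ListSpamPolicy(delay=300, clock=lambda: t[0])
    rcpt = "list-owner@example.org"           # constructed addresses and IPs
    out = []
    out.append(policy.decide("2001:db8::25", "bot@example.net", rcpt, "fail"))
    out.append(policy.decide("2001:db8::26", "user@example.com", rcpt, "pass"))
    out.append(policy.decide("2001:db8::27", "new@example.net", rcpt, "none"))
    t[0] = 600.0                              # a real MTA retries after the delay
    out.append(policy.decide("2001:db8::27", "new@example.net", rcpt, "none"))
    return out


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The greylisted sender is accepted only on a retry after the delay, which a queueing MTA does on its own and a fire-and-forget spam bot typically does not.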

