Adding the sample spam email attachment.
On Mon, Aug 07, 2017 at 07:44:39AM -0400, David T. Lewis wrote:
CC box-admins
Hi Marcel,
I am quite sure that our lists are under attack, but as far as I know nothing bad is actually getting distributed to list subscribers.
Which lists do you see this on? I am not seeing anything that reaches the archives on http://lists.squeakfoundation.org/pipermail/ (but maybe someone already deleted things?).
For what it's worth, the vm-dev-owner@lists.squeakfoundation.org address (which is redirected to me) has again been under attack for the last several days. This happened once before (around July 20). Levente reduced the problem by blocking a range of addresses:
http://lists.squeakfoundation.org/pipermail/box-admins/2017-July/002427.html
And the attacks stopped entirely after a week or so, then resumed a few days ago. I am attaching an example of one of the recent spam emails.
I am not sure if this is related to whatever problem you are seeing on forum.world.st, but my assumption is that someone is attempting to gain access to mailing lists in order to use them for distributing spam. Presumably the source is a bot of some kind.
Dave
On Mon, Aug 07, 2017 at 10:41:48AM +0200, Marcel Taeumel wrote:
Hi, there.
Could somebody block this user "pfizerobataborsi" and delete all its postings (Aug 1 - 6)? http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=370...
Same for users "eyangsemar004" and "eyangsemar003": http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=370... http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=370...
Same for user "dion": http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=370...
Same for user "kusmiati88": http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=a13...
Same for user "BASERRR888": http://forum.world.st/template/NamlServlet.jtp?macro=user_nodes&user=a13...
... Wait ... Basically all users that posted on this "global" location here, which dates back to June 5: http://forum.world.st/Smalltalk-f1294792.standard.html
Woah, what's happening? :-/
Best, Marcel
From SRS0=9hiW=7J=lists.squeak.org=mailman-bounces@squeak.org Sun Aug 6 22:49:19 2017
Return-Path: SRS0=9hiW=7J=lists.squeak.org=mailman-bounces@squeak.org Received: from mail.squeak.org (mail.squeak.org [162.242.237.43]) by shell.msen.com (8.14.3/8.14.3) with ESMTP id v772nJ2D079063; Sun, 6 Aug 2017 22:49:19 -0400 (EDT) (envelope-from SRS0=9hiW=7J=lists.squeak.org=mailman-bounces@squeak.org) Received: from localhost (localhost [127.0.0.1]) by mail.squeak.org (Postfix) with ESMTP id 5AED7BD9F0 for lewis@mail.msen.com; Mon, 7 Aug 2017 02:49:13 +0000 (UTC) Received: from mail.squeak.org ([127.0.0.1]) by localhost (mail.squeak.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uuqRI-hyB5s3 for lewis@mail.msen.com; Mon, 7 Aug 2017 02:49:13 +0000 (UTC) Received: from mail.squeak.org (localhost [IPv6:::1]) by mail.squeak.org (Postfix) with ESMTP id 4B4C3BC63C for lewis@mail.msen.com; Mon, 7 Aug 2017 02:49:13 +0000 (UTC) X-Original-To: vm-dev-owner@lists.squeakfoundation.org Delivered-To: vm-dev-owner@mail.squeak.org Received: from localhost (localhost [127.0.0.1]) by mail.squeak.org (Postfix) with ESMTP id 5B754BD9F0 for vm-dev-owner@lists.squeakfoundation.org; Mon, 7 Aug 2017 02:49:12 +0000 (UTC) Received: from mail.squeak.org ([127.0.0.1]) by localhost (mail.squeak.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DCNKtbN7Tchy for vm-dev-owner@lists.squeakfoundation.org; Mon, 7 Aug 2017 02:49:12 +0000 (UTC) Received: from cl68.com (unknown [IPv6:240e:f2:c001:eab6:1885:1ccf:2215:7cda]) by mail.squeak.org (Postfix) with ESMTP id 5048ABC63C for vm-dev-owner@lists.squeakfoundation.org; Mon, 7 Aug 2017 02:49:11 +0000 (UTC) MIME-Version: 1.0 Date: Mon, 07 Aug 2017 10:49:05 +0800 Message-ID: 875a72865f1358a5@8f5598c8031dbf91 Subject: =?utf-8?Q?------=E9=9A=A9=E9=97=A8=E5=A8=81=E5=B0=BC=E6=96=AF=E4=BA=BA=E5=AE=98=E7=BD=91336468=E3=80=82C0M=E9=82=80=E6=82=A8=E4=BD=8F=E5=86=8A=E5=B6=BA=E2=91=B6?= 
=?utf-8?Q?=E2=92=8F=E7=80=9B38O=E6=8F=90=E7=8E=B0=EE=A0=BE=E4=BC=BD=E7=A2=A6=E6=9C=8D=E6=89=A3:2855592926=E5=B6=BA=EE=A0=BE=E7=BA=A2=E5=AE=9D=E5=A4=A9=E5=A4=A9=E6=8A=A2?= =?utf-8?Q?=EE=A0=BE=EE=A0=BE=E5=91=A8=E5=91=A8=E9=A2=86=E5=B7=A5=E8=B5=80=EE=A0=BE=E6=9C=88=E6=9C=88=E7=BB=99=E4=BF=B8=E7=A6=84=EF=BC=8C=E5=85=A5=E7=AA=BE=E9=A4=B82%=E9=A6=96=E5=AD=98=E5=8F=AF=E8=8E=B7=E6=9C=80=E9=AB=983888=E5=85=83?= =?utf-8?Q?=EE=A0=BE-----?= To: vm-dev-owner@lists.squeakfoundation.org Received: from cl68.com (unknown (247.81.36.233]) by cl68.com with SMTP id 6bb1d819-dd40-4468-9bd1-6e016a726446; for vm-dev-owner@lists.squeakfoundation.org; Mon, 07 Aug 2017 10:49:05 +08:00 From: =?utf-8?Q?=E6=88=90=E5=BF=A0?= 824498549@qq.com Content-Type: multipart/alternative; boundary="f763a86d-162b-4b5f-bece-83f669b2bb79" Errors-To: mailman-bounces@lists.squeak.org Sender: "Vm-dev" mailman-bounces@lists.squeak.org Received-SPF: Pass; receiver=msen.com; client-ip=162.242.237.43; envelope-from=SRS0=9hiW=7J=lists.squeak.org=mailman-bounces@squeak.org Received-SPF: Pass; receiver=msen.com; client-ip=162.242.237.43; helo=mail.squeak.org X-Keywords: X-UID: 3332 Status: RO Content-Length: 220 Lines: 7
--f763a86d-162b-4b5f-bece-83f669b2bb79 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable
<p>=e8=bb=ba=e6=a5=82=e5=94=af=e6=a4=92=e8=96=88</p> --f763a86d-162b-4b5f-bece-83f669b2bb79--
I suppose we could stop this kind of spam with greylisting. Optionally we might skip greylisting if the sender has a valid SPF record (PASS only (+)). We should also reject all emails which FAIL (-) the SPF check. And perhaps do the same to SOFTFAIL (~) as well, since we don't use tags.
Levente
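The policy proposed in the message above (reject SPF FAIL and optionally SOFTFAIL, let SPF PASS skip greylisting, greylist everything else), sketched as an added example; it is not code from this thread or from the list server's configuration. The class and function names, the 300-second delay, the /24 and /64 grouping and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GreylistPolicy:
    """SPF gate first, then greylisting for everything that is not a PASS."""
    delay: int = 300               # assumed: seconds a new triplet must wait
    reject_softfail: bool = True   # the "perhaps SOFTFAIL as well" option
    seen: dict = field(default_factory=dict)  # triplet -> first-seen time

    @staticmethod
    def network(client_ip: str) -> str:
        # Assumption: key on /24 (IPv4) or /64 (IPv6) so a legitimate
        # sender retrying from a neighbouring address still matches.
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def decide(self, now, client_ip, mail_from, rcpt_to, spf):
        spf = spf.lower()
        if spf == "fail" or (spf == "softfail" and self.reject_softfail):
            return "REJECT"        # permanent 5xx, never greylisted
        if spf == "pass":
            return "ACCEPT"        # valid SPF skips greylisting
        # none / neutral / temperror / permerror: greylist the triplet.
        key = (self.network(client_ip), mail_from.lower(), rcpt_to.lower())
        first_seen = self.seen.setdefault(key, now)
        if now - first_seen < self.delay:
            return "DEFER"         # temporary 4xx; real MTAs retry later
        return "ACCEPT"


# Constructed sample events: (time, client IP, MAIL FROM, RCPT TO, SPF result)
OWNER = "list-owner@lists.example"
EVENTS = [
    (0,   "2001:db8:1::25", "promo@bulk.example",  OWNER, "none"),
    (10,  "192.0.2.10",     "dev@good.example",    OWNER, "pass"),
    (20,  "198.51.100.7",   "x@forged.example",    OWNER, "fail"),
    (25,  "198.51.100.8",   "y@soft.example",      OWNER, "softfail"),
    (30,  "2001:db8:1::25", "promo@bulk.example",  OWNER, "none"),
    (400, "2001:db8:1::99", "promo@bulk.example",  OWNER, "none"),
]


def replay(events, policy=None):
    """Run events through one policy instance and return the decisions."""
    policy = policy or GreylistPolicy()
    return [policy.decide(*event) for event in events]


if __name__ == "__main__":
    for event, action in zip(EVENTS, replay(EVENTS)):
        print(action, *event)
```

An SPF PASS only authenticates the envelope domain, so a sender that publishes its own SPF record skips the delay. Greylisting helps only against senders that never retry, which is why the retry after the delay in the last event is accepted.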
To me it is just an annoyance, just as long as it is not affecting the normal list subscribers. So if there is an easy fix that's great, but please do not put a lot of effort into it just for me.
But I think that Tobias must be seeing some other problems on forum.world.st?
Dave
On Mon, Aug 07, 2017 at 03:05:27PM +0200, Levente Uzonyi wrote:
I suppose we could stop this kind of spam with greylisting. Optionally we might skip greylisting if the sender has a valid SPF record (PASS only (+)). We should also reject all emails which FAIL (-) the SPF check. And perhaps do the same to SOFTFAIL (~) as well, since we don't use tags.
Levente
box-admins@lists.squeakfoundation.org