-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/08/15 23:09, Fabian Arrotin wrote:
> On 25/08/15 20:39, Alice Wonder wrote:
>> julie70773 [at] loverhearts.com
>
>> Responded off-list to message on the list, spam with content
>> that is not suitable for minors.
>
>> It is possible subscribed under different address.
>
>> IP of offending spam :
>
>> Received: from mx2.loverhearts.com (mx2.loverhearts.com
>> [45.55.128.151]) (using TLSv1.2 with cipher
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
>> certificate requested) by mail.domblogger.net (Postfix) with
>> ESMTPS id C4871C5B for <alice at domblogger.net>; Tue, 25 Aug 2015
>> 18:29:11 +0000 (UTC)
>
> Thanks for the notification, and for not having forwarded the mail
> to the list (which some people did on other lists ...) Please note
> that such user (or multiple ones from that domain) isn't/aren't
> subscribed to the list. In fact, I see a bunch of mails rejected at
> our level, from that domain, but from a *bunch* of different IP
> addresses, and so directly bounced back .. It seems someone/some
> bot is tracking the mail lists and answering to both the reply-to
> *and* the originator (but bounced by mailman, so no mail on the
> list[s])
>
> Under investigation to see how to help stopping the flood, even if
> not originating from/passing through the centos.org servers ...
>

Just a quick status update : we've identified (from the mails
bounced/rejected by our server) 14 IPs addresses used to send those
mails. All those IPs are originating from DigitalOcean, so we reported
the abuse so that they can investigate on their side.

Cheers,

- --
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlXdWL0ACgkQnVkHo1a+xU4ylgCfcJcHdOw1vhUtmfUYiFWpefji
yhcAnRChmlbYNG8efqx9uZZCrOWpqtD1
=VvHI
-----END PGP SIGNATURE-----

On Wed, August 26, 2015 1:12 am, Fabian Arrotin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 25/08/15 23:09, Fabian Arrotin wrote:
>> On 25/08/15 20:39, Alice Wonder wrote:
>>> julie70773 [at] loverhearts.com
>>
>>> Responded off-list to message on the list, spam with content
>>> that is not suitable for minors.
>>
>>> It is possible subscribed under different address.
>>
>>> IP of offending spam :
>>
>>> Received: from mx2.loverhearts.com (mx2.loverhearts.com
>>> [45.55.128.151]) (using TLSv1.2 with cipher
>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
>>> certificate requested) by mail.domblogger.net (Postfix) with
>>> ESMTPS id C4871C5B for <alice at domblogger.net>; Tue, 25 Aug 2015
>>> 18:29:11 +0000 (UTC)
>>
>> Thanks for the notification, and for not having forwarded the mail
>> to the list (which some people did on other lists ...) Please note
>> that such user (or multiple ones from that domain) isn't/aren't
>> subscribed to the list. In fact, I see a bunch of mails rejected at
>> our level, from that domain, but from a *bunch* of different IP
>> addresses, and so directly bounced back .. It seems someone/some
>> bot is tracking the mail lists and answering to both the reply-to
>> *and* the originator (but bounced by mailman, so no mail on the
>> list[s])
>>
>> Under investigation to see how to help stopping the flood, even if
>> not originating from/passing through the centos.org servers ...
>>
>
> Just a quick status update : we've identified (from the mails
> bounced/rejected by our server) 14 IPs addresses used to send those
> mails. All those IPs are originating from DigitalOcean, so we reported
> the abuse so that they can investigate on their side.
>

Thanks a lot! The most difficult part of this I noticed is to make sure they responded with report of what discovered and which actions were taken, and if this didn't happen to have the whole block of IPs registered to them blocked off (at least this is what I am doing where I can).

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

----- Original Message -----
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| On 25/08/15 23:09, Fabian Arrotin wrote:
| > On 25/08/15 20:39, Alice Wonder wrote:
| >> julie70773 [at] loverhearts.com
| >
| >> Responded off-list to message on the list, spam with content
| >> that is not suitable for minors.
| >
| >> It is possible subscribed under different address.
| >
| >> IP of offending spam :
| >
| >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
| >> [45.55.128.151]) (using TLSv1.2 with cipher
| >> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
| >> certificate requested) by mail.domblogger.net (Postfix) with
| >> ESMTPS id C4871C5B for <alice at domblogger.net>; Tue, 25 Aug 2015
| >> 18:29:11 +0000 (UTC)
| >
| > Thanks for the notification, and for not having forwarded the mail
| > to the list (which some people did on other lists ...) Please note
| > that such user (or multiple ones from that domain) isn't/aren't
| > subscribed to the list. In fact, I see a bunch of mails rejected at
| > our level, from that domain, but from a *bunch* of different IP
| > addresses, and so directly bounced back .. It seems someone/some
| > bot is tracking the mail lists and answering to both the reply-to
| > *and* the originator (but bounced by mailman, so no mail on the
| > list[s])
| >
| > Under investigation to see how to help stopping the flood, even if
| > not originating from/passing through the centos.org servers ...
| >
|
| Just a quick status update : we've identified (from the mails
| bounced/rejected by our server) 14 IPs addresses used to send those
| mails. All those IPs are originating from DigitalOcean, so we reported
| the abuse so that they can investigate on their side.
|
| Cheers,
|
| - --
| Fabian Arrotin
| The CentOS Project | http://www.centos.org
| gpg key: 56BEC54E | twitter: @arrfab
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v2.0.22 (GNU/Linux)
|
| iEYEARECAAYFAlXdWL0ACgkQnVkHo1a+xU4ylgCfcJcHdOw1vhUtmfUYiFWpefji
| yhcAnRChmlbYNG8efqx9uZZCrOWpqtD1
| =VvHI
| -----END PGP SIGNATURE-----
| _______________________________________________
| CentOS mailing list
| CentOS at centos.org
| http://lists.centos.org/mailman/listinfo/centos
|

I told my wife (yes awkward) that I thought that the list would be removing content of this type (images), since likely it is of little value to the list for helping people. I was shocked (for many reasons) that it is not.

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 604-365-6432
Fax : 778-782-3045
E-Mail : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology

On 8/26/2015 10:55 AM, James A. Peltier wrote:
> I told my wife (yes awkward) that I thought that the list would be removing content of this type (images), since likely it is of little value to the list for helping people. I was shocked (for many reasons) that it is not.

the spammer was NOT emailing via the listserver. rather, they have a different account (or more than one) subscribed, and it was replying directly to list posters using the spammer's own network of email servers.

--
john r pierce, recycling bits in santa cruz

On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
>
>
> ----- Original Message -----
> | -----BEGIN PGP SIGNED MESSAGE-----
> | Hash: SHA1
> |
> | On 25/08/15 23:09, Fabian Arrotin wrote:
> | > On 25/08/15 20:39, Alice Wonder wrote:
> | >> julie70773 [at] loverhearts.com
> | >
> | >> Responded off-list to message on the list, spam with content
> | >> that is not suitable for minors.
> | >
> | >> It is possible subscribed under different address.
> | >
> | >> IP of offending spam :
> | >
> | >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
> | >> [45.55.128.151]) (using TLSv1.2 with cipher

As you see from this your header spam was not delivered through centos mail list, but comes from one of the IPs of digitalocean.com IP block: 45.55.0.0/16. As Fabian told centos mail list server admins contacted digitalocean.com about abuse (even though indirect, but with apparent misuse of centos list servers for collecting e-mails of posters). And the moment I received my copy of this spam _after_ Fabian mentioned they contacted digitalocean.com, I just blocked mail from their block of IP addresses (45.55.0.0/16) on my servers as digitalocean apparently didn't react to abuse notice promptly. Others may want to do the same, thus we will pass the message with all seriousness to digitalocean.com.

Just my $0.02

Valeri

> | >> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
> | >> certificate requested) by mail.domblogger.net (Postfix) with
> | >> ESMTPS id C4871C5B for <alice at domblogger.net>; Tue, 25 Aug 2015
> | >> 18:29:11 +0000 (UTC)
> | >
> | > Thanks for the notification, and for not having forwarded the mail
> | > to the list (which some people did on other lists ...) Please note
> | > that such user (or multiple ones from that domain) isn't/aren't
> | > subscribed to the list. In fact, I see a bunch of mails rejected at
> | > our level, from that domain, but from a *bunch* of different IP
> | > addresses, and so directly bounced back .. It seems someone/some
> | > bot is tracking the mail lists and answering to both the reply-to
> | > *and* the originator (but bounced by mailman, so no mail on the
> | > list[s])
> | >
> | > Under investigation to see how to help stopping the flood, even if
> | > not originating from/passing through the centos.org servers ...
> | >
> |
> | Just a quick status update : we've identified (from the mails
> | bounced/rejected by our server) 14 IPs addresses used to send those
> | mails. All those IPs are originating from DigitalOcean, so we reported
> | the abuse so that they can investigate on their side.
> |
> | Cheers,
> |
> | - --
> | Fabian Arrotin
> | The CentOS Project | http://www.centos.org
> | gpg key: 56BEC54E | twitter: @arrfab
> | -----BEGIN PGP SIGNATURE-----
> | Version: GnuPG v2.0.22 (GNU/Linux)
> |
> | iEYEARECAAYFAlXdWL0ACgkQnVkHo1a+xU4ylgCfcJcHdOw1vhUtmfUYiFWpefji
> | yhcAnRChmlbYNG8efqx9uZZCrOWpqtD1
> | =VvHI
> | -----END PGP SIGNATURE-----
> | _______________________________________________
> | CentOS mailing list
> | CentOS at centos.org
> | http://lists.centos.org/mailman/listinfo/centos
> |
>
> I told my wife (yes awkward) that I thought that the list would be
> removing content of this type (images), since likely it is of little value
> to the list for helping people. I was shocked (for many reasons) that it
> is not.
>
> --
> James A. Peltier
> IT Services - Research Computing Group
> Simon Fraser University - Burnaby Campus
> Phone : 604-365-6432
> Fax : 778-782-3045
> E-Mail : jpeltier at sfu.ca
> Website : http://www.sfu.ca/itservices
> Twitter : @sfu_rcg
> Powering Engagement Through Technology
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
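
Added example, not part of any message in this thread: a Python sketch of the check described above, reading the connecting IP from the Received header stamped by the recipient's own MX and testing it against a locally blocked network. The function names, the `relay.example` header and the 192.0.2.10 address are constructed for illustration; the first Received header and 45.55.0.0/16 are the ones quoted in the thread.

```python
import email
import ipaddress
import re

# 45.55.0.0/16 is the block named in the thread; extend the list as needed.
BLOCKED_NETS = [ipaddress.ip_network("45.55.0.0/16")]

# Constructed sample. The first Received header is the one quoted in the
# thread; the second is invented to stand in for sender-supplied trace data.
SAMPLE = """\
Received: from mx2.loverhearts.com (mx2.loverhearts.com
 [45.55.128.151]) (using TLSv1.2 with cipher
 ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
 certificate requested) by mail.domblogger.net (Postfix) with
 ESMTPS id C4871C5B for <alice at domblogger.net>; Tue, 25 Aug 2015
 18:29:11 +0000 (UTC)
Received: from relay.example (relay.example [192.0.2.10])
 by mx2.loverhearts.com with ESMTP; Tue, 25 Aug 2015 18:29:05 +0000
Subject: constructed sample

body
"""

_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
_PEER = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def connecting_ip(raw_message, our_mx):
    """Return the peer address recorded by our own MX, or None.

    Headers are read top-down and only the first one stamped by `our_mx`
    is used: everything below it arrived with the message and can be forged.
    """
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())  # unfold continuation lines
        by = _BY.search(flat)
        if by and by.group(1).lower() == our_mx.lower():
            peer = _PEER.search(flat[:by.start()])  # "from ..." part only
            try:
                return ipaddress.ip_address(peer.group(1)) if peer else None
            except ValueError:
                return None
    return None


def is_blocked(ip, nets=BLOCKED_NETS):
    """True if the address falls inside any locally blocked network."""
    return ip is not None and any(ip in net for net in nets)
```
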

On Wed, 2015-08-26 at 09:53 -0500, Valeri Galtsev wrote:
> Thanks a lot! The most difficult part of this I noticed is to make sure
> they responded with report of what discovered and which actions were
> taken, and if this didn't happen to have the whole block of IPs registered
> to them blocked off (at least this is what I am doing where I can).

(1) Not all complaints about spam are acknowledged.

(2) Usually no information is provided on what, specifically, was done to rectify the problem.

I run Exim on C5 and C6.

If there is

(something wrong with the sender's host name including no rDNS) +
(sender's HELO/EHLO name defective) +
(recipient is non-existent or sender is defective)

blocked at the firewall until the end of the month.

Monthly if there are no more attempts, meaning the count is zero, then the IP is removed from the monthly banned list else the count is reset to zero (flushed -F) and ignored until reinspected at the next month's end.

I have other anti-junk defences including rejecting spammers' hosts. We received a junk email once every 6 to 12 weeks.

I am NOT going to be a willing victim of spam.

--
Regards,

Paul.
England, EU. England's place is in the European Union.