On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
>
>
> ----- Original Message -----
> | -----BEGIN PGP SIGNED MESSAGE-----
> | Hash: SHA1
> |
> | On 25/08/15 23:09, Fabian Arrotin wrote:
> | > On 25/08/15 20:39, Alice Wonder wrote:
> | >> julie70773 [at] loverhearts.com
> | >
> | >> Responded off-list to message on the list, spam with content
> | >> that is not suitable for minors.
> | >
> | >> It is possible subscribed under different address.
> | >
> | >> IP of offending spam :
> | >
> | >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
> | >> [45.55.128.151]) (using TLSv1.2 with cipher

As you see from this your header spam was not delivered through
centos mail list, but comes from one of the IPs of digitalocean.com
IP block: 45.55.0.0/16. As Fabian told centos mail list server
admins contacted digitalocean.com about abuse (even though
indirect, but with apparent misuse of centos list servers for
collecting e-mails of posters). And the moment I received my copy
of this spam _after_ Fabian mentioned they contacted
digitalocean.com, I just blocked mail from their block of IP
addresses (45.55.0.0/16) on my servers as digitalocean apparently
didn't react to abuse notice promptly. Others may want to do the
same, thus we will pass the message with all seriousness to
digitalocean.com.

Just my $0.02

Valeri

> | >> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
> | >> certificate requested) by mail.domblogger.net (Postfix) with
> | >> ESMTPS id C4871C5B for <alice at domblogger.net>; Tue, 25 Aug 2015
> | >> 18:29:11 +0000 (UTC)
> | >
> | > Thanks for the notification, and for not having forwarded the mail
> | > to the list (which some people did on other lists ...) Please note
> | > that such user (or multiple ones from that domain) isn't/aren't
> | > subscribed to the list. In fact, I see a bunch of mails rejected at
> | > our level, from that domain, but from a *bunch* of different IP
> | > addresses, and so directly bounced back .. It seems someone/some
> | > bot is tracking the mail lists and answering to both the reply-to
> | > *and* the originator (but bounced by mailman, so no mail on the
> | > list[s])
> | >
> | > Under investigation to see how to help stopping the flood, even if
> | > not originating from/passing through the centos.org servers ...
> | >
> |
> | Just a quick status update : we've identified (from the mails
> | bounced/rejected by our server) 14 IPs addresses used to send those
> | mails. All those IPs are originating from DigitalOcean, so we reported
> | the abuse so that they can investigate on their side.
> |
> | Cheers,
> |
> | - --
> | Fabian Arrotin
> | The CentOS Project | http://www.centos.org
> | gpg key: 56BEC54E | twitter: @arrfab
> | -----BEGIN PGP SIGNATURE-----
> | Version: GnuPG v2.0.22 (GNU/Linux)
> |
> | iEYEARECAAYFAlXdWL0ACgkQnVkHo1a+xU4ylgCfcJcHdOw1vhUtmfUYiFWpefji
> | yhcAnRChmlbYNG8efqx9uZZCrOWpqtD1
> | =VvHI
> | -----END PGP SIGNATURE-----
> | _______________________________________________
> | CentOS mailing list
> | CentOS at centos.org
> | http://lists.centos.org/mailman/listinfo/centos
> |
>
> I told my wife (yes awkward) that I thought that the list would be
> removing content of this type (images), since likely it is of little value
> to the list for helping people. I was shocked (for many reasons) that it
> is not.
>
> --
> James A. Peltier
> IT Services - Research Computing Group
> Simon Fraser University - Burnaby Campus
> Phone : 604-365-6432
> Fax : 778-782-3045
> E-Mail : jpeltier at sfu.ca
> Website : http://www.sfu.ca/itservices
> Twitter : @sfu_rcg
> Powering Engagement Through Technology
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 08/26/15 13:11, Valeri Galtsev wrote:
> On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
<<>>

something no one seems to have mentioned, so i will..

>> | >> Received: from mx2.loverhearts.com (mx2.loverhearts.com

loverhearts.com is a single page that seems to do nothing. and there is
nothing in page source to do anything.

validator.w3.org shows 1 error and 1 warning showing that page was
poorly written.

so the only harm is spam, which i now have going to my Junk folder.

so, to all of you, i pass along a much more loving 'love' link;

http://lovehearts.com

enjoy.

--

peace out.

If Bill Gates got a dime for every time Windows crashes...
...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.

CentOS GNU/Linux 6.6

tc,hago.

g
.
On 08/26/2015 12:11 PM, g wrote:
>
>
> On 08/26/15 13:11, Valeri Galtsev wrote:
>> On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
> <<>>
>
> something no one seems to have mentioned, so i will..
>
>>> | >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
>
> loverhearts.com is a single page that seems to do nothing. and there is
> nothing in page source to do anything.
>
> validator.w3.org shows 1 error and 1 warning showing that page was
> poorly written.
>
> so the only harm is spam, which i now have going to my Junk folder.
>
> so, to all of you, i pass along a much more loving 'love' link;
>
> http://lovehearts.com
>
> enjoy.
>
>

If you look at the SPF record for loverhearts.com (where they are coming
from for me) there are a whole slew of servers permitted to send on their
behalf. So I took all those IP addresses specified and added them to my
blacklist. It appears spammers are learning that SPF records can be a path
to filter avoidance. Maybe I'll start blocking any server with an SPF
record that includes more than 5 IP addresses, or servers where any host in
the SPF record is in a DNS blacklist.
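The two SPF heuristics floated in the message above (more than 5 authorised IP addresses, or an authorised host that is on a blacklist), as an added example that is not part of the thread. The SPF record and blocklist are constructed samples, `analyse_spf` and `MAX_ADDRESSES` are hypothetical names, and a static network list stands in for a DNS blacklist query so the code runs offline.

```python
import ipaddress

MAX_ADDRESSES = 5  # threshold floated in the post; an assumption to tune

# Constructed sample record and blocklist (documentation address ranges).
SAMPLE = ("v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ip4:198.51.100.0/28 "
          "ip4:203.0.113.5 ip4:203.0.113.6 ip6:2001:db8::/64 "
          "include:_spf.example.net ~all")
BLOCKLIST = ("203.0.113.0/24",)


def analyse_spf(txt, blocklist=()):
    """Summarise the senders one SPF TXT record authorises, without DNS lookups."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, unresolved = [], []
    for term in terms[1:]:
        term = term.lstrip("+-~?")             # drop the qualifier
        if "=" in term.split(":")[0]:          # modifier such as redirect=
            if term.lower().startswith("redirect="):
                unresolved.append(term)
            continue
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()      # "a/24" -> "a"
        if name in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(value, strict=False))
        elif name in ("include", "a", "mx", "exists", "ptr"):
            unresolved.append(term)            # needs DNS to expand
    blocked = [ipaddress.ip_network(b) for b in blocklist]
    listed = [str(n) for n in nets
              if any(n.version == b.version and n.overlaps(b) for b in blocked)]
    total = sum(n.num_addresses for n in nets)
    return {"addresses": total, "too_broad": total > MAX_ADDRESSES,
            "listed": listed, "unresolved": unresolved}


if __name__ == "__main__":
    print(analyse_spf(SAMPLE, BLOCKLIST))
```

Terms reported under `unresolved` are not expanded, so `addresses` is a lower bound; large legitimate senders also publish wide SPF records, so the threshold is better used as a scoring signal than as a hard reject.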
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26/08/15 20:11, Valeri Galtsev wrote:
>
> On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
>>
>>
>> ----- Original Message ----- | -----BEGIN PGP SIGNED
>> MESSAGE----- | Hash: SHA1 | | On 25/08/15 23:09, Fabian Arrotin
>> wrote: | > On 25/08/15 20:39, Alice Wonder wrote: | >> julie70773
>> [at] loverhearts.com | > | >> Responded off-list to message on
>> the list, spam with content | >> that is not suitable for
>> minors. | > | >> It is possible subscribed under different
>> address. | > | >> IP of offending spam : | > | >> Received: from
>> mx2.loverhearts.com (mx2.loverhearts.com | >> [45.55.128.151])
>> (using TLSv1.2 with cipher
>
> As you see from this your header spam was not delivered through
> centos mail list, but comes from one of the IPs of digitalocean.com
> IP block: 45.55.0.0/16. As Fabian told centos mail list server
> admins contacted digitalocean.com about abuse (even though
> indirect, but with apparent misuse of centos list servers for
> collecting e-mails of posters). And the moment I received my copy
> of this spam _after_ Fabian mentioned they contacted
> digitalocean.com, I just blocked mail from their block of IP
> addresses (45.55.0.0/16) on my servers as digitalocean apparently
> didn't react to abuse notice promptly. Others may want to do the
> same, thus we will pass the message with all seriousness to
> digitalocean.com.
>
> Just my $0.02
>
> Valeri

Still no news from DigitalOcean since multiple people complained to
them about that issue. There are also some other IPs used to send
those mails, and from CIDR: 104.236.0.0/16 too.
I can try to ask again the status about those IPs, but I also guess
that the more people complain about it, the more they'll look at it.

If you still receive such mail (I personally never had *any* of those
offending/spam mails myself), feel free to report that to
https://www.digitalocean.com/company/contact/#tab_abusetrigger

Kind Regards,

- --
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlXeLdcACgkQnVkHo1a+xU64tACgjvpWWxnXJuZ/Pnc+ucUKxstb
d4gAn2ZIJPRmkMwhg1Qf15q9tpRfY38X
=Yfy0
-----END PGP SIGNATURE-----
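How the connecting IP in a `Received:` header maps onto the two CIDR blocks named in this thread (45.55.0.0/16 and 104.236.0.0/16), as an added example that is not part of the thread. The first header of `SPAM` is the one quoted in the thread; every other header, the `HAM` message and the function names are constructed for illustration, and the receiving host is assumed to be the `mail.domblogger.net` shown in that header.

```python
import email
import ipaddress
import re

# CIDR blocks named in the thread as sources of the spam.
BLOCKED = [ipaddress.ip_network(c) for c in ("45.55.0.0/16", "104.236.0.0/16")]
OUR_MTA = "mail.domblogger.net"  # receiving host in the header quoted in the thread

# First header as quoted in the thread; everything below it is constructed.
SPAM = "\n".join([
    "Received: from mx2.loverhearts.com (mx2.loverhearts.com [45.55.128.151])",
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))",
    "\t(No client certificate requested)",
    "\tby mail.domblogger.net (Postfix) with ESMTPS id C4871C5B",
    "\tfor <alice at domblogger.net>; Tue, 25 Aug 2015 18:29:11 +0000 (UTC)",
    "Received: from localhost (unknown [192.0.2.1]) by mx2.loverhearts.com;",
    "\tTue, 25 Aug 2015 18:29:10 +0000",
    "Subject: constructed sample", "", "body"])
# Constructed: clean connecting IP; a lower, unverified header names a blocked one.
HAM = "\n".join([
    "Received: from relay.example.net (relay.example.net [198.51.100.7])",
    "\tby mail.domblogger.net (Postfix) with ESMTPS id 0000;",
    "\tWed, 26 Aug 2015 10:00:00 +0000",
    "Received: from a (a [104.236.1.1]) by relay.example.net;",
    "\tWed, 26 Aug 2015 09:59:59 +0000", "", "body"])


def connecting_ip(raw, our_mta=OUR_MTA):
    """Return the peer IP recorded by our own MTA; lower headers are unverified."""
    for hdr in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(hdr.split())           # unfold continuation lines
        m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\].*?\sby\s+(\S+)", flat)
        if m and m.group(2).rstrip(";").lower() == our_mta:
            try:
                return ipaddress.ip_address(m.group(1))
            except ValueError:
                return None
    return None


def blocked_by(raw):
    """Return the matching CIDR as a string, or None if the peer is not blocked."""
    ip = connecting_ip(raw)
    if ip is None:
        return None
    return next((str(n) for n in BLOCKED
                 if ip.version == n.version and ip in n), None)


if __name__ == "__main__":
    print(blocked_by(SPAM), blocked_by(HAM))
```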
On Wednesday 26 August 2015 20:11:20 g wrote:
> so the only harm is spam, which i now have going to my Junk folder.
>

That is not the only harm. These people are very good and very effective
confidence tricksters and are experts at getting vulnerable people to send
them money which they usually cannot afford to lose in the first place.