Hey Fabian,

Here's the headers for one of the spam responses I got from the list:

from: Tracy <tracy12614 at safeloves.com>
reply-to: tracy12614 at safeloves.com
to: Tim Dunphy <bluethundr at gmail.com>
date: Fri, Aug 28, 2015 at 2:19 PM
subject: Re: [CentOS] apache mysterious 404 error
mailed-by: safeloves.com
signed-by: safeloves.com
Important mainly because it was sent directly to you.

Please let me know if that's not what you're looking for!

Thanks,
Tim

On Fri, Aug 28, 2015 at 5:18 PM, Fabian Arrotin <arrfab at centos.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 28/08/15 22:24, John R Pierce wrote:
> > On 8/28/2015 1:21 PM, Robert Wolfe wrote:
> >> I've been getting that intermittently during the day today.
> >
> > I haven't seen any since I put the sending domain with a 'DISCARD'
> > in my /etc/mail/access database (using sendmail here)
> >
>
> Well, is there another domain involved now? It seems the previous
> spammer (using multiple VMs on the DigitalOcean network) had been blocked.
> As nothing is sent through the mailman/centos.org server, I can't even
> look at logs, but if you have useful information (like some headers),
> feel free to forward those to me (and not on the list).
>
> Cheers,
>
> - --
> Fabian Arrotin
> The CentOS Project | http://www.centos.org
> gpg key: 56BEC54E | twitter: @arrfab
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> iEYEARECAAYFAlXg0D4ACgkQnVkHo1a+xU5OnACggUMg3QikAFsgAAeHSGGGI5Q1
> 5MgAn2leYj3Wbflv1w8gHnNICEEOKOo3
> =rEWD
> -----END PGP SIGNATURE-----
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
On 8/28/2015 2:21 PM, Tim Dunphy wrote:
> Here's the headers for one of the spam responses I got from the list:
>
> from: Tracy <tracy12614 at safeloves.com>
> reply-to: tracy12614 at safeloves.com
> to: Tim Dunphy <bluethundr at gmail.com>
> date: Fri, Aug 28, 2015 at 2:19 PM
> subject: Re: [CentOS] apache mysterious 404 error
> mailed-by: safeloves.com
> signed-by: safeloves.com
> Important mainly because it was sent directly to you.
>
> Please let me know if that's not what you're looking for!

Typically, you need the 'Received from' headers so we can tell where it entered your mail system to block spammers.

--
john r pierce, recycling bits in santa cruz
On Fri, August 28, 2015 4:28 pm, John R Pierce wrote:
> On 8/28/2015 2:21 PM, Tim Dunphy wrote:
>> Here's the headers for one of the spam responses I got from the list:
>>
>> from: Tracy <tracy12614 at safeloves.com>
>> reply-to: tracy12614 at safeloves.com
>> to: Tim Dunphy <bluethundr at gmail.com>
>> date: Fri, Aug 28, 2015 at 2:19 PM
>> subject: Re: [CentOS] apache mysterious 404 error
>> mailed-by: safeloves.com
>> signed-by: safeloves.com
>> Important mainly because it was sent directly to you.
>>
>> Please let me know if that's not what you're looking for!
>
> Typically, you need the 'Received from' headers so we can tell where it
> entered your mail system to block spammers.
>

Well, this is the second discussion on this subject during the last fortnight, and I felt I should stay away from it... But I would just add one thing.

Blocking the originator of messages, as John suggests, will work. The only thing about it is: these are single-IP domains, and one can easily keep registering new ones, and this is all doable within the frame of digitalocean's (the IP block owner) business model. Attempting to fight on a per-case basis with something that can be scripted on the bad guys' side I found counterproductive.

The only way I've found in the past that is not a total waste of my time is: block e-mail from the whole block of IPs of that provider. This can be done on the side of those being abused. Nothing, as a matter of fact, can be done on the side of CentOS, and I really regret us wasting Fabian's precious time on this.

This is, however, a really serious decision, as you may block some of the domains hosted at digitalocean that your users may need to communicate with. So, use your own judgement and caution. Grepping your mail logs for a long time back is advisable, but by no means can it be sufficient for a sane decision.

Contacting digitalocean with complaints, hm..., though it is the right thing to do, is quite unlikely to lead to them identifying the "person" and dealing with that person with whole seriousness. IMHO, this last doesn't fit into their business model.

Just my $0.02

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
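The two recommendations in this thread, reading the Received headers to find where a message entered your mail system (John) and deciding whether that entry point falls inside a provider's whole IP block before putting a DISCARD entry in the sendmail access map (Valeri), combine into a small triage script. This is an added example, not code from anyone on the list; the message, the trusted and provider networks (all documentation ranges) and the hostnames are constructed for illustration, and the access map prefix syntax is sendmail's own, which matches on dotted-octet prefixes rather than CIDR.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (documentation address ranges, not real hosts):
# hop 1 is our own MX forwarding to an internal box, hop 2 is the external
# relay that handed the mail to the MX. Most recent hop is listed first.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.org with ESMTP id abc123; Fri, 28 Aug 2015 14:19:02 -0400
Received: from relay.example.net (unknown [203.0.113.45])
    by mx.example.org with ESMTPS id def456; Fri, 28 Aug 2015 14:19:01 -0400
From: Tracy <tracy12614@safeloves.com>
Subject: Re: [CentOS] apache mysterious 404 error

body
"""

TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]     # our own MTAs (assumed)
PROVIDER = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical provider block

# The connecting address appears in square brackets in a standard Received line.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Connecting IP from each Received header, most recent hop first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips

def entry_point(raw, trusted=TRUSTED):
    """First hop that is not one of our own relays: where the mail entered."""
    for ip in received_ips(raw):
        if not any(ip in net for net in trusted):
            return ip
    return None

def in_blocks(ip, blocks=PROVIDER):
    """True when the entry point lies inside one of the provider's networks."""
    return any(ip in net for net in blocks)

def access_line(net):
    """sendmail /etc/mail/access entry discarding a whole network; the map
    matches dotted-octet prefixes, so only /8, /16, /24 and /32 are expressible."""
    if net.prefixlen not in (8, 16, 24, 32):
        raise ValueError("access map prefixes must end on an octet boundary")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return "Connect:" + ".".join(octets) + "\tDISCARD"

if __name__ == "__main__":
    ip = entry_point(SAMPLE)
    print(ip, in_blocks(ip), access_line(PROVIDER[0]))
```

Grepping historical mail logs for the same prefix before installing the entry is the check Valeri recommends; the script only tells you which prefix to grep for.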