In consequence of this thread I went looking for a probe script that would send individualized email messages to each subscriber of a mailman list and found none. Does such a thing in fact exist?

It seems to me that this would be an invaluable tool in tracking down which subscriber is the bot-bait.

-- 
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
On 08/29/15 12:04, James B. Byrne wrote:
> In consequence of this thread I went looking for a probe script that
> would send individualized email messages to each subscriber of a
> mailman list and found none. Does such a thing in fact exist?
>
> It seems to me that this would be an invaluable tool in tracking down
> which subscriber is the bot-bait.

It seems to me that you could have used a new "Subject:" line instead of using what you did. To increase the possible amount of replies/answers, you should repost with a different "Subject:" line, as what you chose may well be filtered by list readers.

-- 
peace out.

If Bill Gates got a dime for every time Windows crashes...
...oh, wait. He does. THAT explains it!
-+-
in a world without fences, who needs gates.

CentOS GNU/Linux 6.6

tc,hago.

g
On Sat, August 29, 2015 12:04 pm, James B. Byrne wrote:
> In consequence of this thread I went looking for a probe script that
> would send individualized email messages to each subscriber of a
> mailman list and found none. Does such a thing in fact exist?
>
> It seems to me that this would be an invaluable tool in tracking down
> which subscriber is the bot-bait.

James, I doubt it is doable, even if you have the cooperation of the IP block owner from whose IP(s) individual spam comes. The following is [probably] the scheme that is implemented [on really small test scale] in case of abuse of posting subscribers of the centos mail list:

1. Some e-mail address is subscribed to the centos mail list.
2. When that e-mail address receives a post to the CentOS mail list, the actual sender address is extracted from the header.
3. This address is passed over to one of the zombie machines in some bot net.
4. That particular zombie machine sends a signal to a host (in our case one of DigitalOcean (DO) customers' assigned IPs). Quite likely just through a POST HTML command giving in it the recipient address and the content of the message to be sent, and quite likely some security code that prevents this chain from being used by anybody except those who can provide the correct security code.

If the scheme is as above, even with full real cooperation of DO you can only have a pointer to one of the zombie computers. To track the chain down to the machine that sent the command to the zombie computer you at least need to investigate the content of this zombie computer, which I'm sceptical is possible. Things become even worse if the chain of transmitting the command has more than one zombie computer.

The bottom line is: it is quite unlikely that the bad subscriber can be discovered. (Somebody clever, correct me and tell how). We probably should stop wasting the time of the CentOS team, who have better things to do. After all, this scheme was probably aimed against CentOS, and us keeping discussing these things is what these rogue people were aiming to achieve.

The only productive way to deal with this spam is to one way or another block this spam on our own - recipients' - side. To do it one can blacklist DO ranges of IP addresses, or, as a cleverer person than I suggested, add them to the spam filter configuration with just a notch of extra spam score. Use caution and be aware that this is purely your own decision.

And my apologies for continuing this thread, which is really annoying for some list members.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Sat, 2015-08-29 at 13:04 -0400, James B. Byrne wrote:
> In consequence of this thread I went looking for a probe script that
> would send individualized email messages to each subscriber of a
> mailman list and found none. Does such a thing in fact exist?

What might work, although the task is potentially daunting, is to examine the MX for each list member's domain name and from that derive the IP address. A quantity, much less than the list's total membership, of possible suspects would result.

The quantity gets divided into groups of 5 or 10 email addresses; then each group is sent a message with a fake email address (I can supply suitable and currently unused domain names). When a junk mail is sent to a fake email address, the 5 or 10 members of the group receiving the fake email address are potential suspects. 10 more 'fake' email addresses from a different domain can be used to isolate the culprit.

As this nuisance started very recently, the joining dates of recent subscribers could identify the possible culprit. Reading our emails could encourage the culprit to subscribe again using different credentials. However, if Mailman retains the joining date, that could be easy to identify.

> It seems to me that this would be an invaluable tool in tracking down
> which subscriber is the bot-bait.

The pest is a brain-dead moron, male, lonely with no girl-friend (or even a boy-friend). Pitiful personality who deserves our sympathy.

-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.
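The two-round canary scheme Paul sketches (one shared "fake" address per group of subscribers, then one unique address per member of the group that leaked) is a small group-testing problem, and the bookkeeping is where such probes usually go wrong. The following is an added example, not code from the thread or from Mailman: it assigns canary addresses on two assumed, otherwise unused domains (canary-one.example, canary-two.example), narrows the suspect set from whichever canaries receive junk, and ignores any address it never issued so a guessed or mistyped canary cannot implicate anyone. The subscriber list and the leak are constructed; the simulate_leak function stands in for the real observation "junk arrived at canary X", which in practice would come from the canary domains' inbound mail logs.

```python
"""Two-round canary-address group test for locating a leaking subscriber.

Added example modelling the scheme described in the thread; all addresses
and domains below are placeholders, not real mailboxes.
"""

# Constructed sample subscriber list (placeholder addresses, not real ones).
SUBSCRIBERS = [f"user{i:02d}@example.net" for i in range(1, 24)]

# Assumed canary domains: dedicated, otherwise unused names whose only job
# is to receive mail, so anything that reaches them is by definition junk.
ROUND1_DOMAIN = "canary-one.example"
ROUND2_DOMAIN = "canary-two.example"


def canary_address(tag, domain):
    """Assumed naming scheme for a canary mailbox: probe-<tag>@<domain>."""
    return f"probe-{tag}@{domain}"


def assign_groups(members, group_size, domain):
    """Round 1: split members into groups; every group is shown one canary.

    Returns {canary_address: [members who were shown that canary]}.
    """
    canary_to_members = {}
    for n, start in enumerate(range(0, len(members), group_size), start=1):
        group = list(members[start:start + group_size])
        canary_to_members[canary_address(f"g{n}", domain)] = group
    return canary_to_members


def assign_individual(members, domain):
    """Round 2: each remaining suspect gets a canary nobody else sees."""
    return {canary_address(f"s{n}", domain): [m]
            for n, m in enumerate(members, start=1)}


def member_to_canary(canary_to_members):
    """Invert the assignment: which canary was each member shown?"""
    return {m: c for c, members in canary_to_members.items() for m in members}


def suspects(hit_canaries, canary_to_members):
    """Members whose canary received junk.

    Canaries we never issued are ignored, so a mistyped or guessed address
    cannot put anyone on the suspect list.
    """
    found = []
    for canary in hit_canaries:
        for m in canary_to_members.get(canary, []):
            if m not in found:
                found.append(m)
    return found


def simulate_leak(canary_to_members, leakers):
    """Constructed stand-in for 'junk mail arrived at canary X'.

    A leaking member hands every address it was shown to the spammer; in
    real use this set is read from the canary domains' inbound mail logs.
    """
    shown = member_to_canary(canary_to_members)
    return {shown[m] for m in leakers if m in shown}


def locate_leakers(members, leakers, group_size=5):
    """Run both rounds and return the members the canaries point at."""
    round1 = assign_groups(members, group_size, ROUND1_DOMAIN)
    narrowed = suspects(simulate_leak(round1, leakers), round1)
    if not narrowed:
        # No canary was hit: the addresses are not leaking via a subscriber.
        return []
    round2 = assign_individual(narrowed, ROUND2_DOMAIN)
    return suspects(simulate_leak(round2, leakers), round2)


if __name__ == "__main__":
    print(locate_leakers(SUBSCRIBERS, ["user13@example.net"]))
```

An empty result from round 1 is itself informative: if no canary ever receives junk, the addresses are not being harvested from a subscriber's mailbox at all, which is consistent with the later reply in this thread pointing out that the public archives already expose them.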
On Sat, Aug 29, 2015 at 08:24:57PM +0100, Always Learning wrote:
> What might work, although the task is potentially daunting, is to
> examine the MX for each list member's domain name and from that derive
> the IP address. A quantity, much less than the list's total membership,
> of possible suspects would result.

I think people are missing the fact that you don't need to subscribe to the mailing list to just grab the email addresses out of the archives, which are public. This isn't the first spammer who has harvested live email addresses off of email lists, and is likely not to be the last.

-- 
Jonathan Billings <billings at negate.org>