On Sat, August 29, 2015 12:04 pm, James B. Byrne wrote:
> In consequence of this thread I went looking for a probe script that would send individualized email messages to each subscriber of a mailman list and found none. Does such a thing in fact exist?
> It seems to me that this would be an invaluable tool in tracking down which subscriber is the bot-bait.
James, I doubt it is doable, even if you have cooperation of IP block owner from whose IP(s) individual spam comes. The following is [probably] the scheme that is implemented [on really small test scale] in case of abuse of posting subscribers of centos mail list:
1. Some e-mail address is subscribed to the CentOS mail list.
2. When that e-mail address receives a post to the CentOS mail list, the actual sender address is extracted from the header.
3. This address is passed over to one of the zombie machines in some botnet.
4. That particular zombie machine sends a signal to the host (in our case one of DigitalOcean's (DO) customer-assigned IPs). Quite likely just through a POST HTML command giving in it the recipient address and content of the message to be sent, and quite likely some security code that prevents this chain from being used by anybody except those who can provide the correct security code.
If the scheme is as above, even with full real cooperation of DO you can only have a pointer to one of the zombie computers. To track the chain down to the machine that sent the command to the zombie computer you at least need to investigate the content of this zombie computer, which I'm sceptical is possible. Things become even worse if the chain transmitting the command has more than one zombie computer.
The bottom line is: it is quite unlikely that the bad subscriber can be discovered. (Somebody clever, correct me and tell how).
We probably should stop wasting the time of the CentOS team, who have better things to do. After all, this scheme was probably aimed against CentOS, and us continuing to discuss these things is what these rogue people were aiming to achieve. The only productive way to deal with this spam is to one way or another block this spam on our own, recipients', side. To do it one can blacklist DO ranges of IP addresses, or, as a cleverer-than-I person suggested, add them to the spam filter configuration with just a notch of extra spam score. Use caution and beware that this is purely your own decision.
And my apologies for continuing this thread, which is really annoying for some list members.
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
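The two recipient-side options mentioned at the end of the message above (outright blacklisting of a provider's IP ranges versus adding "a notch of extra spam score") can be illustrated with a small filter. The following is an added example written for this page, not code from the list thread or from any CentOS or DigitalOcean project. It assumes a SpamAssassin-style threshold of 5.0, and the CIDR blocks it scores are RFC 5737 documentation ranges standing in for the real provider ranges, which are not given on the page. It parses the `Received:` headers of a message, collects the relay IPs, and reports whether any fall inside the listed ranges; `score_message` adds a modest score on a hit, while `blacklist_reject` shows the harder alternative.

```python
import email
import ipaddress
import re
from email import policy

# Hypothetical ranges standing in for a hosting provider's allocations.
# RFC 5737 documentation blocks, NOT real DigitalOcean ranges (assumption).
SCORED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

RANGE_SCORE = 1.5      # "a notch" of extra score on a hit, not an outright block
SPAM_THRESHOLD = 5.0   # assumed SpamAssassin-style threshold

# Matches the bracketed literal IPv4 address a receiving MTA records, e.g. "[203.0.113.5]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Return every IPv4 address found in the message's Received: headers, top to bottom."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in IP_RE.finditer(str(hdr)):
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # malformed octet such as 999.1.1.1; ignore it
    return ips


def range_hits(ips):
    """Subset of ips that fall inside one of the scored ranges."""
    return [ip for ip in ips if any(ip in net for net in SCORED_RANGES)]


def score_message(raw_message, base_score=0.0):
    """Soft option: add RANGE_SCORE on a hit on top of whatever other rules scored.

    A clean message relayed through the provider stays below threshold; a message
    that other rules already find suspicious is pushed over it.
    """
    hits = range_hits(received_ips(raw_message))
    score = base_score + (RANGE_SCORE if hits else 0.0)
    return {
        "score": score,
        "hits": [str(ip) for ip in hits],
        "is_spam": score >= SPAM_THRESHOLD,
    }


def blacklist_reject(raw_message):
    """Hard option: reject anything relayed through the listed ranges, regardless of content."""
    return bool(range_hits(received_ips(raw_message)))


# Constructed sample messages (not real list traffic).
SAMPLE_RELAYED = (
    "Received: from zombie.example (zombie.example [203.0.113.5])\n"
    "\tby lists.example.org (Postfix) with ESMTP id ABC123\n"
    "\tfor <subscriber@example.org>; Sat, 29 Aug 2015 12:04:00 -0500\n"
    "From: someone@example.net\n"
    "To: subscriber@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

SAMPLE_CLEAN = (
    "Received: from mx.example.com (mx.example.com [192.0.2.10])\n"
    "\tby lists.example.org (Postfix) with ESMTP id DEF456\n"
    "\tfor <subscriber@example.org>; Sat, 29 Aug 2015 12:05:00 -0500\n"
    "From: friend@example.com\n"
    "To: subscriber@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(score_message(SAMPLE_RELAYED))                  # hit, but 1.5 < 5.0: not spam on its own
    print(score_message(SAMPLE_RELAYED, base_score=4.0))  # hit plus other rules: 5.5, spam
    print(score_message(SAMPLE_CLEAN, base_score=4.0))    # no hit: stays at 4.0
    print(blacklist_reject(SAMPLE_RELAYED), blacklist_reject(SAMPLE_CLEAN))
```

The difference between the two functions is the practical point of the thread: `blacklist_reject` drops every legitimate message relayed through the provider along with the spam, while `score_message` only tips messages that other rules already find suspicious. A real deployment would express the same idea as a local rule in the spam filter's configuration rather than a standalone script.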