julie70773 [at] loverhearts.com
Responded off-list to message on the list, spam with content that is not suitable for minors.
It is possibly subscribed under a different address.
IP of offending spam :
Received: from mx2.loverhearts.com (mx2.loverhearts.com [45.55.128.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.domblogger.net (Postfix) with ESMTPS id C4871C5B for alice@domblogger.net; Tue, 25 Aug 2015 18:29:11 +0000 (UTC)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 25/08/15 20:39, Alice Wonder wrote:
julie70773 [at] loverhearts.com
Responded off-list to message on the list, spam with content that is not suitable for minors.
It is possibly subscribed under a different address.
IP of offending spam :
Received: from mx2.loverhearts.com (mx2.loverhearts.com [45.55.128.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.domblogger.net (Postfix) with ESMTPS id C4871C5B for alice@domblogger.net; Tue, 25 Aug 2015 18:29:11 +0000 (UTC)
Thanks for the notification, and for not having forwarded the mail to the list (which some people did on other lists ...) Please note that such user (or multiple ones from that domain) isn't/aren't subscribed to the list. In fact, I see a bunch of mails rejected at our level, from that domain, but from a *bunch* of different IP addresses, and so directly bounced back .. It seems someone/some bot is tracking the mail lists and answering to both the reply-to *and* the originator (but bounced by mailman, so no mail on the list[s])
Under investigation to see how to help stop the flood, even if it is not originating from/passing through the centos.org servers ...
- -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 25/08/15 23:09, Fabian Arrotin wrote:
On 25/08/15 20:39, Alice Wonder wrote:
julie70773 [at] loverhearts.com
Responded off-list to message on the list, spam with content that is not suitable for minors.
It is possibly subscribed under a different address.
IP of offending spam :
Received: from mx2.loverhearts.com (mx2.loverhearts.com [45.55.128.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.domblogger.net (Postfix) with ESMTPS id C4871C5B for alice@domblogger.net; Tue, 25 Aug 2015 18:29:11 +0000 (UTC)
Thanks for the notification, and for not having forwarded the mail to the list (which some people did on other lists ...) Please note that such user (or multiple ones from that domain) isn't/aren't subscribed to the list. In fact, I see a bunch of mails rejected at our level, from that domain, but from a *bunch* of different IP addresses, and so directly bounced back .. It seems someone/some bot is tracking the mail lists and answering to both the reply-to *and* the originator (but bounced by mailman, so no mail on the list[s])
Under investigation to see how to help stop the flood, even if it is not originating from/passing through the centos.org servers ...
Just a quick status update : we've identified (from the mails bounced/rejected by our server) 14 IP addresses used to send those mails. All those IPs are originating from DigitalOcean, so we reported the abuse so that they can investigate on their side.
Cheers,
- -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab
On Wed, August 26, 2015 1:12 am, Fabian Arrotin wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 25/08/15 23:09, Fabian Arrotin wrote:
On 25/08/15 20:39, Alice Wonder wrote:
julie70773 [at] loverhearts.com
Responded off-list to message on the list, spam with content that is not suitable for minors.
It is possibly subscribed under a different address.
IP of offending spam :
Received: from mx2.loverhearts.com (mx2.loverhearts.com [45.55.128.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.domblogger.net (Postfix) with ESMTPS id C4871C5B for alice@domblogger.net; Tue, 25 Aug 2015 18:29:11 +0000 (UTC)
Thanks for the notification, and for not having forwarded the mail to the list (which some people did on other lists ...) Please note that such user (or multiple ones from that domain) isn't/aren't subscribed to the list. In fact, I see a bunch of mails rejected at our level, from that domain, but from a *bunch* of different IP addresses, and so directly bounced back .. It seems someone/some bot is tracking the mail lists and answering to both the reply-to *and* the originator (but bounced by mailman, so no mail on the list[s])
Under investigation to see how to help stop the flood, even if it is not originating from/passing through the centos.org servers ...
Just a quick status update : we've identified (from the mails bounced/rejected by our server) 14 IP addresses used to send those mails. All those IPs are originating from DigitalOcean, so we reported the abuse so that they can investigate on their side.
Thanks a lot! The most difficult part of this, I noticed, is to make sure they responded with a report of what was discovered and which actions were taken, and if this didn't happen, to have the whole block of IPs registered to them blocked off (at least this is what I am doing where I can).
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On Wed, 2015-08-26 at 09:53 -0500, Valeri Galtsev wrote:
Thanks a lot! The most difficult part of this, I noticed, is to make sure they responded with a report of what was discovered and which actions were taken, and if this didn't happen, to have the whole block of IPs registered to them blocked off (at least this is what I am doing where I can).
(1) Not all complaints about spam are acknowledged. (2) Usually no information is provided on what, specifically, was done to rectify the problem.
I run Exim on C5 and C6. If there is
(something wrong with the sender's host name including no rDNS) + (sender's HELO/EHLO name defective) + (recipient is non-existent or sender is defective) = blocked at the firewall until the end of the month.
Monthly if there are no more attempts, meaning the count is zero, then the IP is removed from the monthly banned list else the count is reset to zero (flushed -F) and ignored until reinspected at the next month's end.
I have other anti-junk defences including rejecting spammers' hosts.
We received a junk email once every 6 to 12 weeks.
I am NOT going to be a willing victim of spam.
On Thu, 2015-08-27 at 00:44 +0100, Always Learning wrote:
This is a typical internal message:
REJECTED
Sender's IP : 14.215.136.13 => (no host name)
Sender's HELO : gmail.com => 173.194.116.118
Sender's port : 18168
Our server : abc.def.ghi
Date : Wednesday, 23:19:33, 26 August 2015 (+00:00)
SMTP sender : hfxdgdsggfvfg@gmail.com
SMTP recipient : aaaaaa@bbbbbb.cccccc
Message-ID : (not yet downloaded)
Subject : (not yet downloaded)
Location : Guangzhou, Guangdong, China
Firewall ban : Yes
E2# : 888
Report : [8C93] IP blocked for abuse.
We received a junk email once every 6 to 12 weeks.
Whoops. Lovehearts just arrived. They don't look like 'hearts' to me.
Have complained to lovehearts.com owner = Swizzels Matlow Ltd, an English company.
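As an added example that is not from Always Learning's setup or from any code posted on this list, here is a small Python model of the rule described in the two messages above: parse a REJECTED record in the format shown, evaluate the three conditions (no host name for the sender IP, a HELO name that does not resolve to the sender IP, and an unknown recipient or malformed sender address), and keep the monthly ban-list bookkeeping (an IP whose count is still zero at month end is dropped, otherwise its count is reset). The record, the local mailbox list and the reading of "defective sender" as a syntactically malformed address are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed record in the shape of the internal message quoted in the post
# (sender IP, HELO name and addresses taken from that post).
SAMPLE_RECORD = """REJECTED
Sender's IP : 14.215.136.13 => (no host name)
Sender's HELO : gmail.com => 173.194.116.118
Sender's port : 18168
Our server : abc.def.ghi
Date : Wednesday, 23:19:33, 26 August 2015 (+00:00)
SMTP sender : hfxdgdsggfvfg@gmail.com
SMTP recipient : aaaaaa@bbbbbb.cccccc
Firewall ban : Yes
"""

# Assumption: the mailboxes that really exist on the receiving server.
LOCAL_MAILBOXES = {"postmaster@bbbbbb.cccccc", "admin@bbbbbb.cccccc"}


def parse_record(text):
    """Turn 'Key : value' lines into a dict; the REJECTED banner has no colon and is skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def split_arrow(value):
    """'left => right' -> ('left', 'right'); a value without an arrow gives ('left', '')."""
    left, _, right = value.partition("=>")
    return left.strip(), right.strip()


def evaluate(fields):
    """Apply the three-way rule: all three conditions must hold for a firewall ban."""
    ip, host = split_arrow(fields.get("Sender's IP", ""))
    helo, helo_ip = split_arrow(fields.get("Sender's HELO", ""))
    sender = fields.get("SMTP sender", "")
    rcpt = fields.get("SMTP recipient", "")
    bad_host = host == "" or host.startswith("(no host name")   # no rDNS for the sender IP
    bad_helo = helo == "" or helo_ip != ip                     # HELO name does not resolve to the sender IP
    # Assumption: "defective sender" means a syntactically malformed address.
    bad_addr = rcpt not in LOCAL_MAILBOXES or not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", sender)
    return {"ip": ip, "bad_host": bad_host, "bad_helo": bad_helo,
            "bad_addr": bad_addr, "ban": bad_host and bad_helo and bad_addr}


@dataclass
class BanList:
    """Month-scoped ban list: attempts are counted while banned and reviewed at month end."""
    counts: dict = field(default_factory=dict)   # ip -> attempts seen since the ban / last review

    def ban(self, ip):
        self.counts.setdefault(ip, 0)

    def record_attempt(self, ip):
        """Count a connection attempt from an IP that is currently banned."""
        if ip in self.counts:
            self.counts[ip] += 1

    def month_end_review(self):
        """Drop IPs with a zero count; keep the rest with the count reset to zero."""
        self.counts = {ip: 0 for ip, n in self.counts.items() if n > 0}
        return sorted(self.counts)


if __name__ == "__main__":
    result = evaluate(parse_record(SAMPLE_RECORD))
    print(result)
    bans = BanList()
    if result["ban"]:
        bans.ban(result["ip"])
    bans.record_attempt(result["ip"])
    print("still banned after review:", bans.month_end_review())
```

The three conditions are deliberately AND-ed, as in the post: any one of them on its own (a missing rDNS entry, say) is common enough on legitimate senders that it should not trigger a firewall-level ban.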
On 8/26/2015 5:09 PM, Always Learning wrote:
Whoops. Lovehearts just arrived. They don't look like 'hearts' to me.
Have complained to lovehearts.com owner = Swizzels Matlow Ltd, an English company.
it's loverhearts.com, and they are also using heartslover.com for web links. the first domain is registered to someone claiming to be in Miami Florida, while the 2nd is registered to some organization in Bangladesh. yeah, right. Both domains were initially registered about a month ago.
On Wed, 2015-08-26 at 17:22 -0700, John R Pierce wrote:
it's loverhearts.com, and they are also using heartslover.com for web links. the first domain is registered to someone claiming to be in Miami Florida, while the 2nd is registered to some organization in Bangladesh. yeah, right. Both domains were initially registered about a month ago.
You are correct. Now to apologise to lovehearts.com
Easier just to block Digital Ocean for port 25 - as I have previously done for all port 80 traffic.
Thanks.
On 8/26/2015 5:30 PM, Always Learning wrote:
Easier just to block Digital Ocean for port 25 - as I have previously done for all port 80 traffic.
you realize Digital Ocean is a rather large virtual private server provider? wikipedia says they host over 190,000 sites, and last year surpassed Rackspace to become the 4th largest hosting provider.
a blanket block of /16 subnets is usually not good policy just because of one bad customer.
On Wed, 2015-08-26 at 17:37 -0700, John R Pierce wrote:
you realize Digital Ocean is a rather large virtual private server provider? wikipedia says they host over 190,000 sites, and last year surpassed Rackspace to become the 4th largest hosting provider.
a blanket block of /16 subnets is usually not good policy just because of one bad customer.
Digital Ocean is remaining blocked for all port 80 traffic.
I'm tired. Thanks for your good advice again. Have added loverhearts.com to my Exim's hosts.spammer file.
On 08/26/2015 08:22 PM, John R Pierce wrote:
On 8/26/2015 5:09 PM, Always Learning wrote:
Whoops. Lovehearts just arrived. They don't look like 'hearts' to me.
Have complained to lovehearts.com owner = Swizzels Matlow Ltd, an English company.
it's loverhearts.com, and they are also using heartslover.com for web links. the first domain is registered to someone claiming to be in Miami Florida, while the 2nd is registered to some organization in Bangladesh. yeah, right. Both domains were initially registered about a month ago.
digital ocean finally replied (at least to me):
Hi there,
I'm sorry about this. We gave our customer time to resolve the issue, and he hasn't done so, so we've blocked his ability to send email, pending further action if necessary to ensure this never occurs again.
If you get or hear about ANY further spam like this, please let me know immediately so we can take further action on it.
Regards, Cash, Trust & Safety Specialist Digital Ocean Support
Perhaps it's fixed if only for a little while.
On Wed, August 26, 2015 7:40 pm, zep wrote:
On 08/26/2015 08:22 PM, John R Pierce wrote:
On 8/26/2015 5:09 PM, Always Learning wrote:
Whoops. Lovehearts just arrived. They don't look like 'hearts' to me.
Have complained to lovehearts.com owner = Swizzels Matlow Ltd, an English company.
it's loverhearts.com, and they are also using heartslover.com for web links. the first domain is registered to someone claiming to be in Miami Florida, while the 2nd is registered to some organization in Bangladesh. yeah, right. Both domains were initially registered about a month ago.
digital ocean finally replied (at least to me):
Hi there, I'm sorry about this. We gave our customer time to resolve the issue,
and he hasn't done so, so we've blocked his ability to send email, pending further action if necessary to ensure this never occurs again.
If you get or hear about ANY further spam like this, please let me
know immediately so we can take further action on it.
Regards, Cash, Trust & Safety Specialist Digital Ocean Support
Perhaps it's fixed if only for a little while.
Good to hear that. At least they are not as arrogant as big guys often are. Happily unblocked their blocks of IP addresses (as they do not need this sort of pressure to hear out about the trouble with their customer). This message will inadvertently serve as a test of whether what is said is done ;-)
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On Wed, 2015-08-26 at 19:54 -0500, Valeri Galtsev wrote:
Happily unblocked their blocks of IP addresses (as they do not need this sort of pressure to hear out about the trouble with their customer). This message will inadvertently serve as a test of whether what is said is done ;-)
I've blocked the spammer's host name (*.loverhearts.com) on my Exim. Shouldn't your organisation, and others too, do the same or similar ?
Otherwise what is to stop subsequent receipts of junk sent from MX *.loverhearts.com ?
On 08/26/2015 09:01 PM, Always Learning wrote:
I've blocked the spammer's host name (*.loverhearts.com) on my Exim. Shouldn't your organisation, and others too, do the same or similar ?
That is of course up to the individual organization. I use several DNSBLs, and I did not receive any of the spam. Actually, I've gotten more unwanted messages about the spam than actual spam from any source yesterday..... :-|
Otherwise what is to stop subsequent receipts of junk sent from MX *.loverhearts.com ?
MX is intended to point to the server a domain uses to receive e-mail; the sending server for a domain does not have to be the MX. I set that up for one organization who was using an anti-spam service; the MX pointed to the anti-spam server, and the sending server was different and on that organization's own subnet. I believe gmail does this, using multiple MXs and a massive subnet full of sending servers. Gmail is not alone. Gmail even wreaks havoc with greylisting, since the send retry is not guaranteed to come from the same sending server as the initial try.
I have gone down the road of blocking large subnets at the border router level; down this road lie false positives in spades.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 27/08/15 02:54, Valeri Galtsev wrote:
On Wed, August 26, 2015 7:40 pm, zep wrote:
On 08/26/2015 08:22 PM, John R Pierce wrote:
On 8/26/2015 5:09 PM, Always Learning wrote:
Whoops. Lovehearts just arrived. They don't look like 'hearts' to me.
Have complained to lovehearts.com owner = Swizzels Matlow Ltd, an English company.
it's loverhearts.com, and they are also using heartslover.com for web links. the first domain is registered to someone claiming to be in Miami Florida, while the 2nd is registered to some organization in Bangladesh. yeah, right. Both domains were initially registered about a month ago.
digital ocean finally replied (at least to me):
Hi there,
I'm sorry about this. We gave our customer time to resolve the issue, and he hasn't done so, so we've blocked his ability to send email, pending further action if necessary to ensure this never occurs again.
If you get or hear about ANY further spam like this, please let me know immediately so we can take further action on it.
Regards, Cash, Trust & Safety Specialist Digital Ocean Support
Perhaps it's fixed if only for a little while.
Good to hear that. At least they are not as arrogant as big guys often are. Happily unblocked their blocks of IP addresses (as they do not need this sort of pressure to hear out about the trouble with their customer). This message will inadvertently serve as a test of whether what is said is done ;-)
Valeri
I wanted to confirm the previous mail: we've received it from DigitalOcean too, and they have blocked outgoing mails from the originating IPs. Let me thank their support for having reacted on our abuse complaint.
Now let's close that thread and have focus back on CentOS (and related tech) instead :-)
Have a nice day !
- -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab
On Thursday 27 August 2015 01:40:21 zep wrote:
digital ocean finally replied (at least to me):
Hi there, I'm sorry about this. We gave our customer time to resolve the issue,
and he hasn't done so, so we've blocked his ability to send email, pending further action if necessary to ensure this never occurs again.
If you get or hear about ANY further spam like this, please let me know
immediately so we can take further action on it.
Regards, Cash, Trust & Safety Specialist Digital Ocean Support
Perhaps it's fixed if only for a little while.
I can confirm that I haven't received anything since midnight yesterday morning so fingers crossed
----- Original Message -----
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| On 25/08/15 23:09, Fabian Arrotin wrote:
| > On 25/08/15 20:39, Alice Wonder wrote:
| >> julie70773 [at] loverhearts.com
| >
| >> Responded off-list to message on the list, spam with content
| >> that is not suitable for minors.
| >
| >> It is possible subscribed under different address.
| >
| >> IP of offending spam :
| >
| >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
| >> [45.55.128.151]) (using TLSv1.2 with cipher
| >> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
| >> certificate requested) by mail.domblogger.net (Postfix) with
| >> ESMTPS id C4871C5B for alice@domblogger.net; Tue, 25 Aug 2015
| >> 18:29:11 +0000 (UTC)
| >
| > Thanks for the notification, and for not having forwarded the mail
| > to the list (which some people did on other lists ...) Please note
| > that such user (or multiple ones from that domain) isn't/aren't
| > subscribed to the list. In fact, I see a bunch of mails rejected at
| > our level, from that domain, but from a *bunch* of different IP
| > addresses, and so directly bounced back .. It seems someone/some
| > bot is tracking the mail lists and answering to both the reply-to
| > *and* the originator (but bounced by mailman, so no mail on the
| > list[s])
| >
| > Under investigation to see how to help stopping the flood, even if
| > not originating from/passing through the centos.org servers ...
| >
|
| Just a quick status update : we've identified (from the mails
| bounced/rejected by our server) 14 IPs addresses used to send those
| mails. All those IPs are originating from DigitalOcean, so we reported
| the abuse so that they can investigate on their side.
|
| Cheers,
|
| - --
| Fabian Arrotin
| The CentOS Project | http://www.centos.org
| gpg key: 56BEC54E | twitter: @arrfab
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v2.0.22 (GNU/Linux)
|
| iEYEARECAAYFAlXdWL0ACgkQnVkHo1a+xU4ylgCfcJcHdOw1vhUtmfUYiFWpefji
| yhcAnRChmlbYNG8efqx9uZZCrOWpqtD1
| =VvHI
| -----END PGP SIGNATURE-----
| _______________________________________________
| CentOS mailing list
| CentOS@centos.org
| http://lists.centos.org/mailman/listinfo/centos
|
I told my wife (yes awkward) that I thought that the list would be removing content of this type (images), since likely it is of little value to the list for helping people. I was shocked (for many reasons) that it is not.
On 8/26/2015 10:55 AM, James A. Peltier wrote:
I told my wife (yes awkward) that I thought that the list would be removing content of this type (images), since likely it is of little value to the list for helping people. I was shocked (for many reasons) that it is not.
the spammer was NOT emailing via the listserver. rather, they have a different account (or more than one) subscribed, and it was replying directly to list posters using the spammers own network of email servers.
On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
----- Original Message -----
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| On 25/08/15 23:09, Fabian Arrotin wrote:
| > On 25/08/15 20:39, Alice Wonder wrote:
| >> julie70773 [at] loverhearts.com
| >
| >> Responded off-list to message on the list, spam with content
| >> that is not suitable for minors.
| >
| >> It is possible subscribed under different address.
| >
| >> IP of offending spam :
| >
| >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
| >> [45.55.128.151]) (using TLSv1.2 with cipher
As you see from this header of yours, the spam was not delivered through the CentOS mailing list, but comes from one of the IPs of the digitalocean.com IP block 45.55.0.0/16. As Fabian said, the CentOS mailing list server admins contacted digitalocean.com about abuse (even though indirect, but with apparent misuse of the CentOS list servers for collecting e-mails of posters). And the moment I received my copy of this spam _after_ Fabian mentioned they contacted digitalocean.com, I just blocked mail from their block of IP addresses (45.55.0.0/16) on my servers, as digitalocean apparently didn't react to the abuse notice promptly. Others may want to do the same; thus we will pass the message with all seriousness to digitalocean.com.
Just my $0.02
Valeri
| >> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
| >> certificate requested) by mail.domblogger.net (Postfix) with
| >> ESMTPS id C4871C5B for alice@domblogger.net; Tue, 25 Aug 2015
| >> 18:29:11 +0000 (UTC)
| >
| > Thanks for the notification, and for not having forwarded the mail
| > to the list (which some people did on other lists ...) Please note
| > that such user (or multiple ones from that domain) isn't/aren't
| > subscribed to the list. In fact, I see a bunch of mails rejected at
| > our level, from that domain, but from a *bunch* of different IP
| > addresses, and so directly bounced back .. It seems someone/some
| > bot is tracking the mail lists and answering to both the reply-to
| > *and* the originator (but bounced by mailman, so no mail on the
| > list[s])
| >
| > Under investigation to see how to help stopping the flood, even if
| > not originating from/passing through the centos.org servers ...
| >
|
| Just a quick status update : we've identified (from the mails
| bounced/rejected by our server) 14 IPs addresses used to send those
| mails. All those IPs are originating from DigitalOcean, so we reported
| the abuse so that they can investigate on their side.
|
| Cheers,
|
| - --
| Fabian Arrotin
| The CentOS Project | http://www.centos.org
| gpg key: 56BEC54E | twitter: @arrfab
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v2.0.22 (GNU/Linux)
|
| iEYEARECAAYFAlXdWL0ACgkQnVkHo1a+xU4ylgCfcJcHdOw1vhUtmfUYiFWpefji
| yhcAnRChmlbYNG8efqx9uZZCrOWpqtD1
| =VvHI
| -----END PGP SIGNATURE-----
| _______________________________________________
| CentOS mailing list
| CentOS@centos.org
| http://lists.centos.org/mailman/listinfo/centos
|
I told my wife (yes awkward) that I thought that the list would be removing content of this type (images), since likely it is of little value to the list for helping people. I was shocked (for many reasons) that it is not.
-- James A. Peltier IT Services - Research Computing Group Simon Fraser University - Burnaby Campus Phone : 604-365-6432 Fax : 778-782-3045 E-Mail : jpeltier@sfu.ca Website : http://www.sfu.ca/itservices Twitter : @sfu_rcg Powering Engagement Through Technology _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 08/26/15 13:11, Valeri Galtsev wrote:
On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
<<>>
something no one seems to have mentioned, so i will..
| >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
loverhearts.com is a single page that seems to do nothing. and there is nothing in page source to do anything.
validator.w3.org shows 1 error and 1 warning showing that page was poorly written.
so the only harm is spam, which i now have going to my Junk folder.
so, to all of you, i pass along a much more loving 'love' link;
enjoy.
On 08/26/2015 12:11 PM, g wrote:
On 08/26/15 13:11, Valeri Galtsev wrote:
On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
<<>>
something no one seems to have mentioned, so i will..
| >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
loverhearts.com is a single page that seems to do nothing. and there is nothing in page source to do anything.
validator.w3.org shows 1 error and 1 warning showing that page was poorly written.
so the only harm is spam, which i now have going to my Junk folder.
so, to all of you, i pass along a much more loving 'love' link;
enjoy.
If you look at the SPF record for loverhearts.com (where they are coming from for me) there are a whole slew of servers permitted to send on their behalf.
So I took all those IP addresses specified and added them to my blacklist, it appears spammers are learning that SPF records can be a path to filter avoidance.
Maybe I'll start blocking any server with an SPF record that includes more than 5 IP addresses, or servers where any host in the SPF record is in a DNS blacklist.
On 08/26/15 14:29, Alice Wonder wrote: <<>>
If you look at the SPF record for loverhearts.com (where they are coming from for me) there are a whole slew of servers permitted to send on their behalf.
So I took all those IP addresses specified and added them to my blacklist, it appears spammers are learning that SPF records can be a path to filter avoidance.
Maybe I'll start blocking any server with an SPF record that includes more than 5 IP addresses, or servers where any host in the SPF record is in a DNS blacklist.
that can work. but is more than i care to bother with.
because i have filters and folders for what i want to read, everything else hits my "Local Folders/Inbox" where i mark them as spam.
reason is that there is a lot of spam content that is repeated by other spammers so the spam filters learn not only addresses, they also learn content.
anyway, as i always say, "what ever churns your butter". ;-)
On Wed, August 26, 2015 2:29 pm, Alice Wonder wrote:
On 08/26/2015 12:11 PM, g wrote:
On 08/26/15 13:11, Valeri Galtsev wrote:
On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
<<>> something no one seems to have mentioned, so i will..
| >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
loverhearts.com is a single page that seems to do nothing. and there is
nothing in page source to do anything.
validator.w3.org shows 1 error and 1 warning showing that page was
poorly written.
so the only harm is spam, which i now have going to my Junk folder. so,
to all of you, i pass along a much more loving 'love' link;
http://lovehearts.com
enjoy.
If you look at the SPF record for loverhearts.com (where they are coming
from for me) there are a whole slew of servers permitted to send on their behalf.
This way you may block good people. The SPF records you used are owned by the bad guys: loverhearts.com allows others to resend e-mail for it, but they do not need the permission of whomever they add to their SPF records to do so. In other words, one shouldn't trust anything that is in records created by the bad guys.
I did a nasty thing myself, but what I did at least IMHO is more or less justified. As I received bad e-mail after Fabian contacted the IP block owner (digitalocean.com; 45.55.0.0/16), I concluded the IP block owner didn't act promptly on the abuse complaint, so I blocked e-mail from this whole block of IPs owned by digitalocean.com. This way their other clients will start asking their provider why their e-mail is being blocked (by some...)
Just my $0.02
Valeri
So I took all those IP addresses specified and added them to my blacklist, it appears spammers are learning that SPF records can be a
path to filter avoidance.
Maybe I'll start blocking any server with an SPF record that includes
more than 5 IP addresses, or servers where any host in the SPF record is in a DNS blacklist.
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 08/26/2015 02:07 PM, Valeri Galtsev wrote:
On Wed, August 26, 2015 2:29 pm, Alice Wonder wrote:
On 08/26/2015 12:11 PM, g wrote:
On 08/26/15 13:11, Valeri Galtsev wrote:
On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
<<>> something no one seems to have mentioned, so i will..
| >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
loverhearts.com is a single page that seems to do nothing. and there is
nothing in page source to do anything.
validator.w3.org shows 1 error and 1 warning showing that page was
poorly written.
so the only harm is spam, which i now have going to my Junk folder. so,
to all of you, i pass along a much more loving 'love' link;
http://lovehearts.com
enjoy.
If you look at the SPF record for loverhearts.com (where they are coming
from for me) there are a whole slew of servers permitted to send on their behalf.
This way you may block good people. The SPF records you used are owned by the bad guys: loverhearts.com allows others to resend e-mail for it, but they do not need the permission of whomever they add to their SPF records to do so. In other words, one shouldn't trust anything that is in records created by the bad guys.
No what I mean is - I get e-mail from example.net
If example.net has an SPF record, I then check all the IPs in the SPF record against blacklists and if two or more match, I reject the message as spam.
That way if the MTA they are using isn't on a blacklist but others they specify in the SPF record are, they get identified as spammer and blocked.
It doesn't matter if they add IP addresses to SPF from others, it wouldn't block every IP in the SPF - just check if 2 or more IPs in their SPF are on blacklists.
I probably would have to write a custom filter to do that, but it may be worth doing.
On Wed, August 26, 2015 4:23 pm, Alice Wonder wrote:
On 08/26/2015 02:07 PM, Valeri Galtsev wrote:
On Wed, August 26, 2015 2:29 pm, Alice Wonder wrote:
On 08/26/2015 12:11 PM, g wrote:
On 08/26/15 13:11, Valeri Galtsev wrote:
On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
<<>> something no one seems to have mentioned, so i will..
| >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
loverhearts.com is a single page that seems to do nothing. and there is
nothing in page source to do anything.
validator.w3.org shows 1 error and 1 warning showing that page was
poorly written.
so the only harm is spam, which i now have going to my Junk folder. so,
to all of you, i pass along a much more loving 'love' link;
http://lovehearts.com
enjoy.
If you look at the SPF record for loverhearts.com (where they are coming
from for me) there are a whole slew of servers permitted to send on their behalf.
This way you may block good people. The SPF records you used are owned by the bad guys: loverhearts.com allows others to resend e-mail for it, but they do not need the permission of whomever they add to their SPF records to do so. In other words, one shouldn't trust anything that is in records created by the bad guys.
No what I mean is - I get e-mail from example.net
If example.net has an SPF record, I then check all the IPs in the SPF record against blacklists and if two or more match, I reject the message as spam.
That way if the MTA they are using isn't on a blacklist but others they specify in the SPF record are, they get identified as spammer and blocked.
It doesn't matter if they add IP addresses to SPF from others, it wouldn't block every IP in the SPF - just check if 2 or more IPs in their SPF are on blacklists.
I probably would have to write a custom filter to do that, but it may be worth doing.
Oh, then I apparently didn't read your e-mail carefully... which is my usual mistake ;-)
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 08/27/2015 07:29 AM, Alice Wonder wrote:
Maybe I'll start blocking any server with an SPF record that includes more than 5 IP addresses,
That's not a very good idea. Major ESPs (eg: gmail.com) have way more IPs listed than that.
or servers where any host in the SPF record is in a DNS blacklist.
That could work better, but I would still say be careful, you could certainly end up with false positives doing this.
Peter
On 08/26/2015 03:38 PM, Peter wrote:
On 08/27/2015 07:29 AM, Alice Wonder wrote:
Maybe I'll start blocking any server with an SPF record that includes more than 5 IP addresses,
That's not a very good idea. major ESPs (eg: gmail.com) have way more IPs listed than that.
Yeah, I thought about that.
or servers where any host in the SPF record is in a DNS blacklist.
That could work better, but I would still say be careful, you could certainly end up with false positives doing this.
I would try to count 2 before rejecting I think.
Valid SPF reduces spam score with a lot of filter systems, but snowshoe spammers can just modify the record at will to add whatever smtp servers they currently are using.
If they are going to use SPF records to lower their score then I will use SPF records to try to identify them.
False positives are a risk with any automated filter, but whitelists like dnswl.org can help reduce that problem.
I suspect if somesite.tld has MTAs in the SPF list that it actually uses and are on blacklists then somesite.tld already has mail delivery problems it needs to address.
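Alice's SPF-scan idea above (check every sender a domain's SPF record authorises against a DNS blocklist, reject at two or more hits, and let a dnswl.org-style allowlist override) as an added worked example in Python. This is not code from the thread. The SPF records, DNSBL listings and allowlist entries are constructed tables standing in for live DNS so it runs offline; following include: terms and refusing to enumerate large netblocks are my assumptions about how one would make the check practical, the latter being where Peter's caveat about big ESPs bites: a /24 is skipped rather than counted, so a spammer who lists whole blocks evades the count.

```python
"""Added example, not from the thread: score a sender domain by how many of
the hosts its SPF record authorises are on a DNS blocklist (Alice's idea),
reject at two or more hits, and let a dnswl.org-style allowlist override.
All DNS data below is constructed so the script runs offline."""
import ipaddress
import re

# Constructed TXT records standing in for DNS lookups (not real domains).
FAKE_TXT = {
    "snowshoe.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 "
                        "ip4:203.0.113.0/29 include:relay.example -all",
    "relay.example": "v=spf1 ip4:192.0.2.5 ~all",
    "bigmailer.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.64/26 -all",
    "mixed.example": "v=spf1 ip4:192.0.2.77 ip4:192.0.2.5 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}
# Constructed DNSBL/DNSWL membership. A real check queries the name that
# dnsbl_qname() builds and treats any A answer as "listed".
FAKE_DNSBL = {"198.51.100.10", "198.51.100.11", "192.0.2.5", "192.0.2.77"}
FAKE_DNSWL = {"192.0.2.77"}

IP4_TERM = re.compile(r"[+?~-]?ip4:([0-9./]+)")


def dnsbl_qname(ip, zone="zen.spamhaus.org"):
    """DNSBL query name: octets reversed, list zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def spf_networks(domain, txt=FAKE_TXT, _depth=0, _seen=None):
    """ip4 networks a domain's SPF record authorises, following include:.
    Recursion is bounded (RFC 7208 allows 10 DNS-querying terms) and loops
    are cut. a:/mx: terms are ignored here because they need live DNS."""
    seen = _seen if _seen is not None else set()
    if domain in seen or _depth > 10:
        return []
    seen.add(domain)
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return []
    nets = []
    for term in record.split()[1:]:
        m = IP4_TERM.fullmatch(term)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
        elif term.startswith("include:"):
            nets.extend(spf_networks(term[8:], txt, _depth + 1, seen))
    return nets


def spf_dnsbl_hits(domain, dnsbl=FAKE_DNSBL, dnswl=FAKE_DNSWL, max_expand=16):
    """Authorised IPs that are blocklisted and not allowlisted. Netblocks
    larger than max_expand addresses are not enumerated: a big ESP's /24
    would cost hundreds of DNSBL queries per message (Peter's caveat)."""
    hits = set()
    for net in spf_networks(domain):
        if net.num_addresses > max_expand:
            continue
        for ip in net:
            s = str(ip)
            if s in dnsbl and s not in dnswl:
                hits.add(s)
    return hits


def verdict(domain, threshold=2):
    """'reject' at two or more listed senders; a single hit is tolerated."""
    return "reject" if len(spf_dnsbl_hits(domain)) >= threshold else "accept"


if __name__ == "__main__":
    for d in FAKE_TXT:
        print(d, sorted(spf_dnsbl_hits(d)), verdict(d))
```

Against the constructed data, snowshoe.example has three listed senders and is rejected, mixed.example has one hit after the allowlist and is accepted, and bigmailer.example is accepted because its two large blocks are never enumerated.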
On Wednesday 26 August 2015 20:11:20 g wrote:
so the only harm is spam, which i now have going to my Junk folder.
That is not the only harm. These people are very good and very effective confidence tricksters and are experts at getting vulnerable people to send them money which they usually cannot afford to lose in the first place.
Bad news Guys, they've just moved the emails to somewhere else and have started again:
Return-path: 0000014f6ef4427c-8079d442-fc1e-4116-841a-ba157163def8-000000@amazonses.com
Envelope-to: gary@ringways.co.uk
Delivery-date: Thu, 27 Aug 2015 12:39:10 +0100
Received: from a8-81.smtp-out.amazonses.com ([54.240.8.81]) by mail.ringways.co.uk with esmtps (TLSv1:AES128-SHA:128) (Exim 4.84) (envelope-from 0000014f6ef4427c-8079d442-fc1e-4116-841a-ba157163def8-000000@amazonses.com) id 1ZUvWO-000OYv-WE for gary@ringways.co.uk; Thu, 27 Aug 2015 12:39:10 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1440675545; h=Date:To:From:Reply-To:Subject:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Feedback-ID; bh=fVEJhWs8Q7XcrcFzcgBz4XutQlRwasAG6LBk6AIcMXk=; b=sLK9RxQFIiu3wpu8v9mmIVYJcoXkVBacgYyzSYbkYbK/oZidKkKY/qDJWTDYKrCY ksDKQs7UBpcSp4Sqog0hbDkK2DkkZiHT1kvzSb3qqkAnX3Ducm2AkOctxdRF9z76Pj1 4tXWWopJjegOWIw8kgqR9gCRHqwv+eBxjlQlZnuA=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=koy5qxgfr6wvd7nlse57372ojbusvxt2; d=enjoylovef**k.com; t=1440675545; h=Date:To:From:Reply-To:Subject:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding; bh=fVEJhWs8Q7XcrcFzcgBz4XutQlRwasAG6LBk6AIcMXk=; b=bbmKwgB0hG2rPrgHwUes63nmRozyqrLi7VVW4qmLC6019nRt0Cf4enbC60kJQzZw Qx/UaYetwOkCm4LUObL7zw+uP0JJYzNXVooAZD7NdB1Dzs5gwT5B5ltM2sv0xxA11ev vnxdKiIUER2QKOcFOkYczDJV6QYtpOj3yr7cPYMM=
Date: Thu, 27 Aug 2015 11:39:05 +0000
To: "Gary Stainburn gary@ringways.co.uk" gary@ringways.co.uk
From: Caylian Curtis <caylian@enjoylovef**k.com>
Reply-To: caylian@enjoylovef**k.com
Subject: Re: Re: [CentOS] please block user
Message-ID: 0000014f6ef4427c-8079d442-fc1e-4116-841a-ba157163def8-000000@email.amazonses.com
X-Priority: 3
X-Mailer: PHPMailer 5.2.10 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_51d7d61107a8c78e364939b05ceed99b"
Content-Transfer-Encoding: 8bit
X-SES-Outgoing: 2015.08.27-54.240.8.81
Feedback-ID: 1.us-east-1.dCINwTXKWoGdJVCeRWe4yCPvzru4XXSdsNzu7qbGWgA=:AmazonSES
On 08/27/15 07:11, Gary Stainburn wrote:
Bad news Guys, they've just moved the emails to somewhere else and have started again:
<>
From: Caylian Curtis <caylian@enjoylovef**k.com>
<>
not true. she has been at that site for a while.
i received 1st email from her and Julie Anna just after i posted to this thread.
i will say emailing Julie Anna was more fun than with Caylian.
Julie Anna is much better looking than Caylian, btw. :-b
g wrote:
On 08/27/15 07:11, Gary Stainburn wrote:
Bad news Guys, they've just moved the emails to somewhere else and have started again:
<>
From: Caylian Curtis <caylian@enjoylovef**k.com>
<> not true. she has been at that site for a while.
i received 1st email from her and Julie Anna just after i posted to this thread.
i will say emailing Julie Anna was more fun than with Caylian.
Julie Anna is much better looking than Caylian, btw. :-b
*sigh* And they're probably sent by a script running on the PC of a fat, 47 yr old guy living in a basement and making money this way....
mark
On 08/27/15 09:31, m.roth@5-cent.us wrote: <>
*sigh* And they're probably sent by a script running on the PC of a fat, 47 yr old guy living in a basement and making money this way....
. i seriously doubt it.
several of the responses could not have been from a fat 47 yo guy.
On 08/27/2015 08:58 AM, g wrote:
On 08/27/15 09:31, m.roth@5-cent.us wrote: <>
*sigh* And they're probably sent by a script running on the PC of a fat, 47 yr old guy living in a basement and making money this way....
. i seriously doubt it.
several of the responses could not have been from a fat 47 yo guy.
Whoever he is, is using both valid SPF records and DKIM signatures, they've figured out using those reduces spam score on some systems.
Most spam seems to come from a small group of spammers that operate out of South Florida, why there I don't know.
But they aren't the under-achieving geek many imagine them to be. It's serious business for them. Dirty business but serious.
On 08/27/15 12:12, Alice Wonder wrote:
On 08/27/2015 08:58 AM, g wrote:
On 08/27/15 09:31, m.roth@5-cent.us wrote: <>
*sigh* And they're probably sent by a script running on the PC of a fat, 47 yr old guy living in a basement and making money this way....
. i seriously doubt it.
several of the responses could not have been from a fat 47 yo guy.
Whoever he is, is using both valid SPF records and DKIM signatures, they've figured out using those reduces spam score on some systems.
. as i wrote;
several of the responses could not have been from a fat 47 yo guy.
the responses were too quick. no fat 47 yog could have enough photos to respond to request that i made. and i made them to see if who i was writing to was in fact live and real.
Julie Anna showed a very goodly attitude and even a bit of maturity about her. very much unlike yours. ;-)
Most spam seems to come from a small group of spammers that operate out of South Florida, why there I don't know.
. i would not call her a spammer in the full sense of the meaning of spamming. i say this because if i had not responded, i seriously doubt that i would have received any more emails.
we had a very serious and meaningful intercourse that only someone of a high amount of education and intelligence would have been able to maintain.
in fact, i found it to be an enjoyable time, until you started your griping about it.
as for some of the pix that she sent, yes, she bared her breast, but so what, i have seen bare breast from my childhood years and i do still admire and enjoy seeing them.
in fact, the city where i live had a 'topless fest' at the local city park. it was a most enjoyable event. all had a good time, no one got raped, molested, or arrested. at least i was not aware of or saw any.
i did see many beautiful women with beautiful breast and they had every right to be proud of them.
to shun and condemn children's knowledge of human anatomy and not give them a proper education of anatomy and sex is tending to point them into a life of perversion, molestation and homosexuality.
when my daughter was old enough to understand, comprehend, and reason, i started explaining life, anatomy, sexual differences, and why men and women are different. i started with basics and as she grew older and could understand more, i explained more to her. the results of all of it were well worth it because she grew up to be a well adjusted normal woman.
why did i do it? simple.
it was written in several of the child psychology books that i have read. basically, teach them young and not have to worry about them when they are older.
this is getting very "off topic". if you would like to continue this with opinions of others, join the mozilla general news. that is unless you are afraid to because i am sure that there many subscribers of the group that will agree with me.
On 08/27/2015 10:56 AM, g wrote:
On 08/27/15 12:12, Alice Wonder wrote:
On 08/27/2015 08:58 AM, g wrote:
On 08/27/15 09:31, m.roth@5-cent.us wrote: <>
*sigh* And they're probably sent by a script running on the PC of a fat, 47 yr old guy living in a basement and making money this way....
. i seriously doubt it.
several of the responses could not have been from a fat 47 yo guy.
Whoever he is, is using both valid SPF records and DKIM signatures, they've figured out using those reduces spam score on some systems.
. as i wrote;
several of the responses could not have been from a fat 47 yo guy.
the responses were too quick. no fat 47 yog could have enough photos to respond to request that i made.
Okay, um, I have done some work related to that industry - never for a company that spams.
For about $10 you can buy photosets, usually of Eastern European models, with hundreds of photos in different settings.
So no, the photos are most certainly not an indication of who you were communicating with.
But enough off-topic. Those kind of e-mails should only be sent to people who specifically opt-in to receive them. That's the bottom line.
On 08/27/15 13:00, Alice Wonder wrote:
On 08/27/2015 10:56 AM, g wrote:
On 08/27/15 12:12, Alice Wonder wrote:
On 08/27/2015 08:58 AM, g wrote:
On 08/27/15 09:31, m.roth@5-cent.us wrote: <>
*sigh* And they're probably sent by a script running on the PC of a fat, 47 yr old guy living in a basement and making money this way....
. i seriously doubt it.
several of the responses could not have been from a fat 47 yo guy.
Whoever he is, is using both valid SPF records and DKIM signatures, they've figured out using those reduces spam score on some systems.
. as i wrote;
several of the responses could not have been from a fat 47 yo guy.
the responses were too quick. no fat 47 yog could have enough photos to respond to request that i made.
Okay, um, I have done some work related to that industry - never for a company that spams.
. i will be polite and not ask what company. :-)
For about $10 you can buy photosets, usually of Eastern European models, with hundreds of photos in different settings.
. yes, i have seen them. but i believe, why should i pay for what i can see for free and live.
So no, the photos are most certainly not an indication of who you were communicating with.
. very true.
But enough off-topic. Those kind of e-mails should only be sent to people who specifically opt-in to receive them. That's the bottom line.
. i agree.
one should always have choice of what pleasure one receives, or gives. tho the mystery of yet to come can make pleasures greater.
also, i do like to see the change in your attitude. a good indication of maturity.
i still believe moz gen would be a good place to continue because of the additional input.
AND With that all said, I am UNSUBSCRIBING FROM THIS LIST! I came to this list hoping to LEARN and get HELP with CentOS, but instead, I am getting plagued with this damn garbage. 30+ emails daily in the last week or so is way too much. Maybe I can find more INTELLIGENT conversation in the forums.
On 8/27/2015 2:00 PM, Alice Wonder wrote:
On 08/27/2015 10:56 AM, g wrote:
On 08/27/15 12:12, Alice Wonder wrote:
On 08/27/2015 08:58 AM, g wrote:
On 08/27/15 09:31, m.roth@5-cent.us wrote: <>
*sigh* And they're probably sent by a script running on the PC of a fat, 47 yr old guy living in a basement and making money this way....
. i seriously doubt it.
several of the responses could not have been from a fat 47 yo guy.
Whoever he is, is using both valid SPF records and DKIM signatures, they've figured out using those reduces spam score on some systems.
. as i wrote;
several of the responses could not have been from a fat 47 yo guy.
the responses were too quick. no fat 47 yog could have enough photos to respond to request that i made.
Okay, um, I have done some work related to that industry - never for a company that spams.
For about $10 you can buy photosets, usually of Eastern European models, with hundreds of photos in different settings.
So no, the photos are most certainly not an indication of who you were communicating with.
But enough off-topic. Those kind of e-mails should only be sent to people who specifically opt-in to receive them. That's the bottom line.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
I apologize for continuing in the off-topic discussion.
On 08/28/2015 06:08 PM, Marc Chubbuck wrote:
AND With that all said, I am UNSUBSCRIBING FROM THIS LIST! I came to this list hoping to LEARN and get HELP with CentOS, but instead, I am getting plagued with this damn garbage. 30+ emails daily in the last week or so is way too much. Maybe I can find more INTELLIGENT conversation in the forums.
On 8/27/2015 2:00 PM, Alice Wonder wrote:
*snip*
On 08/28/15 20:18, Alice Wonder wrote:
I apologize for continuing in the off-topic discussion.
On 08/28/2015 06:08 PM, Marc Chubbuck wrote:
AND With that all said, I am UNSUBSCRIBING FROM THIS LIST! I came to this list hoping to LEARN and get HELP with CentOS, but instead, I am getting plagued with this damn garbage. 30+ emails daily in the last week or so is way too much. Maybe I can find more INTELLIGENT conversation in the forums.
<<>>
actually, Marc, counting today, it is a total of 49 emails.
the 25th = 02, 26th = 23, 27th = 22. 28th = 02
had you not posted, causing Alice to post to pacify you, it would have been 47 and done with.
On 8/27/2015 10:56 AM, g wrote:
we had a very serious and meaningful intercourse that only someone of a high amount of education and intelligence would have been able to maintain.
PLEASE tell me this whole post is tongue-in-cheek.
anyways, none of this has ANYthing to do with CENTOS and really, is totally off topic for this list.
On 08/27/15 13:07, John R Pierce wrote:
On 8/27/2015 10:56 AM, g wrote:
we had a very serious and meaningful intercourse that only someone of a high amount of education and intelligence would have been able to maintain.
PLEASE tell me this whole post is tongue-in-cheek.
. that is one place for a tongue. ;-)
look at the meaning of the word.
https://en.wiktionary.org/wiki/intercourse
it does not only mean coitus.
anyways, none of this has ANYthing to do with CENTOS and really, is totally off topic for this list.
. true. and i thank the moderator for his understanding.
i have invited Alice to continue this on moz gen. how about you?
On 08/27/15 13:32, John R Pierce wrote:
On 8/27/2015 11:30 AM, g wrote:
i have invited Alice to continue this on moz gen. how about you?
I am neither on that list nor have any interest in joining it.
. fine. end of discussion.
have a great day.
mine has been most enjoyable so far.
g wrote:
On 08/27/15 13:07, John R Pierce wrote:
On 8/27/2015 10:56 AM, g wrote:
we had a very serious and meaningful intercourse that only someone of a high amount of education and intelligence would have been able to maintain.
PLEASE tell me this whole post is tongue-in-cheek.
that is one place for a tongue. ;-)
look at the meaning of the word.
https://en.wiktionary.org/wiki/intercourse
it does not only mean coitus.
anyways, none of this has ANYthing to do with CENTOS and really, is totally off topic for this list.
. true. and i thank the moderator for his understanding.
i have invited Alice to continue this on moz gen. how about you?
PLEASE DO NOT RESPOND TO THIS EMAIL, g, AND PLEASE TAKE IT OFFLIST. This isn't even a discussion of Poettering and systemd, this is just *not* the place for this kind of conversation.
I will note that people far more on topic have been banned, temporarily or permanently, including me, for things deemed inappropriate.
Besides we all have other venues for such conversations.
Just stop. Resist the temptation to get in the last word.
mark
Gary Stainburn wrote:
Bad news Guys, they've just moved the emails to somewhere else and have started again:
<snip>
A suggestion: there should be a way to filter using *domain* AND mailhost; that is, if emails come from a domain, and through one mailhost, then block the domain. If many domains, and the same mailhost, only then block the mailhost.
I've been thinking about this since yesterday, when I got back from vacation, to hear from my manager that he had to screw with mailman, because we were getting a lot of emails from elsewhere, subscribing to one or more of our lists... and having the target be one of three gmail accounts - a DDoS against them (and we assume that they're doing it to a lot of other places).
Anyway, given the number of times I've been blocked by nixspam (which I found is run by IX, a German IT mag, and that they don't answer emails to *them*, either), I've been trying to think of a *reasonable* way to block that doesn't do collective punishment to the many domains of a huge hosting provider, and that's my best thought so far.
mark
Now see, I run a spam filter (run on CentOS, by the way *smiles*) and I have several friends' domain emails running through it. It has a pretty good filter rate, too for being all open source.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of m.roth@5-cent.us
Sent: Thursday, August 27, 2015 9:30 AM
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] please block user
Gary Stainburn wrote:
Bad news Guys, they've just moved the emails to somewhere else and have started again:
<snip>
A suggestion: there should be a way to filter using *domain* AND mailhost; that is, if emails come from a domain, and through one mailhost, then block the domain. If many domains, and the same mailhost, only then block the mailhost.
I've been thinking about this since yesterday, when I got back from vacation, to hear from my manager that he had to screw with mailman, because we were getting a lot of emails from elsewhere, subscribing to one or more of our lists... and having the target be one of three gmail accounts - a DDoS against them (and we assume that they're doing it to a lot of other places).
Anyway, given the number of times I've been blocked by nixspam (which I found is run by IX, a German IT mag, and that they don't answer emails to *them*, either), I've been trying to think of a *reasonable* way to block that doesn't do collective punishment to the many domains of a huge hosting provider, and that's my best thought so far.
mark
On Thu, August 27, 2015 9:29 am, m.roth@5-cent.us wrote:
Gary Stainburn wrote:
Bad news Guys, they've just moved the emails to somewhere else and have started again:
<snip>
A suggestion: there should be a way to filter using *domain* AND mailhost; that is, if emails come from a domain, and through one mailhost, then block the domain. If many domains, and the same mailhost, only then block the mailhost.
Me too: I started receiving them from a different IP (with a much longer delay, so they do add "improvements" to their setup). This IP has neither a DNS A record nor a DNS PTR record, but has a DNS MX record. One can use these (have your MX stop talking to anything having broken DNS records). I however am tempted to block digitalocean's whole blocks of IP addresses again (after all, I bet I've seen the whole collection of these images already ;-). This is not trouble with their customer IMHO. This is trouble with themselves: how come an IP that is not registered in DNS can have a DNS MX record, and can be accessed by somebody?!
I've been thinking about this since yesterday, when I got back from vacation, to hear from my manager that he had to screw with mailman, because we were getting a lot of emails from elsewhere, subscribing to one or more of our lists... and having the target be one of three gmail accounts - a DDoS against them (and we assume that they're doing it to a lot of other places).
That is another side of you being famous ;-) We are not, so no one is trying to abuse somebody else by means of subscribing them to our mail lists (that said, it would be our list admins who would be abused as all lists - based on mailman - require approval and confirmation, the last comes after approval if I remember correctly).
Thanks. Valeri
Anyway, given the number of times I've been blocked by nixspam (which I found is run by IX, a German IT mag, and that they don't answer emails to *them*, either), I've been trying to think of a *reasonable* way to block that doesn't do collective punishment to the many domains of a huge hosting provider, and that's my best thought so far.
mark
On Thu, 2015-08-27 at 10:35 -0500, Valeri Galtsev wrote:
Me too: I started receiving them from different IP (with much longer delay, so they do add "improvements" to their setup). This IP, has neither DNS A record nor DNS PTR record, but has DNS MX record. One can use these (have your MX stop talking to anything having broken DNS records).
Exim is available from EPEL.
In Exim:
(1) I set one indicator if the host name does not fully resolve (IP to name to IP)
(2) I set another indicator if there is something wrong with the HELO/EHLO name or the name does not resolve to the sender's IP address
(3) I set a third indicator if the SMTP sender = SMTP recipient; or the SMTP recipient is an email address disused because of spam; or the SMTP recipient's host is *not* one of ours
(4) If all 3 indicators are set, then:
* then the email attempt is rejected before the email body (DATA) is received
* a PHP sub-routine is called which creates a fully descriptive internal email and SUDO is invoked to add the IP address to the firewall's monthly blocking list.
Otherwise if the sender = recipient or the recipient is 'wrong' the connection is rejected *before* the message body is accepted from the sender.
-------------
Meanwhile, every incoming email's sender's host is checked against a file containing banned senders' host names and the occasional IP address.
Fight spam by *not* being a passive victim.
Regards,
Paul.
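Paul's three-indicator policy above, as an added worked example written in Python rather than as Exim ACL configuration; it is not code from the thread or from Exim. The DNS answers (PTR and A records), the list of retired recipient addresses and the local domains are constructed so the decision logic runs offline; how a HELO address literal is treated and the exact shape of the "recipient is wrong" test are my assumptions.

```python
"""Added example, not from the thread and not Exim configuration: Paul's
three-indicator SMTP policy as a Python decision function over constructed
session data. DNS answers below are constructed dictionaries."""
OUR_DOMAINS = {"example.org"}
DISUSED_RECIPIENTS = {"oldlist@example.org"}   # addresses retired because of spam

# Constructed DNS: PTR (ip -> name) and A (name -> set of ips).
PTR = {"192.0.2.10": "mx.good.example", "198.51.100.20": "host20.bad.example"}
A = {"mx.good.example": {"192.0.2.10"}, "host20.bad.example": {"203.0.113.9"}}


def fcrdns_ok(ip, ptr=PTR, a=A):
    """Indicator 1 (negated): forward-confirmed reverse DNS, IP -> name -> IP."""
    name = ptr.get(ip)
    return name is not None and ip in a.get(name, set())


def helo_ok(helo, ip, a=A):
    """Indicator 2 (negated): HELO/EHLO is a plausible FQDN that resolves to
    the connecting IP, or an address literal equal to the connecting IP
    (the literal case is an assumption, not something Paul specified)."""
    if helo.startswith("[") and helo.endswith("]"):
        return helo[1:-1] == ip
    if "." not in helo or any(c.isspace() for c in helo):
        return False
    return ip in a.get(helo.lower(), set())


def recipient_ok(sender, recipient, ours=OUR_DOMAINS, disused=DISUSED_RECIPIENTS):
    """Indicator 3 (negated): recipient differs from the sender, is not a
    retired address, and is hosted in one of our domains."""
    sender, recipient = sender.lower(), recipient.lower()
    if sender == recipient or recipient in disused:
        return False
    return recipient.rpartition("@")[2] in ours


def decide(ip, helo, sender, recipient):
    """Return (action, firewall). The action is taken at RCPT TO, i.e. before
    DATA. All three indicators set: reject and flag the IP for the monthly
    firewall block list. A wrong recipient alone: reject, no firewall.
    Otherwise accept; failed FCrDNS or HELO on their own only set a flag."""
    indicators = (
        not fcrdns_ok(ip),
        not helo_ok(helo, ip),
        not recipient_ok(sender, recipient),
    )
    if all(indicators):
        return ("reject", True)
    if indicators[2]:
        return ("reject", False)
    return ("accept", False)


if __name__ == "__main__":
    print(decide("192.0.2.10", "mx.good.example", "alice@good.example", "bob@example.org"))
    print(decide("198.51.100.20", "mail.example.org", "bob@example.org", "bob@example.org"))
```

The second call in the usage block is the case Paul is after: the connecting host has no forward-confirmed reverse DNS, its HELO name does not resolve to it, and sender equals recipient, so the session is refused before the body is transferred and the IP is queued for the firewall list.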
On 08/27/2015 07:29 AM, m.roth@5-cent.us wrote:
Gary Stainburn wrote:
Bad news Guys, they've just moved the emails to somewhere else and have started again:
<snip>
A suggestion: there should be a way to filter using *domain* AND mailhost; that is, if emails come from a domain, and through one mailhost, then block the domain. If many domains, and the same mailhost, only then block
Here's a sure way to block this kind of spam, though there is a price for doing so. For each mailing list that I subscribe to (or for all of the mailing lists on a particular mailman server) I create a unique email address that I use to subscribe to that list. That userid forwards to my real email address.
I then run some software capable of whitelisting/blacklisting at the smtp level. The one I run can whitelist or blacklist based on the following (regular expressions are supported):
* envelope sender
* envelope recipient
* helo name
* remote ip address
* remote hostname
So I create the following two rules (which must be processed in the specified order):
Whitelist remotehostname: *mail.centos.org*
Blacklist envelope recipient: <unique email address>
This method works 100% of the time. The price of doing this is:
1) You can't receive private emails from list members without having some type of on-list exchange or adding their email to your whitelist.
2) You must post to the list using the address that you used to subscribe.
This has stopped all of the spam that I was getting from spammers that harvest email addresses on mailing lists.
My whitelisting and blacklisting is done using vpostmaster (which is no longer maintained), but I believe there are other packages which can be used with postfix or exim to do this type of thing.
Nataraj
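Nataraj's scheme above (a unique subscription address per list, a whitelist on the list server's hostname evaluated before a blacklist on that address) as an added worked example in Python. It is not code from the thread and not vpostmaster; the unique address, the forwarding target and the sample SMTP sessions are constructed, and the glob-style matching and first-match-wins evaluation are my reading of his two rules. The example also shows the cost he describes: a private reply from a list member to the unique address is refused.

```python
"""Added example, not from the thread and not vpostmaster: Nataraj's
per-list subscription address with an ordered whitelist/blacklist checked
at SMTP time. Patterns are shell-style globs (as in his rules), matched
case-insensitively; the first matching rule wins. All names are constructed."""
import fnmatch
from dataclasses import dataclass


@dataclass
class Session:
    sender: str      # envelope sender (MAIL FROM)
    recipient: str   # envelope recipient (RCPT TO)
    helo: str
    ip: str
    hostname: str    # reverse-DNS name of the connecting IP


# Constructed unique address used only to subscribe to the CentOS list,
# and the constructed real mailbox it forwards to.
LIST_ADDR = "centos-list-7f3a@example.net"
REAL_MAILBOX = "nataraj@example.net"

# Ordered rules: (action, field, glob). Order matters: the whitelist for the
# list server must be evaluated before the blacklist on the unique address.
RULES = [
    ("whitelist", "hostname", "*mail.centos.org*"),
    ("blacklist", "recipient", LIST_ADDR),
]


def evaluate(session, rules=RULES):
    """First rule whose glob matches the named field decides; 'accept' if none."""
    for action, field, pattern in rules:
        if fnmatch.fnmatchcase(getattr(session, field).lower(), pattern.lower()):
            return action
    return "accept"


def deliver(session, rules=RULES):
    """SMTP-time outcome: blacklisted mail is rejected before DATA; mail to the
    unique address that survives the rules is forwarded to the real mailbox."""
    if evaluate(session, rules) == "blacklist":
        return ("reject", None)
    target = REAL_MAILBOX if session.recipient.lower() == LIST_ADDR else session.recipient
    return ("deliver", target)


# Constructed sessions.
LIST_MAIL = Session("centos-bounces@centos.org", LIST_ADDR,
                    "mail.centos.org", "192.0.2.1", "mail.centos.org")
HARVESTED_SPAM = Session("julie@spammer.example", LIST_ADDR,
                         "mx2.spammer.example", "198.51.100.7", "mx2.spammer.example")
PRIVATE_REPLY = Session("member@member.example", LIST_ADDR,
                        "mail.member.example", "203.0.113.4", "mail.member.example")
OTHER_MAIL = Session("friend@friend.example", REAL_MAILBOX,
                     "mail.friend.example", "203.0.113.5", "mail.friend.example")

if __name__ == "__main__":
    for name, s in [("list", LIST_MAIL), ("spam", HARVESTED_SPAM),
                    ("private", PRIVATE_REPLY), ("other", OTHER_MAIL)]:
        print(name, evaluate(s), deliver(s))
    print("wrong order:", evaluate(LIST_MAIL, rules=list(reversed(RULES))))
```

Swapping the two rules makes the blacklist fire first and the list's own traffic is refused, which is why Nataraj stresses the processing order.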
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 26/08/15 20:11, Valeri Galtsev wrote:
On Wed, August 26, 2015 12:55 pm, James A. Peltier wrote:
----- Original Message -----
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| On 25/08/15 23:09, Fabian Arrotin wrote:
| > On 25/08/15 20:39, Alice Wonder wrote:
| >> julie70773 [at] loverhearts.com
| >
| >> Responded off-list to message on the list, spam with content
| >> that is not suitable for minors.
| >
| >> It is possible subscribed under different address.
| >
| >> IP of offending spam :
| >
| >> Received: from mx2.loverhearts.com (mx2.loverhearts.com
| >> [45.55.128.151]) (using TLSv1.2 with cipher
As you see from this header of yours, the spam was not delivered through the centos mail list, but comes from one of the IPs of the digitalocean.com IP block 45.55.0.0/16. As Fabian said, the centos mail list server admins contacted digitalocean.com about the abuse (even though indirect, but with apparent misuse of the centos list servers for collecting e-mails of posters). And the moment I received my copy of this spam _after_ Fabian mentioned they had contacted digitalocean.com, I just blocked mail from their block of IP addresses (45.55.0.0/16) on my servers, as digitalocean apparently didn't react to the abuse notice promptly. Others may want to do the same; thus we will pass the message with all seriousness to digitalocean.com.
Just my $0.02
Valeri
Still no news from DigitalOcean since multiple people complained to them about that issue. There are also some other IPs used to send those mails, from CIDR 104.236.0.0/16 too.
I can try to ask again about the status of those IPs, but I also guess that the more people complain about it, the more they'll look at it. If you still receive such mail (I personally never had *any* of those offending/spam mails myself), feel free to report it to https://www.digitalocean.com/company/contact/#tab_abusetrigger
Kind Regards,
- -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab