[CentOS] please block user

Sat Aug 29 17:41:55 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Sat, August 29, 2015 12:04 pm, James B. Byrne wrote:
> In consequence of this thread I went looking for a probe script that
> would send individualized email messages to each subscriber of a
> mailman list and found none.  Does such a thing in fact exist?
>
> It seems to me that this would be an invaluable tool in tracking down
> which subscriber is the bot-bait.
>

James, I doubt it is doable, even if you have the cooperation of the IP block
owner from whose IP(s) the individual spam comes. The following is [probably]
the scheme that is implemented [on a really small test scale] in the case of
abuse of posting subscribers of the CentOS mail list:

1. Some e-mail address is subscribed to the CentOS mail list.

2. When that e-mail address receives a post to the CentOS mail list, the
actual sender address is extracted from the header.

3. This address is passed over to one of the zombie machines in some botnet.

4. That particular zombie machine sends a signal to a host (in our case one of
the IPs assigned to DigitalOcean (DO) customers), quite likely just through a
POST HTML command giving the recipient address and the content of the message
to be sent, and quite likely some security code that prevents this chain from
being used by anybody except those who can provide the correct security code.

If the scheme is as above, even with the full real cooperation of DO you can
only have a pointer to one of the zombie computers. To track the chain down to
the machine that sent the command to the zombie computer you at least need to
investigate the content of this zombie computer, which I'm sceptical is
possible. Things become even worse if the chain transmitting the command
has more than one zombie computer.

The bottom line is: it is quite unlikely that the bad subscriber can be
discovered. (Somebody clever, correct me and tell me how.)

We probably should stop wasting the time of the CentOS team, who have better
things to do. After all, this scheme was probably aimed against CentOS, and us
continuing to discuss these things is what these rogue people were aiming to
achieve. The only productive way to deal with this spam is to one way or
another block this spam on our own (recipients') side. To do it one can
blacklist DO ranges of IP addresses, or, as a person cleverer than I
suggested, add them to the spam filter configuration with just a notch of
extra spam score. Use caution and be aware that this is purely your own
decision.

And my apologies for continuing this thread, which is really annoying for
some list members.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
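As an added example (not code from Valeri's message or from the CentOS list tooling), here is the "notch of extra spam score" approach the message recommends over an outright block: a small scorer that pulls relay IPs out of a message's Received: headers and adds a fixed score when any hop falls inside a configured address range. The network ranges, the score value and the sample messages are constructed placeholders (RFC 5737 documentation addresses), not DigitalOcean's actual allocations.

```python
import email
import ipaddress
import re

# Constructed placeholders (RFC 5737 documentation ranges), standing in for
# whatever hosting-provider ranges a site decides to treat with suspicion.
SUSPECT_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
EXTRA_SCORE = 1.0  # "just a notch", so a match alone does not reject mail

# Bracketed IPv4 literals as MTAs write them into Received: headers, e.g.
# "from host (host [203.0.113.7])"; IPv6 hops are intentionally ignored here.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message: str) -> list:
    """Collect the IPv4 addresses recorded in every Received: header,
    most recent hop first, skipping anything that is not a valid address."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        for literal in _RECEIVED_IP.findall(header):
            try:
                ips.append(ipaddress.ip_address(literal))
            except ValueError:  # e.g. "[999.1.1.1]" written by a broken MTA
                continue
    return ips


def suspect_hops(raw_message: str) -> list:
    """Relay addresses that fall inside one of SUSPECT_NETWORKS, as strings."""
    return [str(ip) for ip in relay_ips(raw_message)
            if any(ip in net for net in SUSPECT_NETWORKS)]


def extra_spam_score(raw_message: str) -> float:
    """Score to add to the filter's verdict: the notch if any hop is suspect."""
    return EXTRA_SCORE if suspect_hops(raw_message) else 0.0


# Constructed sample: a list post whose path includes a hop from a suspect range.
SAMPLE_VIA_SUSPECT = (
    "Received: from lists.example.org (lists.example.org [192.0.2.10])\n"
    "    by mx.example.net with ESMTP; Sat, 29 Aug 2015 17:40:00 +0000\n"
    "Received: from unknown (HELO relay) ([203.0.113.7])\n"
    "    by lists.example.org with SMTP; Sat, 29 Aug 2015 17:39:58 +0000\n"
    "From: poster@example.com\nTo: list@example.org\nSubject: test\n\nbody\n"
)
# Constructed sample: the same path with the suspect hop replaced by a clean one.
SAMPLE_CLEAN = SAMPLE_VIA_SUSPECT.replace("[203.0.113.7]", "[192.0.2.55]")
```

The returned score is meant to be added to whatever the site's filter already computes, so a hop from a listed range nudges borderline mail over the threshold without rejecting legitimate senders hosted in the same range.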