Some Idiot is spamming the Linux-India mailing list. This guy sends mail using the E-mail IDs of well known people in the list (Suresh Ramasubramanian, to be precise!) and is using the AIIMS & IIM mail servers for relaying. Currently the LI guys Suresh+Thaths+Atul & co are trying to track this guy down. There's a lot of interesting activity going on in the Linux-India Mailing list due to this.

MANI

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 18, 2000 9:44 AM
Subject:

Hi guys,

Yes, I do know that smtp runs on port 25 :-) Man, my babe in Juno is now into learning Emacs! sigh, we still have not figured out who the spammer is...and the irony is .. aiims is still being nice and helpful for us :-) long live india

Suresh Ramasubramaniam
Spam Abuse Administrator at Juno.com (!) :-)

Visit http://www.NetVarsity.com for online learning

Ravikant K.Rao saw fit to inform LI that:

> Actually, How would one define a "Script Kiddie" ? Is it like
> a guy who "uses" other people's "tools" and messes up innocent people's
> happiness ... or is it like he writes/codes his own "scripts" or what?

This guy used two servers which don't even belong to him (AIIMS Delhi and IIM Bangalore). He spoofed the IP of a Korean university which may get some complaints without having originated the spam ... if that isn't theft of service, what is?

As for this, he needn't even _know_ smtp. Lots of cheap-ass software available on "cr4ck / w4r3z" sites like astalavista for spamming / mailbombing whatever. Most likely the idiot who sent this wouldn't even know that smtp listens on port 25.

> Actually, yes, Suresh *did* trace them to some Korean place
> but the 203.something IP doesn't even resolve to anything... I guess
> Suresh is way ahead and far more experienced with handling this sort
> of a thing ;)

Simple really - just use whois, nslookup, traceroute ... as easy as that.

> Atul said something about the guy being on aunet.org ?
> localhost? hmmm ;)

He misread the headers - what he got was a bounce from aunet.org (as he and Gopi are not subscribed to the list)

> localhost -> a.b.com
> a.b.com -> c.d.com
> c.d.com -> e.f.org
> e.f.org -> g.h.net
> g.h.net -> LI

With such a huge path, I'd suspect forgery ;)

> Can(t) you make mj2 check if each post from each subscriber
> had at least 75% of those hops or so? ... well, in afterthought, that
> would be broken .. how about 100% match, or it auto-rejects ... no
> forwarding to list-admin or anything ...

No, please don't. For example, I am subscribed to LI on two accounts (my office acct gets each post, and one of my personal accts gets a digest). In both cases, I set from: [EMAIL PROTECTED] to avoid confusion. I'm at home now and sending through my ISP's smtp server, not my office server. By the way, I'm also using mutt 1.3.2 and not 1.3 as in my office :)

> Or how about something like, if I was subscribed from
> [EMAIL PROTECTED] , then I would *have* to have *.bar.com appearing
> *somewhere* in the headers for my mail to get relayed by mj2 ... that

It is trivial to forge headers. You can't keep track of headers for just this reason.

> post itself won't have any *.mailandnews.com on it .. hehehehe
> ... there oughta be a more foolproof way to this ... duh

Only foolproof way - make LI-* 100% moderated, and let Thaths approve all posts (he'll probably chase me with an ax and lart my head off for this) :)

The next best way is to hammer any and every spammer who tries these tricks. The AIIMS and IIM-B open relays should ideally have other system logs, which might provide further clues about this idiot. If he's anywhere in VSNL, Satyam or Mantraonline, I know some people who'll nail his ass to the wall as a trophy.

[[Gopi - the reason I cc'd you was - can you please check the www.iimb.ernet.in logs and find out, or mail me a copy of the logs?]]

--
Suresh Ramasubramanian + [EMAIL PROTECTED]
"But what we need to know is, do people want nasally-insertable computers?"

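
An added example, not part of the original thread: the message above says headers are trivial to forge, so a trace should rely only on Received lines written by servers whose logs you can check, and only while each such line names the host that the hop above it saw connecting. The sketch below walks a constructed message that way; all hostnames, IPs and the `trace` helper are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample. Hosts and documentation-range IPs are placeholders.
RAW = (
    "Received: from relay.example.org (relay.example.org [192.0.2.25])\n"
    "\tby lists.example.net (Postfix) with ESMTP id 1A2B3C;\n"
    "\tSun, 18 Jun 2000 09:45:10 +0530\n"
    "Received: from localhost (unknown [203.0.113.77])\n"
    "\tby relay.example.org (8.9.3/8.9.3) with SMTP id JAA01234;\n"
    "\tSun, 18 Jun 2000 09:44:31 +0530\n"
    "Received: from office.example.com (office.example.com [198.51.100.9])\n"
    "\tby localhost with ESMTP; Sun, 18 Jun 2000 09:40:00 +0530\n"
    "From: Well Known Poster <poster@example.com>\n"
    "To: list@lists.example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Assumes the common "from HELO (rdns [ip]) by host" layout; real formats vary.
HOP = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\) by ([^\s;]+)")


def trace(raw, trusted):
    """Walk Received headers newest-first and return (hops, origin).

    hops   -- list of (by_host, peer_ip, reliable) per parsed header
    origin -- peer IP recorded by the deepest hop that is still reliable
    """
    hops, origin, expected, chain_ok = [], None, None, True
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            chain_ok = False  # unparseable header: stop trusting below it
            continue
        _helo, rdns, ip, by = m.groups()
        # Reliable only if written by a server we trust AND it is the host the
        # hop above saw connecting; anything below a break is sender-supplied.
        chain_ok = chain_ok and by in trusted and expected in (None, by)
        if chain_ok:
            origin, expected = ip, rdns
        hops.append((by, ip, chain_ok))
    return hops, origin


if __name__ == "__main__":
    for trusted in ({"lists.example.net"},
                    {"lists.example.net", "relay.example.org"}):
        print(sorted(trusted), "->", trace(RAW, trusted))
```

With only the list server trusted, the trace stops at the relay's address; adding the relay (once its administrators confirm the entry from their own logs) extends it one hop further, and the bottom header and the From line remain unverified either way.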
Hi folks,

You might have seen a couple of spam emails (with forged 'From' headers) that got through earlier today. This was an attempt by someone (possibly a script kiddie) to bring chaos to this mailing list. The spammer's idea of inflaming people seemed to be to call people (and Linux distributions) names. Luckily, he/she has succeeded in our exercising our analytical skills (in trying to locate the perpetrator). The intent seems to have been to show off skills in cracking and abusing well known posters to this mailing list.

Please show restraint. Tens of posts showing your friendship for the abused and hatred for the spammer are not going to help. If you want to help, look at the headers of the spam email and see if you can trace the culprit.

Thanks.

Your mock-Administrator of LI lists ;-)

--
"If there were any justice, my face would be on a bunch of crappy merchandise" -- Homer J. Simpson

The mailing list archives are available at http://lists.linux-india.org/cgi-bin/wilma/linux-delhi/
