Re: [Evolution] [OT / Meta] Evolution list as source of spam
On Wed, 2019-01-16 at 02:26 +0100, Ángel wrote:
> For what it's worth… I am too receiving such msgid spam.
>
> Prompted by this thread, I did some analysis on the origin of these
> spams. Basically, extracting *camel* > /tmp/spam-msgids.txt
> sed -i "s/$/@bar>/;s/^/Message-ID:
> Plus a bunch of fgrep -f /tmp/spam-msgids.txt -r .
> and modifying that file with
> cut -d: -f 3- /tmp/a | sort -u | sed 's#^M.*#sed -i "s/&/bash\t&/"
> /tmp/spam-msgids.txt#e'
>
> The original emails come from several lists and, I should note,
> evolution list is *not* the one from which more message-ids were
> harvested (only three email addresses, they stopped being sent spam on
> 2017).
>
> poc mentioned the possibility that the emails were being harvested
> from the archives. While GNOME lists don't directly link to a mbox
> that would be easily findable to a naive email address crawler, I find
> evidence that some of these spammers are using archives from somewhere
> rather than subscribing a bot that adds people to the list on real
> time.
>
> For instance, there is the 727451.11377.1.camel "email address", which
> is a truncation of 1459727451.11377.1.camel sent to a ietf list on
> April 2016. The "short" email started being used on August *2018* for
> "investing in your country" scams, and the long one… on December 2018.
>
> I find unlikely that someone harvesting email addresses with a
> subscribed bot would have waited several years before starting to
> spam.
>
> That's not always the case, obviously. A Dec 14 message-id started
> getting spammed on Jan 1, and already "received" 84 spam mails by now.
> However, a "sibling" message-id from that same list also started
> getting spammed on Jan 1, but only a couple mails. (fwiw, the 86 mails
> are from @qq.com addresses)

Interesting. I primarily see these coming from posts I make to the Mailman and Debian lists.

> This can be due to bots prepared for it, or, simply, that certain
> archive of this list was crawled more often (or at the right time).
> I would expect that if someone took the (not-that-big) effort of
> building a subscription bot, he should at least get the email
> addresses right!
>
> It has been interesting to look at these spams, their use of
> message-ids, given their role as identifiers, allows gathering some
> interesting information that would not be possible without them
> stupidly interpreting message-ids as if they were email addresses, and
> cannot be used with normal addresses, that are generally used in more
> contexts.
>
> In the context of this discussion, I am including the email-like
> strings 1547601230.4258.6.t...@16bits.net as well as
> 1547601405.8896.3.t...@16bits.net for the 'benefit' of those spambots
> reading us. :)

;-)

-Jim P.

___
evolution-list mailing list
evolution-list@gnome.org
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list
Re: [Evolution] [OT / Meta] Evolution list as source of spam
For what it's worth… I am too receiving such msgid spam.

Prompted by this thread, I did some analysis on the origin of these spams. Basically, extracting *camel* > /tmp/spam-msgids.txt
sed -i "s/$/@bar>/;s/^/Message-ID:
Re: [Evolution] [OT / Meta] Evolution list as source of spam
On Mon, 2019-01-14 at 23:25 +, Pete Biggs wrote:
> Well, sort of a source of spam.
>
> At times I've mentioned that I seem to see an increase in spam when I
> post to the evo list - mostly it's subjective and others have not seen
> it and I'm certainly willing to accept it is coincidental.
>
> However, recently I've seen lots of failed delivery attempts on my mail
> server. Nothing new about that, it's a regular occurrence. But these
> failed addresses are message IDs that have, obviously, been harvested
> from somewhere. Specifically, I'm getting log messages of the type:
>
> 2019-01-14 20:57:31 H=(mail.rentautos.eu) [85.14.240.55]
> F= rejected RCPT
> <1421662613.17426.6.ca...@biggs.org.uk>: Unknown user
>
> (I don't think there's anything there that needs to be redacted! The
> hosts and From addresses change frequently.)
>
> Every single one of those message-ID type addresses are from mails I
> have sent to the Evolution mailing list. They are from a while ago -
> 2015 to be precise - but still, someone is obviously harvesting
> anything that even vaguely looks like an email address from an evo
> mailing list archive somewhere.
>
> I know there's absolutely nothing anyone can do about it, and these
> things are just noise in my logs, it's just interesting that it is
> evidence that someone/something has been harvesting the list and no
> doubt our real addresses have got themselves on a list somewhere.

I've seen a few of those, though only very occasionally. Possibly my spam filter (Gmail) is trapping them, though I'd need to look to be sure.

The archives are of course on-line, and even though they don't directly the poster's address is (trivially) obscured it would not be difficult to write a script to harvest this info. And of course anyone who keeps a private archive could also be a source. Even storing old list traffic (as I do myself) would be vulnerable to intrusions.

poc
[Evolution] [OT / Meta] Evolution list as source of spam
Well, sort of a source of spam.

At times I've mentioned that I seem to see an increase in spam when I post to the evo list - mostly it's subjective and others have not seen it and I'm certainly willing to accept it is coincidental.

However, recently I've seen lots of failed delivery attempts on my mail server. Nothing new about that, it's a regular occurrence. But these failed addresses are message IDs that have, obviously, been harvested from somewhere. Specifically, I'm getting log messages of the type:

2019-01-14 20:57:31 H=(mail.rentautos.eu) [85.14.240.55] F= rejected RCPT <1421662613.17426.6.ca...@biggs.org.uk>: Unknown user

(I don't think there's anything there that needs to be redacted! The hosts and From addresses change frequently.)

Every single one of those message-ID type addresses are from mails I have sent to the Evolution mailing list. They are from a while ago - 2015 to be precise - but still, someone is obviously harvesting anything that even vaguely looks like an email address from an evo mailing list archive somewhere.

I know there's absolutely nothing anyone can do about it, and these things are just noise in my logs, it's just interesting that it is evidence that someone/something has been harvesting the list and no doubt our real addresses have got themselves on a list somewhere.

P.
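Added example, not part of any message in this thread: a Python sketch that correlates "rejected RCPT" log lines of the kind quoted above with Message-IDs you actually sent, including the truncated form (727451.11377.1.camel from 1459727451.11377.1.camel) described in the thread, and decodes the leading Unix timestamp to show when the harvested message was sent. The function names, the length floor, and the sample hosts, senders and recipient domain are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Recipient of an Exim-style "rejected RCPT <addr>: Unknown user" line.
RCPT_RE = re.compile(r"rejected RCPT <([^@<>\s]+)@[^<>\s]+>")
# Message-ID local part as quoted in the thread: <unix time>.<n>.<n>.camel
CAMEL_RE = re.compile(r"^(\d+)\.\d+\.\d+\.camel$")

def sent_date(msgid_local):
    """Decode the leading Unix timestamp of a full Message-ID local part."""
    m = CAMEL_RE.match(msgid_local)
    return datetime.fromtimestamp(int(m.group(1)), timezone.utc).date() if m else None

def classify(local, sent_ids):
    """Return (kind, original_id); sent_ids are local parts you really sent."""
    if local in sent_ids:
        return "exact", local
    # A harvester that clips the string leaves a suffix of the real ID; the
    # length floor (an assumption) stops a bare "camel" from matching.
    if len(local) >= 12:
        for known in sorted(sent_ids):
            if known.endswith(local):
                return "truncated", known
    return "unrelated", None

def harvested_ids(log_lines, sent_ids):
    """Map rejected local part -> [kind, date originally sent, attempts]."""
    report = {}
    for line in log_lines:
        m = RCPT_RE.search(line)
        if not m:
            continue
        kind, original = classify(m.group(1), sent_ids)
        if original is not None:
            entry = report.setdefault(m.group(1), [kind, sent_date(original), 0])
            entry[2] += 1
    return report

SENT_IDS = {"1459727451.11377.1.camel"}  # full ID quoted in the thread
# Constructed log lines (hosts, senders and recipient domain are placeholders).
SAMPLE_LOG = [
    "2019-01-14 20:57:31 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <1459727451.11377.1.camel@example.org>: Unknown user",
    "2019-01-14 21:03:02 H=(mx.example.net) [192.0.2.11] F=<b@example.net> rejected RCPT <727451.11377.1.camel@example.org>: Unknown user",
    "2019-01-14 21:05:40 H=(mx.example.net) [192.0.2.11] F=<c@example.net> rejected RCPT <727451.11377.1.camel@example.org>: Unknown user",
    "2019-01-14 21:09:13 H=(mx.example.net) [192.0.2.12] F=<d@example.net> rejected RCPT <info@example.org>: Unknown user",
]

if __name__ == "__main__":
    for local, (kind, sent, hits) in harvested_ids(SAMPLE_LOG, SENT_IDS).items():
        print(f"{local}: {kind}, sent {sent}, {hits} rejected attempt(s)")
```

A long gap between the decoded send date and the first rejection in the log is the signal the thread uses to argue for archive crawling rather than a subscribed bot.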