Re: More then 2800 spams from the list...

2018-03-21 Thread Brad Rogers
On Wed, 21 Mar 2018 00:18:55 +
Brian  wrote:

Hello Brian,

>On Tue 20 Mar 2018 at 20:54:47 +0200, Michelle Konzack wrote:
>> Who is still offering pop3?  
>Gmail and gmx and probably lots of others.

Most others, I suspect.

I won't use IMAP at all.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
Well you tried it just the once and found it alright for kicks
Orgasm Addict - Buzzcocks




Re: More then 2800 spams from the list...

2018-03-20 Thread Brian
On Tue 20 Mar 2018 at 20:54:47 +0200, Michelle Konzack wrote:

> Am 2018-03-20 hackte Joe in die Tasten:

[...]

> > This has reduced with the decline of small (and
> > large!) businesses running their own private SMTP servers but
> > downloading their mail from a single shared external POP3 account,
> > which used to be a very common practice.
> 
> Who is still offering pop3?

Gmail and gmx and probably lots of others.

-- 
Brian.



Re: More then 2800 spams from the list...

2018-03-20 Thread Greg Wooledge
On Tue, Mar 20, 2018 at 08:30:50AM -0500, David Wright wrote:
> On Tue 20 Mar 2018 at 08:28:20 (-0400), Greg Wooledge wrote:
> > P.S. someone said that bounces are generated using the Reply-To: header.
> > This is incorrect (or at least, would be a violation of the protocols).
> > Bounces are sent to the envelope sender address (the one given by the
> > sender during the SMTP session), without looking at the message itself.
> > 
> > Of course, the envelope sender is just as easy to forge as the
> > Reply-To: header is.  The sender only needs to lie about who it is.
> > The receiver has no way to verify the address, other than "yeah, that
> > domain exists in DNS".
> 
> But if that IP address sends loads of undeliverable mail,
> why not just block it? I was under the impression that
> that's what IP address blacklisting was all about.

That happens, certainly.  But not everyone is using a blacklist.
The spammer just has to find one system that's vulnerable and keep
hammering it until it, too, gets blacklisted.



Re: More then 2800 spams from the list...

2018-03-20 Thread David Wright
On Tue 20 Mar 2018 at 08:28:20 (-0400), Greg Wooledge wrote:
> P.S. someone said that bounces are generated using the Reply-To: header.
> This is incorrect (or at least, would be a violation of the protocols).
> Bounces are sent to the envelope sender address (the one given by the
> sender during the SMTP session), without looking at the message itself.
> 
> Of course, the envelope sender is just as easy to forge as the
> Reply-To: header is.  The sender only needs to lie about who it is.
> The receiver has no way to verify the address, other than "yeah, that
> domain exists in DNS".

But if that IP address sends loads of undeliverable mail,
why not just block it? I was under the impression that
that's what IP address blacklisting was all about.

> That's how backscatter (a.k.a. "joe-jobbing") works.  The spammer
> sends mail to an invalid address and lies about the envelope sender
> address.  The receiver generates a bounce to the forged envelope
> sender address.  Voila, spam sent -- by the poor schmuck in the middle
> who was just trying to follow the SMTP protocol properly.  The only
> one who can identify the actual sender is the one who generated the
> bounce, and the only identifying information that system has is the
> IP address from which the message was sent.  Everything else (envelope
> sender, message headers, message body) is fabricated.

Cheers,
David.



Re: More then 2800 spams from the list...

2018-03-20 Thread Greg Wooledge
On Tue, Mar 20, 2018 at 09:21:03AM +, Joe wrote:
> An SMTP server, by default, accepts email only for recipients which have
> an account on it.

If only.  No, that's part of the problem.  An SMTP server, *by default*,
has no knowledge of which local-recipient-parts are valid and which
are not.  It has to communicate with some other system, process, library,
or whatever, to make that determination.

It's much easier for an SMTP server to validate just the domain-part
(right of the @ sign), and generate bounces when it turns out that
the local-recipient-part (left of the @ sign) is invalid.  This is
how things worked 25 years ago.

Unfortunately, humans being the despicable creatures that they are,
that naive system no longer works.

P.S. someone said that bounces are generated using the Reply-To: header.
This is incorrect (or at least, would be a violation of the protocols).
Bounces are sent to the envelope sender address (the one given by the
sender during the SMTP session), without looking at the message itself.

Of course, the envelope sender is just as easy to forge as the
Reply-To: header is.  The sender only needs to lie about who it is.
The receiver has no way to verify the address, other than "yeah, that
domain exists in DNS".

That's how backscatter (a.k.a. "joe-jobbing") works.  The spammer
sends mail to an invalid address and lies about the envelope sender
address.  The receiver generates a bounce to the forged envelope
sender address.  Voila, spam sent -- by the poor schmuck in the middle
who was just trying to follow the SMTP protocol properly.  The only
one who can identify the actual sender is the one who generated the
bounce, and the only identifying information that system has is the
IP address from which the message was sent.  Everything else (envelope
sender, message headers, message body) is fabricated.



Re: More then 2800 spams from the list...

2018-03-20 Thread tomas

On Tue, Mar 20, 2018 at 09:21:03AM +, Joe wrote:
> On Tue, 20 Mar 2018 08:52:48 +0100
>  wrote:
> 
> >
> > 
> > "never" is too strong a word. This is a corollary of the fundamental
> > law "all generalizations suck".
> > 
> How do you determine the exceptions? 

With care and measure :-)

> An SMTP server, by default, accepts email only for recipients which have
> an account on it. Aliases can be added, but on the whole, there is no
> mechanism for a 'catch-all' mailbox. Someone has to deliberately add
> some code to make such a thing happen. This has even been true of
> Exchange for the last few versions. It's generally not difficult, but
> it's not there out of the box. 

I, for example, do have a "catch-all" box. That's me.

And I'm not a salesman :-)

But with such a setup you've got to cope with *some* spam, that's
correct.

What you should not do is to accept a mail for forwarding to another
system you don't control (or are somewhat related to): that system
could very well reject that mail, and now you have a problem.

This would be what's called an "open relay". In these times, better
not do that.

Cheers
-- tomás



Re: More then 2800 spams from the list...

2018-03-20 Thread Joe
On Tue, 20 Mar 2018 08:52:48 +0100
 wrote:

>
> 
> "never" is too strong a word. This is a corollary of the fundamental
> law "all generalizations suck".
> 
How do you determine the exceptions? 

An SMTP server, by default, accepts email only for recipients which have
an account on it. Aliases can be added, but on the whole, there is no
mechanism for a 'catch-all' mailbox. Someone has to deliberately add
some code to make such a thing happen. This has even been true of
Exchange for the last few versions. It's generally not difficult, but
it's not there out of the box. 

There won't be any NDR spam if all the invalid email goes into one
particular account for a human to examine. The problem occurs if and
when a later SMTP server attempts to download and deliver this email to
multiple people who don't exist.

A salesman might argue that if only valid accounts are accepted, he
might miss a valuable sale because of a mis-spelled email address. In
other words, no price is too high for the rest of the Internet to pay
for him to get one more lead, no matter how poor. I'm not a salesman, so
I see things differently.

Things aren't as bad as they used to be, probably 90% of what my mail
server refused was once NDR spam. I could see in the logs the same dozen
obviously deliberately incorrect email addresses every day, sometimes
several times a day. This has reduced with the decline of small (and
large!) businesses running their own private SMTP servers but
downloading their mail from a single shared external POP3 account,
which used to be a very common practice.

-- 
Joe



Re: More then 2800 spams from the list...

2018-03-20 Thread tomas

On Mon, Mar 19, 2018 at 10:21:57PM +, Joe wrote:

[...]

> > This is precisely why e-mail server should never send bounces to
> > non-local senders. When sender is spoofed as in this case then is hit
> > with thousands of DSNs.

[delivery status notification]

[...]

> You do it by never accepting email for non-existent users. The problem
> is the use of a mail server which accepts absolutely anything for the
> domain, then finds that the end user rejects the rubbish. Having
> accepted it in the first place, the receiving mail server is then
> required to admit that it can't deliver it, by means of an NDR. It does
> this using the reply-to address, which is easily forged.

"never" is too strong a word. This is a corollary of the fundamental
law "all generalizations suck".

But yes, in general it is a bad idea to bounce a mail automatically
if you don't have control over its provenience.

FWIW, I did the experiment and sent a mail to a random user at one
of Michelle's reported domains: I got no bounce.

This is a strong hint (no proof, mind you!) that the whole bounces
are spoofed in this case. The reported headers in those bounces
do look strange (to me, anyway), but I'm willing to admit that I'm
not smart enough to grok them.

Cheers
-- tomás



Re: More then 2800 spams from the list...

2018-03-19 Thread Joe
On Mon, 19 Mar 2018 18:31:48 +
Karol Augustin  wrote:

> On 2018-03-19 12:58, Michelle Konzack wrote:
> > Hello and Listmaster/owner,
> > 
> > I have sent on "Date: Mon, 19 Mar 2018 07:17:40 -0400" a message
> > to the list and now I already got 2800 spams in one go!
> > 
> > The EMail responsible for this shit is .
> > 
> > Please can you remove this EMail from the list?
> > 
> > The message is:
> > 
> > 8<--
> > Hello, this is the mail server on frash.longvieace.com.
> > 
> > I am sending you this message to inform you on the delivery status
> > of a message you previously sent.  Immediately below you will find
> > a list of the affected recipients;  also attached is a Delivery
> > Status Notification
> > (DSN) report in standard format, as well as the headers of the
> > original message.
> > 
> >     delivery failed; will not continue trying
> > 8<--
> > 
> > All servers have exactly the same message...
> >   
> 
> > 
> > While writing this EMail, the spam increased to 3118.
> > 
> > Thanks in advance  
> 
> 
> 
> It looks like you are hit by backscatter bounces. Someone uses your
> e-mail address (in a prepared message) as the sender and spams misconfigured
> servers, which send you bounces as they can't deliver the spammer's message
> to the recipient.
> 
> This is precisely why an e-mail server should never send bounces to
> non-local senders. When the sender is spoofed, as in this case, it is hit
> with thousands of DSNs.
> 
> As most of the time people want to get DSNs for emails they sent, it is
> hard to mitigate using spam filtering software. You just have bad
> luck/you are targeted.

You do it by never accepting email for non-existent users. The problem
is the use of a mail server which accepts absolutely anything for the
domain, then finds that the end user rejects the rubbish. Having
accepted it in the first place, the receiving mail server is then
required to admit that it can't deliver it, by means of an NDR. It does
this using the reply-to address, which is easily forged.

The fix is that *all* incoming SMTP servers for the domain, primary and
backup, have a list of valid users (spammers often target
lower-priority MX records, as a backup server often doesn't have a user
account list). They must reject all other recipients at SMTP handshake
time, completely ignoring whatever has been forged in the headers. Spam
filtering doesn't do the job at all, the mail has already been accepted
by the time that sees it.

-- 
Joe



Re: More then 2800 spams from the list...

2018-03-19 Thread Karol Augustin
On 2018-03-19 20:50, Nick Boyce wrote:
> On Mon, 19 Mar 2018 18:31:48 +
> Karol Augustin  wrote:
> 
>> On 2018-03-19 12:58, Michelle Konzack wrote:
>> > Hello and Listmaster/owner,
>> >
>> > I have sent on "Date: Mon, 19 Mar 2018 07:17:40 -0400" a message
>> > to the list and now I already got 2800 spams in one go!
>> >
>> > The EMail responsible for this shit is .
> [...]
> 8<--
>> > Hello, this is the mail server on frash.longvieace.com.
>> >
>> > I am sending you this message to inform you on the delivery status of a
>> > message you previously sent.  Immediately below you will find a list of
>> > the affected recipients;  also attached is a Delivery Status
>> > Notification
> [...]
>> It looks like you are hit by backscatter bounces. Someone uses your
>> e-mail address (in a prepared message) as the sender and spams misconfigured
>> servers, which send you bounces as they can't deliver the spammer's message
>> to the recipient.
> 
> +1
> Exactly what Karol said - someone has used your email address as the
> sender for a spamming run, and you're being hit by all the bounces
> from all the receiving mailservers that quite properly reject the
> spam, but quite wrongly send a bounce to the supposed sender instead
> of to the mailserver that established the SMTP connection.
> 
> It's just your bad luck that it was your address that the spammer
> chose.  It's happened to me before now, and it was the most miserable
> period of weeks before the flood of backscatter DSNs slowed and then
> stopped.  There is almost no way of filtering the damn things out,
> because they're coming from all over the Internet and you usually *do*
> want to see such things.  Console yourself with planning what you
> would do to the spammer if you ever got hold of them.
>  
>> This is precisely why an e-mail server should never send bounces to
>> non-local senders. When the sender is spoofed, as in this case, it is hit
>> with thousands of DSNs.
> 
> Yes ... sigh.
> 
> Pleasingly, some spammers are being tracked down and are going to jail
> for long periods of time.
> 
> http://www.theregister.co.uk/2005/11/17/spammer_jailed/print.html
> https://usatoday30.usatoday.com/tech/news/computersecurity/2008-04-29-spam-sentencing_N.htm
> https://www.telegraph.co.uk/news/worldnews/northamerica/usa/6653892/Godfather-of-spam-jailed-for-four-years.html
> https://www.independent.co.uk/life-style/gadgets-and-tech/news/spam-emails-millions-us-man-michael-persaud-arizona-jail-time-prison-send-out-spamming-a7577216.html
> 
> Nick

You can use http://www.backscatterer.org/?target=usage
I don't know what the quality of this list is, but if used as described
in what they call "safe mode" it will only be checked against if the sender
is null or postmaster@, which should stop all DSNs from servers they have
listed.

Have to look into implementing this on my server just in case...
k.

-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312
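As an added illustration (not code from the thread or from backscatterer.org), the Python model below contrasts the accept-then-bounce behaviour Greg and Joe describe with rejecting unknown recipients at RCPT time, and adds the "safe mode" list check Karol mentions, which only runs for bounce-like senders; the domain, users, IP addresses and list zone are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed local configuration: the domain this MTA accepts mail for and
# the local parts (left of the @) that actually exist.
LOCAL_DOMAINS = {"example.org"}
VALID_LOCAL_PARTS = {"example.org": {"alice", "bob", "postmaster"}}


@dataclass
class Session:
    """What the receiving MTA knows while the client is still connected."""
    client_ip: str            # the only fact the receiver can trust
    mail_from: str            # envelope sender from MAIL FROM; "" is the null sender <>
    rcpt_to: str              # envelope recipient from RCPT TO
    headers: Dict[str, str] = field(default_factory=dict)  # e.g. Reply-To (never used for DSNs)


@dataclass
class Outcome:
    smtp_reply: str               # reply given to the connected client
    dsn_to: Optional[str] = None  # address a later DSN would go to, if any


def split_address(addr: str):
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def is_bounce_sender(mail_from: str) -> bool:
    """DSNs are sent from <> (null sender); some systems use postmaster@."""
    if mail_from == "":
        return True
    local, _ = split_address(mail_from)
    return local == "postmaster"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Usual DNSBL convention: reversed octets prepended to the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def make_fake_resolver(listed_ips, zone: str) -> Callable[[str], bool]:
    """Offline stand-in for a DNS lookup (constructed): listed if the name matches."""
    listed = {dnsbl_query_name(ip, zone) for ip in listed_ips}
    return lambda name: name in listed


def backscatter_check(session: Session, is_listed: Callable[[str], bool],
                      zone: str) -> Optional[str]:
    """'Safe mode': consult the list only for bounce-like senders, so ordinary
    mail from a listed host is not affected."""
    if not is_bounce_sender(session.mail_from):
        return None
    if is_listed(dnsbl_query_name(session.client_ip, zone)):
        return "554 5.7.1 Bounce from listed backscatter source refused"
    return None


def receive(session: Session, policy: str,
            is_listed: Callable[[str], bool] = lambda _name: False,
            zone: str = "bl.example.invalid") -> Outcome:
    """Run the SMTP-time policy; policy is 'strict' or 'legacy'."""
    reply = backscatter_check(session, is_listed, zone)
    if reply:
        return Outcome(reply)
    local, domain = split_address(session.rcpt_to)
    if domain not in LOCAL_DOMAINS:
        return Outcome("554 5.7.1 Relay access denied")  # else we'd be an open relay
    user_exists = local in VALID_LOCAL_PARTS[domain]
    if policy == "strict":
        # Unknown users are refused while the real sender is still connected:
        # the failure is its problem and no DSN is ever generated.
        return Outcome("250 2.0.0 OK" if user_exists else "550 5.1.1 User unknown")
    # 'legacy': only the domain part was validated. The message was accepted,
    # so non-delivery must now be reported to the envelope sender, which the
    # client chose freely. Reply-To in the headers is never consulted.
    if not user_exists:
        return Outcome("250 2.0.0 OK", dsn_to=session.mail_from or None)
    return Outcome("250 2.0.0 OK")


def joe_job_demo():
    """Constructed session: a spam run forging a third party's address."""
    forged = Session(
        client_ip="198.51.100.7",              # constructed (TEST-NET-2)
        mail_from="victim@example.net",        # forged envelope sender
        rcpt_to="nosuchuser@example.org",      # does not exist here
        headers={"Reply-To": "someone-else@example.com"},
    )
    # Safe-mode list check only bites on bounce-like senders from listed hosts.
    listed = make_fake_resolver({"203.0.113.9"}, "bl.example.invalid")
    bounce = Session("203.0.113.9", "", "alice@example.org")
    normal = Session("203.0.113.9", "carol@example.com", "alice@example.org")
    return {
        "legacy": receive(forged, "legacy"),
        "strict": receive(forged, "strict"),
        "listed_bounce": receive(bounce, "strict", listed),
        "listed_normal": receive(normal, "strict", listed),
    }
```

In the "legacy" outcome the DSN is addressed to the forged victim even though the victim's host never connected; with "strict" the only party that learns of the failure is the client at the recorded IP address.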



Re: More then 2800 spams from the list...

2018-03-19 Thread Nick Boyce
On Mon, 19 Mar 2018 18:31:48 +
Karol Augustin  wrote:

> On 2018-03-19 12:58, Michelle Konzack wrote:
> > Hello and Listmaster/owner,
> > 
> > I have sent on "Date: Mon, 19 Mar 2018 07:17:40 -0400" a message
> > to the list and now I already got 2800 spams in one go!
> > 
> > The EMail responsible for this shit is .
[...]
8<--
> > Hello, this is the mail server on frash.longvieace.com.
> > 
> > I am sending you this message to inform you on the delivery status of a
> > message you previously sent.  Immediately below you will find a list of
> > the affected recipients;  also attached is a Delivery Status
> > Notification
[...]
> It looks like you are hit by backscatter bounces. Someone uses your
> e-mail address (in a prepared message) as the sender and spams misconfigured
> servers, which send you bounces as they can't deliver the spammer's message
> to the recipient.

+1
Exactly what Karol said - someone has used your email address as the sender for 
a spamming run, and you're being hit by all the bounces from all the receiving 
mailservers that quite properly reject the spam, but quite wrongly send a 
bounce to the supposed sender instead of to the mailserver that established the 
SMTP connection.

It's just your bad luck that it was your address that the spammer chose.  It's 
happened to me before now, and it was the most miserable period of weeks before 
the flood of backscatter DSNs slowed and then stopped.  There is almost no way 
of filtering the damn things out, because they're coming from all over the 
Internet and you usually *do* want to see such things.  Console yourself with 
planning what you would do to the spammer if you ever got hold of them.
 
> This is precisely why an e-mail server should never send bounces to
> non-local senders. When the sender is spoofed, as in this case, it is hit
> with thousands of DSNs.

Yes ... sigh.

Pleasingly, some spammers are being tracked down and are going to jail for long 
periods of time.

http://www.theregister.co.uk/2005/11/17/spammer_jailed/print.html
https://usatoday30.usatoday.com/tech/news/computersecurity/2008-04-29-spam-sentencing_N.htm
https://www.telegraph.co.uk/news/worldnews/northamerica/usa/6653892/Godfather-of-spam-jailed-for-four-years.html
https://www.independent.co.uk/life-style/gadgets-and-tech/news/spam-emails-millions-us-man-michael-persaud-arizona-jail-time-prison-send-out-spamming-a7577216.html

Nick
-- 
Never FDISK after midnight.



Re: More then 2800 spams from the list...

2018-03-19 Thread Karol Augustin
On 2018-03-19 12:58, Michelle Konzack wrote:
> Hello and Listmaster/owner,
> 
> I have sent on "Date: Mon, 19 Mar 2018 07:17:40 -0400" a message
> to the list and now I already got 2800 spams in one go!
> 
> The EMail responsible for this shit is .
> 
> Please can you remove this EMail from the list?
> 
> The message is:
> 
> 8<--
> Hello, this is the mail server on frash.longvieace.com.
> 
> I am sending you this message to inform you on the delivery status of a
> message you previously sent.  Immediately below you will find a list of
> the affected recipients;  also attached is a Delivery Status
> Notification
> (DSN) report in standard format, as well as the headers of the original
> message.
> 
>     delivery failed; will not continue trying
> 8<--
> 
> All servers have exactly the same message...
> 

> 
> While writing this EMail, the spam increased to 3118.
> 
> Thanks in advance



It looks like you are hit by backscatter bounces. Someone uses your
e-mail address (in a prepared message) as the sender and spams misconfigured
servers, which send you bounces as they can't deliver the spammer's message
to the recipient.

This is precisely why an e-mail server should never send bounces to
non-local senders. When the sender is spoofed, as in this case, it is hit
with thousands of DSNs.

As most of the time people want to get DSNs for emails they sent, it is
hard to mitigate using spam filtering software. You just have bad
luck/you are targeted.

k.


-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312



Re: More then 2800 spams from the list...

2018-03-19 Thread tomas

On Mon, Mar 19, 2018 at 05:54:10PM +, Tony van der Hoff wrote:
> On 19/03/18 17:38, Miles Fidelman wrote:
> >
> > Comments at end.
> >
> Where they should be. If you can avoid the HTML, and change your sig.sep to
> , you're on your way to becoming a hero on this list.

Actually he does and it is (hint: his mail is a mime/multipart
alternative, with one plain text and one HTML alternative, which
is fine. If your MUA does The Right Thing, it'll show you the
text alternative, with dash-dash-space signature separator and
all :-)

Cheers
-- tomás



Re: More then 2800 spams from the list...

2018-03-19 Thread Tony van der Hoff
On 19/03/18 17:38, Miles Fidelman wrote:
>
> Comments at end.
>
Where they should be. If you can avoid the HTML, and change your sig.sep to
, you're on your way to becoming a hero on this list.



Re: More then 2800 spams from the list...

2018-03-19 Thread Miles Fidelman

Comments at end.

On 3/19/18 12:22 PM, to...@tuxteam.de wrote:
> On Mon, Mar 19, 2018 at 05:35:04PM +0200, Michelle Konzack wrote:
> > Hello Richard and *,
> > 
> > Am 2018-03-19 hackte Richard Owlett in die Tasten:
> > > I didn't. But as my ISP has an excellent spam filter I don't see what
> > > many others see. I suspect the key is interpreting the header
> > > information the OP gave. Is there a guide for an average user to
> > > interpreting that information?
> > 
> > It seems the spammer is on the list and manipulated the mailing list
> > messages by using the original headers, removed anything newer than
> > the Received headers and sent the message to more than 17000
> > servers.
> 
> What do you mean by "the spammer is on the list"? The spam messages
> don't go via list. I would get them (my own mail server and no spam
> filter beyond the standard Exim header checking, which would never
> drop/reject a mail coming from the list).
> 
> >  is the subject of a DoS attack.
> 
> Yes, I rather think they are targetting you. The Debian mailing
> list headers seem to me (well placed) spoof.
> 
> > It seems the attacker probably knows several 10.000 wrongly configured
> > mailservers and is now using them to pull down my server...
> 
> Yes, that's how it looks to me. Perhaps they're real bounces,
> perhaps they're fake. But I'm pretty sure by now that the
> Debian-list related headers are plain fake, to nudge people
> into "responding to list" and thus spreading the spam even
> more. So folks, don't do that. And if you do, at least strongly
> snip the original (as Michelle has done, thankfully) and don't
> include the whole kaboodle, top-posting style (you don't top-post,
> do you ;-)
> 
> FWIW, I've sent a test mesage to (some randomly chosen user name)
> at one of the servers in list and am awaiting a bounce message.
> 
> Let's see...
> 
> @Michelle: could you please send me a *complete* bounce message,
> headers and all, as it arrives at your place? I still can't figure
> out what kind of headers you sent to this list.

Actually, what's more important is a collection of spam & bounce
messages - both from Michelle, and anybody else who's seen the spam.

That way we can tell if they're all coming from one place (the list, or
otherwise) or if they're coming from lots of sites across a botnet.

All we know right now is

1. the mailer (purportedly) at freash.longvieace.com is reporting a ton
of bounces on a mail that purportedly came from Michelle via
Debian-user, and

2. the spam (purportedly) got to that mailer from mail.tamay-dogan.net

None of the other headers can be trusted.  Actually, not even that
message can be trusted - except that spambots don't generally report
bounces.

One needs more copies of the spam, and more bounce messages, to figure
out what's going on.

The general assumption here is that some spambot has manufactured
headers that make it look like a message from Michelle to Debian-User.
Beyond that, we really don't know anything useful or actionable.

Miles Fidelman (who deals with this sh*t on too many lists that he
manages, sigh...)

--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra



Re: More then 2800 spams from the list...

2018-03-19 Thread Curt
On 2018-03-19, Cindy-Sue Causey  wrote:
>
> Did anyone else receive more than the one very obviously spoofed
> Debian-User email over the weekend?

I received just now, after a followup to Brian in this group via the gmane
service, a bounce:

 Delivery has failed to these recipients or groups:

 kisscoola...@lacabanedeladmin.trickip.net
 Your message couldn't be delivered. The Domain Name System (DNS)
 reported that the recipient's domain
 does not exist.

with my followup message to the list (which arrived here safely) attached.

I admit I don't get it (I mean I got it, but I don't get it).

> Cindy :)


-- 
Bah, the latest news, the latest news is not the last.
Samuel Beckett



Re: More then 2800 spams from the list...

2018-03-19 Thread tomas

On Mon, Mar 19, 2018 at 05:35:04PM +0200, Michelle Konzack wrote:
> Hello Richard and *,
> 
> Am 2018-03-19 hackte Richard Owlett in die Tasten:
> > I didn't. But as my ISP has an excellent spam filter I don't see what
> > many others see. I suspect the key is interpreting the header
> > information the OP gave. Is there a guide for an average user to
> > interpreting that information?
> 
> It seems the spammer is on the list and manipulated the mailing list
> messages by using the original headers, removed anything newer than
> the Received headers and sent the message to more than 17000
> servers.

What do you mean by "the spammer is on the list"? The spam messages
don't go via list. I would get them (my own mail server and no spam
filter beyond the standard Exim header checking, which would never
drop/reject a mail coming from the list).

>  is subject of a DOS attack.

Yes, I rather think they are targetting you. The Debian mailing
list headers seem to me (well placed) spoof.

> It seems, the Attacker know probably several 10.000 wrong configured
> mailservers and now use it, to pull down my server...

Yes, that's how it looks to me. Perhaps they're real bounces,
perhaps they're fake. But I'm pretty sure by now that the
Debian-list related headers are plain fake, to nudge people
into "responding to list" and thus spreading the spam even
more. So folks, don't do that. And if you do, at least strongly
snip the original (as Michelle has done, thankfully) and don't
include the whole kaboodle, top-posting style (you don't top-post,
do you ;-)

FWIW, I've sent a test mesage to (some randomly chosen user name)
at one of the servers in list and am awaiting a bounce message.

Let's see...

@Michelle: could you please send me a *complete* bounce message,
headers and all, as it arrives at your place? I still can't figure
out what kind of headers you sent to this list.

Thanks
-- tomás



Re: More then 2800 spams from the list...

2018-03-19 Thread Jim Popovitch
On Mon, 2018-03-19 at 17:35 +0200, Michelle Konzack wrote:
> I am sure, this attacker is here on the list, because it started with
> my anser to "[LEARNING OUTCOME] Wi-Fi WPA Hacking Tool is Totally
> Useless on New Wireless Routers".
> 

Replying solely because I live/lust for parties like these
(seriously!).

Let's see what kind of "presents" i get.

-Jim P. 



Re: More then 2800 spams from the list...

2018-03-19 Thread Michelle Konzack
Hello Richard and *,

Am 2018-03-19 hackte Richard Owlett in die Tasten:
> I didn't. But as my ISP has an excellent spam filter I don't see what
> many others see. I suspect the key is interpreting the header
> information the OP gave. Is there a guide for an average user to
> interpreting that information?

It seems the spammer is on the list and manipulated the mailing list
messages by using the original headers, removed anything newer than
the Received headers and sent the message to more than 17000
servers.

 is the subject of a DoS attack.

It seems the attacker probably knows several 10.000 wrongly configured
mailservers and is now using them to pull down my server...

I am sure this attacker is here on the list, because it started with
my answer to "[LEARNING OUTCOME] Wi-Fi WPA Hacking Tool is Totally
Useless on New Wireless Routers".

Greetings

-- 
Michelle Konzack        Miila ITSystems @ TDnet
GNU/Linux Developer     00372-54541400



Re: More then 2800 spams from the list...

2018-03-19 Thread Gene Heskett
On Monday 19 March 2018 11:07:39 Cindy-Sue Causey wrote:

> On 3/19/18, to...@tuxteam.de  wrote:
> >
> > On Mon, Mar 19, 2018 at 10:40:10AM -0400, Gene Heskett wrote:
> >> On Monday 19 March 2018 09:14:19 Jonathan Dowland wrote:
> >> > This does not belong on debian-user (and indeed posting it will
> >> > only make matters worse for you and us)
> >>
> >> Jonathon, why berate the poor user for what may your servers
> >> malperformance, which since I am subscribed and didn't get them,
> >> I'd put the blame on downstream, perhaps even in Michelles own
> >> ISP's server, and do it without telling her where the complaint
> >> should have been sent.
> >
> > No, Jonathan is right. Resending the spam to -user is not productive
> > (and perhaps exactly what the spammers want you to do: multiply by
> > 3000 at no cost to them). Michelle put
> >  already on the cc which *might*
> > be more relevant.
> >
> > You can try to do the best of it and have a go at the header
> > analysis: are they legit or spoof?
>
> Did anyone else receive more than the one very obviously spoofed
> Debian-User email over the weekend?
>
> Cindy :)

I got 2 copies of a msg posted by Tomas, but that was it.


-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: More then 2800 spams from the list...

2018-03-19 Thread Richard Owlett

On 03/19/2018 10:07 AM, Cindy-Sue Causey wrote:
> On 3/19/18, to...@tuxteam.de  wrote:
> > On Mon, Mar 19, 2018 at 10:40:10AM -0400, Gene Heskett wrote:
> > > On Monday 19 March 2018 09:14:19 Jonathan Dowland wrote:
> > > > This does not belong on debian-user (and indeed posting it will only
> > > > make matters worse for you and us)
> > > 
> > > Jonathon, why berate the poor user for what may your servers
> > > malperformance, which since I am subscribed and didn't get them, I'd put
> > > the blame on downstream, perhaps even in Michelles own ISP's server, and
> > > do it without telling her where the complaint should have been sent.
> > 
> > No, Jonathan is right. Resending the spam to -user is not productive
> > (and perhaps exactly what the spammers want you to do: multiply by 3000
> > at no cost to them). Michelle put 
> > already on the cc which *might* be more relevant.
> > 
> > You can try to do the best of it and have a go at the header analysis:
> > are they legit or spoof?
> 
> Did anyone else receive more than the one very obviously spoofed
> Debian-User email over the weekend?
> 
> Cindy :)

I didn't. But as my ISP has an excellent spam filter I don't see what
many others see. I suspect the key is interpreting the header
information the OP gave. Is there a guide for an average user to
interpreting that information?


Re: More then 2800 spams from the list...

2018-03-19 Thread Cindy-Sue Causey
On 3/19/18, to...@tuxteam.de  wrote:
>
> On Mon, Mar 19, 2018 at 10:40:10AM -0400, Gene Heskett wrote:
>> On Monday 19 March 2018 09:14:19 Jonathan Dowland wrote:
>>
>> > This does not belong on debian-user (and indeed posting it will only
>> > make matters worse for you and us)
>>
>> Jonathon, why berate the poor user for what may your servers
>> malperformance, which since I am subscribed and didn't get them, I'd put
>> the blame on downstream, perhaps even in Michelles own ISP's server, and
>> do it without telling her where the complaint should have been sent.
>
> No, Jonathan is right. Resending the spam to -user is not productive
> (and perhaps exactly what the spammers want you to do: multiply by 3000
> at no cost to them). Michelle put 
> already on the cc which *might* be more relevant.
>
> You can try to do the best of it and have a go at the header analysis:
> are they legit or spoof?


Did anyone else receive more than the one very obviously spoofed
Debian-User email over the weekend?

Cindy :)
-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *



Re: More then 2800 spams from the list...

2018-03-19 Thread Richard Owlett

On 03/19/2018 09:40 AM, Gene Heskett wrote:

> On Monday 19 March 2018 09:14:19 Jonathan Dowland wrote:
>> This does not belong on debian-user (and indeed posting it will only
>> make matters worse for you and us)
>
> Jonathon, why berate the poor user for what may your servers
> malperformance, which since I am subscribed and didn't get them, I'd put
> the blame on downstream, perhaps even in Michelles own ISP's server, and
> do it without telling her where the complaint should have been sent.



*+1*





Re: More then 2800 spams from the list...

2018-03-19 Thread tomas

On Mon, Mar 19, 2018 at 10:40:10AM -0400, Gene Heskett wrote:
> On Monday 19 March 2018 09:14:19 Jonathan Dowland wrote:
> 
> > This does not belong on debian-user (and indeed posting it will only
> > make matters worse for you and us)
> 
> Jonathon, why berate the poor user for what may your servers 
> malperformance, which since I am subscribed and didn't get them, I'd put 
> the blame on downstream, perhaps even in Michelles own ISP's server, and 
> do it without telling her where the complaint should have been sent. 

No, Jonathan is right. Resending the spam to -user is not productive
(and perhaps exactly what the spammers want you to do: multiply by 3000
at no cost to them). Michelle put 
already on the cc which *might* be more relevant.

You can try to do the best of it and have a go at the header analysis:
are they legit or spoof?

Cheers
- -- tomás



Re: More then 2800 spams from the list...

2018-03-19 Thread Gene Heskett
On Monday 19 March 2018 09:14:19 Jonathan Dowland wrote:

> This does not belong on debian-user (and indeed posting it will only
> make matters worse for you and us)

Jonathon, why berate the poor user for what may your servers 
malperformance, which since I am subscribed and didn't get them, I'd put 
the blame on downstream, perhaps even in Michelles own ISP's server, and 
do it without telling her where the complaint should have been sent. 

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: More then 2800 spams from the list...

2018-03-19 Thread Jonathan Dowland

This does not belong on debian-user (and indeed posting it will only
make matters worse for you and us)


--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



More then 2800 spams from the list...

2018-03-19 Thread Michelle Konzack
Hello and Listmaster/owner,

I have sent a message to the list on "Date: Mon, 19 Mar 2018 07:17:40 -0400"
and now I have already got 2800 spams in one go!

The email responsible for this shit is .

Please can you remove this EMail from the list?

The message is:

8<--
Hello, this is the mail server on frash.longvieace.com.

I am sending you this message to inform you on the delivery status of a
message you previously sent.  Immediately below you will find a list of
the affected recipients;  also attached is a Delivery Status
Notification
(DSN) report in standard format, as well as the headers of the original
message.

    delivery failed; will not continue trying
8<--

All servers have exactly the same message...

The headers are:

8<--
Received: from localhost (127.0.0.1) by propt.simptor.net id
hlue5c16lt0i for ; Mon, 19 Mar 2018 07:17:40
-0400 (envelope-from )
Received: from mail.tamay-dogan.net (mail.tamay-dogan.net
[78.47.247.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
(256/256 bits)) (Client did not present a certificate) by
bendel.debian.org (Postfix) with ESMTPS id D474D57 for
; Mon, 19 Mar 2018 07:17:40 -0400
Received: from localhost (localhost [127.0.0.1])
  (uid 33)
  by mail.tamay-dogan.net with local; Mon, 19 Mar 2018 09:10:30 +0100
  id 1F47.5AAF7076.0EF8
Received: from 37.157.105.227
(SquirrelMail authenticated user michelle.konzack)
by webmail.tamay-dogan.net with HTTP;
Mon, 19 Mar 2018 07:17:40 -0400
Message-ID:
<8fab183a7c01f62340f38f1a9bbe6911.squir...@webmail.tamay-dogan.net>
In-Reply-To:

References:

Date: Mon, 19 Mar 2018 07:17:40 -0400
Subject: diFAy ier871 188.164.196.32
From: Michelle Konzack 
To: debian-user@lists.debian.org
User-Agent: SquirrelMail/1.4.23 [SVN]
Mime-Version: 1.0
OpenPGP: id=A5957FD8834573E2;
url=http://michelle.konzack.tdhome.net/public.gpg
X-Mime-Autoconverted: from 8bit to 7bit by courier 0.68
X-Rc-Virus: 2007-09-13_01
X-Rc-Spam: 2008-11-04_01
Resent-Message-ID: <6M7pfiS7BiG.A.GlG.HC3raB@bendel>
Resent-From: debian-user@lists.debian.org
X-Mailing-List:  archive/latest/733721
X-Loop: debian-user@lists.debian.org
List-Id: 
List-URL: 
List-Post: 
List-Help: 
List-Subscribe:

List-Unsubscribe:

Precedence: list
Resent-Sender: debian-user-requ...@lists.debian.org
List-Archive:
https://lists.debian.org/msgid-search/8fab183a7c01f62340f38f1a9bbe6911.squir...@webmail.tamay-dogan.net
Resent-Date: Mon, 19 Mar 2018 08:10:47 + (UTC)
Content-Type: text/html
8<--

This is how it looks in SquirrelMail:

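The header analysis tomás suggests (and the guide Richard asks for), as an added example that is not part of any post in this thread: a small Python script that unfolds the Received: headers Michelle posted, walks the hops in delivery order and flags any hop stamped earlier than the one before it, a clock-skew or forgery indicator worth checking before trusting what the chain claims. `<elided>` is a placeholder for the addresses the archive removed; run on these headers it reports the mail.tamay-dogan.net hop as stamped about three hours before the webmail hop that precedes it.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime
# Constructed sample: the Received: headers quoted in the original post, with
# RFC 5322 folding restored and the recipient addresses left elided as posted.
SAMPLE_HEADERS = """\
Received: from localhost (127.0.0.1) by propt.simptor.net id hlue5c16lt0i
  for <elided>; Mon, 19 Mar 2018 07:17:40 -0400 (envelope-from <elided>)
Received: from mail.tamay-dogan.net (mail.tamay-dogan.net [78.47.247.21])
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
  (Client did not present a certificate) by bendel.debian.org (Postfix)
  with ESMTPS id D474D57 for <elided>; Mon, 19 Mar 2018 07:17:40 -0400
Received: from localhost (localhost [127.0.0.1]) (uid 33)
  by mail.tamay-dogan.net with local; Mon, 19 Mar 2018 09:10:30 +0100
  id 1F47.5AAF7076.0EF8
Received: from 37.157.105.227 (SquirrelMail authenticated user michelle.konzack)
  by webmail.tamay-dogan.net with HTTP; Mon, 19 Mar 2018 07:17:40 -0400
"""

def unfold(headers):
    """Join folded continuation lines so each header is one logical line."""
    lines = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def strip_comments(s):
    """Remove (possibly nested) RFC 5322 comments such as '(Postfix)'."""
    while True:
        s, n = re.subn(r"\([^()]*\)", " ", s)
        if n == 0:
            return s

def received_chain(headers):
    """Return hops oldest-first as (from, by, utc_time, clock_ok)."""
    hops = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        flat = strip_comments(line)        # date-time follows the last ';'
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1])
        frm = re.search(r"\bfrom\s+(\S+)", flat).group(1)
        by = re.search(r"\bby\s+(\S+)", flat).group(1)
        hops.append((frm, by, when.astimezone(timezone.utc)))
    hops.reverse()  # Received: headers are prepended, so the last is hop 1
    # clock_ok is False when a hop is stamped earlier than the one before it:
    # a skewed clock, or a hop that did not happen in the claimed order.
    out, prev = [], None
    for frm, by, when in hops:
        out.append((frm, by, when, prev is None or when >= prev))
        prev = when
    return out
```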