[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: More then 2800 spams from the list...

Comments at end.

On 3/19/18 12:22 PM, tomas@tuxteam.de wrote:

Hash: SHA1

On Mon, Mar 19, 2018 at 05:35:04PM +0200, Michelle Konzack wrote:
Hello Richard and *,

Am 2018-03-19 hackte Richard Owlett in die Tasten:
I didn't. But as my ISP has an excellent spam filter I don't see what
many others see. I suspect the key is interpreting the header
information the OP gave. Is there a guide for an average user to
interpreting that information?
It seems, the spamer is on the List and manipulated the Mailinglist
messages b using the original headers removed anything newer then
the <bendel> Receied Headers and sent the message to more then 17000
What do you mean by "the spammer is on the list"? The spam messages
don't go via list. I would get them (my own mail server and no spam
filter beyond the standard Exim header checking, which would never
drop/reject a mail coming from the list).

<mail.tamay-dogan.net> is subject of a DOS attack.
Yes, I rather think they are targetting you. The Debian mailing
list headers seem to me (well placed) spoof.

It seems, the Attacker know probably several 10.000 wrong configured
mailservers and now use it, to pull down my server...
Yes, that's how it looks to me. Perhaps they're real bounces,
perhaps they're fake. But I'm pretty sure by now that the
Debian-list related headers are plain fake, to nudge people
into "responding to list" and thus spreading the spam even
more. So folks, don't do that. And if you do, at least strongly
snip the original (as Michelle has done, thankfully) and don't
include the whole kaboodle, top-posting style (you don't top-post,
do you ;-)

FWIW, I've sent a test mesage to (some randomly chosen user name)
at one of the servers in list and am awaiting a bounce message.

Let's see...

@Michelle: could you please send me a *complete* bounce message,
headers and all, as it arrives at your place? I still can't figure
out what kind of headers you sent to this list.

Actually, what's more important are a collection of spam & bounce messages - both from Michelle, and anybody else who's seen the spam.

That way we can tell if they're all coming from one place (the list, or otherwise) or if they're coming from lots of sites across a botnet.

All we know right now is

1. the mailer (purportedly) at freash.longvieace.com is reporting a ton of bounces on a mail that purportedly came from Michelle via Debian-user, and

2. the spam (purportedly) got to that mailer from mail.tamay-dogan.net

None of the other headers can be trusted.  Actually, not even that message can be trusted - except that spambots don't generally report bounces.

One needs more copies of the spam, and more bounce messages, to figure out what's going on. 

The general assumption here is that some spambot has manufactured headers that make it look like a message from Michelle to Debian-User.  Beyond that, we really don't know anything useful or actionable.

Miles Fidelman (who deals with this sh*t on too many lists that he manages, sigh...)


In theory, there is no difference between theory and practice.
In practice, there is.  .... Yogi Berra

Reply to: