Comments at end.
On 3/19/18 12:22 PM, firstname.lastname@example.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, Mar 19, 2018 at 05:35:04PM +0200, Michelle Konzack wrote:
>> Hello Richard and *,
>>
>> On 2018-03-19, Richard Owlett hammered at the keys:
>>> I didn't. But as my ISP has an excellent spam filter I don't see what many others see. I suspect the key is interpreting the header information the OP gave. Is there a guide for an average user to interpreting that information?
>>
>> It seems, the spammer is on the List and manipulated the Mailinglist messages by using the original headers, removed anything newer than the <bendel> Received Headers and sent the message to more than 17000 servers.
>
> What do you mean by "the spammer is on the list"? The spam messages don't go via list. I would get them (my own mail server and no spam filter beyond the standard Exim header checking, which would never drop/reject a mail coming from the list).
>
>> <mail.tamay-dogan.net> is subject of a DOS attack.
>
> Yes, I rather think they are targeting you. The Debian mailing list headers seem to me (well placed) spoof.
>
>> It seems, the Attacker probably knows several 10.000 wrongly configured mailservers and now uses them to pull down my server...
>
> Yes, that's how it looks to me. Perhaps they're real bounces, perhaps they're fake. But I'm pretty sure by now that the Debian-list related headers are plain fake, to nudge people into "responding to list" and thus spreading the spam even more.
>
> So folks, don't do that. And if you do, at least strongly snip the original (as Michelle has done, thankfully) and don't include the whole kaboodle, top-posting style (you don't top-post, do you ;-)
>
> FWIW, I've sent a test message to (some randomly chosen user name) at one of the servers in list and am awaiting a bounce message. Let's see...
>
> @Michelle: could you please send me a *complete* bounce message, headers and all, as it arrives at your place? I still can't figure out what kind of headers you sent to this list.

Actually, what's more important is a collection of spam & bounce messages - both from Michelle, and anybody else who's seen the spam.
That way we can tell if they're all coming from one place (the list, or otherwise) or if they're coming from lots of sites across a botnet.
All we know right now is:
1. the mailer (purportedly) at freash.longvieace.com is reporting a ton of bounces on a mail that purportedly came from Michelle via Debian-user, and
2. the spam (purportedly) got to that mailer from mail.tamay-dogan.net
None of the other headers can be trusted. Actually, not even that message can be trusted - except that spambots don't generally report bounces.
One needs more copies of the spam, and more bounce messages, to figure out what's going on.
The general assumption here is that some spambot has manufactured headers that make it look like a message from Michelle to Debian-User. Beyond that, we really don't know anything useful or actionable.
Miles Fidelman (who deals with this sh*t on too many lists that he manages, sigh...)
--
In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
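
Added example, not part of the message above: one way to run the comparison Miles describes over a pile of collected bounces, trusting only the `Received:` line stamped by your own server and ignoring everything beneath it. The host `mx.example.org`, the sample messages and their documentation-range IPs are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string

TRUSTED_MX = "mx.example.org"   # assumption: the one server whose stamp we trust
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def make_sample(peer_ip):
    """Build a constructed bounce; its lower Received line plays the forged one."""
    return (
        f"Received: from relay.invalid ([{peer_ip}]) by {TRUSTED_MX} with esmtp;"
        " Mon, 19 Mar 2018 12:00:00 +0000\n"
        "Received: from lists.example.net ([203.0.113.99]) by relay.invalid;"
        " Mon, 19 Mar 2018 11:59:00 +0000\n"
        "From: Mail Delivery System <mailer-daemon@relay.invalid>\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "\n"
        "constructed body\n"
    )

# Constructed collection standing in for bounces gathered from several recipients.
SAMPLES = [make_sample(ip) for ip in (
    "192.0.2.10", "198.51.100.23", "192.0.2.10", "203.0.113.5", "198.51.100.77")]

def handoff_ip(raw, trusted_mx=TRUSTED_MX):
    """Return the peer IP our own MX recorded, or None if it never stamped the mail."""
    msg = message_from_string(raw)
    # Received headers are prepended, so walk from the top and stop at the first
    # one written "by" our server; anything below it was supplied by the sender.
    for hop in msg.get_all("Received", []):
        flat = " ".join(hop.split())
        by = re.search(r"\bby\s+(\S+)", flat)
        if by and by.group(1).lower() == trusted_mx:
            peer = IP_RE.search(flat.split(" by ")[0])
            return peer.group(1) if peer else None
    return None

def summarize(messages, single_share=0.8):
    """Count distinct hand-off IPs and say whether one host dominates."""
    ips = [ip for ip in map(handoff_ip, messages) if ip]
    if not ips:
        return {"distinct": 0, "top_share": 0.0, "verdict": "no trusted hop"}
    counts = Counter(ips)
    top_share = counts.most_common(1)[0][1] / len(ips)
    verdict = "single source" if top_share >= single_share else "distributed"
    return {"distinct": len(counts), "top_share": top_share, "verdict": verdict}

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

The 0.8 cut-off for calling it a single source is an arbitrary choice for the example; with real mail, the hand-off IPs are the data to compare across recipients.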