[Coco] Re: How did this spam from an open proxy get through a moderated list?

John E. Malmberg wb8tyw at qsl.net
Sat Apr 30 23:03:31 EDT 2005


Dennis Bathory-Kitsz wrote:
> At 09:01 PM 4/30/05 -0400, John E. Malmberg wrote:
> [snip spam stuff]
> 
> The spam quality is not important, nor is the origin. It is how it got
> through a subscriber-only list where all non-subscribed mail is
> automatically rejected without moderation.

I mainly mentioned that because once a rule is found to determine that a 
message is spam, no further check is needed, and these checks can be 
done very early in the SMTP dialog.

It is in my nature to look at how something can be done in the most 
efficient manner. :-)

>>Looks like a spammer is spoofing that they are coming from a subscribed
>>user.
> 
> Their fake address is not subscribed, and there is no other address in the
> headers but mine. Maybe it's a lucky shot with my address (which is snagged
> a lot) being joe-jobbed and sent to a whole bunch of mailman lists,
> including this one.
> 
> I'll send you the full header if you like.

That might help.  The gateway has mangled them quite a bit.
I would recommend sending them to malmberg(at)encompasserve.org.
qsl.net has a content filter, and my guess is that would trip it.

I am assuming that your list rejection is blackholing after the SMTP 
message is received, so it is not seeing any headers that are not 
carried through to the list.

I have seen spammers put fake header information in the plain text portion 
of the message, but none of this showed up on gmane.

There appears to be a fake header line trying to make the spam appear to 
come from speakeasy.net that is dated in the future, but the I.P. 
address is missing, so the forgery is obvious, and I cannot see how 
that would trip a filter rule unless you are specifically whitelisting 
speakeasy.net.

As near as I can see, the difference between it and a normal post is 
that with the spam, your e-mail address, which gmane mangled, was one of 
the primary recipients.

I can try to duplicate that with an e-mail address that is not 
subscribed to the list.

-John
wb8tyw(at)qsl.net
Personal Opinion Only
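
The two forgery signs named in the message above (a Received line dated in the future, and one with no client I.P. address) can be checked mechanically. The following is an added example, not part of the original post or of any list software; the function name `audit_received`, the sample message, and its hosts and addresses are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; hosts and addresses are documentation placeholders.
SAMPLE = """\
Received: from mx.list.example ([192.0.2.10])
 by lists.example with ESMTP; Sat, 30 Apr 2005 20:41:02 -0400
Received: from mail.isp.example by relay.isp.example
 with SMTP; Tue, 03 May 2005 09:15:00 -0700
From: someone@isp.example
To: subscriber@list.example
Subject: constructed sample

body
"""

# A relay normally records the connecting client as a bracketed address literal.
IP_RE = re.compile(r"\[(?:IPv6:[0-9A-Fa-f:.]+|\d{1,3}(?:\.\d{1,3}){3})\]")

def audit_received(raw, accepted_at, skew=timedelta(minutes=10)):
    """Return (hop_index, reasons) for each suspicious Received line.

    accepted_at is when our own server took the message. Hop 0 is the newest
    header, written by our server; anything below it is sender-controlled.
    """
    findings = []
    for i, value in enumerate(message_from_string(raw).get_all("Received", [])):
        reasons = []
        if not IP_RE.search(value):
            reasons.append("no client IP literal")
        _, _, stamp = value.rpartition(";")  # the date follows the last ';'
        try:
            when = parsedate_to_datetime(" ".join(stamp.split()))
            if when.tzinfo is None:  # "-0000" parses as naive; treat as UTC
                when = when.replace(tzinfo=timezone.utc)
            if when > accepted_at + skew:
                reasons.append("timestamp later than local acceptance")
        except (TypeError, ValueError):
            reasons.append("unparseable timestamp")
        if reasons:
            findings.append((i, reasons))
    return findings

ACCEPTED = datetime(2005, 5, 1, 0, 41, 2, tzinfo=timezone.utc)  # constructed
if __name__ == "__main__":
    for hop, reasons in audit_received(SAMPLE, ACCEPTED):
        print(f"Received #{hop}: {', '.join(reasons)}")
```

Neither sign proves forgery on its own, since some legitimate relays omit the address literal, so the findings are better used as scoring input than as a hard reject.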



