[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
address@hidden: [Savannah-help-public] Fw: [Groff] Spam apparently from
|
From: |
Sylvain Beucler |
|
Subject: |
address@hidden: [Savannah-help-public] Fw: [Groff] Spam apparently from list -- again] |
|
Date: |
Fri, 3 Jun 2005 23:03:39 +0200 |
|
User-agent: |
Mutt/1.5.6+20040907i |
Sysadmins,
Could you deal with this spam issue?
--
Sylvain
----- Forwarded message from Werner LEMBERG <address@hidden> -----
Date: Fri, 03 Jun 2005 21:25:29 +0200 (CEST)
To: address@hidden
From: Werner LEMBERG <address@hidden>
X-Mailer: Mew version 4.2.50 on Emacs 22.0.50.1 / Mule 5.0 (SAKAKI)
Subject: [Savannah-help-public] Fw: [Groff] Spam apparently from list --
again
Since the last internet worm there is again a bunch of spam emails
sent to the groff list (and archived consequently) where only the
contents are removed but not the emails themselves. Ted Harding's and
my own email addresses are abused for that -- isn't it possible to
suppress such emails?
[...]
Here an analysis of the spam problem. Maybe it is helpful.
Werner
X-Mailer: XFMail 1.3-alpha-031298 [p0] on Linux
Date: Fri, 03 Jun 2005 18:21:02 +0100 (BST)
From: Ted Harding <address@hidden>
To: Peter Schaffter <address@hidden>
Subject: RE: [Groff] Spam apparently from list -- again
Cc: address@hidden
On 03-Jun-05 Peter Schaffter wrote:
> I received six porno-spam emails today, apparently originating from
> list members (Werner and Ted). Three yesterday. As before, when
> this happened, the attachment is stripped off the email before I
> receive it, but the message still comes though.
>
> Here's a sample envelope+header, in case someone can make use of it.
You're not alone!
I've been saving these for a while, and the one thing that you
can definitely determine from the headers is that
a) Almost all of them "helo" as a machine on gnu.org (often
monty-python.gnu.org, occasionally others), usually by
IP address rather than name. However, this is easily forged,
so there's no clue here (except that the originator knows
about FQDNs/IP addresses on gnu.org).
b) Just about all of them are "Received from 194.2.22.250".
This resolves to nat.isep.fr which has also been a source
of previous waves of these things. Presumably this is picked
up as the IP address of the connecting machine through which
these mails are sent. I don't know if this item can be forged.
(The above summary covers mails going back to January 2005).
The domain isep.fr is the Institut Supérieur d'Électronique
de Paris.
Since the "nat" in "nat.isep.fr" could refer to a machine
on the ISEP network which does NAT (Network Address Translation)
it may not be possible to go further back down the line to
the true source.
I can only think of two suggestions.
1. Does our list have a subscriber from the domain "isep.fr"?
If so, then contacting that person may take the matter forward.
2. It could be worth while to contact the Net administrators
at isep.fr on the grounds that we are getting persistent
(and very specific) spam from that domain.
I'm no expert on the inner workings of all this sort of thing,
and not being list administrator I can't foind out about #1.
So I can only suggest ... !
Best wishes,
Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) <address@hidden>
Fax-to-email: +44 (0)870 094 0861
Date: 03-Jun-05 Time: 18:12:16
------------------------------ XFMail ------------------------------
_______________________________________________
Groff mailing list
address@hidden
http://lists.gnu.org/mailman/listinfo/groff
_______________________________________________
Savannah-help-public mailing list
address@hidden
http://lists.gnu.org/mailman/listinfo/savannah-hackers
----- End forwarded message -----
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- address@hidden: [Savannah-help-public] Fw: [Groff] Spam apparently from list -- again],
Sylvain Beucler <=