Please Block User


julie70773 [at] loverhearts.com

Responded off-list to a message on the list with spam whose content is not suitable for minors.

It is possibly subscribed under a different address.

IP of offending spam:

Received: from mx2.loverhearts.com (mx2.loverhearts.com [45.55.128.151])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.domblogger.net (Postfix) with ESMTPS id C4871C5B
for ; Tue, 25 Aug 2015 18:29:11 +0000 (UTC)

53 thoughts on - Please Block User

  • Thanks for the notification, and for not having forwarded the mail to the list (which some people did on other lists …)
    Please note that such user (or multiple ones from that domain) isn’t/aren’t subscribed to the list. In fact, I see a bunch of mails rejected at our level, from that domain, but from a *bunch* of different IP addresses, and so directly bounced back .. It seems someone/some bot is tracking the mail lists and answering to both the reply-to *and* the originator (but bounced by mailman, so no mail on the list[s])

    Under investigation to see how to help stopping the flood, even if not originating from/passing through the CentOS.org servers …

  • Just a quick status update: we’ve identified (from the mails bounced/rejected by our server) 14 IP addresses used to send those mails. All those IPs are originating from DigitalOcean, so we reported the abuse so that they can investigate on their side.

    Cheers,

  • Thanks a lot! The most difficult part of this, I noticed, is to make sure they respond with a report of what was discovered and which actions were taken, and if this doesn’t happen, to have the whole block of IPs registered to them blocked off (at least this is what I am doing where I can).

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • the spammer was NOT emailing via the listserver. rather, they have a different account (or more than one) subscribed, and it was replying directly to list posters using the spammers own network of email servers.

  • As you see from your header, this spam was not delivered through the CentOS mail list, but comes from one of the IPs of the digitalocean.com IP block 45.55.0.0/16. As Fabian told us, CentOS mail list server admins contacted digitalocean.com about abuse (even though indirect, but with apparent misuse of CentOS list servers for collecting e-mails of posters). And the moment I received my copy of this spam _after_ Fabian mentioned they contacted digitalocean.com, I just blocked mail from their block of IP addresses (45.55.0.0/16) on my servers, as digitalocean apparently didn’t react to the abuse notice promptly. Others may want to do the same; thus we will pass the message with all seriousness to digitalocean.com.

    Just my $0.02

    Valeri

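Added example (not from the thread): the point made in the posts above, that the Received header shows the mail came straight from a DigitalOcean address and never touched the list server, can be checked mechanically. The Python below parses the Received chain of a message built here for the example (the second Received line is the one quoted at the top of the thread, with its recipient already redacted there; the first hop, the 10.0.0.5 address and the *.example.invalid names are assumptions), picks the IP that handed the mail to our own MX, and tests it against the two DigitalOcean ranges named in this thread.

```python
import ipaddress
import re
from email import message_from_string

# Message constructed for this example. The second Received line is the one quoted
# in the report at the top of the thread (recipient already redacted, hence "for ;");
# the first hop, 10.0.0.5 and the *.example.invalid names are assumptions.
SAMPLE_MESSAGE = """\
Received: from mail.domblogger.net (mail.domblogger.net [10.0.0.5])
\tby mailstore.example.invalid (Postfix) with ESMTP id 0BADF00D
\tfor <user@example.invalid>; Tue, 25 Aug 2015 18:29:12 +0000 (UTC)
Received: from mx2.loverhearts.com (mx2.loverhearts.com [45.55.128.151])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\t(No client certificate requested)
\tby mail.domblogger.net (Postfix) with ESMTPS id C4871C5B
\tfor ; Tue, 25 Aug 2015 18:29:11 +0000 (UTC)
From: julie70773@loverhearts.com
Subject: (omitted)

(body omitted)
"""

# Hosts whose Received lines we trust. Anything below the first hop stamped by a
# foreign server can be forged by the sender, so only our own stamps count.
OUR_HOSTS = {"mailstore.example.invalid", "mail.domblogger.net"}

# DigitalOcean ranges named in this thread.
DO_RANGES = [ipaddress.ip_network(n) for n in ("45.55.0.0/16", "104.236.0.0/16")]

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\s*(?P<rdns>[^\s\[\)]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def parse_hops(raw_message):
    """Return the Received hops, newest first, as dicts with helo/rdns/ip/by."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops


def connecting_ip(hops, our_hosts=OUR_HOSTS):
    """IP of the first host outside our infrastructure that handed the mail to our MX."""
    for hop in hops:
        if hop["by"].lower() not in our_hosts:
            break  # stamped by someone else: not trustworthy
        if hop["rdns"].lower() in our_hosts or hop["helo"].lower() in our_hosts:
            continue  # internal relay hop, keep walking down the chain
        return hop["ip"]
    return None


def matching_range(ip, ranges=DO_RANGES):
    """The network in `ranges` that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    return next((str(net) for net in ranges if addr in net), None)


def passed_through(hops, hostname):
    """True if any hop names `hostname` as sender or receiver (e.g. the list's MX)."""
    hostname = hostname.lower()
    return any(hostname in (h["by"].lower(), h["rdns"].lower(), h["helo"].lower())
               for h in hops)


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_MESSAGE)
    ip = connecting_ip(hops)
    print("connecting IP:", ip, "in", matching_range(ip))
    print("via mail.centos.org:", passed_through(hops, "mail.centos.org"))
```

The walk stops at the first header not stamped by one of our own servers because everything below that point is under the sender's control; a spammer can prepend any Received lines it likes, so the only trustworthy origin is the address our MX itself recorded.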

  •

    something no one seems to have mentioned, so i will..

    loverhearts.com is a single page that seems to do nothing. and there is nothing in page source to do anything.

    validator.w3.org shows 1 error and 1 warning showing that page was poorly written.

    so the only harm is spam, which i now have going to my Junk folder.

    so, to all of you, i pass along a much more loving ‘love’ link;

    http://lovehearts.com

    enjoy.

  • If you look at the SPF record for loverhearts.com (where they are coming from for me) there are a whole slew of servers permitted to send on their behalf.

    So I took all those IP addresses specified and added them to my blacklist, it appears spammers are learning that SPF records can be a path to filter avoidance.

    Maybe I’ll start blocking any server with an SPF record that includes more than 5 IP addresses, or servers where any host in the SPF record is in a DNS blacklist.

  •

    . that can work. but is more than i care to bother with.

    because i have filters and folders for what i want to read, everything else hits my “Local Folders/Inbox” where i mark them as spam.

    reason is that there is a lot of spam content that is repeated by other spammers so the spam filters learn not only addresses, they also learn content.

    anyway, as i always say, “what ever churns your butter”. ;-)

  •

    This way you may block good people. The SPF records you used are owned by the bad guys: loverhearts.com allows others to resend e-mail for them, but they do not need the permission of whomever they add to their SPF records to do so. In other words, one shouldn’t trust anything that is in records created by bad guys.

    I did a nasty thing myself, but what I did at least IMHO is more or less justified. As I received bad e-mail after Fabian contacted the IP block owner (digitalocean.com; 45.55.0.0/16), I concluded the IP block owner didn’t act promptly on the abuse complaint, so I blocked e-mail from this whole block of IPs owned by digitalocean.com. This way their other clients will start asking their provider questions why their e-mail is being blocked (by some…)

    Just my $0.02

    Valeri


  • Still no news from DigitalOcean since multiple people complained to them about that issue. There are also some other IPs used to send those mails, from CIDR 104.236.0.0/16 too.

    I can try to ask again about the status of those IPs, but I also guess that the more people complain about it, the more they’ll look at it. If you still receive such mail (I personally never had *any* of those offending/spam mails myself), feel free to report that to https://www.digitalocean.com/company/contact/#tab_abusetrigger

    Kind Regards,

  • No what I mean is – I get e-mail from example.net

    If example.net has an SPF record, I then check all the IPs in the SPF record against blacklists and if two or more match, I reject the message as spam.

    That way if the MTA they are using isn’t on a blacklist but others they specify in the SPF record are, they get identified as spammer and blocked.

    It doesn’t matter if they add IP addresses to SPF from others, it wouldn’t block every IP in the SPF – just check if 2 or more IPs in their SPF are on blacklists.

    I probably would have to write a custom filter to do that, but it may be worth doing.

  • Oh, then I apparently didn’t read your e-mail carefully… which is my usual mistake ;-)

    Valeri


  • That’s not a very good idea. Major ESPs (e.g. gmail.com) have way more IPs listed than that.

    That could work better, but I would still say be careful, you could certainly end up with false positives doing this.

    Peter

  • Yeah, I thought about that.

    I would try to count 2 before rejecting I think.

    Valid SPF reduces spam score with a lot of filter systems, but snowshoe spammers can just modify the record at will to add whatever SMTP servers they currently are using.

    If they are going to use SPF records to lower their score then I will use SPF records to try to identify them.

    False positives are a risk with any automated filter, but whitelists like dnswl.org can help reduce that problem.

    I suspect if somesite.tld has MTAs in the SPF list that it actually uses and are on blacklists then somesite.tld already has mail delivery problems it needs to address.
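Added example (not from the thread): a working sketch of the filter the two posts above describe. It walks a domain's SPF record (following include: terms), checks every address the record authorises against a DNSBL, rejects only when two or more are listed, and lets a dnswl-style allow list on the connecting IP short-circuit the heuristic, which is the false-positive guard the discussion asks for. DNS is stubbed with constructed records so it runs offline: the *.example domains, the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses and the listing data are all made up and say nothing about the real loverhearts.com record.

```python
import ipaddress
import re

# Constructed stand-ins for DNS so the example runs offline. All names, addresses
# and listings are made up; nothing here reflects the real loverhearts.com record.
FAKE_TXT = {
    "spammer.example": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.20 "
                       "ip4:198.51.100.0/30 include:relay.example -all",
    "relay.example":   "v=spf1 ip4:192.0.2.5 ~all",
    "bigesp.example":  "v=spf1 ip4:198.51.100.128/26 ip4:203.0.113.100 ~all",
}
FAKE_DNSBL = {"203.0.113.10", "203.0.113.20", "192.0.2.5", "198.51.100.130"}
FAKE_DNSWL = {"203.0.113.100"}  # dnswl.org-style allow list, contents invented

SPF_IP4 = re.compile(r"^[+?~-]?ip4:(\S+)$", re.IGNORECASE)
SPF_INCLUDE = re.compile(r"^[+?~-]?include:(\S+)$", re.IGNORECASE)


def dnsbl_query_name(ip, zone):
    """Name to look up in a DNSBL zone: the IPv4 octets reversed under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def spf_networks(domain, txt_lookup, _depth=0, _seen=None):
    """All ip4 networks a domain's SPF record authorises, following include: terms."""
    seen = set() if _seen is None else _seen
    if _depth > 10 or domain in seen:  # RFC 7208 caps DNS-querying terms at 10
        return []
    seen.add(domain)
    record = txt_lookup(domain) or ""
    if not record.lower().startswith("v=spf1"):
        return []
    nets = []
    for term in record.split()[1:]:
        m = SPF_IP4.match(term)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
            continue
        m = SPF_INCLUDE.match(term)
        if m:
            nets.extend(spf_networks(m.group(1), txt_lookup, _depth + 1, seen))
    return nets


def listed_spf_hosts(nets, is_listed, max_hosts=256):
    """Addresses from the SPF networks that the DNSBL lists. Large blocks are skipped
    rather than expanded, so a /16 in somebody's record cannot become 65k queries."""
    hits = set()
    for net in nets:
        if net.num_addresses > max_hosts:
            continue
        hits.update(str(a) for a in net if is_listed(str(a)))
    return hits


def spf_dnsbl_verdict(domain, client_ip, txt_lookup, is_listed, is_allowlisted,
                      threshold=2):
    """'accept' or 'reject', plus the listed SPF hosts that drove the decision."""
    if is_allowlisted(client_ip):  # known-good connecting host: skip the heuristic
        return "accept", set()
    hits = listed_spf_hosts(spf_networks(domain, txt_lookup), is_listed)
    return ("reject" if len(hits) >= threshold else "accept"), hits


if __name__ == "__main__":
    for dom, ip in (("spammer.example", "203.0.113.10"),
                    ("bigesp.example", "198.51.100.130")):
        print(dom, spf_dnsbl_verdict(dom, ip, FAKE_TXT.get,
                                     FAKE_DNSBL.__contains__, FAKE_DNSWL.__contains__))
```

In production `txt_lookup` would be a TXT query and `is_listed` a query for `dnsbl_query_name(ip, zone)` that treats any A answer as "listed"; the threshold of two is the poster's, and the bigesp.example case shows why one listed host in a large provider's record is not enough on its own.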

  • (1) Not all complaints about spam are acknowledged.
    (2) Usually no information is provided on what, specifically, was done to rectify the problem.

    I run Exim on C5 and C6. If there is

    (something wrong with the sender’s host name, including no rDNS)
    +
    (sender’s HELO/EHLO name defective)
    +
    (recipient is non-existent or sender is defective)

    then the IP is blocked at the firewall until the end of the month.

    Monthly if there are no more attempts, meaning the count is zero, then the IP is removed from the monthly banned list else the count is reset to zero (flushed -F) and ignored until reinspected at the next month’s end.

    I have other anti-junk defences including rejecting spammers’ hosts.

    We received a junk email once every 6 to 12 weeks.

    I am NOT going to be a willing victim of spam.

  • This is a typical internal message:

    REJECTED

    Sender’s IP : 14.215.136.13 => (no host name)
    Sender’s HELO : gmail.com => 173.194.116.118
    Sender’s port : 18168
    Our server : abc.def.ghi
    Date : Wednesday, 23:19:33, 26 August 2015 (+00:00)
    SMTP sender : hfxdgdsggfvfg@gmail.com
    SMTP recipient : aaaaaa@bbbbbb.cccccc
    Message-ID : (not yet downloaded)
    Subject : (not yet downloaded)
    Location : Guangzhou, Guangdong, China
    Firewall ban : Yes
    E2# : 888

    Report : [8C93] IP blocked for abuse.

    Whoops. Lovehearts just arrived. They don’t look like ‘hearts’ to me.

    Have complained to lovehearts.com owner = Swizzels Matlow Ltd, an English company.

  • it’s loverhearts.com, and they are also using heartslover.com for web links. the first domain is registered to someone claiming to be in Miami Florida, while the 2nd is registered to some organization in Bangladesh. yeah, right. Both domains were initially registered about a month ago.

  • You are correct. Now to apologise to lovehearts.com

    Easier just to block Digital Ocean for port 25 – as I have previously done for all port 80 traffic.

    Thanks.

  • you realize Digital Ocean is a rather large virtual private server provider? wikipedia says they host over 190,000 sites, and last year surpassed Rackspace to become the 4th largest hosting provider.

    a blanket block of /16 subnets is usually not good policy just because of one bad customer.

  • digital ocean finally replied (at least to me):

    Hi there,

    I’m sorry about this. We gave our customer time to resolve the issue, and he hasn’t done so, so we’ve blocked his ability to send email, pending further action if necessary to ensure this never occurs again.

    If you get or hear about ANY further spam like this, please let me know immediately so we can take further action on it.

    Regards,
    Cash, Trust & Safety Specialist
    Digital Ocean Support

    Perhaps it’s fixed if only for a little while.

  • Digital Ocean is remaining blocked for all port 80 traffic.

    I’m tired. Thanks for your good advice again. Have added loverhearts.com to my Exim’s hosts.spammer file.

  • Good to hear that. At least they are not as arrogant as big guys often are. Happily unblocked their blocks of IP addresses (as they do not need this sort of pressure to hear about the trouble with their customer). This message will inadvertently serve as a test of whether what is said is done ;-)

    Valeri


  • I’ve blocked the spammer’s host name (*.loverhearts.com) on my Exim. Shouldn’t your organisation, and others too, do the same or similar ?

    Otherwise what is to stop subsequent receipts of junk sent from MX
    *.loverhearts.com ?

  • I wanted to confirm the previous mail that we’ve received from DigitalOcean too, and the fact that they blocked outgoing mails from the originating IPs. Let me thank their support for having reacted on our abuse complaint.

    Now let’s close that thread and have focus back on CentOS (and related tech) instead :-)

    Have a nice day !

  • I can confirm that I haven’t received anything since midnight yesterday morning so fingers crossed

  • That is not the only harm. These people are very good and very effective confidence tricksters and are experts at getting vulnerable people to send them money which they usually cannot afford to lose in the first place.

  • Bad news Guys, they’ve just moved the emails to somewhere else and have started again:

    Return-path: <0000014f6ef4427c-8079d442-fc1e-4116-841a-ba157163def8-000000@amazonses.com>
    Envelope-to: gary@ringways.co.uk
    Delivery-date: Thu, 27 Aug 2015 12:39:10 +0100
    Received: from a8-81.smtp-out.amazonses.com ([54.240.8.81])
    by mail.ringways.co.uk with esmtps (TLSv1:AES128-SHA:128)
    (Exim 4.84)
    (envelope-from <0000014f6ef4427c-8079d442-fc1e-4116-841a-ba157163def8-000000@amazonses.com>)
    id 1ZUvWO-000OYv-WE
    for gary@ringways.co.uk; Thu, 27 Aug 2015 12:39:10 +0100
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t40675545;

    h

  • On 08/27/15 07:11, Gary Stainburn wrote:
    > Bad news Guys, they’ve just moved the emails to somewhere else and have

    not true. she has been at that site for a while.

    i received 1st email from her and Julie Anna just after i posted to this thread.

    i will say emailing Julie Anna was more fun than with Caylian.

    Julie Anna is much better looking than Caylian, btw. :-b

  • That is of course up to the individual organization. I use several DNSBLs, and I did not receive any of the spam. Actually, I’ve gotten more unwanted messages about the spam than actual spam from any source yesterday….. :-|

    MX is intended to point to the server a domain uses to receive e-mail; the sending server for a domain does not have to be the MX. I set that up for one organization who was using an anti-spam service; the MX pointed to the anti-spam server, and the sending server was different and on that organization’s own subnet. I believe gmail does this, using multiple MXs and a massive subnet full of sending servers. Gmail is not alone. Gmail even wreaks havoc with greylisting, since the send retry is not guaranteed to come from the same sending server as the initial try.

    I have gone down the road of blocking large subnets at the border router level; down this road lie false positives in spades.

  • Gary Stainburn wrote:

    A suggestion: there should be a way to filter using *domain* AND mailhost;
    that is, if emails come from a domain, and through one mailhost, then block the domain. If many domains, and the same mailhost, only then block the mailhost.

    I’ve been thinking about this since yesterday, when I got back from vacation, to hear from my manager that he had to screw with mailman, because we were getting a lot of emails from elsewhere, subscribing to one or more of our lists… and having the target be one of three gmail accounts – a DDoS against them (and we assume that they’re doing it to a lot of other places).

    Anyway, given the number of times I’ve been blocked by nixspam (which I found is run by IX, a German IT mag, and that they don’t answer emails to *them*, either), I’ve been trying to think of a *reasonable* way to block that doesn’t do collective punishment to the many domains of a huge hosting provider, and that’s my best thought so far.

    mark

  • g wrote:
    *sigh*
    And they’re probably sent by a script running on the PC of a fat, 47 yr old guy living in a basement and making money this way….

    mark

  • Now see, I run a spam filter (run on CentOS, by the way *smiles*) and I have several friends’ domain emails running through it. It has a pretty good filter rate, too for being all open source.


  •

    Me too: I started receiving them from a different IP (with much longer delay, so they do add “improvements” to their setup). This IP has neither a DNS A record nor a DNS PTR record, but has a DNS MX record. One can use this (have your MX stop talking to anything having broken DNS records). I however am tempted to block digitalocean’s whole blocks of IP addresses again (after all, I bet I’ve seen the whole collection of these images already ;-). This is not trouble with their customer IMHO. This is trouble with themselves: how come an IP that is not registered in DNS can have a DNS MX record, and can be accessed by somebody?!


    That is another side of you being famous ;-) We are not, so no one is trying to abuse somebody else by means of subscribing them to our mail lists (that said, it would be our list admins who would be abused as all lists – based on mailman – require approval and confirmation, the last comes after approval if I remember correctly).

    Thanks. Valeri


  • Exim is available from EPEL.

    In Exim:

    (1) I set one indicator if the host name does not fully resolve (IP to name to IP)

    (2) I set another indicator if there is something wrong with the HELO/EHLO name or the name does not resolve to the sender’s IP address

    (3) I set a third indicator if the SMTP sender = SMTP recipient; or the SMTP recipient is an email address disused because of spam; or the SMTP recipient’s host is *not* one of ours

    (4) If all 3 indicators set, then:-

    * then the email attempt is rejected before the email body (DATA) is received

    * a PHP sub-routine is called which creates a fully descriptive internal email and SUDO is invoked to add the IP address to the firewall’s monthly blocking list.

    Otherwise if the sender = recipient or the recipient is ‘wrong’ the connection is rejected *before* the message body is accepted from the sender.

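Added example (not from the thread, and not the poster's Exim configuration): the three indicators and the reject-before-DATA rule described in the two Exim posts above, written out in Python so the logic can be read and tested outside Exim, together with the month-end ban-list housekeeping described earlier. The DNS data is a constructed stand-in: 14.215.136.13 and the gmail.com HELO come from the rejection log posted above, while the *.example hostnames, 198.51.100.7, example.org and the disused address are made up.

```python
from collections import defaultdict

# Constructed DNS data so the example runs offline. 14.215.136.13 and the gmail.com
# HELO are taken from the rejection log posted above; everything else is made up.
PTR = {"198.51.100.7": "mx.goodsender.example"}  # 14.215.136.13 has no PTR at all
A = {"mx.goodsender.example": ["198.51.100.7"], "gmail.com": ["173.194.116.118"]}
OUR_DOMAINS = {"example.org"}                     # domains we accept mail for
DISUSED_RECIPIENTS = {"oldlist@example.org"}      # addresses retired because of spam


def fcrdns_ok(ip):
    """Indicator 1 clear: IP -> PTR name -> A record round-trips back to the IP."""
    name = PTR.get(ip)
    return bool(name) and ip in A.get(name, [])


def helo_ok(helo, ip):
    """Indicator 2 clear: HELO/EHLO is a hostname that resolves to the client IP."""
    return bool(helo) and "." in helo and ip in A.get(helo.lower(), [])


def recipient_ok(sender, recipient):
    """Indicator 3 clear: sender != recipient, recipient in use, recipient domain ours."""
    sender, recipient = sender.lower(), recipient.lower()
    if sender == recipient or recipient in DISUSED_RECIPIENTS:
        return False
    return recipient.rpartition("@")[2] in OUR_DOMAINS


def decide(ip, helo, sender, recipient):
    """Decision taken at RCPT TO, i.e. before any DATA is accepted from the client."""
    bad = {"fcrdns": not fcrdns_ok(ip),
           "helo": not helo_ok(helo, ip),
           "rcpt": not recipient_ok(sender, recipient)}
    if all(bad.values()):
        return "reject+ban", bad  # all three set: reject and firewall the IP
    if bad["rcpt"]:
        return "reject", bad      # bad recipient alone: reject, but no firewall ban
    return "accept", bad


class MonthlyBanList:
    """Firewall ban list with the month-end housekeeping described above."""

    def __init__(self):
        self.hits = defaultdict(int)  # banned IP -> connection attempts this month

    def ban(self, ip):
        """Add the IP; the triggering connection counts as its first attempt."""
        self.hits[ip] += 1

    def hit(self, ip):
        """A blocked packet from an already-banned IP (the firewall counter)."""
        if ip in self.hits:
            self.hits[ip] += 1

    def month_end(self):
        """IPs with zero attempts are dropped; the rest stay banned, counters reset."""
        self.hits = defaultdict(int, {ip: 0 for ip, n in self.hits.items() if n > 0})
        return set(self.hits)


if __name__ == "__main__":
    print(decide("14.215.136.13", "gmail.com",
                 "hfxdgdsggfvfg@gmail.com", "aaaaaa@bbbbbb.cccccc"))
    print(decide("198.51.100.7", "mx.goodsender.example",
                 "alice@goodsender.example", "bob@example.org"))
```

Requiring all three indicators before banning is what keeps the firewall list short: a legitimate host with a broken PTR, or a sloppy HELO, still gets its mail through as long as it is addressing a real recipient of ours, and only the combination seen in the posted log line earns a month on the block list.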

  • Whoever he is, is using both valid SPF records and DKIM signatures, they’ve figured out using those reduces spam score on some systems.

    Most spam seems to come from a small group of spammers that operate out of South Florida, why there I don’t know.

    But they aren’t the under-achieving geek many imagine them to be. It’s serious business for them. Dirty business but serious.

  • . as i wrote;

    several of the responses could not have been from a fat 47 yo guy.

    the responses were too quick. no fat 47 yo guy could have enough photos to respond to the requests that i made. and i made them to see if who i was writing to was in fact live and real.

    Julie Anna showed a very goodly attitude and even a bit of maturity about her. very much unlike yours. ;-)

    . i would not call her a spammer in the full sense of the meaning of spamming. i say this because if i had not responded, i seriously doubt that i would have received any more emails.

    we had a very serious and meaningful intercourse that only someone of a high amount of education and intelligence would have been able to maintain.

    in fact, i found it to be an enjoyable time, until you started your griping about it.

    as for some of the pix that she sent, yes, she bared her breast, but so what, i have seen bare breast from my childhood years and i do still admire and enjoy seeing them.

    in fact, the city where i live had a ‘topless fest’ at the local city park. it was a most enjoyable event. all had a good time, no one got raped, molested, or arrested. at least i was not aware of or did not see any.

    i did see many beautiful women with beautiful breast and they had every right to be proud of them.

    to shun and condemn children knowledge of human anatomy and not give them a proper education of anatomy and sex is tending to point them into a life of perversion, molestation and homosexuality.

    when my daughter was old enough to understand, comprehend, and reason, i started explaining life, anatomy, sexual differences, and why men and women are different. i started with basics and as she grew older and could understand more, i explained more to her. the results of all of it were well worth it because she grew up to be a well adjusted normal woman.

    why did i do it? simple.

    it was written in several of the child psychology books that i have read. basically, teach them young and not have to worry about them when they are older.

    this is getting very “off topic”. if you would like to continue this with opinions of others, join the mozilla general news. that is unless you are afraid to because i am sure that there many subscribers of the group that will agree with me.

  • Okay, um, I have done some work related to that industry – never for a company that spams.

    For about $10 you can buy photosets, usually of Eastern European models, with hundreds of photos in different settings.

    So no, the photos are most certainly not an indication of who you were communicating with.

    But enough off-topic. Those kind of e-mails should only be sent to people who specifically opt-in to receive them. That’s the bottom line.

  • PLEASE tell me this whole post is tongue-in-cheek.

    anyways, none of this has ANYthing to do with CentOS and really, is totally off topic for this list.

  • . i will be polite and not ask what company. :-)

    . yes, i have seen them. but i believe, why should i pay for what i can see for free and live.

    . very true.

    . i agree.

    one should always have choice of what pleasure one receives, or gives. tho the mystery of yet to come can make pleasures greater.

    also, i do like to see the change in your attitude. a good indication of maturity.

    i still believe moz gen would be a good place to continue because of the additional input.

  • Here’s a sure way to block this kind of spam, though there is a price for doing so. For each mailing list that I subscribe to (or for all of the mailing lists on a particular mailman server) I create a unique email address that I use to subscribe to that list. That userid forwards to my real email address.

    I then run some software capable of whitelisting/blacklisting at the smtp level. The one I run can whitelist or blacklist based on the following (regular expressions are supported):

    * envelope sender
    * envelope recipient
    * helo name
    * remote ip address
    * remote hostname

    So I create the following two rules (which must be processed in the specified order):
    Whitelist remotehostname: *mail.CentOS.org*
    Blacklist envelope recipient:

    This method works 100% of the time. The price of doing this is:

    1) You can’t receive private emails from list members without having some type of on list exchange or adding their email to your whitelist.
    2) You must post to the list using the address that you used to subscribe.

    This has stopped all of the spam that I was getting from spammers that harvest email addresses on mailing lists.

    My whitelisting and blacklisting is done using vpostmaster (which is no longer maintained), but I believe there are other packages which can be used with postfix or exim to do this type of thing.

    Nataraj

  • AND With that all said, I am UNSUBSCRIBING FROM THIS LIST! I came to this list hoping to LEARN and get HELP with CentOS, but instead, I am getting plagued with this damn garbage. 30+ emails daily in the last week or so is way too much. Maybe I can find more INTELLIGENT conversation in the forums.

  •

    actually, Marc, counting today, it is a total of 49 emails.

    the 25th = 02, 26th = 23, 27th = 22. 28th = 02

    had you not posted, causing Alice to post to pacify you, it would have been 47 and done with.

  • In consequence of this thread I went looking for a probe script that would send individualized email messages to each subscriber of a mailman list and found none. Does such a thing in fact exist?

    It seems to me that this would be an invaluable tool in tracking down which subscriber is the bot-bait.

  • . it seems to me that you could have used a new “Subject:” line instead of using what you did.

    to increase possible amount of replies/answers, you should repost with a different “Subject:” line as what you chose may well be filtered by list readers.

  • James, I doubt it is doable, even if you have cooperation of the IP block owner from whose IP(s) individual spam comes. The following is [probably] the scheme that is implemented [on really small test scale] in case of abuse of posting subscribers of CentOS mail list:

    1. some e-mail address is subscribed to CentOS mail list.

    2. When that e-mail address receives post to CentOS mail list, actual sender address is being extracted from the header.

    3. this address is passed over to one of zombie machines in some bot net.

    4. That particular zombie machine sends a signal to the host (in our case one of DigitalOcean (DO) customers’ assigned IPs). Quite likely just through a POST HTML command giving in it the recipient address and content of the message to be sent, and quite likely some security code that prevents this chain from being used by anybody except those who can provide the correct security code.

    If the scheme is as above, even with full real cooperation of DO you only can have a pointer to one of the zombie computers. To track the chain down to the machine that sent the command to the zombie computer you at least need to investigate the content of this zombie computer. Which I’m sceptical is possible. Things become even worse if the chain of transmitting the command has more than one zombie computer.

    The bottom line is: it is quite unlikely that the bad subscriber can be discovered. (Somebody clever, correct me and tell how).

    We probably should stop wasting the time of the CentOS team who have better things to do. After all this scheme was probably aimed against CentOS, and us keeping discussing these things is what these rogue people were aiming to achieve. The only productive way to deal with this spam is to one way or another block this spam on our own – recipients’ – side. To do it one can blacklist DO ranges of IP addresses, or as a cleverer person than I suggested: add them to spam filter configuration with just a notch of extra spam score. Use caution and beware that this is purely your own decision.

    And my apologies for continuing this really annoying for some list members thread.

    Valeri


  • What might work, although the task is potentially daunting, is to examine the MX for each list member’s domain name and from that derive the IP address. A quantity, much less than the list’s total membership, of possible suspects would result.

    The quantity gets divided into groups of 5 or 10 email addresses; then each group is sent a message with a fake email address (I can supply suitable and currently unused domain names). When a junk mail is sent to a fake email address the 5 or 10 members of the group receiving the fake email address are potential suspects. 10 more ‘fake’ email addresses from a different domain can be used to isolate the culprit.

    As this nuisance started very recently, the joining dates of recent subscribers could identify the possible culprit.

    Reading our emails could encourage the culprit to subscribe again using different credentials. However, if Mailman retains the joining date, that could be easy to identify.

    The pest is a brain-dead moron, male, lonely with no girl-friend (or even a boy-friend). Pitiful personality who deserves our sympathy.

  • I think people are missing the fact that you don’t need to subscribe to the mailing list to just grab the email addresses out of the archives, which are public.

    This isn’t the first spammer who has harvested live email addresses off of email lists, and is likely not to be the last.