Are other people on the list getting these warnings from
ezmlm, or is it just me?
Or is someone spamming the list?
Regards
Keith
---------- Forwarded message ----------
Return-Path:
X-Original-To: keith@localhost
Delivered-To: keith@localhost.karsites.net
Received: from localhost (localhost [127.0.0.1])
by karsites.net (Postfix) with ESMTP id 0C5D8E55B8
for ; Sun, 2 Apr 2006 20:06:28 +0100 (BST)
X-Original-To: karsites@kar.eclipse.co.uk
Delivered-To: karsites@kar.eclipse.co.uk
Received: from mail.eclipse.co.uk [82.153.251.6]
by localhost with IMAP (fetchmail-6.2.5)
for keith@localhost (single-drop); Sun, 02 Apr 2006 20:06:29 +0100 (BST)
Received: from MXA05.ch.as12513.net (mxa05.ch.as12513.net [82.153.252.56])
by mda03.ch.as12513.net (Postfix) with ESMTP id 1A8D6F3A24
for ; Sun, 2 Apr 2006 20:12:21 +0100 (BST)
Received: from localhost (localhost [127.0.0.1])
by MXA05.ch.as12513.net (Postfix) with ESMTP id F375EC046B
for ; Sun, 2 Apr 2006 20:12:21 +0100 (BST)
Received: from MXA05.ch.as12513.net ([127.0.0.1])
by localhost (MXA05.ch.as12513.net [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id 05716-01-93 for ;
Sun, 2 Apr 2006 20:12:20 +0100 (BST)
Received: from fwd01.ch.as12513.net (fwd01.ch.as12513.net [82.153.252.42])
by MXA05.ch.as12513.net (Postfix) with ESMTP id E4A99C011A
for ; Sun, 2 Apr 2006 20:12:20 +0100 (BST)
Received: from mxa04.ch.as12513.net (mxa04.ch.as12513.net [82.153.252.45])
by fwd01.ch.as12513.net (Postfix) with ESMTP id A0C94F3A1D
for ; Sun, 2 Apr 2006 20:12:19 +0100 (BST)
Received: from lists.suse.com (lists.suse.de [195.135.221.131])
by mxa04.ch.as12513.net (Postfix) with SMTP id 7E255C043E
for ; Sun, 2 Apr 2006 20:12:20 +0100 (BST)
Received: (qmail 12207 invoked by alias); 2 Apr 2006 19:12:15 -0000
Mailing-List: contact suse-security-help@suse.com; run by ezmlm
Date: 2 Apr 2006 19:12:15 -0000
Message-ID: <1144005135.12148.ezmlm-warn@suse.com>
From: suse-security-help@suse.com
To: suse@karsites.net
Content-type: text/plain; charset=us-ascii
Subject: ezmlm warning
X-Virus-Scanned: by Eclipse VIRUSshield at eclipse.net.uk
X-Spam-Status: No, hits=0.124 tagged_above=0.1 required=0.3 tests=NO_REAL_NAME
X-Spam-Level:
Hi! This is the ezmlm program. I'm managing the
suse-security@suse.com mailing list.
I'm working for my owner, who can be reached
at suse-security-owner@suse.com.
Messages to you from the suse-security mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.
If this message bounces too, I will send you a probe. If the probe bounces,
I will remove your address from the suse-security mailing list,
without further notice.
I've kept a list of which messages from the suse-security mailing list have
bounced from your address.
Copies of these messages may be in the archive.
To retrieve a set of messages 123-145 (a maximum of 100 per request),
send an empty message to:
To receive a subject and author list for the last 100 or so messages,
send an empty message to:
Here are the message numbers:
26706
--- Enclosed is a copy of the bounce message I received.
Return-Path: <>
Received: (qmail 19586 invoked from network); 22 Mar 2006 03:57:26 -0000
Received: from unknown (HELO Relay1.suse.de) (195.135.221.8)
by 0 with SMTP; 22 Mar 2006 03:57:26 -0000
Received: from Relay1.suse.de (localhost [127.0.0.1])
by Relay1.suse.de (Postfix) with ESMTP id C0D826FC83
for ; Wed, 22 Mar 2006 04:57:26 +0100 (CET)
Received: from Relay1.suse.de ([127.0.0.1])
by Relay1.suse.de (Relay1 [127.0.0.1]) (amavisd-new, port 10026) with ESMTP
id 27618-04
for ;
Wed, 22 Mar 2006 04:57:26 +0100 (CET)
Received: from mx2.suse.de (cantor2.suse.de [195.135.220.15])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by Relay1.suse.de (Postfix) with ESMTP id 668BB6BEA2
for ; Wed, 22 Mar 2006 04:57:26 +0100 (CET)
Received: from mxa02.ch.as12513.net (mxa02.ch.as12513.net [82.153.252.27])
by mx2.suse.de (Postfix) with ESMTP id 10C641C614
for ; Wed, 22 Mar 2006 04:57:26 +0100 (CET)
Received: by mxa02.ch.as12513.net (Postfix)
id A0952D4449; Wed, 22 Mar 2006 03:55:39 +0000 (GMT)
Date: Wed, 22 Mar 2006 03:55:39 +0000 (GMT)
From: MAILER-DAEMON@eclipse.net.uk (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: suse-security-return-26706-suse=karsites.net@suse.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="C86F4D4444.1142999739/mxa02.ch.as12513.net"
Message-Id: <20060322035539.A0952D4449@mxa02.ch.as12513.net>
X-Virus-Scanned: by amavisd-new at Relay1.suse.de
X-Spam-Status: No, hits=2.8 tagged_above=-20.0 required=5.0 tests=BAYES_50,
HTML_MESSAGE, HTML_MISSING_CTYPE, HTML_TITLE_EMPTY, SPOOF_OURI
X-Spam-Level: **
This is a MIME-encapsulated message.
--C86F4D4444.1142999739/mxa02.ch.as12513.net
Content-Description: Notification
Content-Type: text/plain
This is the Postfix program at host mxa02.ch.as12513.net.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The Postfix program
: host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
content rejected, UBE, id=32402-01-62 (in reply to end of DATA command)
--C86F4D4444.1142999739/mxa02.ch.as12513.net
Content-Description: Delivery report
Content-Type: message/delivery-status
Reporting-MTA: dns; mxa02.ch.as12513.net
X-Postfix-Queue-ID: C86F4D4444
X-Postfix-Sender: rfc822; suse-security-return-26706-suse=karsites.net@suse.com
Arrival-Date: Wed, 22 Mar 2006 03:55:38 +0000 (GMT)
Final-Recipient: rfc822; karsites@kar.eclipse.co.uk
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
content rejected, UBE, id=32402-01-62 (in reply to end of DATA command)
--C86F4D4444.1142999739/mxa02.ch.as12513.net
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from fwd01.ch.as12513.net (fwd01.ch.as12513.net [82.153.252.42])
by mxa02.ch.as12513.net (Postfix) with ESMTP id C86F4D4444
for ; Wed, 22 Mar 2006 03:55:38 +0000 (GMT)
Received: from MXA05.ch.as12513.net (mxa05.ch.as12513.net [82.153.252.56])
by fwd01.ch.as12513.net (Postfix) with ESMTP id 28319F4217
for ; Wed, 22 Mar 2006 03:55:38 +0000 (GMT)
Received: from lists.suse.com (lists.suse.de [195.135.221.131])
by MXA05.ch.as12513.net (Postfix) with SMTP id C2559C0419
for ; Wed, 22 Mar 2006 03:55:39 +0000 (GMT)
Received: (qmail 14546 invoked by alias); 22 Mar 2006 03:55:16 -0000
Mailing-List: contact suse-security-help@suse.com; run by ezmlm
Precedence: bulk
List-Post: mailto:suse-security@suse.com
List-Help: mailto:suse-security-help@suse.com
List-Unsubscribe: mailto:suse-security-unsubscribe-suse=karsites.net@suse.com
List-Subscribe: mailto:suse-security-subscribe@suse.com
X-MIME-Notice: attachments may have been removed from this message
X-Mailinglist: suse-security
X-Message-Number-for-archive: 26706
Delivered-To: mailing list suse-security@suse.com
Received: (qmail 14508 invoked from network); 22 Mar 2006 03:55:15 -0000
Message-ID:
From: "PayPal Inc."
Reply-To: "PayPal"
To: suse-security@suse.com
Date: Wed, 22 Mar 2006 06:48:14 +0300
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--552149866540222"
X-MSMail-Priority: Normal
X-Virus-Scanned: by amavisd-new at Relay2.suse.de
X-Spam-Status: Yes, hits=22.0 tagged_above=-20.0 required=5.0 tests=BAYES_99,
DNS_FROM_RFC_ABUSE, FORGED_MUA_OIMO, FORGED_RCVD_HELO, HTML_MESSAGE,
HTML_MISSING_CTYPE, HTML_TITLE_EMPTY, MIME_BOUND_DD_DIGITS, MISSING_MIMEOLE,
MSGID_SPAM_CAPS, RCVD_IN_BL_SPAMCOP_NET, SPOOF_OURI, UNPARSEABLE_RELAY
X-Spam-Level: *********************
X-Spam-Flag: YES
Subject: [suse-security] SPAM: Notification of Limited Account Access
----552149866540222
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<TBODY>
<TR vAlign=3Dtop>
<TD>http://images.paypal.com/en_US/i/logo/email_logo.gif"
width=3D255 border=3D0></TD>
</TR></TBODY></TABLE>
<TBODY>
<TR>
http://images.paypal.com/images/bg_clk.gif=
http://images.paypal.com/images/pixel.gif" width=3D1
border=3D0></TD></TR>
<TR>
<TD>http://images.paypal.com/images/pixel.gif"
width=3D1
border=3D0></TD></TR></TBODY></TABLE>
<TBODY>
<TR vAlign=3Dtop>
<TD width=3D400>
<TBODY>
<TR>
<TD><p>Dear suse-security@suse.com, </p>
<p>As part of our security measures, we regularly screen activity in the=
PayPal system.
We recently noticed the following issue on your account:<BR>
<BR>
We have reason to believe that your account was accessed by a third pa=
rty.
Because protecting the security of your account is our primary concern=
, we
have limited access to sensitive PayPal account features. We understan=
d
that this may be an inconvenience but please understand that this temp=
orary
limitation is for your protection.<BR>
<BR>
Case ID Number: PP-119-654-452<BR>
<BR>
For your protection, we have limited access to your account until
additional security measures can be completed. We apologize for any
inconvenience this may cause.<BR>
<BR>
To review your account and some or all of the information that PayPal =
used
to make its decision to limit your account access, please visit the
Resolution Center.<BR>
<BR>
<BR>
</p>
<TBODY>
<TR>
<TD>
<TBODY>
<TR>
<TD class=3Dpp_sansserif align=3Dmiddle>http://rrcs-24-213-195-117.nys.biz.rr.com:81/"
onclick=3D"return ShowLinkWarning()"
>Click here to verify your
account</A></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<p><BR>
<BR>
<BR>
If
you choose
to ignore our request, you
leave us no choise but to temporaly suspend
your account.</p>
<p> We thank you for your prompt attention to this matter. Please underst=
and that this is a security measure intended to help protect you and your=
account. We apologize for any inconvenience. <BR>
<BR></p>
<tr>
<td><p>Sincerely,</p></td>
</tr>
<tr>
<td>PayPal Account Review Department </td>
</tr>
<tr>
</tr>
</table></TD></TR>
<TR>
<TD>
<HR class=3Ddotted></TD></TR>
<TR>
<TD><SPAN class=3Dpp_footer>PayPal Email ID
PP697</SPAN></TD></TR></TABLE></TD>
<TD>http://images.paypal.com/en_US/i/scr/pixel.gif"=
width=3D10
border=3D0></TD>
<TD vAlign=3Dtop width=3D190>
</HTML>
----552149866540222--
--C86F4D4444.1142999739/mxa02.ch.as12513.net--
On Sunday, 2 April 2006 21:45, suse@karsites.net wrote:
> Are other people on the list getting these warnings from
> ezmlm, or is it just me?
> Or is someone spamming the list?
Hello Keith,
> <TD class=3Dpp_sansserif align=3Dmiddle>http://rrcs-24-213-195-117.nys.biz.rr.com:81/"
> onclick=3D"return ShowLinkWarning()"
> >Click here to verify your
> account</A></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
some spammers urgently need your PayPal account... :-)
Regards,
Rolf-Dieter Damm
--
This is a signature.
On Sun, 2 Apr 2006, Rolf-Dieter Damm wrote:
> To: suse-security@suse.com
> From: Rolf-Dieter Damm
> Subject: Re: [suse-security] ezmlm warning
>
> On Sunday, 2 April 2006 21:45, suse@karsites.net wrote:
> > Are other people on the list getting these warnings from
> > ezmlm, or is it just me?
> > Or is someone spamming the list?
> Hello Keith,
> > <TD class=3Dpp_sansserif align=3Dmiddle>http://rrcs-24-213-195-117.nys.biz.rr.com:81/"
> > onclick=3D"return ShowLinkWarning()"
> > >Click here to verify your
> > account</A></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
> some spammers urgently need your PayPal account... :-)
> Regards,
> Rolf-Dieter Damm
Yes, I did wonder about that.
They're going to have a bit of a problem though Rolf -
because I haven't got one - LOL! Checking out this link I
don't think I want one either:
http://www.aboutpaypal.org/
Or just do a Google search for 'paypal horror stories'.
Regards
Keith
The Sunday 2006-04-02 at 20:45 +0100, suse@karsites.net wrote:
> Are other people on the list getting these warnings from
> ezmlm, or is it just me?
Just you.
> Or is someone spamming the list?
Yes... but that's not the issue, in this case. You compounded the problem,
sort of speaking :-p
I'll explain, I think I can trail these things.
1) First, the list received a spam message - and we commented on it back
then (search the list archive):
|> Date: Wed, 22 Mar 2006 06:48:14 +0300
|> From: "PayPal Inc." <service at paypal.com>
|> To: suse-securitya at suse.com
|> Subject: [suse-security] SPAM: Notification of Limited Account Access
This is a known problem with ezmlm, the list server, it can subscribe
unwanted addresses.
2) The next step was that the list server dutifully sent that message to
you, because spam is not filtered out.
3) Then, you, or your server, rejected the email because you considered it
spam - that is a thing that never should happen. You should store spam on
another folder, but never bounce it back: the "from" address is usually
faked, or may belong to somebody else that knows nothing about it. Worse,
it can be the spammer, that then knows that your address is valid.
|> <karsites at kar.eclipse.co.uk>: host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
|> content rejected, UBE, id=32402-01-62 (in reply to end of DATA command)
Therefore, the email got bounced back to SuSE, to the list server. This
decides then, as should be, that you are unreachable and should be
unsubscribed; but first it sends you a probe to check if it was a
temporary problem:
|> From: suse-security-help@suse.com
|> Subject: ezmlm warning
|>
|> ...
|>
|> Messages to you from the suse-security mailing list seem to
|> have been bouncing. I've attached a copy of the first bounce
|> message I received.
|>
|> If this message bounces too, I will send you a probe. If the probe bounces,
|> I will remove your address from the suse-security mailing list,
|> without further notice.
In conclusion: it is your fault :-P
--
Cheers,
Carlos Robinson
On Mon, 3 Apr 2006, Carlos E. R. wrote:-
<snip>
> 3) Then, you, or your server, rejected the email because you considered it
> spam - that is a thing that never should happen. You should store spam on
> another folder, but never bounce it back: the "from" address is usually
> faked, or may belong to somebody else that knows nothing about it. Worse,
> it can be the spammer, that then knows that your address is valid.
Here's where you made a small mistake. The mail was rejected by the OP's
ISP which means that, as far as the OP is concerned, it was never
received. Since delivery wasn't accepted, SUSE's server still had
responsibility for it. What SUSE's server did after that is entirely up to
their mail admin and nothing to do with the OP.
If it had been bounced, that would be a different thing. In that case,
the mail would have been accepted, a new mail created and this new mail
sent to the possibly forged sender.
As a so-so analogy, it is the same as someone knocking on your door to
hand you a parcel. If you don't take it, the person trying to deliver it
has to send it back to the alleged sender. If you do accept it then
change your mind, you get to send it back.
Unfortunately, this analogy isn't perfect. The reason being that there
are a few points at which email can be rejected:
1, at the EHLO/HELO, which begins the transaction;
2, at the MAIL FROM, if you don't like the sender address;
3, at the RCPT TO, if the receiver address doesn't exist, or connecting
server is listed on a DNSBL, either public or private;
4, at the DATA, for example there is a mail quota in place and if the
sender says the mail will be 10MB and there's only 9MB free for the
user;
5, at the end of the data section, for example where a virus scanner or
spam filter returns a code saying the mail contains a virus or is spam.
It's the last one that's the real difference. With postal mail you don't
get to check the package contents for harmful or unwanted things before
you accept it.
> |> <karsites at kar.eclipse.co.uk>: host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
> |> content rejected, UBE, id=32402-01-62 (in reply to end of DATA command)
> Therefore, the email got bounced back to SuSE, to the list server. This
> decides then, as should be, that you are unreachable and should be
> unsubscribed; but first it sends you a probe to check if it was a
> temporary problem:
That part is correct. Any good mailing list should do the same.
<Snippety>
> In conclusion: it is your fault :-P
Actually, I'd say the fault was with the mailing list manager software
SUSE chose to use.
Either ezmlm accepted what I can only assume was a rejection notice or
bounce from service{at}paypal.com as the confirmation required to
complete the subscription, or it is even more broken in that it allows
non-subscribers to post to the mailing lists. My guess is the former,
since I've received a rejection when trying to send replies using the
wrong email address.
Regards,
David Bolt
--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD1800 1Gb WinXP/SUSE 9.3 | AMD2400 256Mb SuSE 9.0 | A3010 4Mb RISCOS 3.11
AMD2400(32) 768Mb SUSE 10.0 | Falcon 14Mb TOS 4.02 | A4000 4Mb RISCOS 3.11
AMD2600(64) 512Mb SUSE 10.0 | | RPC600 129Mb RISCOS 3.6
[...]
> If it had been bounced, that would be a different thing. In that case,
> the mail would have been accepted, a new mail created and this new mail
> sent to the possibly forged sender.
Carlos was right in his observation, that's exactly what's happened here.
See the following lines from the bounce message:
Reporting-MTA: dns; mxa02.ch.as12513.net
X-Postfix-Queue-ID: C86F4D4444
X-Postfix-Sender: rfc822;
suse-security-return-26706-suse=karsites.net@suse.com
Arrival-Date: Wed, 22 Mar 2006 03:55:38 +0000 (GMT)
Final-Recipient: rfc822; karsites@kar.eclipse.co.uk
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
content rejected, UBE, id=32402-01-62 (in reply to end of DATA command)
--C86F4D4444.1142999739/mxa02.ch.as12513.net
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from fwd01.ch.as12513.net (fwd01.ch.as12513.net [82.153.252.42])
by mxa02.ch.as12513.net (Postfix) with ESMTP id C86F4D4444
for ; Wed, 22 Mar 2006 03:55:38 +0000
(GMT)
Received: from MXA05.ch.as12513.net (mxa05.ch.as12513.net [82.153.252.56])
by fwd01.ch.as12513.net (Postfix) with ESMTP id 28319F4217
for ; Wed, 22 Mar 2006 03:55:38 +0000 (GMT)
Received: from lists.suse.com (lists.suse.de [195.135.221.131])
by MXA05.ch.as12513.net (Postfix) with SMTP id C2559C0419
for ; Wed, 22 Mar 2006 03:55:39 +0000 (GMT)
These lines boil down to the following chain of MTA's:
lists.suse.com -> fwd01.ch.as12513.net -> MXA05.ch.as12513.net ->
mxa02.ch.as12513.net (which is the reporting MTA)
So the bounce message was generated by a different MTA than the SuSE
mailinglist server was talking to, which means that this is a case of
accept-then-bounce-later, which is bad for the reasons you already
mentioned. Unfortunately, this is done by the OP's ISP, so short of
complaining about this, there is probably little he can do about it.
Arjen
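
Added example, not part of the original thread or any poster's code: Python's standard email package applied to a trimmed, constructed copy of the delivery report discussed above. It recovers the hop order from the Received headers of the enclosed message and compares it with Reporting-MTA; the names analyse_dsn, HOP and SAMPLE_DSN are made up for this illustration.

```python
import email
import re
from email import policy

# Constructed sample: the delivery report quoted in this thread, trimmed to the
# headers that matter ("for" clauses dropped, spam body replaced by a placeholder).
SAMPLE_DSN = """\
From: MAILER-DAEMON@eclipse.net.uk (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: suse-security-return-26706-suse=karsites.net@suse.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="C86F4D4444.1142999739/mxa02.ch.as12513.net"

This is a MIME-encapsulated message.

--C86F4D4444.1142999739/mxa02.ch.as12513.net
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; mxa02.ch.as12513.net
X-Postfix-Queue-ID: C86F4D4444
Arrival-Date: Wed, 22 Mar 2006 03:55:38 +0000 (GMT)

Final-Recipient: rfc822; karsites@kar.eclipse.co.uk
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
 content rejected, UBE, id=32402-01-62 (in reply to end of DATA command)

--C86F4D4444.1142999739/mxa02.ch.as12513.net
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from fwd01.ch.as12513.net (fwd01.ch.as12513.net [82.153.252.42])
 by mxa02.ch.as12513.net (Postfix) with ESMTP id C86F4D4444;
 Wed, 22 Mar 2006 03:55:38 +0000 (GMT)
Received: from MXA05.ch.as12513.net (mxa05.ch.as12513.net [82.153.252.56])
 by fwd01.ch.as12513.net (Postfix) with ESMTP id 28319F4217;
 Wed, 22 Mar 2006 03:55:38 +0000 (GMT)
Received: from lists.suse.com (lists.suse.de [195.135.221.131])
 by MXA05.ch.as12513.net (Postfix) with SMTP id C2559C0419;
 Wed, 22 Mar 2006 03:55:39 +0000 (GMT)
Received: (qmail 14546 invoked by alias); 22 Mar 2006 03:55:16 -0000
Subject: [suse-security] SPAM: Notification of Limited Account Access

[spam body omitted]

--C86F4D4444.1142999739/mxa02.ch.as12513.net--
"""

# "from <host> ... by <host>" at the start of a Received value. qmail's
# "(qmail ... invoked by alias)" lines do not start with "from" and are skipped.
HOP = re.compile(r"from\s+(\S+)\s.*?\bby\s+(\S+)")


def analyse_dsn(raw):
    """Return the hop chain, the reporting MTA and whether the report shows
    a message that was accepted first and bounced afterwards."""
    msg = email.message_from_string(raw, policy=policy.default)
    fields, hops = {}, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The parser exposes each header block of the report as a sub-message.
            for block in part.get_payload():
                for name, value in block.items():
                    fields[name.lower()] = " ".join(str(value).split())
        elif ctype == "message/rfc822":
            for value in part.get_payload(0).get_all("Received", []):
                m = HOP.match(" ".join(str(value).split()))
                if m:
                    hops.append(m.groups())
    hops.reverse()  # Received headers are newest first; we want oldest first
    chain = [hops[0][0]] + [by for _, by in hops] if hops else []
    reporting = fields.get("reporting-mta", "").split(";", 1)[-1].strip()
    origin = chain[0] if chain else ""
    return {
        "chain": chain,
        "accepted_by": chain[1] if len(chain) > 1 else None,
        "reporting_mta": reporting,
        "final_recipient": fields.get("final-recipient", "").split(";", 1)[-1].strip(),
        "status": fields.get("status"),
        "diagnostic": fields.get("diagnostic-code"),
        # A refusal inside the SMTP session leaves the sending server to write
        # the report itself. A report from a host further down the chain means
        # the message had already been accepted when it was bounced.
        "bounced_after_accept": bool(chain) and reporting.lower() != origin.lower(),
    }


if __name__ == "__main__":
    for key, value in analyse_dsn(SAMPLE_DSN).items():
        print(f"{key}: {value}")
```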
On Mon, 3 Apr 2006, Arjen de Korte wrote:-
[...]
> > If it had been bounced, that would be a different thing. In that case,
> > the mail would have been accepted, a new mail created and this new mail
> > sent to the possibly forged sender.
> Carlos was right in his observation, that's exactly what's happened here.
> See the following lines from the bounce message:
Re-reading the headers, he was right.
<Snip>
> Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
> content rejected, UBE, id=32402-01-62 (in reply to end of DATA command)
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That was the bit that I noted, not reading the rest of the line
properly.
> So the bounce message was generated by a different MTA than the SuSE
> mailinglist server was talking to, which means that this is a case of
> accept-then-bounce-later, which is bad for the reasons you already
> mentioned. Unfortunately, this is done by the OP's ISP, so short of
> complaining about this, there is probably little he can do about it.
Unfortunately that's true. The bad news for the OP is that, because
their ISP is operating in that fashion, there are some people, myself
included[0], who would add the IP addresses of the servers that bounce
mail to local block lists.
[0] after being on the receiving end of several thousand bounces due to
accept-then-bounce policies in place at some ISPs, I've been using this
as method of self-defence.
Regards,
David Bolt
--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD1800 1Gb WinXP/SUSE 9.3 | AMD2400 256Mb SuSE 9.0 | A3010 4Mb RISCOS 3.11
AMD2400(32) 768Mb SUSE 10.0 | Falcon 14Mb TOS 4.02 | A4000 4Mb RISCOS 3.11
AMD2600(64) 512Mb SUSE 10.0 | | RPC600 129Mb RISCOS 3.6
The Monday 2006-04-03 at 12:23 +0100, David Bolt wrote:
> > So the bounce message was generated by a different MTA than the SuSE
> > mailinglist server was talking to, which means that this is a case of
> > accept-then-bounce-later, which is bad for the reasons you already
> > mentioned. Unfortunately, this is done by the OP's ISP, so short of
> > complaining about this, there is probably little he can do about it.
Well, the only way to reject an email because it is considered spam is
after complete reception; the scanning is surely done later. It is simply
a «bad thing» to bounce back spam.
I'd complain to the ISP, or change ISP.
> Unfortunately that's true. The bad news for the OP is that, because
> their ISP is operating in that fashion, there are some people, myself
> included[0], who would add the IP addresses of the servers that bounce
> mail to local block lists.
> [0] after being on the receiving end of several thousand bounces due to
> accept-then-bounce policies in place at some ISPs, I've been using this
> as method of self-defence.
Mmmm... I don't like blocking lists. I wonder if it would be possible to
block the bounces, and not the rest, ie, the users' mail.
--
Cheers,
Carlos Robinson
Carlos E. R. said:
> Well, the only way to reject an email because it is considered spam is
> after complete reception; the scanning is surely done later. It is simply
> a «bad thing» to bounce back spam.
Not always.
Sometimes you want to reject messages as spam based on certain well-known
(at least for a small timeframe) source IPs, FROM or RCPT-TO addresses
(for example to reduce the load on the mailserver).
Michel Messerschmidt wrote:
> Carlos E. R. said:
> > Well, the only way to reject an email because it is considered spam is
> > after complete reception; the scanning is surely done later. It is simply
> > a «bad thing» to bounce back spam.
> Not always.
> Sometimes you want to reject messages as spam based on certain well-known
> (at least for a small timeframe) source IPs, FROM or RCPT-TO addresses
All due respect, you're wrong here. Bouncing is evil, it can fill up
your bandwidth, and, sometimes, the bounce ends in the wrong place. You
can also hit and annoy enough recipients (victims in this case) to get
listed in various RBLs all over the net.
Why: because most of the spam / virii use fake MAIL FROM: and FROM: fields.
What you can do, instead of bouncing, is collect and report the spam.
> (for example to reduce the load on the mailserver).
Well, how do you reduce the load of a mailserver by bouncing spam?
Here is the scenario: the message hits your mailserver and is analyzed.
It is marked as spam and is bounced back, most probably to a forged address.
Where exactly during this process do you save resources?
--
Adi Pircalabu
Well, thank you for all your replies - quite interesting and
informative.
I have checked with my ISP, and they tell me that email
detected as spam by my ISP and marked for deletion by them
does not get bounced back to the sender. As an earlier
poster mentioned, the bounce may have occurred on an intermediate
mail server between the originating server and my ISP's mail
server.
Kind Regards
Keith Roberts
The Monday 2006-04-03 at 18:29 +0100, suse at karsites.net wrote:
> I have checked with my ISP, and they tell me that email
> detected as spam by my ISP and marked for deletion by them
> does not get bounced back to the sender. As an earlier
> poster mentioned, the bounce may have occurred on an intermediate
> mail server between the originating server and my ISP's mail
> server.
|> <karsites at kar.eclipse.co.uk>: host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
|> content rejected, UBE, id=32402-01-62 (in reply to end of DATA command)
So, it was bounced at kar.eclipse.co.uk - who is that machine? Guess what:
cer@nimrodel:~> host kar.eclipse.co.uk
kar.eclipse.co.uk mail is handled by 10 mx1.ex.eclipse.net.uk.
kar.eclipse.co.uk mail is handled by 20 mx2.ex.eclipse.net.uk.
cer@nimrodel:~> host karsites.net
karsites.net mail is handled by 10 mx1.ex.eclipse.net.uk.
karsites.net mail is handled by 20 mx2.ex.eclipse.net.uk.
It is your ISP. Show the bounce to them, so that they can analyze it. They
didn't say "spam", they said "UBE", which I suppose means "unsolicited
bulk email".
--
Cheers,
Carlos Robinson
Adi Pircalabu said:
> Michel Messerschmidt wrote:
> > Not always.
> > Sometimes you want to reject messages as spam based on certain well-known
> > (at least for a small timeframe) source IPs, FROM or RCPT-TO addresses
> All due respect, you're wrong here. Bouncing is evil, it can fill up
> your bandwidth, and, sometimes, the bounce ends in the wrong place. You
> can also hit and annoy enough recipients (victims in this case) to get
> listed in various RBLs all over the net.
I fully agree with this. Once you use unverified addresses to actively
send out automated mails, you've lost. But this only concerns bounces
created by your own server in response to some (probably faked) addresses.
I was talking about an SMTP reject that leaves the responsibility at the
sending mail server - the one that really connected to your server (see
the example at http://en.wikipedia.org/wiki/Bounce_message for the
difference).
> Well, how do you reduce the load of a mailserver by bouncing spam?
> Here is the scenario: the message hits your mailserver and is analyzed.
I know one case where the mail analysis (spam/virus) caused too much
load and crashed the server :)
The *temporary* reject of unknown origins exceeding a certain connection
request rate may solve this problem.
--
Michel Messerschmidt, lists@michel-messerschmidt.de
$ rpm -q --whatrequires linux
no package requires linux
> Well, the only way to reject an email because it is considered spam is
> after complete reception; the scanning is surely done later. It is simply
> a «bad thing» to bounce back spam.
Just like you can reject on 'invalid user' or a RBL/RHSBL, you can reject
on the content of a message. Point is, you have to do it before you have
accepted the message for delivery. This has been possible with Sendmail
for quite a while (via the Milter interface) and Postfix now also allows
you to do this with the before-queue content filtering since version 2.1
(see smtpd_proxy_filter).
Arjen
The Monday 2006-04-03 at 15:38 +0200, Arjen de Korte wrote:
> > Well, the only way to reject an email because it is considered spam is
> > after complete reception; the scanning is surely done later. It is simply
> > a «bad thing» to bounce back spam.
> Just like you can reject on 'invalid user' or a RBL/RHSBL, you can reject
> on the content of a message. Point is, you have to do it before you have
> accepted the message for delivery. This has been possible with Sendmail
> for quite a while (via the Milter interface) and Postfix now also allows
> you to do this with the before-queue content filtering since version 2.1
> (see smtpd_proxy_filter).
I know it can be done. But spam checking is slow, even half a minute if
you have to wait to get answers from network tests. SpamAssassin does
it that way, and amavis, bouncing mail later (not rejecting during the
transfer).
I don't agree with them, I only say that I see why they do it.
--
Cheers,
Carlos Robinson
On Mon, 3 Apr 2006, Carlos E. R. wrote:-
> The Monday 2006-04-03 at 12:23 +0100, David Bolt wrote:
> > > So the bounce message was generated by a different MTA than the SuSE
> > > mailinglist server was talking to, which means that this is a case of
> > > accept-then-bounce-later, which is bad for the reasons you already
> > > mentioned. Unfortunately, this is done by the OP's ISP, so short of
> > > complaining about this, there is probably little he can do about it.
> Well, the only way to reject an email because it is considered spam is
> after complete reception; the scanning is surely done later.
In some configurations, yes. Others scan it as it's received and, if
it's identified as spam, return a 550 error code. Here's the sequence
that could be taken:
Sender:                   Receiver:
Connects to receiver      Replies with a 220 and banner
Sends EHLO/HELO           Replies with 250 and options available
Sends MAIL FROM:          Replies with 250 if the address is okay
Sends RCPT TO:            Replies with 250 if the address exists
Sends DATA                Replies with a 354 and waits for a '.'
Sends .                   Replies with a 550 error
Sender closes the connection.
Up to the final . the server can reject the email and the sending machine
has the full responsibility for whatever happens.
Mmmm... I don't like blocking lists.
Whereas I do. It's much easier on me to reject because an IP has
previously delivered spam than it is to filter it out after my server
has it. Apart from anything else, I prefer to waste a couple of hundred
bytes before telling the sender to get lost, rather than have someone
dump a 5-10KB, or even bigger, mail that I then have to delete.
I wonder if it would be possible to
block the bounces, and not the rest, ie, the users' mail.
It's possible, but not with a block list. The only way you'll do that is
to reject/discard all DSNs.
Regards,
David Bolt
--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD1800 1Gb WinXP/SUSE 9.3 | AMD2400 256Mb SuSE 9.0 | A3010 4Mb RISCOS 3.11
AMD2400(32) 768Mb SUSE 10.0 | Falcon 14Mb TOS 4.02 | A4000 4Mb RISCOS 3.11
AMD2600(64) 512Mb SUSE 10.0 | | RPC600 129Mb RISCOS 3.6
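The SMTP sequence described in the message above, as an added example that is not part of the original thread: a small receiver model that either answers the final "." with a 550 or accepts first and owes a bounce later. The host names, addresses, the `is_spam` stand-in and the sample session are all constructed for illustration.

```python
# Added example: SMTP receiver model, in-session 550 vs. accept-then-bounce.
LOCAL_USERS = {"keith@example.test"}          # constructed mailbox list

def is_spam(body):
    # Stand-in for a real content scanner (assumption for this sketch).
    return "cheap pills" in body.lower()

def receive(client_lines, reject_in_session):
    """Run one SMTP session; return (server_replies, dsn_recipients)."""
    replies = ["220 mx.example.test ESMTP"]
    sender, rcpts, body, in_data = None, [], [], False
    dsn_recipients = []                        # who gets a bounce from us later
    for line in client_lines:
        if in_data:
            if line != ".":
                # Undo dot-stuffing on body lines that start with '.'
                body.append(line[1:] if line.startswith(".") else line)
                continue
            in_data = False
            spam = is_spam("\n".join(body))
            if spam and reject_in_session:
                # Never accepted: the sending MTA keeps full responsibility.
                replies.append("550 5.7.1 Message content rejected")
            else:
                replies.append("250 2.0.0 Ok: queued")
                if spam:
                    # Accepted first, scanned later: the bounce goes to the
                    # envelope sender, which spam normally forges.
                    dsn_recipients.append(sender)
            body = []
        elif line.upper().startswith(("EHLO ", "HELO ")):
            replies.append("250 mx.example.test")
        elif line.upper().startswith("MAIL FROM:"):
            sender = line[10:].strip().strip("<>")
            replies.append("250 2.1.0 Ok")
        elif line.upper().startswith("RCPT TO:"):
            rcpt = line[8:].strip().strip("<>")
            ok = rcpt in LOCAL_USERS
            rcpts += [rcpt] if ok else []
            replies.append("250 2.1.5 Ok" if ok else "550 5.1.1 User unknown")
        elif line.upper() == "DATA":
            in_data = bool(rcpts)
            replies.append("354 End data with <CR><LF>.<CR><LF>" if rcpts
                           else "503 5.5.1 Need RCPT first")
        elif line.upper() == "QUIT":
            replies.append("221 2.0.0 Bye")
    return replies, dsn_recipients

# Constructed session: spam with a forged envelope sender.
SESSION = ["EHLO bot.example.net", "MAIL FROM:<victim@example.org>",
           "RCPT TO:<keith@example.test>", "DATA",
           "Subject: offer", "", "Cheap pills here", ".", "QUIT"]
```

With `reject_in_session=True` the receiver queues no bounce at all; with `False` the only bounce it generates is addressed to the forged sender, which is the backscatter discussed in this thread.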
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Monday 2006-04-03 at 10:13 +0100, David Bolt wrote:
Either ezmlm accepted what I can only assume was a rejection notice or
bounce from service{at}paypal.com as the confirmation required to
complete the subscription, or it is even more broken in that it allows
non-subscribers to post to the mailing lists. My guess is the former,
since I've received a rejection when trying to send replies using the
wrong email address.
The ezmlm server will subscribe any address with an autoresponder, is as
simple as that :-/
All paypal style addresses were removed days ago, Marcus said so.
- --
Cheers,
Carlos Robinson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76
iD8DBQFEMRVutTMYHG2NR9URAoJcAJ4jYU+mQRwsJab4a/yDi3BGs1ThTwCglPY3
BTB7UlXidL2CI8rIASolx9s=
=90YE
-----END PGP SIGNATURE-----
Carlos E. R. wrote:
The ezmlm server will subscribe any address with an autoresponder, is as
simple as that :-/
Definitely not good. Anyone have suggestions for a better list manager?
("Better" includes being easy to administer.) Please answer off-list,
since this is no longer directly related to either SuSE or security.
--
Chuck Linsley
linsley@sonic.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Monday 2006-04-03 at 14:07 -0700, Chuck Linsley wrote:
Carlos E. R. wrote:
The ezmlm server will subscribe any address with an autoresponder, is as
simple as that :-/
Definitely not good. Anyone have suggestions for a better list manager?
("Better" includes being easy to administer.)
I don't know that. But I heard that SuSE was going to switch to "mlmmj":
Description :
This is an attempt at implementing a mailing list manager with the same
functionality as EZMLM, but with the MIT/X11 license and no mail server
dependency.
Please answer off-list,
since this is no longer directly related to either SuSE or security.
Better not, I'm probably blacklisted ;-)
- --
Cheers,
Carlos Robinson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76
iD8DBQFEMbM6tTMYHG2NR9URAkvwAJwKmyGUtbPhq3HmFcY55lzPhqCQWwCgiikc
S/iKSGnpnoOILxvm9bqw1xQ=
=aUhg
-----END PGP SIGNATURE-----
suse@karsites.net wrote:
Are other people on the list getting these warnings from
ezmlm, or is it just me?
Or is someone spamming the list?
Regards
Keith
---------- Forwarded message ----------
Return-Path:
X-Original-To: keith@localhost
Delivered-To: keith@localhost.karsites.net
Received: from localhost (localhost [127.0.0.1])
by karsites.net (Postfix) with ESMTP id 0C5D8E55B8
for ; Sun, 2 Apr 2006 20:06:28 +0100 (BST)
X-Original-To: karsites@kar.eclipse.co.uk
Delivered-To: karsites@kar.eclipse.co.uk
Received: from mail.eclipse.co.uk [82.153.251.6]
by localhost with IMAP (fetchmail-6.2.5)
for keith@localhost (single-drop); Sun, 02 Apr 2006 20:06:29 +0100 (BST)
Received: from MXA05.ch.as12513.net (mxa05.ch.as12513.net [82.153.252.56])
yep
--
Hans Krueger
hanskrueger@adelphia.net
registered Linux user 289023
411024
On Monday 03 April 2006 9:21 am, Hans Krueger wrote:
suse@karsites.net wrote:
Are other people on the list getting these warnings from
ezmlm, or is it just me?
Or is someone spamming the list?
Regards
Keith
---------- Forwarded message ----------
Return-Path:
X-Original-To: keith@localhost
Delivered-To: keith@localhost.karsites.net
Received: from localhost (localhost [127.0.0.1])
by karsites.net (Postfix) with ESMTP id 0C5D8E55B8
for ; Sun, 2 Apr 2006 20:06:28 +0100 (BST)
X-Original-To: karsites@kar.eclipse.co.uk
Delivered-To: karsites@kar.eclipse.co.uk
Received: from mail.eclipse.co.uk [82.153.251.6]
by localhost with IMAP (fetchmail-6.2.5)
for keith@localhost (single-drop); Sun, 02 Apr 2006 20:06:29
+0100 (BST) Received: from MXA05.ch.as12513.net
(mxa05.ch.as12513.net [82.153.252.56])
yep
Just drop em the ole bit bucket and go on...
--
j
You wrote a note with chalk on my door
A message I'd known long before:
On any given day, you'll find me gone (song lyric)