Lars Müller wrote:

On Sat, Sep 08, 2012 at 02:04:26AM +0200, Carlos E. R. wrote:

...

I see more often than before spam sent to various opensuse email lists, some of them repeatedly with the same from address.

That's the side effect of being more open.

...

Is this going to be handled?

Any of us list members is able or has to handle this at our individual end.

Making the list configuration less strict makes the openSUSE lists more attective to others. Not only spammers.

You might also check if your mail system provider is able to handle this on the incoming side. Please check your mail headers - they might be hidden by default - if you see a line starting with

X-Spam-Score:

for examlpe. Your message to the list for example had one of -3.74.

...

I also see several "on vacation" posts on the security list.

Such issues are caused by the individual vacation mechanisms. If I get it right the standard mechanism is to send a vacation message if the recipient was addressed via "To:".

A properly implemented auto-responder would not respond to mails containing List- headers, but getting this vacation thing right seems to be a never ending problem. -- Per Jessen, Zürich (21.3°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Sat, Sep 08, 2012 at 04:21:31PM +0200, Carlos E. R. wrote:

On 2012-09-08 15:14, Per Jessen wrote:

...

Lars Müller wrote:

...

...

That's the side effect of being more open.

They should be unsubscribed. Yes, of course I have my own spam handler, but those spams get archived in the web.

...

...

...

I also see several "on vacation" posts on the security list.

Such issues are caused by the individual vacation mechanisms. If I get it right the standard mechanism is to send a vacation message if the recipient was addressed via "To:".

A properly implemented auto-responder would not respond to mails containing List- headers, but getting this vacation thing right seems to be a never ending problem.

Not if you punish them with unsubscription automatically. Specially those that repeat.

Are you willing to do both kind of jobs? I'm sure we all will appreciate your help. Thanks, Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team + SUSE Labs SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany

Von: Peter Maffter

An: "opensuse@opensuse.org" CC: Gesendet: 0:39 Sonntag, 9.September 2012 Betreff: Re: [opensuse] Increasing ammount of spam sent to various opensuse email lists.

In fact I was sending 2 postings today and none of them reached the list. Maybe -if this posting comes through- someone can check the opensuse filters? There seems to be a bug.

Sorry to hijack this thread but the last four times I tried to post this did not work! Please Opensuse people take a look at your filters - there  seems to be a major bug! The question was: How do I tell zypper to download to a certain directory other than the default cache  /var/cache/zypp/packages  ? man page is not quite clear as --reposd-dir, --cache-dir are addressing different aspects. I want to tell zypper to use different directory and put all data there for later update. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

On 2012-09-08 23:53, Lars Müller wrote:

...

Are you willing to do both kind of jobs?

I'm sure we all will appreciate your help.

I doubt that is possible, that person would need access to the mail list software. Can SUSE do that?

Should not be a problem, the infrastructure is accessible. I'm Lars can help you. -- Per Jessen, Zürich (16.4°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

* Lars Müller [09-09-12 08:07]:

a) This is a community project.

b) Each extra man power SUSE spents on such simple tasks would be missing on more advanced issues the openSUSE team has to work on. And there are many.

An Open Source project like openSUSE also needs people willing to handle things like the list management.

We can't expect from one of the main sponsors to do everything.

Then the next point would be to determine the necessary steps to "appoint" or recruit a "community member" and grant access and responsibility to unsub vacation responders with notice of reason and path to resub and to permanently unsub *spammers* and perhaps those whose civility doesn't pass muster. -- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://linuxcounter.net -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2012-09-09 14:06, Lars Müller wrote:

On Sun, Sep 09, 2012 at 01:42:00AM +0200, Carlos E. R. wrote:

a) This is a community project.

In the past, I understood that list management was an employees thing only.

b) Each extra man power SUSE spents on such simple tasks would be missing on more advanced issues the openSUSE team has to work on. And there are many.

An Open Source project like openSUSE also needs people willing to handle things like the list management.

Well, if you are sure this can be done, then yes, I'm willing to help. Not full time, but I can try. For instance, at the moment I'm on a trip and my laptop has limited internet access, so I don't know if I could manage this. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iF4EAREIAAYFAlBM6IwACgkQja8UbcUWM1wzXQEAllgyRZqb9d++BUeaK81T6lUb TxdyhXUAHfZhnwL4BccA/1MsoAr5fOhXHv6xnk4UjiwpppnSx/nusiWgutIlwqZ+ =cj6G -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-09-10 07:51, Per Jessen wrote:

Carlos E. R. wrote:

...

Well, if you are sure this can be done, then yes, I'm willing to help. Not full time, but I can try. For instance, at the moment I'm on a trip and my laptop has limited internet access, so I don't know if I could manage this.

Then you do as well as you can, and maybe find somebody else interested in helping.

I'm back home. - -- Cheers / Saludos, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlBQhX8ACgkQIvFNjefEBxorzgCdFBkuYE24NlbIRuwGMzPwwksR XlQAoMJpyX66UZJAmrfZQx0qyQozYzYJ =llTe -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2012-09-09 09:31, Per Jessen wrote:

Carlos E. R. wrote:

I wasn't talking about the openSUSE lists, I meant the vacation thing in general. Wrt to the lists, I defnitely do not agree that people should be unsubscribed automatically. That's a very big gun for a very tiny problem.

It teaches them manners >:-) The security mail list is a very low traffic list and every post I assume it is important. These vacation messages cause threads of complaints, and AFAIK, it is the only list affected. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iF4EAREIAAYFAlBM6VAACgkQja8UbcUWM1yblAD9FyZVHOf3lGx3sX8NFcUkOXlc z+a3gVNRSNNe5xERS3sA/1vuoCcS1BdS0us0VTncYviZ1KSgALhDwL1mFUMgNUai =0q3v -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Per Jessen [10.09.2012 07:55]:

Well, that is interesting - it would perhaps be worth looking into if the security list is different to the rest?

There aren't more morons on the list ;-) than elsewhere, but since there are only a few postings, every moron gets noticed :-) Plus, someone who cares about security should be able to use a *working* autoresponder.

From another list: "AUTO: Chan, Brian is away from the office" is a standard post on the nagios-users mailing list. Sent with a message-ID with invalid domain part.

-- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/08/2012 05:30 AM, Lars M�ller wrote:

On Sat, Sep 08, 2012 at 02:04:26AM +0200, Carlos E. R. wrote:

...

I see more often than before spam sent to various opensuse email lists, some of them repeatedly with the same from address.

I have not seen any spam from the list lately. Are you sure they're from the list and are not forged senders? When in doubt I look at the headers. With regard to lists, more often than not, the messages turn out to be from somewhere other than a list. Except for all the misconfigured, abandoned and unmaintained Yahoo lists. Look at the headers of several authentic list messages, compare with the spam messages. The Received chain should be the same and unbroken. Broken Received chains are indication of spam. Sources other than the suse.org mail servers are also indications of spam. The rest of the headers should be consistent amongst all the messages. If you're certain that the spam comes from the list, let the list maintainer know. The worst that can happen is that you'll be told it's not from the list.

Any of us list members is able or has to handle this at our individual end.

Spammers on a list are the *list maintainer's responsibility*, /not/ the responsibility the user|subscriber. Failure to maintain clean lists can quickly get the list and domain on several blacklists. In turn, a lot of list subscribers will stop receiving list mail. A lot of blacklists are pretty damned difficult to be removed from. It seems to me that SuSE maintains clean lists. I have not seen spam on this list in a while. I have seen occasional spams some time ago and the spammer was dealt with quickly, presumably because the list maintainer actually reads the list. In re vacation autoresponders: Generally it's the user who is to blame for sending vacation/out-of-office autoreplies. Even half-assed autoresponders have it together enough to have the either the user-settable option of not responding to list traffic or know what a list is and suppress autoresponses. It's the user's responsibility to properly configure his autoresponder so that it suppresses unwanted traffic, such as that to lists. Sometimes a user will come across some old, stupid vacation script in a book and thinks how cool it would be to roll his own but fails to consider the havoc wrought by a script that reponds to _every_ mail message received. Here again, the headers tell the story. Look at normal list message headers and compare to the autoresponder message. Pay particular attention to the From, From: and Sender: headers. If the autoresponder message headers are not the same as the list message headers the autoresponder message did not come from the list but directly from the list subscriber himself. If an autoresponder spews to a list, tell the sender to fix it or else be unsubscribed. Then follow through. If, as is more likely the case, the autoresponder is spewing directly to list posters or subscribers, likely based on the From: header, reply directly to the sender with the whole autoreply quoted and _politely_ ask him to fix his autoresponder and suggest that if he doesn't you will have to blocklist him and notify the list. Most list maintainers consider such autoresponder behaviour to be an abuse of the list and will also warn the sender. But if you're getting some rude challenge-response from an autoresponder demanding you prove you're human before a list message (or any message) will be delivered to the recipient, just block them, drop or reject their messages in filters. These things are offensive and are at least as bad as spam. Users of these things aren't thinking very clearly and probably don't have any friends left. Maybe let the list maintainer know as this is also an abuse of the list: Every other sender on the list also gets these things. The recipient doesn't have his act together enough to accept list messages so he doesn't need to receive them. jd -- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Just my 2 cents, Note: CAPS - I'm shouting - I'm making a point. I've been tracking spam emails for a long time. My analysis has been - GET OFF OF WEB MAIL AND THEIR ADDRESS BOOKS. Spam email got a jump start - faster - the more people are using WEB MAIL with it's associated ADDRESS BOOKS. Not that I know how, however, it stands to reason by the nature of the beast, that web mail address books can get hacked into much easier than email client address books. For this and, for the principal of it, I NEVER, EVER USE WEB MAIL - AT ALL - NEVER. AND, YOUR - PRIVATE - EMAILS ARE ON - PUBLIC - SERVERS.............. Again, just my 2 cents, Duaine On 09/09/2012 12:15 AM, Werner Flamme wrote:

[09.09.2012 05:01] [j debert]:

...

In re vacation autoresponders:

Generally it's the user who is to blame for sending vacation/out-of-office autoreplies. Even half-assed autoresponders have it together enough to have the either the user-settable option of not responding to list traffic or know what a list is and suppress autoresponses. It's the user's responsibility to properly configure his autoresponder so that it suppresses unwanted traffic, such as that to lists.

Sometimes a user will come across some old, stupid vacation script in a book and thinks how cool it would be to roll his own but fails to consider the havoc wrought by a script that reponds to _every_ mail message received. Sometimes the user reads the mail with his company's mail account. He has to use his company's autoresponder then.

Since there is no "set on hold" and "restart delivering" on the vast majority of mailing lists I read, I have two choices when I go into holiday: unsubscribe from all the mailing list an re-subscribe afterwards or not using an autoresponder. I decided for the latter, but it's annoying for the colleagues who sent mails and do not get any reaction. So I understand those who use "vacation".

Of course, it's right that autoresponders should not answer to mailing lists. However, the bigger a company's mailing solution is, the less is the probability that the autoresponder acts properly :-\

...

If an autoresponder spews to a list, tell the sender to fix it or else be unsubscribed. Then follow through. Ha. How will a single user get the management to pay a bazillion of $currency to upgrade the company's mailing system to a working solution? The management does not subscribe to mailing lists, they don't give a damn. Everything else is a miracle that will sure run through several IT news feeds ;-)

I subscrbed to *this* list with a non-company mail address. But the mail system that handles it is not mine, a and I can't do anything to (or with) the autoresponder (I even do not know what they use). The mail domain email.de is hosted by web.de, a company that belongs to united internet AG, see http://www.united-internet.de/BrandsWebde?__language=en_EN. Their hotline is so dumb, they don't even know what an autoresponder is...

Regards, Werner

-- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing & Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home & Business user of Linux - 11 years -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

[09.09.2012 09:35] [Duaine Hechler]:

Just my 2 cents,

Note: CAPS - I'm shouting - I'm making a point.

I've been tracking spam emails for a long time.

My analysis has been - GET OFF OF WEB MAIL AND THEIR ADDRESS BOOKS.

Spam email got a jump start - faster - the more people are using WEB MAIL with it's associated ADDRESS BOOKS.

Not that I know how, however, it stands to reason by the nature of the beast, that web mail address books can get hacked into much easier than email client address books.

For this and, for the principal of it, I NEVER, EVER USE WEB MAIL - AT ALL - NEVER.

AND, YOUR - PRIVATE - EMAILS ARE ON - PUBLIC - SERVERS..............

Again, just my 2 cents, Duaine

I really love top osting (as in http://en.wikipedia.org/wiki/Posting_style#Top-posting) since it makes it so easy to see the question before you read the answer, doesn't it? Since you wrote this as a reply to my mail: do you really think that I put my address book in a webmail service? Why? Or is it only a kind of reflex of your fingers? -- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2012-09-09 05:01, j debert wrote:

On 09/08/2012 05:30 AM, Lars M�ller wrote:

...

On Sat, Sep 08, 2012 at 02:04:26AM +0200, Carlos E. R. wrote:

...

I see more often than before spam sent to various opensuse email lists, some of them repeatedly with the same from address.

I have not seen any spam from the list lately. Are you sure they're from the list and are not forged senders?

Received: from lists4.suse.de (localhost [127.0.0.1]) by lists4.suse.de (Postfix) with SMTP id BF03D83CA2C; Fri, 7 Sep 2012 19:03:36 +0000 (GMT) Subject: [opensuse-translation-es] =?GB2312?B?TEVEIG91dGRvb3IgbGlnaHRpbmcgJiBJbnRlcmlvciBsaWdodGluZ9PrxPq5ss/t?= =?GB2312?B?wcvV1cas?= X-Virus-Scanned: by amavisd-new at localhost X-Spam-Status: Yes, score=5.605 tagged_above=-20 required=5 tests=[BAYES_99=5, DEAR_SOMETHING=1.605, RCVD_IN_DNSWL_LOW=-1] X-Spam-Score: 5.605 X-Spam-Level: ***** X-Spam-Flag: YES and that amavis server is upstream of me, probably at suse.

In re vacation autoresponders:

Here again, the headers tell the story. Look at normal list message headers and compare to the autoresponder message. Pay particular attention to the From, From: and Sender: headers. If the autoresponder message headers are not the same as the list message headers the autoresponder message did not come from the list but directly from the list subscriber himself.

Received: from lists4.suse.de ([195.135.221.135]) by IMPmx10.adm.correo with BIZ IMP id rrCE1j00M2vsySB0ArCEp3; Mon, 27 Aug 2012 17:12:14 +0200 Date: 27 Aug 2012 11:10:50 -0400 Message-ID: <20120827151050.11482.qmail@mail.palominosys.com> From: markus@palominosys.com To: opensuse-security@opensuse.org Subject: [opensuse-security] =?utf-8?Q?AWAY:_Re:_[security=2Dannounce]_SUSE=2DSU=2D2012:1043=2D1:_important:_Security_update_for_Xen_and_libvirt?= I am out of the office until August 28 and will not have access to email until then.

If an autoresponder spews to a list, tell the sender to fix it or else be unsubscribed. Then follow through.

You can not tell the sender, they bounce with another vacation message. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iF4EAREIAAYFAlBM6z4ACgkQja8UbcUWM1yfwAD/YT34liXyWpcfhW/Ir7jWYd5k fvv8q8LWoEesANpFllIA/0ZQWrualmhrUTda5/0wa9SnGc0sy6DzazBlZOUKOobd =rBnP -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org