Hi gang,
I was just going through the posts in this mailing list, and have come upon
(so far) 4 of these weird posts. They're in this mailing list, but the header
looks like it's sent just to 'me'. Here's the long headers:
Return-Path:
[John]
I was just going through the posts in this mailing list, and have come upon (so far) 4 of these weird posts. [...]
I'm getting such as well.
Is this some kind of spam?
This is indirect. Here is a possible scenario. You sent email to a first someone, at some time in the past. That first someone's machine runs Windows and recently got infected by a computer virus. The virus found your email address on this first Windows machine, and used it to forge the `From:' header of infecting emails broadcast from the Windows machine to various people, one of whom also runs Windows and also got infected. But this time, the ISP of this second guy has been aware that he was sending spam (because he was infected as well) and terminated his account. When a message from the first someone was sent to the second someone, it was intercepted by the ISP, and because of the forged From, that ISP sent a message to you explaining that the message from the first Windows machine would not be delivered to the second Windows machine.
If it is, it's the strangest I've ever seen/encountered,
Don't stop breathing. You'll surely see worse. :-)
-- François Pinard http://www.iro.umontreal.ca/~pinard
See my earlier post about the mysterious bounce test.
-- -ckm
I have also had strange email "your quota has been exceeded" that looks like someone has been using my email address as the "from" when sending spam. The odd thing is the address in question is one I invented this week for use to this mailing list only! I have also had bounce tests apparently from suse.de
On Thursday 04 September 2003 3:21 am, Francois Pinard wrote:
[John]
I was just going through the posts in this mailing list, and have come upon (so far) 4 of these weird posts. [...]
I'm getting such as well.
Is this some kind of spam?
This is indirect. Here is a possible scenario. You sent email to a first someone, at some time in the past. That first someone's machine runs Windows and recently got infected by a computer virus. The virus found your email address on this first Windows machine, and used it to forge the `From:' header of infecting emails broadcast from the Windows machine to various people, one of whom also runs Windows and also got infected. But this time, the ISP of this second guy has been aware that he was sending spam (because he was infected as well) and terminated his account. When a message from the first someone was sent to the second someone, it was intercepted by the ISP, and because of the forged From, that ISP sent a message to you explaining that the message from the first Windows machine would not be delivered to the second Windows machine.
If it is, it's the strangest I've ever seen/encountered,
Don't stop breathing. You'll surely see worse. :-)
-- François Pinard http://www.iro.umontreal.ca/~pinard
The 03.09.04 at 10:14, david stevenson wrote:
I have also had strange email "your quota has been exceeded" that looks like someone has been using my email address as the "from" when sending spam. The odd thing is the address in question is one I invented this week for use to this mailing list only!
The W32/Sobig.f@MM virus is going around, and it includes a 100Kbyte attachment, something.pif, as a payload. It seems that this virus will - in Windows machines, of course, running Outlook ;-) - resend itself to the full address book of its unfortunate user, using different from addresses. If you are a correspondent of his, you will be on the address book, and you may well be on the destination address or the from for some of these emails. This activity, multiplied world wide, may well fill up many mail boxes. This is why I asked on the list about how to reject certain attaches (solved), because I got 30 of them yesterday: that's more than 3 megabytes, probably six.
I have also had bounce tests apparently from suse.de
Yes, it is related, but to the cure. :-)
-- Cheers, Carlos Robinson
The 03.09.03 at 19:58, John wrote:
Is this some kind of spam? If it is, it's the strangest I've ever seen/encountered, and also if it is, it looks like I should never have told Carlos I never got any spam off this list! LOL! You cursed me Carlos, this is all your fault! LOL!
X'-) No, it is not spam. The thing is as follows: You sent an email to the list. The list server sent it to the thousand (?) subscribers. One of them has been marked as a spammer by his ISP -- Good job! Praise them! :-) --, and his account was blocked. That ISP sends back a notification to the originator of the email, which is you: at least, you are in the "from" header. Maybe it should have bounced to the list server: Christopher could perhaps clarify that, I think.
So, everybody that sent email to this list (and the Spanish list as well) got one of those. The proper action is to forward one of those, complete, to the list owner, i.e.: suse-linux-e-owner@suse.com - as documented on the little confirmation email you received when you subscribed ;-) And the "owner" had a hard time finding this one: thus the bounce test he commented.
By the way: you got that email inside the list mailbox because your mail filter rule is incorrect. If you use procmail, the rule is similar to this:
    :0f
    * ^X-Mailinglist: suse-linux-e
    | /usr/bin/formail -bfi "Reply-To:suse-linux-e@suse.com"
    :0 a:
    $HOME/Mail/lists/suse-linux-e
The formail part is for adding a "reply-to" header. The important part is that you have to check for the "X-Mailinglist:" header. Then, follow with rules for the other lists you may have. For example:
    :0
    * ^X-Mailinglist: suse-security-announce
    $HOME/Mail/lists/suse-security-announce
Anything that doesn't match, is a direct email to you.
    :0
    $HOME/Mail/lists/in_elresto
-- Cheers, Carlos Robinson
* Carlos E. R. (robin1.listas@tiscali.es) [030904 06:58]:
The thing is as follows: You sent an email to the list. The list server sent it to the thousand (?) subscribers. One of them has been marked as a spammer by his ISP -- Good job! Praise them! :-) --, and his account was blocked. That ISP sends back a notification to the originator of the email, which is you: at least, you are in the "from" header. Maybe it should have bounced to the list server: Christopher could perhaps clarify that, I think.
Bounces and autoresponses (e.g., vacation messages) should only go to the sender from, not addresses listed in the from or cc header. When that happens the person will eventually get automatically unsubscribed and no one ever sees this garbage.
-- -ckm
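Added example, not part of the thread or of any poster's own code: a Python version of the two rules discussed above, sorting mail on the X-Mailinglist header as in the procmail recipe, and addressing bounces only to the envelope sender. The function names, the sample messages and the example.org / lists.example / isp.example addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; all addresses are placeholders.
LIST_POST = (
    "Return-Path: <suse-linux-e-bounces@lists.example>\n"
    "From: John <john@example.org>\n"
    "X-Mailinglist: suse-linux-e\n"
    "Subject: weird posts\n\nbody\n"
)
ISP_NOTICE = (
    "Return-Path: <>\n"
    "From: Mail Delivery System <MAILER-DAEMON@isp.example>\n"
    "To: john@example.org\n"
    "Subject: account closed\n\nThe recipient's account was terminated.\n"
)
DIRECT = "From: friend@example.org\nTo: john@example.org\nSubject: hi\n\nhello\n"


def classify(raw):
    """Return the folder for a message: 'list:<name>', 'bounce' or 'direct'."""
    msg = message_from_string(raw)
    # Same test as the procmail recipe: key on the list header, not on To:.
    list_name = msg.get("X-Mailinglist")
    if list_name:
        return "list:" + list_name.strip()
    # Delivery notifications carry the null envelope sender "<>" (RFC 5321).
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    # Automatic replies may declare themselves with Auto-Submitted (RFC 3834).
    auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if null_sender or auto or local in ("mailer-daemon", "postmaster"):
        return "bounce"
    return "direct"


def bounce_recipient(envelope_sender, raw):
    """Address a bounce or autoresponse for `raw` goes to, or None for nobody.

    Only the envelope sender (SMTP MAIL FROM) is used; From: and Cc: are ignored.
    """
    if envelope_sender.strip() in ("", "<>") or classify(raw) == "bounce":
        return None  # never answer a bounce or other automatic mail
    return envelope_sender.strip().strip("<>")


if __name__ == "__main__":
    for name, raw in (("list post", LIST_POST), ("ISP notice", ISP_NOTICE), ("direct", DIRECT)):
        print(name, "->", classify(raw))
```

For the list post, the notification goes to the list's bounce address rather than to John, so the list server can unsubscribe the dead address.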
participants (5)
- Carlos E. R.
- Christopher Mahmood
- david stevenson
- Francois Pinard
- John