-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi gang,

I was just going through the posts in this mailing list, and have come upon (so far) 4 of these weird posts. They're in this mailing list, but the header looks like it's sent just to 'me'. Here's the long headers:

Return-Path: <AbuseDept@mail2world.com>
Received: from bm8.sec.tds.net ([216.170.230.78])
    by bm6.mail.tds.net with ESMTP
    id <20030903152704.LYRM10385.bm6@bm8.sec.tds.net>
    for <yonaton@tds.net>; Wed, 3 Sep 2003 10:27:04 -0500
Received: from mwsend02la.mail2world.com (mw157.mail2world.com [66.28.189.157])
    by bm8.sec.tds.net (8.12.9/8.12.2) with ESMTP id h83FQwch014797
    for <yonaton@tds.net>; Wed, 3 Sep 2003 10:27:00 -0500 (CDT)
Received: from mwsend01la.mail2world.com (unverified [10.1.203.17])
    by mwsend02la.mail2world.com (Rockliffe SMTPRA 4.5.6) with ESMTP
    id <B3101304013@mwsend02la.mail2world.com>
    for <yonaton@tds.net>; Wed, 3 Sep 2003 08:27:14 -0700
Received: from mwsmtp03la.mail2world.com (unverified [10.1.202.11])
    by mwsend01la.mail2world.com (Vircom SMTPRS 1.4.232) with ESMTP
    id <B0034209929@mwsend01la.mail2world.com>
    for <yonaton@tds.net>; Wed, 3 Sep 2003 08:27:13 -0700
Received: from mwutil03la (unverified [10.1.1.34])
    by mwsmtp03la.mail2world.com (Rockliffe SMTPRA 4.5.6) with ESMTP
    id <B0105925569@mwsmtp03la.mail2world.com>
    for <yonaton@tds.net>; Wed, 3 Sep 2003 08:27:13 -0700
thread-index: AcNyL9lkMw8HFQ0/QpG676/aKOqMWQ==
Thread-Topic: [ABUSE] RE:Re: [SLE] Works in Windoze, NOT in SuSE
From: <AbuseDept@mail2world.com>
To: <yonaton@tds.net>
Cc:
Subject: [ABUSE] RE:Re: [SLE] Works in Windoze, NOT in SuSE
Date: Wed, 3 Sep 2003 08:27:13 -0700
Message-ID: <028201c3722f$d966fae0$2201010a@mail2world.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0283_01C371F5.2D0822E0"
X-Mailer: Microsoft CDO for Exchange 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Status: R
X-Status: N
X-KMail-EncryptionState:
X-KMail-SignatureState:

Here's a short snip of the body:

georgezinsu5@mail2world.com account you reported/emailed has been terminated due to a suspected spamming violation. We are investigating the incident, and depending on the outcome, will take appropriate legal action. mail2world.com does not tolerate the sending of spam (unsolicited bulk or junk email), and will immediately terminate all accounts that violate the strict rules stipulated in the mail2world.com Conduct Policy, the mail2world.com Spam Policy and the mail2world.com Terms of Service Agreement you can view our policies here: http://www.mail2world.com/s/m2wpublic/policies/conduct.asp

Is this some kind of spam? If it is, it's the strangest I've ever seen/encountered, and also if it is, it looks like I should never have told Carlos I never got any spam off this list! LOL! You cursed me Carlos, this is all your fault! LOL!

John

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)

iD8DBQE/Vo4pH5oDXyLKXKQRAqYdAJ92XPjEnSI/ujUu27U8KZ587sag4QCeK67O
B0BIQmwjbpw+f6R+ZOnlRHk=
=SJy0
-----END PGP SIGNATURE-----
[John]
I was just going through the posts in this mailing list, and have come upon (so far) 4 of these weird posts. [...]
I'm getting such as well.
Is this some kind of spam?
This is indirect. Here is a possible scenario. You sent email to a first someone, at some time in the past. That first someone's machine runs Windows and recently got infected by a computer virus. The virus found your email address on this first Windows machine, and used it to forge the `From:' header of infecting emails broadcast from the Windows machine to various people, one of whom also runs Windows and also got infected. But this time, the ISP of this second guy has been aware that he was sending spam (because he was infected as well) and terminated his account. When a message from the first someone was sent to the second someone, it was intercepted by the ISP, and because of the forged From, that ISP sent a message to you explaining that the message from the first Windows machine would not be delivered to the second Windows machine.
If it is, it's the strangest I've ever seen/encountered,
Don't stop breathing. You'll surely see worse. :-)
-- François Pinard http://www.iro.umontreal.ca/~pinard
See my earlier post about the mysterious bounce test. -- -ckm
I have also had strange email "your quota has been exceeded" that looks like someone has been using my email address as the "from" when sending spam. The odd thing is the address in question is one I invented this week for use to this mailing list only!

I have also had bounce tests apparently from suse.de

On Thursday 04 September 2003 3:21 am, Francois Pinard wrote:
[John]
I was just going through the posts in this mailing list, and have come upon (so far) 4 of these weird posts. [...]
I'm getting such as well.
Is this some kind of spam?
This is indirect. Here is a possible scenario. You sent email to a first someone, at some time in the past. That first someone's machine runs Windows and recently got infected by a computer virus. The virus found your email address on this first Windows machine, and used it to forge the `From:' header of infecting emails broadcast from the Windows machine to various people, one of whom also runs Windows and also got infected. But this time, the ISP of this second guy has been aware that he was sending spam (because he was infected as well) and terminated his account. When a message from the first someone was sent to the second someone, it was intercepted by the ISP, and because of the forged From, that ISP sent a message to you explaining that the message from the first Windows machine would not be delivered to the second Windows machine.
If it is, it's the strangest I've ever seen/encountered,
Don't stop breathing. You'll surely see worse. :-)
-- François Pinard http://www.iro.umontreal.ca/~pinard
The 03.09.04 at 10:14, david stevenson wrote:
I have also had strange email "your quota has been exceeded" that looks like someone has been using my email address as the "from" when sending spam. The odd thing is the address in question is one I invented this week for use to this mailing list only!
The W32/Sobig.f@MM virus is going around, and it includes a 100Kbyte attachment, something.pif, as a payload. It seems that this virus will - in Windows machines, of course, running Outlook ;-) - resend itself to the full address book of its unfortunate user, using different from addresses. If you are a correspondent of his, you will be in the address book, and you may well be in the destination address or the from for some of these emails. This activity, multiplied worldwide, may well fill up many mail boxes. This is why I asked on the list about how to reject certain attachments (solved), because I got 30 of them yesterday: that's more than 3 megabytes, probably six.
I have also had bounce tests apparently from suse.de
Yes, it is related, but to the cure. :-) -- Cheers, Carlos Robinson
The 03.09.03 at 19:58, John wrote:
Is this some kind of spam? If it is, it's the strangest I've ever seen/encountered, and also if it is, it looks like I should never have told Carlos I never got any spam off this list! LOL! You cursed me Carlos, this is all your fault! LOL!
X'-) No, it is not spam.

The thing is as follows: You sent an email to the list. The list server sent it to the thousand (?) subscribers. One of them has been marked as a spammer by his ISP -- Good job! Praise them! :-) --, and his account was blocked. That ISP sends back a notification to the originator of the email, which is you: at least, you are in the "from" header. Maybe it should have bounced to the list server: Christopher could perhaps clarify that, I think.

So, everybody that sent email to this list (and the Spanish list as well) got one of those. The proper action is to forward one of those, complete, to the list owner, ie: suse-linux-e-owner@suse.com - as documented on the little confirmation email you received when you subscribed ;-)

And the "owner" had a hard time finding this one: thus the bounce test he commented.

By the way: you got that email inside the list mailbox because your mail filter rule is incorrect. If you use procmail, the rule is similar to this:

    :0f
    * ^X-Mailinglist: suse-linux-e
    | /usr/bin/formail -bfi "Reply-To:suse-linux-e@suse.com"

    :0 a:
    $HOME/Mail/lists/suse-linux-e

The formail part is for adding a "reply-to" header. The important part is that you have to check for the "X-Mailinglist:" header.

Then, follow with rules for the other lists you may have. For example:

    :0
    * ^X-Mailinglist: suse-security-announce
    $HOME/Mail/lists/suse-security-announce

Anything that doesn't match, is a direct email to you.

    :0
    $HOME/Mail/lists/in_elresto

-- Cheers, Carlos Robinson
* Carlos E. R. (robin1.listas@tiscali.es) [030904 06:58]:
The thing is as follows: You sent an email to the list. The list server sent it to the thousand (?) subscribers. One of them has been marked as a spammer by his ISP -- Good job! Praise them! :-) --, and his account was blocked. That ISP sends back a notification to the originator of the email, which is you: at least, you are in the "from" header. Maybe it should have bounced to the list server: Christopher could perhaps clarify that, I think.
Bounces and autoresponses (e.g., vacation messages) should only go to the sender from, not addresses listed in the from or cc header. When that happens the person will eventually get automatically unsubscribed and no one ever sees this garbage. -- -ckm
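Added example, not part of any post in this thread: a Python sketch of the two checks discussed above, filing list mail by the X-Mailinglist header (as in the procmail rule) and addressing automatic replies to the envelope sender instead of the From: header. The sample messages and every address in them are constructed, and the subject-tag rule is only an assumed example of a weak filter.

```python
from email import message_from_string

LIST_ID = "suse-linux-e"  # X-Mailinglist value used in the procmail rule above

# Constructed sample messages; every address here is a placeholder.
LIST_POST = message_from_string(
    "Return-Path: <list-bounces@lists.example>\n"
    "From: poster@example.org\n"
    "X-Mailinglist: suse-linux-e\n"
    "Subject: [SLE] Works in Windoze, NOT in SuSE\n\nbody\n")
ABUSE_NOTICE = message_from_string(
    "Return-Path: <abuse@isp.example>\n"
    "From: abuse@isp.example\n"
    "To: poster@example.org\n"
    "Subject: [ABUSE] RE:Re: [SLE] Works in Windoze, NOT in SuSE\n\nbody\n")
DSN = message_from_string(
    "Return-Path: <>\nFrom: MAILER-DAEMON@isp.example\n"
    "Subject: Undelivered mail\n\nbody\n")

def folder_for(msg):
    """File by the X-Mailinglist header, like the procmail rule."""
    if (msg.get("X-Mailinglist") or "").strip().lower() == LIST_ID:
        return "lists/" + LIST_ID
    return "inbox"

def folder_by_subject(msg):
    """Weak rule (assumed): anything carrying the [SLE] tag is list mail."""
    return "lists/" + LIST_ID if "[SLE]" in msg.get("Subject", "") else "inbox"

def bounce_recipient(msg):
    """Where an automatic reply may go: the envelope sender, which the final
    MTA records as Return-Path. From: and Cc: are never consulted, and the
    null sender <> (itself a bounce) gets no reply at all."""
    rp = msg.get("Return-Path")
    if rp is None:
        return None  # no envelope data: stay silent rather than guess
    addr = rp.strip().lstrip("<").rstrip(">").strip()
    return addr or None

if __name__ == "__main__":
    samples = [("list post", LIST_POST), ("abuse notice", ABUSE_NOTICE), ("dsn", DSN)]
    for name, m in samples:
        print(name, folder_by_subject(m), folder_for(m), bounce_recipient(m))
```

The abuse notice quotes the list's subject tag but carries no X-Mailinglist header, so only the subject-based rule misfiles it; a responder using `bounce_recipient` would answer the list's bounce address, never the poster named in From:.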
participants (5)
- Carlos E. R.
- Christopher Mahmood
- david stevenson
- Francois Pinard
- John