Thread: Testing mail list
I'm receiving bogus bounce messages like this (which are malformed even, the Subject isn't properly encoded). I'm not sure what list is generating them or what address but if we can figure out who could we drop whoever it is from the list please? -- Gregory Stark EnterpriseDB http://www.enterprisedb.com Ask me about EnterpriseDB's RemoteDBA services!
Attachment
Gregory Stark wrote: > I'm receiving bogus bounce messages like this (which are malformed even, the > Subject isn't properly encoded). I'm not sure what list is generating them or > what address but if we can figure out who could we drop whoever it is from the > list please? > > > ------------------------------------------------------------------------ > > Subject: > Confirmação de envio / Sending confirmation (captchaid:1324333124c3) > From: > <postmaster@infotecnica.com.br> > > > > The email message sent to dev@archonet.com requires a confirmation to > be delivered. Please, answer this email informing the characters that > you see in the image below > > > Receipt of messages like this is guaranteed an immediate entry in my junk filter. Use of this braindead software is bad enough, but being so clueless as not to whitelist a technical mailing list you subscribe to is truly horrible. cheers andrew
"Andrew Dunstan" <andrew@dunslane.net> writes: > Receipt of messages like this is guaranteed an immediate entry in my junk > filter. Use of this braindead software is bad enough, but being so clueless as > not to whitelist a technical mailing list you subscribe to is truly horrible. It's worse than that in this case. This is an *impressively* broken configuration. What appears to be happening is that the mail server at this university is looking at the To and From headers and treating it as a personal email between those two addresses. It sends this captcha to the From header claiming that the person in the To header is insisting on the captcha being filled out. The first such bounce I looked at actually claimed it was on Tom's behalf! If I were the list maintainer here I would ban infotecnica.com.br addresses from subscribing to any of our lists. Ideally with a message saying "as a result of misconfigured mail software addreses from infotecnica.com.br are banned from pgsql mailing lists. Please contact your postmaster to request they fix the problems" -- Gregory Stark EnterpriseDB http://www.enterprisedb.com Ask me about EnterpriseDB's Slony Replication support!
On Wed, Dec 19, 2007 at 01:09:39PM +0000, Gregory Stark wrote: > If I were the list maintainer here I would ban infotecnica.com.br addresses > from subscribing to any of our lists. Ideally with a message saying "as a > result of misconfigured mail software addreses from infotecnica.com.br are > banned from pgsql mailing lists. Please contact your postmaster to request > they fix the problems" Right. Problem is, I checked and I found no infotecnica.com.br addresses subscribed to pgsql-hackers. Are you sure it was mail from -hackers that caused the problem? I have seen the bounce myself but never made much of it (even though I agreed it was quite broken). -- Alvaro Herrera http://www.amazon.com/gp/registry/DXLWNGRJD34J La web junta la gente porque no importa que clase de mutante sexual seas, tienes millones de posibles parejas. Pon "buscar gente que tengan sexo con ciervos incendiándose", y el computador dirá "especifique el tipo de ciervo" (Jason Alexander)
Alvaro Herrera wrote: > On Wed, Dec 19, 2007 at 01:09:39PM +0000, Gregory Stark wrote: > > >> If I were the list maintainer here I would ban infotecnica.com.br addresses >> from subscribing to any of our lists. Ideally with a message saying "as a >> result of misconfigured mail software addreses from infotecnica.com.br are >> banned from pgsql mailing lists. Please contact your postmaster to request >> they fix the problems" >> > > Right. Problem is, I checked and I found no infotecnica.com.br > addresses subscribed to pgsql-hackers. > > Are you sure it was mail from -hackers that caused the problem? I have > seen the bounce myself but never made much of it (even though I agreed > it was quite broken). > > It could be via some mail <-> news or list <-> list gateway. cheers andrew
Gregory Stark <stark@enterprisedb.com> writes:
> It's worse than that in this case. This is an *impressively* broken
> configuration.
Understatement of the week. The mail includes absolutely no evidence
about what message is allegedly being filtered. Are you sure that
this is really a filtering engine at all, and not just random spam
hoping to draw responses from careless people? I've heard of web
comment-spammers who try to get other people to decode captchas
for them this way.
Adding to my suspicion is that I don't recall having seen one of these
personally, and if it were really tied to posting on any of the PG
lists, I shoulda seen a lot ;-)
regards, tom lane
Tom Lane wrote: > Gregory Stark <stark@enterprisedb.com> writes: > > It's worse than that in this case. This is an *impressively* broken > > configuration. > > Understatement of the week. The mail includes absolutely no evidence > about what message is allegedly being filtered. Are you sure that > this is really a filtering engine at all, and not just random spam > hoping to draw responses from careless people? I've heard of web > comment-spammers who try to get other people to decode captchas > for them this way. > > Adding to my suspicion is that I don't recall having seen one of these > personally, and if it were really tied to posting on any of the PG > lists, I shoulda seen a lot ;-) Yeah, I think it comes from pgsql-performance. I just got one mentioning an address to which I had responded some minutes before. -- Alvaro Herrera http://www.CommandPrompt.com/ The PostgreSQL Company - Command Prompt, Inc.
On Wed, Dec 19, 2007 at 11:15:37AM -0500, Tom Lane wrote: > hoping to draw responses from careless people? I've heard of web > comment-spammers who try to get other people to decode captchas > for them this way. Yes. This is the latest spammer trick. They get people all over the globe to decode the captchas. It's way easier than programming to decode the captchas (which itself isn't that hard -- there are plenty of toolkits out there that will decode such things for you). A
I wrote:
> Adding to my suspicion is that I don't recall having seen one of these
> personally,
I take that back --- some digging in my mail logs shows that I have
gotten a few of these, but they went straight to /dev/null because
my spam filters thought they were a virus. Have you checked whether
that "gif" is really an image, rather than a bit of malware?
The mail-log trace of the last such attempt is pretty interesting too:
Dec 16 13:05:16 sss2 sm-mta[27362]: lBGI5G1g027362: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN
duringconnection to MTA
Dec 16 13:05:16 sss2 sm-mta[27363]: lBGI5GFn027363: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN
duringconnection to MTA
Dec 16 13:05:17 sss2 sm-mta[27365]: lBGI5HIe027365: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN
duringconnection to MTA
Dec 16 13:05:52 sss2 sm-mta[27368]: lBGI5n2G027368: from=<root@infotecnica.com.br>, size=27892, class=0, nrcpts=1,
msgid=<200712161805.lBGI59uu016307@infotecnica.com.b
r>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=infotecnica.com.br [201.35.247.5]
Dec 16 13:05:52 sss2 sm-mta[27369]: lBGI5n2G027368: to="|/usr/local/bin/procmail -tYf- || exit 75 #tgl",
ctladdr=<tgl@sss.pgh.pa.us>(301/20), delay=00:00:02, xdelay=0
0:00:00, mailer=prog, pri=58095, dsn=2.0.0, stat=Sent
Since 11 December there are consistently three no-op connections before
anything actually happens, which adds a whole new layer of incompetence
that could be charged against whoever is running this, if it actually is
a mail server --- which I grow increasingly dubious of. I also see a
whole lot of connection attempts in the preceding months in which
nothing was *ever* sent, just "did not issue MAIL" reports in bursts of
three.
Looks like spamhaus.org was blocking them for portions of last month,
too, so other people have been unhappy about this as well.
Whoever these people are, I've seen enough; I'm off to add this IP
address to my local permanent blacklist.
regards, tom lane