Thread: Testing mail list

Testing mail list

From
Gregory Stark
Date:
I'm receiving bogus bounce messages like this (which are malformed even, the
Subject isn't properly encoded). I'm not sure what list is generating them or
what address but if we can figure out who could we drop whoever it is from the
list please?



--
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
  Ask me about EnterpriseDB's RemoteDBA services!

Attachment

Re: Testing mail list

From
Andrew Dunstan
Date:

Gregory Stark wrote:
> I'm receiving bogus bounce messages like this (which are malformed even, the
> Subject isn't properly encoded). I'm not sure what list is generating them or
> what address but if we can figure out who could we drop whoever it is from the
> list please?
>
>   
> ------------------------------------------------------------------------
>
> Subject:
> Confirmação de envio / Sending confirmation (captchaid:1324333124c3)
> From:
> <postmaster@infotecnica.com.br>
>
>
>
> The email message sent to dev@archonet.com requires a confirmation to 
> be delivered. Please, answer this email informing the characters that 
> you see in the image below
>
>
>   

Receipt of messages like this is guaranteed an immediate entry in my 
junk filter. Use of this braindead software is bad enough, but being so 
clueless as not to whitelist a technical mailing list you subscribe to 
is truly horrible.

cheers

andrew


Re: Testing mail list

From
Gregory Stark
Date:
"Andrew Dunstan" <andrew@dunslane.net> writes:

> Receipt of messages like this is guaranteed an immediate entry in my junk
> filter. Use of this braindead software is bad enough, but being so clueless as
> not to whitelist a technical mailing list you subscribe to is truly horrible.

It's worse than that in this case. This is an *impressively* broken
configuration. What appears to be happening is that the mail server at this
university is looking at the To and From headers and treating it as a personal
email between those two addresses. It sends this captcha to the From header
claiming that the person in the To header is insisting on the captcha being
filled out. The first such bounce I looked at actually claimed it was on Tom's
behalf!

If I were the list maintainer here I would ban infotecnica.com.br addresses
from subscribing to any of our lists. Ideally with a message saying "as a
result of misconfigured mail software addresses from infotecnica.com.br are
banned from pgsql mailing lists. Please contact your postmaster to request
they fix the problems"

--
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
  Ask me about EnterpriseDB's Slony Replication support!


Re: Testing mail list

From
Alvaro Herrera
Date:
On Wed, Dec 19, 2007 at 01:09:39PM +0000, Gregory Stark wrote:

> If I were the list maintainer here I would ban infotecnica.com.br addresses
> from subscribing to any of our lists. Ideally with a message saying "as a
> result of misconfigured mail software addresses from infotecnica.com.br are
> banned from pgsql mailing lists. Please contact your postmaster to request
> they fix the problems"

Right.  Problem is, I checked and I found no infotecnica.com.br
addresses subscribed to pgsql-hackers.

Are you sure it was mail from -hackers that caused the problem?  I have
seen the bounce myself but never made much of it (even though I agreed
it was quite broken).

-- 
Alvaro Herrera                 http://www.amazon.com/gp/registry/DXLWNGRJD34J
The web brings people together because no matter what kind of sexual mutant
you are, you have millions of possible partners. Search for "people who have
sex with deer that are on fire", and the computer will say "specify the type of deer"
(Jason Alexander)


Re: Testing mail list

From
Andrew Dunstan
Date:

Alvaro Herrera wrote:
> On Wed, Dec 19, 2007 at 01:09:39PM +0000, Gregory Stark wrote:
>
>   
>> If I were the list maintainer here I would ban infotecnica.com.br addresses
>> from subscribing to any of our lists. Ideally with a message saying "as a
>> result of misconfigured mail software addresses from infotecnica.com.br are
>> banned from pgsql mailing lists. Please contact your postmaster to request
>> they fix the problems"
>>     
>
> Right.  Problem is, I checked and I found no infotecnica.com.br
> addresses subscribed to pgsql-hackers.
>
> Are you sure it was mail from -hackers that caused the problem?  I have
> seen the bounce myself but never made much of it (even though I agreed
> it was quite broken).
>
>   

It could be via some mail <-> news or list <-> list gateway.

cheers

andrew


Re: Testing mail list

From
Tom Lane
Date:
Gregory Stark <stark@enterprisedb.com> writes:
> It's worse than that in this case. This is an *impressively* broken
> configuration.

Understatement of the week.  The mail includes absolutely no evidence
about what message is allegedly being filtered.  Are you sure that
this is really a filtering engine at all, and not just random spam
hoping to draw responses from careless people?  I've heard of web
comment-spammers who try to get other people to decode captchas
for them this way.

Adding to my suspicion is that I don't recall having seen one of these
personally, and if it were really tied to posting on any of the PG
lists, I shoulda seen a lot ;-)
        regards, tom lane


Re: Testing mail list

From
Alvaro Herrera
Date:
Tom Lane wrote:
> Gregory Stark <stark@enterprisedb.com> writes:
> > It's worse than that in this case. This is an *impressively* broken
> > configuration.
> 
> Understatement of the week.  The mail includes absolutely no evidence
> about what message is allegedly being filtered.  Are you sure that
> this is really a filtering engine at all, and not just random spam
> hoping to draw responses from careless people?  I've heard of web
> comment-spammers who try to get other people to decode captchas
> for them this way.
> 
> Adding to my suspicion is that I don't recall having seen one of these
> personally, and if it were really tied to posting on any of the PG
> lists, I shoulda seen a lot ;-)

Yeah, I think it comes from pgsql-performance.  I just got one
mentioning an address to which I had responded some minutes before.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.


Re: Testing mail list

From
Andrew Sullivan
Date:
On Wed, Dec 19, 2007 at 11:15:37AM -0500, Tom Lane wrote:
> hoping to draw responses from careless people?  I've heard of web
> comment-spammers who try to get other people to decode captchas
> for them this way.

Yes.  This is the latest spammer trick.  They get people all over the globe
to decode the captchas.  It's way easier than programming to decode the
captchas (which itself isn't that hard -- there are plenty of toolkits out
there that will decode such things for you).

A



Re: Testing mail list

From
Tom Lane
Date:
I wrote:
> Adding to my suspicion is that I don't recall having seen one of these
> personally,

I take that back --- some digging in my mail logs shows that I have
gotten a few of these, but they went straight to /dev/null because
my spam filters thought they were a virus.  Have you checked whether
that "gif" is really an image, rather than a bit of malware?

The mail-log trace of the last such attempt is pretty interesting too:

Dec 16 13:05:16 sss2 sm-mta[27362]: lBGI5G1g027362: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 16 13:05:16 sss2 sm-mta[27363]: lBGI5GFn027363: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 16 13:05:17 sss2 sm-mta[27365]: lBGI5HIe027365: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 16 13:05:52 sss2 sm-mta[27368]: lBGI5n2G027368: from=<root@infotecnica.com.br>, size=27892, class=0, nrcpts=1, msgid=<200712161805.lBGI59uu016307@infotecnica.com.br>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=infotecnica.com.br [201.35.247.5]
Dec 16 13:05:52 sss2 sm-mta[27369]: lBGI5n2G027368: to="|/usr/local/bin/procmail -tYf- || exit 75 #tgl", ctladdr=<tgl@sss.pgh.pa.us>(301/20), delay=00:00:02, xdelay=00:00:00, mailer=prog, pri=58095, dsn=2.0.0, stat=Sent

Since 11 December there are consistently three no-op connections before
anything actually happens, which adds a whole new layer of incompetence
that could be charged against whoever is running this, if it actually is
a mail server --- which I grow increasingly dubious of.  I also see a
whole lot of connection attempts in the preceding months in which
nothing was *ever* sent, just "did not issue MAIL" reports in bursts of
three.

Looks like spamhaus.org was blocking them for portions of last month,
too, so other people have been unhappy about this as well.

Whoever these people are, I've seen enough; I'm off to add this IP
address to my local permanent blacklist.
        regards, tom lane
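
The pattern described in the message above (bursts of connections that never issue MAIL, sometimes followed by a delivery from the same relay) can be pulled out of a sendmail log with a short script. This is an added example, not part of the thread; the function names, the 60-second window, the year default and the second set of log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines quoted in the message above, with the archive's wrapping undone.
PAGE_LINES = """\
Dec 16 13:05:16 sss2 sm-mta[27362]: lBGI5G1g027362: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 16 13:05:16 sss2 sm-mta[27363]: lBGI5GFn027363: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 16 13:05:17 sss2 sm-mta[27365]: lBGI5HIe027365: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 16 13:05:52 sss2 sm-mta[27368]: lBGI5n2G027368: from=<root@infotecnica.com.br>, size=27892, class=0, nrcpts=1, msgid=<200712161805.lBGI59uu016307@infotecnica.com.br>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=infotecnica.com.br [201.35.247.5]
"""
# Constructed lines (not from the thread): an earlier burst with no message after it.
CONSTRUCTED_LINES = """\
Nov 20 04:11:02 sss2 sm-mta[10001]: lAK9B2aa010001: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 20 04:11:02 sss2 sm-mta[10002]: lAK9B2ab010002: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 20 04:11:03 sss2 sm-mta[10004]: lAK9B3ac010004: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

HEAD = r"^(\w{3} +\d+ [\d:]{8}) \S+ sm-mta\[\d+\]: \w+: "
NOOP = re.compile(HEAD + r"\S+ \[([\d.]+)\] did not issue MAIL/EXPN/VRFY/ETRN")
MAIL = re.compile(HEAD + r"from=<([^>]*)>.*relay=\S+ \[([\d.]+)\]")

def parse_ts(stamp, year):
    # syslog stamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def noop_bursts(log_text, window=timedelta(seconds=60), year=2007):
    """Group no-op SMTP connections per relay IP into bursts and list the
    envelope senders that arrived from that IP within `window` afterwards."""
    noops, mails = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if m := NOOP.match(line):
            noops[m.group(2)].append(parse_ts(m.group(1), year))
        elif m := MAIL.match(line):
            mails[m.group(3)].append((parse_ts(m.group(1), year), m.group(2)))
    report = []
    for ip, times in noops.items():
        times.sort()
        burst = [times[0]]
        for t in times[1:] + [None]:          # None flushes the last burst
            if t is not None and t - burst[-1] <= window:
                burst.append(t)
                continue
            senders = [s for ts, s in mails[ip]
                       if timedelta(0) <= ts - burst[-1] <= window]
            report.append({"ip": ip, "count": len(burst),
                           "start": burst[0], "senders": senders})
            burst = [t]
    return report
```

Calling `noop_bursts(CONSTRUCTED_LINES + PAGE_LINES)` returns one entry per burst; an empty `senders` list marks a burst after which nothing was sent.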