Thread: Stopping link spam on the lists

Stopping link spam on the lists

From
Tom Lane
Date:
Seems like we are getting several of these per day now.  Can't we
moderate them away?  I'd humbly suggest that anything with
X-Pg-Spam-Score above about 3 ought to be held for moderation.

And another thing I'd be in favor of is forcibly unsubscribing any
account seen to have sent one of these.

            regards, tom lane


------- Forwarded Message

Return-Path: pgsql-jdbc-owner+M22815@postgresql.org
Delivery-Date: Fri Apr  6 12:18:03 2012
Received: from mx1.hub.org (mx1.hub.org [200.46.208.106])
    by sss.pgh.pa.us (8.14.2/8.14.2) with ESMTP id q36GI208001317
    for <tgl@sss.pgh.pa.us>; Fri, 6 Apr 2012 12:18:03 -0400 (EDT)
Received: from postgresql.org (mail.postgresql.org [200.46.204.86])
    by mx1.hub.org (Postfix) with ESMTP id 6FCB41EE899;
    Fri,  6 Apr 2012 13:18:01 -0300 (ADT)
Received: from makus.postgresql.org (makus.postgresql.org [98.129.198.125])
    by mail.postgresql.org (Postfix) with ESMTP id 700611BFF91C
    for <pgsql-jdbc@postgresql.org>; Fri,  6 Apr 2012 13:17:54 -0300 (ADT)
Received: from nm5.bullet.mail.ird.yahoo.com ([77.238.189.62])
    by makus.postgresql.org with smtp (Exim 4.72)
    (envelope-from <sezmillenium@yahoo.es>)
    id 1SGBrE-0004yp-KJ
    for pgsql-jdbc@postgresql.org; Fri, 06 Apr 2012 16:17:54 +0000
Received: from [77.238.189.233] by nm5.bullet.mail.ird.yahoo.com with NNFMP; 06 Apr 2012 16:17:39 -0000
Received: from [212.82.108.122] by tm14.bullet.mail.ird.yahoo.com with NNFMP; 06 Apr 2012 16:17:39 -0000
Received: from [127.0.0.1] by omp1031.mail.ird.yahoo.com with NNFMP; 06 Apr 2012 16:17:39 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 2498.22349.bm@omp1031.mail.ird.yahoo.com
Received: (qmail 22333 invoked by uid 60001); 6 Apr 2012 16:17:38 -0000
Received: from [41.143.20.111] by web29010.mail.ird.yahoo.com via HTTP; Fri, 06 Apr 2012 17:17:38 BST
X-Mailer: YahooMailWebService/0.8.117.340979
Message-ID: <1333729058.91235.YahooMailMobile@web29010.mail.ird.yahoo.com>
Date: Fri, 6 Apr 2012 17:17:38 +0100 (BST)
From: Sez Sez <sezmillenium@yahoo.es>
To: pgsql-jdbc@postgresql.org, commons-user@jakarta.apache.org,
        bulmailing@bulma.net, torque-user@db.apache.org,
        poptop-server@lists.sourceforge.net, squid-users@squid-cache.org,
        jetspeed-user@jakarta.apache.org, nekohtml-user@lists.sourceforge.net
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1758879879-1396127397-1333729058=:91235"
X-Pg-Spam-Score: 4.2 (++++)
X-Mailing-List: pgsql-jdbc
List-Archive: <http://archives.postgresql.org/pgsql-jdbc>
List-Help: <mailto:majordomo@postgresql.org?body=help>
List-ID: <pgsql-jdbc.postgresql.org>
List-Owner: <mailto:pgsql-jdbc-owner@postgresql.org>
List-Post: <mailto:pgsql-jdbc@postgresql.org>
List-Subscribe: <mailto:majordomo@postgresql.org?body=sub%20pgsql-jdbc>
List-Unsubscribe: <mailto:majordomo@postgresql.org?body=unsub%20pgsql-jdbc>
Precedence: bulk
Sender: pgsql-jdbc-owner@postgresql.org
Subject: [JDBC]

---1758879879-1396127397-1333729058=:91235
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<a href=3D"http://demo.fearphage.com/installation-should-be-removed/rmngl.h=
tml"> http://demo.fearphage.com/installation-should-be-removed/rmngl.html</=
a>
---1758879879-1396127397-1333729058=:91235
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<table cellspacing=3D"0" cellpadding=3D"0" border=3D"0"><tr><td valign=3D"t=
op" style=3D"font: inherit;"><div><a href=3D"http://demo.fearphage.com/inst=
allation-should-be-removed/rmngl.html"> http://demo.fearphage.com/installat=
ion-should-be-removed/rmngl.html</a></div></td></tr></table>
---1758879879-1396127397-1333729058=:91235--

------- End of Forwarded Message



Re: Stopping link spam on the lists

From
"Greg Sabino Mullane"
Date:


> Seems like we are getting several of these per day now.  Can't we
> moderate them away?  I'd humbly suggest that anything with
> X-Pg-Spam-Score above about 3 ought to be held for moderation.

+1

> And another thing I'd be in favor of is forcibly unsubscribing any
> account seen to have sent one of these.

+1, but I wonder if that matters - are these compromised accounts, 
or simply throwaway ones?

I wonder if the low level of complaints is because other people 
are filtering these out. For example, I've not seen any spam from 
the lists in years, due to the filtering that happens betwixt 
postgresql.org -> turnstep.com. :)

- -- 
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 201204061648
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8




Re: Stopping link spam on the lists

From
"Joshua D. Drake"
Date:
On 04/06/2012 01:48 PM, Greg Sabino Mullane wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
>
>> Seems like we are getting several of these per day now.  Can't we
>> moderate them away?  I'd humbly suggest that anything with
>> X-Pg-Spam-Score above about 3 ought to be held for moderation.
>
> +1

I would +1 this, "if" an HTML email doesn't trigger above 3.

JD


-- 
Command Prompt, Inc. - http://www.commandprompt.com/
PostgreSQL Support, Training, Professional Services and Development
The PostgreSQL Conference - http://www.postgresqlconference.org/
@cmdpromptinc - @postgresconf - 509-416-6579


Re: Stopping link spam on the lists

From
Tom Lane
Date:
"Greg Sabino Mullane" <greg@turnstep.com> writes:
>> And another thing I'd be in favor of is forcibly unsubscribing any
>> account seen to have sent one of these.

> +1, but I wonder if that matters - are these compromised accounts, 
> or simply throwaway ones?

Does it matter?  As long as they're spamming us more than once --- and
they are --- zapping them would be worth doing, I think.
        regards, tom lane


Re: Stopping link spam on the lists

From
Alvaro Herrera
Date:
Excerpts from Tom Lane's message of vie abr 06 18:05:17 -0300 2012:
> "Greg Sabino Mullane" <greg@turnstep.com> writes:
> >> And another thing I'd be in favor of is forcibly unsubscribing any
> >> account seen to have sent one of these.
>
> > +1, but I wonder if that matters - are these compromised accounts,
> > or simply throwaway ones?
>
> Does it matter?  As long as they're spamming us more than once --- and
> they are --- zapping them would be worth doing, I think.

I always immediately unregister (which is to say, unsubscribe from all
lists and remove access to postgresql.org's Majordomo) any account from
which I see one of these link spam messages.  The thing is, I'm not
subscribed to all lists, and I don't even read all those that I am
subscribed to.  So many of these messages are passing unseen by me, and
the accounts are not unsubscribed until later.

As far as I see these accounts are all inactive accounts that subscribed
many years ago but are no longer receiving any list.  This is common in
Yahoo accounts because they tend to cause a lot of bounces and so are
unsubscribed by Majordomo automatically.

The idea of moderating emails with a high spam score is probably worth
trying out.  I'll have to research a bit how it's done though.

--
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support


Re: Stopping link spam on the lists

From
"Greg Sabino Mullane"
Date:


>> +1, but I wonder if that matters - are these compromised accounts, 
>> or simply throwaway ones?

> Does it matter?  As long as they're spamming us more than once --- and
> they are --- zapping them would be worth doing, I think.

Well, if they were only doing it once, then it wouldn't matter. If 
they were not established accounts, we could also look into 
hardening our subscription process a bit. Since they appear to 
not be newly minted accounts, it's a moot point.

Of course, as usual, all of this talk is pretty pointless as the 
main person who should be involved here, Marc, is not subscribed 
to -www, last I heard. :(

- -- 
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 201204071254
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8




Re: Stopping link spam on the lists

From
Magnus Hagander
Date:
On Sat, Apr 7, 2012 at 18:55, Greg Sabino Mullane <greg@turnstep.com> wrote:
>
>
>>> +1, but I wonder if that matters - are these compromised accounts,
>>> or simply throwaway ones?
>
>> Does it matter?  As long as they're spamming us more than once --- and
>> they are --- zapping them would be worth doing, I think.
>
> Well, if they were only doing it once, then it wouldn't matter. If
> they were not established accounts, we could also look into
> hardening our subscription process a bit. Since they appear to
> not be newly minted accounts, it's a moot point.
>
> Of course, as usual, all of this talk is pretty pointless as the
> main person who should be involved here, Marc, is not subscribed
> to -www, last I heard. :(

He's not, but our incoming email no longer passes through the hub.org
antispam, and Alvaro has a decent clue on how the remaining pieces are
stitched together. (Work in progress to clean it up further, of
course, just currently on hold as Alvaro has been busy with the CF
work)

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


Re: Stopping link spam on the lists

From
Alvaro Herrera
Date:
Excerpts from Magnus Hagander's message of sáb abr 07 13:59:57 -0300 2012:
> On Sat, Apr 7, 2012 at 18:55, Greg Sabino Mullane <greg@turnstep.com> wrote:

> > Of course, as usual, all of this talk is pretty pointless as the
> > main person who should be involved here, Marc, is not subscribed
> > to -www, last I heard. :(
>
> He's not, but our incoming email no longer passes through the hub.org
> antispam, and Alvaro has a decent clue on how the remaining pieces are
> stitched together. (Work in progress to clean it up further, of
> course, just currently on hold as Alvaro has been busy with the CF
> work)

The remaining question, in my mind, is: is there a way to reliably
detect that link spam is just link spam and reject it altogether in
Spamassassin?  If that's the case, then we could do it at that level and
save the work downstream.  This is something that Stefan would have to
answer.

--
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support


Re: Stopping link spam on the lists

From
Tom Lane
Date:
Alvaro Herrera <alvherre@commandprompt.com> writes:
> The remaining question, in my mind, is: is there a way to reliably
> detect that link spam is just link spam and reject it altogether in
> Spamassassin?  If that's the case, then we could do it at that level and
> save the work downstream.  This is something that Stefan would have to
> answer.

FWIW, all the examples I have seen recently bore all of these traits:

* empty subject line (other than the [LISTNAME] prefix attached by our own forwarding code)
* no content to speak of except the payload link
* To: addressed to multiple unrelated addresses

I'm not sure how much the last point helps, unfortunately, because a
heck of a lot of what passes through our lists has multiple To:, and
I doubt it's practical for the spam filter to test how many of the
target addresses are people subscribed to the lists.  The empty subject
would be easy to test for, but surely the spammers will figure out
not to do that soon.

Anyway, what I've been seeing lately has all had X-pg-spam-score 3.5 or
more, which is what made me suggest that moderating on that basis would
improve matters.
        regards, tom lane


Re: Stopping link spam on the lists

From
"Greg Sabino Mullane"
Date:


> He's not, but our incoming email no longer passes through the hub.org
> antispam, and Alvaro has a decent clue on how the remaining pieces are
> stitched together.

Excellent, thanks. +1 then to Tom's idea of simply quarantining 
anything above a threshold. Would be ideal if there was a web-based 
form showing all such emails, across all lists, that moderators could 
simply approve or reject /pie-in-the-sky

- -- 
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 201204081120
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8





Re: Stopping link spam on the lists

From
Stefan Kaltenbrunner
Date:
On 04/08/2012 05:14 AM, Tom Lane wrote:
> Alvaro Herrera <alvherre@commandprompt.com> writes:
>> The remaining question, in my mind, is: is there a way to reliably
>> detect that link spam is just link spam and reject it altogether in
>> Spamassassin?  If that's the case, then we could do it at that level and
>> save the work downstream.  This is something that Stefan would have to
>> answer.
> 
> FWIW, all the examples I have seen recently bore all of these traits:
> 
> * empty subject line (other than the [LISTNAME] prefix attached by our
>   own forwarding code)
> * no content to speak of except the payload link
> * To: addressed to multiple unrelated addresses

well in principle there is no reason why we cannot give more weight to
mails given that description in our inbound mail system, which would
probably push those in a relatively selective way over the current
hard-inbound-reject threshold (which atm is fairly conservative given we
are still kinda fine-tuning the "new" system).

> 
> I'm not sure how much the last point helps, unfortunately, because a
> heck of a lot of what passes through our lists has multiple To:, and
> I doubt it's practical for the spam filter to test how many of the
> target addresses are people subscribed to the lists.  The empty subject
> would be easy to test for, but surely the spammers will figure out
> not to do that soon.
> 
> Anyway, what I've been seeing lately has all had X-pg-spam-score 3.5 or
> more, which is what made me suggest that moderating on that basis would
> improve matters.

any chance you can provide us with some pointers to these kind of mails,
I don't really have the bandwidth to follow that many lists and I don't
think I have seen one coming by on the lists I actually read regularly...

One important point to note is that only ~2% of our rejects are actually
based on heavy-style content filtering (based on SA and clamav); the
remaining 98% are getting dealt with much earlier in the pipeline and using
much lighter-weight stuff.

FWIW we actually passed approximately ~10000 mails (excluding traffic we
get from hub.org back as bounces) back to the actual listserver on April
10th.
Out of that a total of 140 mails would have exceeded an X-Pg-Spam-Score
of 3.5 (across all lists).
I have no idea whether making those "moderated by default" would
put an enormous amount of additional burden on the moderators or not,
given I have no idea what kind of mails need to get dealt with on a
typical day.



Stefan
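
Added example, not part of the thread and not the postgresql.org mail configuration: a sketch of the idea discussed in the two messages above, scoring Tom Lane's three traits on top of the existing X-Pg-Spam-Score and holding anything that ends up above the threshold. The trait weights, the 20-character limit, the function names and the two sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

HOLD_THRESHOLD = 3.0            # "above about 3", as suggested in the thread
LIST_DOMAIN = "postgresql.org"
# Extra weight per trait: assumed values, not the project's configuration.
WEIGHTS = {"empty_subject": 1.0, "link_only": 1.5, "unrelated_rcpts": 0.5}
LIST_TAG = re.compile(r"^\s*(\[[^\]]+\]\s*)+")   # e.g. "[JDBC] "
URL = re.compile(r"https?://\S+")

def base_score(msg):
    """Numeric part of a header such as 'X-Pg-Spam-Score: 4.2 (++++)'."""
    m = re.match(r"\s*(-?\d+(?:\.\d+)?)", str(msg.get("X-Pg-Spam-Score", "")))
    return float(m.group(1)) if m else 0.0

def traits(msg):
    subject = LIST_TAG.sub("", str(msg.get("Subject", "")), count=1).strip()
    text = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    text = re.sub(r"<[^>]+>", " ", text)   # HTML tags pasted into text/plain
    leftover = "".join(URL.sub("", text).split())
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = getaddresses([str(h) for h in hdrs])
    domains = {a.rpartition("@")[2].lower() for _, a in rcpts if "@" in a}
    return {
        "empty_subject": subject == "",
        "link_only": bool(URL.search(text)) and len(leftover) <= 20,
        "unrelated_rcpts": len(domains - {LIST_DOMAIN}) >= 2,
    }

def decide(raw):
    """Return (action, adjusted score, trait hits) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = traits(msg)
    score = base_score(msg) + sum(WEIGHTS[k] for k, v in hits.items() if v)
    return ("hold" if score > HOLD_THRESHOLD else "pass"), round(score, 1), hits

# Constructed sample messages (not taken from the list archives).
SPAM = """\
To: pgsql-jdbc@postgresql.org, users@lists.example.org, dev@example.com
Subject: [JDBC]
X-Pg-Spam-Score: 2.4 (++)
Content-Type: text/plain; charset=utf-8

<a href="http://example.invalid/x.html"> http://example.invalid/x.html</a>
"""
HAM = """\
To: pgsql-jdbc@postgresql.org
Cc: dev@example.com
Subject: [JDBC] Re: setFetchSize ignored?
X-Pg-Spam-Score: 1.2 (+)

The driver only honours setFetchSize with autocommit off; details are at
http://example.invalid/docs.html
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM)):
        print(name, decide(raw))
```

The multiple-recipient trait carries the smallest weight because, as noted in the thread, much legitimate list traffic also has several To: addresses.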


Re: Stopping link spam on the lists

From
Tom Lane
Date:
Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes:
> On 04/08/2012 05:14 AM, Tom Lane wrote:
>> Anyway, what I've been seeing lately has all had X-pg-spam-score 3.5 or
>> more, which is what made me suggest that moderating on that basis would
>> improve matters.

> any chance you can provide us with some pointers to these kind of mails,
> I don't really have the bandwidth to follow that many lists and I don't
> think I have seen one coming by on the lists I actually read regularly...

There's been about one a day lately on pgsql-admin --- go to the
archives page and look for [no subject].  I see a few on pgsql-general
as well.  And I saw one today that broke the usual pattern of empty
subject, confirming my fear that the spammers won't be that dumb for
long:
http://archives.postgresql.org/pgsql-general/2012-04/msg00227.php
(although this one looks different enough that it might be a different
spam engine than what's been plaguing us lately)

> One important point to note is that only ~2% of our rejects are actually
> based on heavy-style content filtering (based on SA and clamav); the
> remaining 98% are getting dealt with much earlier in the pipeline and using
> much lighter-weight stuff.

Actually, the only reason I'm complaining is that the PG lists are so
well filtered that I do no additional filtering here.  If I were to let
loose my normal spam filters on the list traffic, I'd never see these
(nor, I fear, a lot of valid traffic).  So this is the price of success:
people expect perfection ;-)
        regards, tom lane


Re: Stopping link spam on the lists

From
Bruce Momjian
Date:
On Wed, Apr 11, 2012 at 02:59:08PM -0400, Tom Lane wrote:
> Actually, the only reason I'm complaining is that the PG lists are so
> well filtered that I do no additional filtering here.  If I were to let
> loose my normal spam filters on the list traffic, I'd never see these
> (nor, I fear, a lot of valid traffic).  So this is the price of success:
> people expect perfection ;-)

That is true for me as well --- all email from the postgresql.org
servers is white-listed on my server.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + It's impossible for everything to be true. +