Thread: More link spam getting through to the lists
Lately I've been seeing about one a day of these obvious spams on the lists. Can we do anything to block them? It mostly seems to be from gmail, though I'm not sure that's helpful for filtering purposes.

regards, tom lane

------- Forwarded Message

Return-Path: pgsql-general-owner+M176620@postgresql.org
Delivery-Date: Wed Jun 8 13:01:58 2011
Received: from mx1.hub.org (mx1.hub.org [200.46.208.106])
    by sss.pgh.pa.us (8.14.2/8.14.2) with ESMTP id p58H1v5p014508
    for <tgl@sss.pgh.pa.us>; Wed, 8 Jun 2011 13:01:58 -0400 (EDT)
Received: from postgresql.org (mail.postgresql.org [200.46.204.86])
    by mx1.hub.org (Postfix) with ESMTP id CE89D27FE07A;
    Wed, 8 Jun 2011 14:01:54 -0300 (ADT)
Received: from maia.hub.org (maia-5.hub.org [200.46.204.29])
    by mail.postgresql.org (Postfix) with ESMTP id 56C63B5DF14
    for <pgsql-general-postgresql.org@mail.postgresql.org>; Wed, 8 Jun 2011 14:01:20 -0300 (ADT)
Received: from mail.postgresql.org ([200.46.204.86])
    by maia.hub.org (mx1.hub.org [200.46.204.29]) (amavisd-maia, port 10024)
    with ESMTP id 19945-02
    for <pgsql-general-postgresql.org@mail.postgresql.org>;
    Wed, 8 Jun 2011 17:01:17 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-qy0-f196.google.com (mail-qy0-f196.google.com [209.85.216.196])
    by mail.postgresql.org (Postfix) with ESMTP id 4C938B5DF13
    for <pgsql-general@postgresql.org>; Wed, 8 Jun 2011 14:01:17 -0300 (ADT)
Received: by qyk35 with SMTP id 35so57527qyk.7
    for <pgsql-general@postgresql.org>; Wed, 08 Jun 2011 10:01:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=gamma;
    h=domainkey-signature:mime-version:date:message-id:subject:from:to
    :content-type;
    bh=UfJi9a04+0b0OmXcSG0SUsIOM0isuMc4L1UZNdChISo=;
    b=m/sy0aR9+8nUv7ET42QisKWOXrBPF/m2x0QBxOPJrozZu//FLku0RCog2+3ra7i6ET
    UeCXPt0aJFU3sK7kyWdp4Zim7bceBDflGPPXBVy/O9L77ZHm42erEwWFMoROq5cs/HrK
    oSe8X7FM72vger8CgpBZUvspZu1y/vH+dV6UY=
DomainKey-Signature: a=rsa-sha1; c=nofws;
    d=gmail.com; s=gamma;
    h=mime-version:date:message-id:subject:from:to:content-type;
    b=jfColABQMYePwBWTSrxprqa2MszNxpKN91HfeqcY/Gn3ihhdG9ATJJqR2SqrHv5h24
    aAnS788JbxnWCXE86Z7or8rKCa6+lUjxOdYlI45Z9LTajmS/XlERzQNveSe8WEn+D4/z
    Jz1uD3Y0MJJ5gyMWMqY7QOKR7P9Sqk83qgZ5U=
MIME-Version: 1.0
Received: by 10.229.127.104 with SMTP id f40mr5709455qcs.48.1307552476721;
    Wed, 08 Jun 2011 10:01:16 -0700 (PDT)
Received: by 10.229.95.8 with HTTP; Wed, 8 Jun 2011 10:01:16 -0700 (PDT)
Date: Wed, 8 Jun 2011 18:01:16 +0100
Message-ID: <BANLkTi=iG=5MeyMf0r4OY8i0f_nr=T6U4g@mail.gmail.com>
Subject: [GENERAL]
From: Callum Scott <scott.callum@gmail.com>
To: paul.connelly1@o2.co.uk, peterbratcher@hotmail.com,
    peter.cruickshank@gmail.com, petercruikshank@gmail.com,
    colinpeters@fvhost.org.uk, pgsql-general@postgresql.org,
    info@power-adapters.co.uk, rathgild@gmail.com, redmanifesto@gmail.com,
    register@dum.acc.umu.se
Content-Type: text/plain; charset=ISO-8859-1
X-Virus-Scanned: Maia Mailguard 1.0.1
X-Spam-Status: No, hits=-1.887 tagged_above=-5 required=5 tests=BAYES_00=-1.9,
    FREEMAIL_FROM=0.001, RFC_ABUSE_POST=0.001, TVD_SPACE_RATIO=0.001,
    T_TO_NO_BRKTS_FREEMAIL=0.01
X-Spam-Level:
X-Mailing-List: pgsql-general
List-Archive: <http://archives.postgresql.org/pgsql-general>
List-Help: <mailto:majordomo@postgresql.org?body=help>
List-ID: <pgsql-general.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@postgresql.org>
List-Post: <mailto:pgsql-general@postgresql.org>
List-Subscribe: <mailto:majordomo@postgresql.org?body=sub%20pgsql-general>
List-Unsubscribe: <mailto:majordomo@postgresql.org?body=unsub%20pgsql-general>
Precedence: bulk
Sender: pgsql-general-owner@postgresql.org

http://alkiosco.com/lindex02.html

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

------- End of Forwarded Message

This was posted by someone who was actually a subscriber to the list. And does have DKIM signatures from gmail - though I don't have the tools to verify them.

It indicates to me that either someone got their account(s) hacked and used to send it, or a spammer is sophisticated enough to create a gmail account and subscribed it to the list before they post.. Which seems quite advanced..

//Magnus

On Wed, Jun 8, 2011 at 19:18, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Lately I've been seeing about one a day of these obvious spams on the
> lists. Can we do anything to block them? It mostly seems to be from
> gmail, though I'm not sure that's helpful for filtering purposes.
>
> regards, tom lane

Magnus Hagander <magnus@hagander.net> writes:
> This was posted by someone who was actually a subscriber to the list.
> And does have DKIM signatures from gmail - though I don't have the
> tools to verify them.
> It indicates to me that either someone got their account(s) hacked and
> used to send it, or a spammer is sophisticated enough to create a
> gmail account and subscribed it to the list before they post.. Which
> seems quite advanced..

Hard to tell which it is. I believe we've seen these from a number of different gmail accounts. Do we have logs showing how long somebody's been subscribed? If they were recent subscribers I'd think the latter, else more likely the former.

regards, tom lane

On Wed, Jun 8, 2011 at 23:14, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> This was posted by someone who was actually a subscriber to the list.
>> And does have DKIM signatures from gmail - though I don't have the
>> tools to verify them.
>
>> It indicates to me that either someone got their account(s) hacked and
>> used to send it, or a spammer is sophisticated enough to create a
>> gmail account and subscribed it to the list before they post.. Which
>> seems quite advanced..
>
> Hard to tell which it is. I believe we've seen these from a number of
> different gmail accounts. Do we have logs showing how long somebody's
> been subscribed? If they were recent subscribers I'd think the latter,
> else more likely the former.

No idea, unfortunately. Marc/Alvaro, do we have such a log?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Excerpts from Magnus Hagander's message of jue jun 09 07:14:24 -0400 2011:
> On Wed, Jun 8, 2011 at 23:14, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > Magnus Hagander <magnus@hagander.net> writes:
> >> This was posted by someone who was actually a subscriber to the list.
> >> And does have DKIM signatures from gmail - though I don't have the
> >> tools to verify them.
> >
> >> It indicates to me that either someone got their account(s) hacked and
> >> used to send it, or a spammer is sophisticated enough to create a
> >> gmail account and subscribed it to the list before they post.. Which
> >> seems quite advanced..
> >
> > Hard to tell which it is. I believe we've seen these from a number of
> > different gmail accounts. Do we have logs showing how long somebody's
> > been subscribed? If they were recent subscribers I'd think the latter,
> > else more likely the former.
>
> No idea, unfortunately. Marc/Alvaro, do we have such a log?

I don't think so, no. Majordomo doesn't seem to keep it. I have one for the Spanish list, of course, but that's just the emails that Majordomo sends me to notify of the subscription changes. I somehow doubt that Marc is going to keep them for all lists.

As far as this problem goes, anyway, I've sort of seen a similar problem in the Spanish list: some long-subscribed fellow seems to get "something" in their Hotmail account (I've seen a couple from Gmail as well, but Hotmail seems to be more frequently affected) and they start sending link spam such as the above.

What I did in that case was to add a rule that sends to moderation all emails with

/^Message-Id:.*phx.gbl/i

This blocks all the bad ones coming from Hotmail, as well as some legitimate Hotmail email. (Fortunately we have very few active Hotmail users anyway).

I have not looked into Gmail spam. Clearly, marking all email from gmail.com for moderation is not practical.

--
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

Alvaro Herrera <alvherre@commandprompt.com> writes:
> As far as this problem goes, anyway, I've sort of seen a similar problem
> in the Spanish list: some long-subscribed fellow seems to get
> "something" in their Hotmail account (I've seen a couple from Gmail as
> well, but Hotmail seems to be more frequently affected) and they start
> sending link spam such as the above.
> What I did in that case was to add a rule that sends to moderation all
> emails with
> /^Message-Id:.*phx.gbl/i
> This blocks all the bad ones coming from Hotmail, as well as some
> legitimate Hotmail email. (Fortunately we have very few active Hotmail
> users anyway).
> I have not looked into Gmail spam. Clearly, marking all email from
> gmail.com for moderation is not practical.

Yeah, I agree. From the examples I've seen so far, the spams contain nothing in the body except a URL; but I don't know whether it's practical to write a spamassassin test for that.

regards, tom lane

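The two filters discussed in the messages above, Alvaro's Message-Id rule and Tom's observation that the spam body is nothing but a URL, sketched as one hold-for-moderation check. This is an added example, not code from the thread or from the lists' Majordomo or SpamAssassin configuration; the function names, reason strings and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Alvaro's rule from the thread, with the dot escaped (assumption: the intent
# was the literal suffix "phx.gbl" seen in Hotmail Message-Ids).
HOTMAIL_MSGID = re.compile(r"phx\.gbl", re.IGNORECASE)
# A line that is a single http(s) URL and nothing else.
URL_ONLY = re.compile(r"https?://\S+", re.IGNORECASE)
# Signature/footer separator ("-- "), as in the list footer of the forwarded spam.
FOOTER = re.compile(r"^--[ \t]*\r?$", re.MULTILINE)


def body_text(msg):
    """Decoded text of a single-part message with the list footer cut off."""
    payload = msg.get_payload(decode=True) or b""  # None for multipart
    text = payload.decode("latin-1")  # never fails; URLs are ASCII anyway
    cut = FOOTER.search(text)
    return text[:cut.start()] if cut else text


def moderation_reasons(raw):
    """Return why a message should be held for moderation ([] = deliver)."""
    msg = message_from_string(raw)
    reasons = []
    if HOTMAIL_MSGID.search(msg.get("Message-Id", "")):
        reasons.append("hotmail-message-id")
    lines = [ln.strip() for ln in body_text(msg).splitlines() if ln.strip()]
    if len(lines) == 1 and URL_ONLY.fullmatch(lines[0]):
        reasons.append("url-only-body")
    return reasons


# Constructed sample messages (not taken from the list archives).
SPAM = ("From: subscriber@example.com\nMessage-Id: <constructed-1@mail.example.com>\n"
        "Subject: [GENERAL]\n\nhttp://spam.example/index02.html\n\n-- \n"
        "Sent via pgsql-general mailing list\n")
HOTMAIL = ("From: user@example.com\nMessage-Id: <BLU0-W1@phx.gbl>\n"
           "Subject: [GENERAL] vacuum\n\nHow often should I run VACUUM?\n")
LEGIT = ("From: user@example.org\nMessage-Id: <constructed-2@example.org>\n"
         "Subject: [GENERAL] docs\n\nThe answer is in the manual:\n"
         "http://www.postgresql.org/docs/\n")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("hotmail", HOTMAIL), ("legit", LEGIT)):
        print(name, moderation_reasons(raw) or "deliver")
```

Holding rather than rejecting follows what Alvaro describes, since the Message-Id rule also catches legitimate Hotmail mail.
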
On Thu, Jun 9, 2011 at 3:32 PM, Alvaro Herrera <alvherre@commandprompt.com> wrote:
> As far as this problem goes, anyway, I've sort of seen a similar problem
> in the Spanish list: some long-subscribed fellow seems to get
> "something" in their Hotmail account (I've seen a couple from Gmail as
> well, but Hotmail seems to be more frequently affected) and they start
> sending link spam such as the above.

There's a reason Google has put so much effort into things like:

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

Hijacking webmail accounts is a huge problem. If you share passwords with any other service or use a guessable password I highly recommend turning on this feature.

Of course it doesn't help with our spam problems. The good news is that Google does track down these accounts and disable them (not so good news for the owners of the accounts but better than having someone else have access to your account indefinitely) but of course as long as the spammers have a continual supply of them that doesn't really help.

There might be a place you can report them, are we seeing more than one from any given account?

--
greg

Excerpts from Greg Stark's message of jue jun 09 12:12:11 -0400 2011:
> There might be a place you can report them, are we seeing more than
> one from any given account?

Not AFAICS. See

BANLkTi=iG=5MeyMf0r4OY8i0f_nr=T6U4g@mail.gmail.com
BANLkTimbFfmrGUgc89sYx-U6XX5rdPtyjg@mail.gmail.com
115101.47895.qm@web30801.mail.mud.yahoo.com

Three different accounts. Two of those addresses have legitimate email in archives.

--
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support