RE: E-mail account disabling warning.
Andrew Savory <[EMAIL PROTECTED]> writes:
>
> Just an unfortunate coincidence that the virus spoofed a moderator :-(

Who says it was a coincidence? (Hey, even a paranoid can be a target of the malicious.)
Re: E-mail account disabling warning.
Hi,

On 3 Mar 2004, at 19:12, Steven Noels wrote:

That's what I was afraid of, since I happened to know Andrew uses *both* addresses (or has been using them), at the very least in private mails sent to me.

Yup, I was. Now I'm happily living in mac-land, just [EMAIL PROTECTED] Do I need to unsub savs@ and resub as [EMAIL PROTECTED] If so, where's the 'allow' list, as I should remove myself ...

Just an unfortunate coincidence that the virus spoofed a moderator :-(

Andrew.

--
Andrew Savory, Managing Director, Luminas Limited
Tel: +44 (0)870 741 6658 Fax: +44 (0)700 598 1135
Web: http://www.luminas.co.uk/
Orixo alliance: http://www.orixo.com/
Re: E-mail account disabling warning.
Is there any digital signer anyone recommends? What is the procedure? Can it be set automatic or is it something to remember and do every time?

-Thanks.

- Original Message -
From: "Stefano Mazzocchi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, March 03, 2004 4:24 PM
Subject: Re: E-mail account disabling warning.

> Steven Noels wrote:
>
> > On 03 Mar 2004, at 17:23, Brian Behlendorf wrote:
> >
> >> On Wed, 3 Mar 2004, Sam Ruby wrote:
> >>
> >>> Neither. This email contained:
> >>>
> >>> Return-Path: <[EMAIL PROTECTED]>
> >>> From: [EMAIL PROTECTED]
> >>>
> >>> ... neither of which is subscribed to [EMAIL PROTECTED]
> >>>
> >>> From what I have read, ezmlm uses a separate SMTP 'SENDER' field, which
> >>> isn't retained in the archive. My bets are that this field contained
> >>> the value [EMAIL PROTECTED]
> >>
> >>
> >> No. Return-Path does capture the email address used by ezmlm to figure
> >> out if and when to send. As it turns out, "[EMAIL PROTECTED]" is able
> >> to post as he's in the "allow" database for that list.
> >
> >
> > That's what I was afraid of, since I happened to know Andrew uses *both*
> > addresses (or has been using them), at the very least in private mails
> > sent to me.
> >
> > How can we defend ourselves from bots spamming the lists using
> > subscribed or allowed addresses...?
>
> the only way is to require everybody to sign their email. But enforcing
> this would be a serious PITA.
>
> > Or do we need to actively
> > monitor/clean up stale entries in the allow list?
>
> this doesn't really reduce the problem.
>
> --
> Stefano.
Re: E-mail account disabling warning.
Steven Noels wrote:

On 03 Mar 2004, at 17:23, Brian Behlendorf wrote:

On Wed, 3 Mar 2004, Sam Ruby wrote:

Neither. This email contained:

Return-Path: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]

... neither of which is subscribed to [EMAIL PROTECTED]

From what I have read, ezmlm uses a separate SMTP 'SENDER' field, which isn't retained in the archive. My bets are that this field contained the value [EMAIL PROTECTED]

No. Return-Path does capture the email address used by ezmlm to figure out if and when to send. As it turns out, "[EMAIL PROTECTED]" is able to post as he's in the "allow" database for that list.

That's what I was afraid of, since I happened to know Andrew uses *both* addresses (or has been using them), at the very least in private mails sent to me.

How can we defend ourselves from bots spamming the lists using subscribed or allowed addresses...?

the only way is to require everybody to sign their email. But enforcing this would be a serious PITA.

Or do we need to actively monitor/clean up stale entries in the allow list?

this doesn't really reduce the problem.

--
Stefano.

smime.p7s
Description: S/MIME Cryptographic Signature
RE: E-mail account disabling warning.
Steven Noels <[EMAIL PROTECTED]> writes:

> How can we defend ourselves from bots spamming the lists using
> subscribed or allowed addresses...? Or do we need to actively
> monitor/clean up stale entries in the allow list?

The same format of message also hit xml-dev this morning. Again, bounced through the list. Don't think you can really defend against. Nothing says that they just won't use forged headers of a regular user. You could try and verify that the mail server corresponds to the sender domain but for people on the road that likely ain't going to cut it. Quarantining all attachments (and forcing explicit download) might be workable?

I guess I'm going to have to stop using my regular e-mail address for this kind of thing and start maintaining yet another mail box (5 so far). So far our virus checkers have caught all this stuff but sooner or later someone's going to find a hole that doesn't rely on social engineering and doesn't get caught by the filters...
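Added example (not part of any message in this thread, and not ezmlm code): a Python sketch of a list-posting gate that authorises on the envelope sender, as the thread says ezmlm does with Return-Path, and then applies the attachment quarantine suggested in the message above. The example.org addresses, allow-list contents, file name and decision names are constructed for illustration, and the From/Return-Path comparison is an extra signal assumed here rather than something the thread proposes.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed data: example.org addresses stand in for the redacted ones.
ALLOW = {"moderator@example.org"}      # may post without being subscribed
SUBSCRIBERS = {"dev1@example.org"}

FORGED = (  # constructed sample: spoofed envelope sender plus an attachment
    "Return-Path: <moderator@example.org>\n"
    "From: administration@example.org\n"
    "Subject: E-mail account disabling warning.\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "Please, read the attach for further details.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="details.zip"\n'
    "Content-Transfer-Encoding: base64\n\n"
    "Y29uc3RydWN0ZWQ=\n"               # base64 of the word "constructed"
    "--b1--\n"
)

def envelope_sender(msg):
    """Address recorded in Return-Path, the value the list authorises on."""
    return str(msg.get("Return-Path", "")).strip().strip("<>").lower()

def gate(raw):
    """Return (decision, reasons) for one incoming post."""
    msg = message_from_string(raw, policy=policy.default)
    sender = envelope_sender(msg)
    if sender not in ALLOW | SUBSCRIBERS:
        return "moderate", ["envelope sender not subscribed or allowed"]
    # An address match proves nothing about who sent the mail, so the
    # remaining checks do not trust the claimed sender.
    reasons = []
    if parseaddr(str(msg.get("From", "")))[1].lower() != sender:
        reasons.append("From differs from envelope sender")  # signal only
    names = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    if names:
        reasons.append("attachments held: " + ", ".join(names))
    return ("quarantine" if reasons else "accept"), reasons

if __name__ == "__main__":
    print(gate(FORGED))
```

A forged post that uses an allowed address in both headers and carries no attachment is still accepted by this gate, which is the limit the thread runs into before turning to signed mail.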
Re: E-mail account disabling warning.
On 03 Mar 2004, at 17:23, Brian Behlendorf wrote:

On Wed, 3 Mar 2004, Sam Ruby wrote:

Neither. This email contained:

Return-Path: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]

... neither of which is subscribed to [EMAIL PROTECTED]

From what I have read, ezmlm uses a separate SMTP 'SENDER' field, which isn't retained in the archive. My bets are that this field contained the value [EMAIL PROTECTED]

No. Return-Path does capture the email address used by ezmlm to figure out if and when to send. As it turns out, "[EMAIL PROTECTED]" is able to post as he's in the "allow" database for that list.

That's what I was afraid of, since I happened to know Andrew uses *both* addresses (or has been using them), at the very least in private mails sent to me.

How can we defend ourselves from bots spamming the lists using subscribed or allowed addresses...? Or do we need to actively monitor/clean up stale entries in the allow list?

--
Steven Noels                            http://outerthought.org/
Outerthought - Open Source Java & XML            An Orixo Member
Read my weblog at            http://blogs.cocoondev.org/stevenn/
stevenn at outerthought.org                stevenn at apache.org
Re: E-mail account disabling warning.
On Wed, 3 Mar 2004, Sam Ruby wrote:

> Neither. This email contained:
>
> Return-Path: <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
>
> ... neither of which is subscribed to [EMAIL PROTECTED]
>
> From what I have read, ezmlm uses a separate SMTP 'SENDER' field, which
> isn't retained in the archive. My bets are that this field contained
> the value [EMAIL PROTECTED]

No. Return-Path does capture the email address used by ezmlm to figure out if and when to send. As it turns out, "[EMAIL PROTECTED]" is able to post as he's in the "allow" database for that list.

Brian
Re: E-mail account disabling warning.
Steven Noels wrote:

On 03 Mar 2004, at 15:19, Sam Ruby wrote:

Agreed. It looks to me like this was NOT moderated in. The dates don't match the files in /home/apmail/lists/cocoon.apache.org/dev/mod/accepted

The message contains the following header:

Return-Path: <[EMAIL PROTECTED]>

... which, may very well have been spoofed. In any case, Andrew Savory ([EMAIL PROTECTED]) subscribed to the [EMAIL PROTECTED] mailing list almost exactly two years ago (Sat Mar 2 09:54:49 PST 2002).

... and Andrew is coincidentally also one of the two moderators on this list. :-/

I'm not sure that that mattered.

Are we saying ezmlm checks the Return-Path header rather than the From?

Neither. This email contained:

Return-Path: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]

... neither of which is subscribed to [EMAIL PROTECTED]

From what I have read, ezmlm uses a separate SMTP 'SENDER' field, which isn't retained in the archive. My bets are that this field contained the value [EMAIL PROTECTED]

- Sam Ruby
Re: E-mail account disabling warning.
On 03 Mar 2004, at 15:19, Sam Ruby wrote:

Agreed. It looks to me like this was NOT moderated in. The dates don't match the files in /home/apmail/lists/cocoon.apache.org/dev/mod/accepted

The message contains the following header:

Return-Path: <[EMAIL PROTECTED]>

... which, may very well have been spoofed. In any case, Andrew Savory ([EMAIL PROTECTED]) subscribed to the [EMAIL PROTECTED] mailing list almost exactly two years ago (Sat Mar 2 09:54:49 PST 2002).

... and Andrew is coincidentally also one of the two moderators on this list. :-/

Are we saying ezmlm checks the Return-Path header rather than the From?

--
Steven Noels                            http://outerthought.org/
Outerthought - Open Source Java & XML            An Orixo Member
Read my weblog at            http://blogs.cocoondev.org/stevenn/
stevenn at outerthought.org                stevenn at apache.org
Re: E-mail account disabling warning.
Steven Noels wrote:

On 03 Mar 2004, at 14:30, Stefano Mazzocchi wrote:

[EMAIL PROTECTED] wrote:

Dear user of Apache.org gateway e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access.

Please, read the attach for further details.

Cheers,
The Apache.org team
http://www.apache.org

AGH! Who let this in?

Not me - Andrew? I'm starting to suspect they properly subscribed to the list prior to posting. :-|

Agreed. It looks to me like this was NOT moderated in. The dates don't match the files in /home/apmail/lists/cocoon.apache.org/dev/mod/accepted

The message contains the following header:

Return-Path: <[EMAIL PROTECTED]>

... which, may very well have been spoofed. In any case, Andrew Savory ([EMAIL PROTECTED]) subscribed to the [EMAIL PROTECTED] mailing list almost exactly two years ago (Sat Mar 2 09:54:49 PST 2002).

- Sam Ruby
Re: E-mail account disabling warning.
On 03 Mar 2004, at 14:30, Stefano Mazzocchi wrote:

[EMAIL PROTECTED] wrote:

Dear user of Apache.org gateway e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access.

Please, read the attach for further details.

Cheers,
The Apache.org team
http://www.apache.org

AGH! Who let this in?

Not me - Andrew? I'm starting to suspect they properly subscribed to the list prior to posting. :-|

--
Steven Noels                            http://outerthought.org/
Outerthought - Open Source Java & XML            An Orixo Member
Read my weblog at            http://blogs.cocoondev.org/stevenn/
stevenn at outerthought.org                stevenn at apache.org
Re: E-mail account disabling warning.
[EMAIL PROTECTED] wrote:

Dear user of Apache.org gateway e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access.

Please, read the attach for further details.

Cheers,
The Apache.org team
http://www.apache.org

AGH! Who let this in?

--
Stefano.

smime.p7s
Description: S/MIME Cryptographic Signature