Sysadmins, Could you deal with this spam issue?
--
Sylvain

----- Forwarded message from Werner LEMBERG <[EMAIL PROTECTED]> -----

Date: Fri, 03 Jun 2005 21:25:29 +0200 (CEST)
To: savannah-hackers@gnu.org
From: Werner LEMBERG <[EMAIL PROTECTED]>
X-Mailer: Mew version 4.2.50 on Emacs 22.0.50.1 / Mule 5.0 (SAKAKI)
Subject: [Savannah-help-public] Fw: [Groff] Spam apparently from list -- again

Since the last internet worm there is again a bunch of spam emails sent to the groff list (and archived consequently) where only the contents are removed but not the emails themselves. Ted Harding's and my own email addresses are abused for that -- isn't it possible to suppress such emails?

[...]

Here is an analysis of the spam problem. Maybe it is helpful.

Werner

X-Mailer: XFMail 1.3-alpha-031298 [p0] on Linux
Date: Fri, 03 Jun 2005 18:21:02 +0100 (BST)
From: Ted Harding <[EMAIL PROTECTED]>
To: Peter Schaffter <[EMAIL PROTECTED]>
Subject: RE: [Groff] Spam apparently from list -- again
Cc: groff@gnu.org

On 03-Jun-05 Peter Schaffter wrote:
> I received six porno-spam emails today, apparently originating from
> list members (Werner and Ted). Three yesterday. As before, when
> this happened, the attachment is stripped off the email before I
> receive it, but the message still comes through.
>
> Here's a sample envelope+header, in case someone can make use of it.

You're not alone! I've been saving these for a while, and the one thing that you can definitely determine from the headers is that

a) Almost all of them "helo" as a machine on gnu.org (often monty-python.gnu.org, occasionally others), usually by IP address rather than name. However, this is easily forged, so there's no clue here (except that the originator knows about FQDNs/IP addresses on gnu.org).

b) Just about all of them are "Received from 194.2.22.250". This resolves to nat.isep.fr which has also been a source of previous waves of these things. Presumably this is picked up as the IP address of the connecting machine through which these mails are sent. I don't know if this item can be forged.

(The above summary covers mails going back to January 2005).

The domain isep.fr is the Institut Supérieur d'Électronique de Paris. Since the "nat" in "nat.isep.fr" could refer to a machine on the ISEP network which does NAT (Network Address Translation) it may not be possible to go further back down the line to the true source.

I can only think of two suggestions.

1. Does our list have a subscriber from the domain "isep.fr"? If so, then contacting that person may take the matter forward.

2. It could be worth while to contact the Net administrators at isep.fr on the grounds that we are getting persistent (and very specific) spam from that domain.

I'm no expert on the inner workings of all this sort of thing, and not being list administrator I can't find out about #1. So I can only suggest ... !

Best wishes,
Ted.

--------------------------------------------------------------------
E-Mail: (Ted Harding) <[EMAIL PROTECTED]>
Fax-to-email: +44 (0)870 094 0861
Date: 03-Jun-05 Time: 18:12:16
------------------------------ XFMail ------------------------------

_______________________________________________
Groff mailing list
Groff@gnu.org
http://lists.gnu.org/mailman/listinfo/groff

_______________________________________________
Savannah-help-public mailing list
[EMAIL PROTECTED]
http://lists.gnu.org/mailman/listinfo/savannah-hackers

----- End forwarded message -----
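
Added example, not part of the archived thread: a Python sketch of the header tally described in the forwarded analysis. It reads only the topmost Received line (the one the receiving server wrote itself) and flags messages whose HELO claims a name under the list's own domain while connecting from an outside address. It assumes Exim-style Received lines; the sample messages, lists.example.org and the 192.0.2.0/24 "own network" are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (the thread's real headers are not on the page).
# 194.2.22.250 and monty-python.gnu.org are the values quoted in the thread.
SAMPLES = [
    "Received: from [194.2.22.250] (helo=monty-python.gnu.org)\n"
    "\tby lists.example.org with esmtp (Exim 4.34) id 1AAA-01\n"
    "Received: from forged.invalid ([203.0.113.9]) by relay.invalid\n"
    "Subject: one\n\nbody\n",
    "Received: from [194.2.22.250] (helo=monty-python.gnu.org)\n"
    "\tby lists.example.org with esmtp (Exim 4.34) id 1BBB-02\n"
    "Subject: two\n\nbody\n",
    "Received: from mail.example.net ([198.51.100.7])\n"
    "\tby lists.example.org with esmtp (Exim 4.34) id 1CCC-03\n"
    "Subject: three\n\nbody\n",
]

def first_hop(raw):
    """Return (connecting_ip, helo_claim) from the topmost Received header.
    Lower Received lines were supplied by the sender and are ignored."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None, None
    top = " ".join(received[0].split())        # unfold continuation lines
    sender_part = top.split(" by ", 1)[0]      # text before "by <our host>"
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", sender_part)
    helo = re.search(r"helo=([^\s)]+)", sender_part)
    return (ip.group(1) if ip else None, helo.group(1) if helo else None)

def summarize(messages, own_domain, own_nets):
    """Tally connecting IPs and list (ip, helo) pairs where the HELO name
    claims own_domain but the connection came from outside own_nets."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    sources, forged = Counter(), []
    for raw in messages:
        ip, helo = first_hop(raw)
        if ip is None:
            continue
        sources[ip] += 1
        inside = any(ipaddress.ip_address(ip) in n for n in nets)
        name = (helo or "").lower()
        claims_own = name == own_domain or name.endswith("." + own_domain)
        if claims_own and not inside:
            forged.append((ip, helo))
    return sources, forged
```

Calling `summarize(SAMPLES, "gnu.org", ["192.0.2.0/24"])` returns the per-IP counts and the mismatched HELO claims; the second Received line in the first sample is deliberately bogus to show that it does not affect the result.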