[discuss] ❣some new stuff

Olivier MJ Crépin-Leblond ocl at gih.com
Tue May 23 12:51:34 UTC 2017


Dear Carlos,

if SPF was strictly enforced, like what Google does these days, this
basic junk spam wouldn't make it anywhere.

The problem is that we're designing all of these wonderful ways to clean
our mailboxes from junk, yet we do not practice what we preach, nor do
we make full use of what we have designed.

I too have seen this spam on so many poorly run mailman mailing lists.
Funny to see that it's Patrik's address that was spoofed, Frobbit being
such a "full featured" domain with SPF, DNSSEC etc.

Time for a "spring clean" campaign.

Kindest regards,

Olivier

On 23/05/2017 12:55, Carlos Afonso wrote:
> Incredible. This spam is appearing in nearly every mailman service I am
> aware of (including ISOC's lists). It seems a vulnerability in the mail
> agent which seems unable to handle this kind of spoofing (or missing
> some anti-spoofing config). It happens in our lists here at Nupef as well.
>
> Most of these are coming from Vietnam's terminal broadband addresses. I
> assume they do not block port 25 for end users.
>
> Below is the full header source of the spam. As the domain 1net.org is
> under APNIC, I am also copying to Arth.
>
> frt rgds
>
> --c.a.
>
> On 23-05-17 07:31, paf wrote:
> >From - Tue May 23 07:44:58 2017
> X-Account-Key: account1
> X-UIDL: 0002fe7154ffae3d
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> X-Mozilla-Keys:
>
> Return-Path: <discuss-bounces at 1net.org>
> Delivered-To: ca at cafonso.ca
> Received: from localhost (localhost [127.0.0.1])
> 	by email.nupef.org.br (Postfix) with ESMTP id 08EDA14A674
> 	for <ca at cafonso.ca>; Tue, 23 May 2017 07:32:35 -0300 (BRT)
> X-Virus-Scanned: Debian amavisd-new at email.nupef.org.br
> X-Spam-Flag: NO
> X-Spam-Score: 1.495
> X-Spam-Level: *
> X-Spam-Status: No, score=1.495 tagged_above=1 required=4.5
> 	tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001,
> 	HTML_IMAGE_ONLY_24=1.618, HTML_IMAGE_RATIO_02=0.437,
> 	HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=1.347,
> 	T_RP_MATCHES_RCVD=-0.01, URI_TRY_3LD=0.001]
> 	autolearn=no autolearn_force=no
> Received: from email.nupef.org.br ([127.0.0.1])
> 	by localhost (email.nupef.org.br [127.0.0.1]) (amavisd-new, port 10024)
> 	with ESMTP id FNl4YrmHzOoV for <ca at cafonso.ca>;
> 	Tue, 23 May 2017 07:32:31 -0300 (BRT)
> Received: from 1net-mail.1net.org (1net-mail.1net.org
> [IPv6:2a01:7e00::f03c:91ff:fedb:250a])
> 	by email.nupef.org.br (Postfix) with ESMTPS id 0CA20148749
> 	for <ca at cafonso.ca>; Tue, 23 May 2017 07:32:30 -0300 (BRT)
> Received: from localhost ([::1] helo=1net-mail.1net.org)
> 	by 1net-mail.1net.org with esmtp (Exim 4.80.1)
> 	(envelope-from <discuss-bounces at 1net.org>)
> 	id 1dD76s-0003zu-Pe; Tue, 23 May 2017 10:32:14 +0000
> Received: from [14.176.142.144] (helo=static.vnpt.vn)
> 	by 1net-mail.1net.org with esmtp (Exim 4.80.1)
> 	(envelope-from <qaukb at static.vnpt.vn>) id 1dD76o-0003zT-WA
> 	for discuss at 1net.org; Tue, 23 May 2017 10:32:13 +0000
> From: "paf" <paf at frobbit.se>
> To: "discuss" <discuss at 1net.org>
> Date: Tue, 23 May 2017 06:31:48 -0400
> Message-ID: <1753787746.20170523133148 at frobbit.se>
> MIME-Version: 1.0
> X-1net-SpamScore: 21.3 (+++++++++++++++++++++)
> Subject: [discuss] =?utf-8?q?=E2=9D=A3some_new_stuff?=
> X-BeenThere: discuss at 1net.org
> X-Mailman-Version: 2.1.12
> Precedence: list
> List-Id: <discuss.1net.org>
> List-Unsubscribe: <http://1net-mail.1net.org/mailman/options/discuss>,
> 	<mailto:discuss-request at 1net.org?subject=unsubscribe>
> List-Archive: <http://1net-mail.1net.org/pipermail/discuss/>
> List-Post: <mailto:discuss at 1net.org>
> List-Help: <mailto:discuss-request at 1net.org?subject=help>
> List-Subscribe: <http://1net-mail.1net.org/mailman/listinfo/discuss>,
> 	<mailto:discuss-request at 1net.org?subject=subscribe>
> Content-Type: multipart/mixed;
> boundary="===============3320793257203812010=="
> Sender: discuss-bounces at 1net.org
> Errors-To: discuss-bounces at 1net.org
>
> --===============3320793257203812010==
> Content-Type: multipart/alternative;
>         boundary="_2C237DC2-DA16-4DDF-A725-EC67FFD0D977_"
>
>

-- 
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://1net-mail.1net.org/pipermail/discuss/attachments/20170523/23f61d49/attachment.html>


More information about the discuss mailing list