xpbargains.net spam [was: Re: 'Broadcom Wireless b/g (BCM4315/BCM22062000)']

Ian Smith smithi at nimnet.asn.au
Fri Dec 10 13:47:38 UTC 2010

In freebsd-questions Digest, Vol 340, Issue 11, Message: 27
On Fri, 10 Dec 2010 00:54:37 -0500
 > On Sun, Nov 7, 2010 at 9:54 AM, Paul B Mahol <onemda at gmail.com> wrote:

No, he didn't.  These mails are FORGED as being from freebsd-questions 
participants, and on first glance may appear to be list postings.  They 
used to get posted to the list itself also, but postmaster@ blocked the 
nuisance source back in August.  However that doesn't stop them from 
targeting individual list participants, like you.

If you examine the full mail headers, it's likely to have originated 
from the following IP address.  If so, you just need to block that 
address at your mailserver.  But if they've moved, we need to know ..

Quoting from a message to postmaster@ in August:

 > As Roland pointed out, the phishing/virus/whatever referral has switched
 > from downwind.com.au to xpbargains.net, and possibly some others.
 > Here's the business:
 > % dig +short -x
 > allmail.0b2.net.
 > % dig +short allmail.0b2.net.
 > % dig +short dusk.parklogic.com
 > If you can discard by Message-ID then every one of these, including the
 > privately mailed ones, has @dusk.parklogic.com there.
 > If you can block by IP, then that's the one.  Or by hostname, every one
 > so far has been relayed by allmail.0b2.net (that's a zero).

So if the full headers reveal coming from that hostname or that IP or 
any other IP in, just block that and move on.

If it's a different address range now, please provide the full headers 
for the message you received, with a copy to postmaster at freebsd.org

Thanks, Ian  (please cc me on any reply, I take this list as a digest)
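
The header check described in the message above, as an added example that is not part of the original post: it flags a raw message whose Message-ID ends in @dusk.parklogic.com or whose hand-off to your own server came from allmail.0b2.net. The MX name mx.example.org, the Postfix/Sendmail-style Received layout and the sample messages (with documentation-range IP addresses) are assumptions.

```python
import re
from email import message_from_string

RELAY_HOST = "allmail.0b2.net"       # relay hostname named in the post
MSGID_DOMAIN = "dusk.parklogic.com"  # Message-ID domain named in the post
MY_MX = "mx.example.org"             # assumption: name your own MTA stamps after "by"

# Postfix/Sendmail-style hop: from <HELO> (<reverse DNS> [<IP>]) ... by <host>
HOP_RE = re.compile(r"from\s+\S+\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
                    r".*?\bby\s+(?P<by>\S+)", re.S)

def classify(raw):
    """Return (reasons, handoff); handoff is the (rdns, ip) our own MX recorded."""
    msg = message_from_string(raw)
    reasons, handoff = [], None
    msgid = (msg.get("Message-ID") or "").strip().strip("<>").lower()
    if msgid.endswith("@" + MSGID_DOMAIN):
        reasons.append("message-id")
    for hop in msg.get_all("Received", []):
        m = HOP_RE.search(hop)
        # Only the hop written by our own MX is trustworthy; anything
        # further down was supplied by the sender and can be invented.
        if m and m.group("by").lower() == MY_MX:
            handoff = (m.group("rdns").lower().rstrip("."), m.group("ip"))
            if handoff[0] == RELAY_HOST:
                reasons.append("relay")
            break
    return reasons, handoff

# Constructed samples; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
FORGED = (
    "Received: from allmail.0b2.net (allmail.0b2.net [192.0.2.25])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 4F2A1\n"
    "\tfor <me@example.org>; Fri, 10 Dec 2010 00:54:40 -0500\n"
    "Message-ID: <20101210055437.1234@dusk.parklogic.com>\n"
    "From: List Participant <participant@example.com>\n"
    "Subject: Re: constructed subject\n\nbody\n")
CLEAN = (
    "Received: from lists.example.net (lists.example.net [198.51.100.7])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 4F2A2\n"
    "\tfor <me@example.org>; Fri, 10 Dec 2010 01:02:03 -0500\n"
    "Message-ID: <20101210060200.5678@lists.example.net>\n"
    "From: List Participant <participant@example.com>\n"
    "Subject: Re: constructed subject\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("FORGED", FORGED), ("CLEAN", CLEAN)):
        print(name, classify(raw))
```

The returned hand-off pair is the address to compare against your block list, and the one to quote when reporting a new source.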
