Fwd: Undeliverable: Re: sh[it] and What am I missing here?

Valeri Galtsev galtsev at kicp.uchicago.edu
Mon Jun 6 14:56:23 UTC 2016


On Mon, June 6, 2016 2:29 am, Ian Smith wrote:
> In freebsd-questions Digest, Vol 626, Issue 8, Message: 21
> On Sun, 05 Jun 2016 12:40:27 -0600 jd1008 <jd1008 at gmail.com>
>
>  > Why am I getting this after I reply to a post?
>  > The list must have a subscriber who is on a spamming server.
>  > If this continues, I believe I may have to unsubscribe to
>  > protect my machine from possible malware.
>  >
>  >
>  > Yo
>  >
>  >
>  > -------- Forwarded Message --------
>  > Subject: 	Undeliverable: Re: sh[it] and What am I missing here?
>  > Date: 	Sun, 5 Jun 2016 13:36:55 -0500
>  > From: 	Postmaster <postmaster at snaffler-net.bounceio.net>
>  > To: 	jd1008 at gmail.com
> [..]
>  >         There was a problem delivering your email to:
>  >
>  >
>  >         krad at snaffler.net
>
> Please DO NOT FORWARD spam and related material to this (or any) list.
>

Ian, I fully agree with you: people, do not amplify spam by forwarding the
whole thing to everybody.

Here is just a piece of information that I can vouch for to be true about
my copy of this spam. These are relevant lines added by _my_ server (which
I trust) about the host that delivered it (name and IP of my server are
obliterated purposefully):

Received: from mx09.bounceio.net (mx09.bounceio.net [192.237.151.9])
     by XXXX.uchicago.edu (Postfix) with ESMTP id 93F4DCB8C82
     for <galtsev at kicp.uchicago.edu>; Sun, 5 Jun 2016 22:04:56 -0500 (CDT)

Now, the rest of the header as well as the content of what that machine
sent me is not to be trusted (at least until one contacts that server
admin and decides to trust him/her/them). The domain it came from has
nothing to do with the recipient of the undelivered message, therefore this
server that delivered the message to me is either a rogue server, or is poorly
configured and is a source of backscatter (or trusts a different server that
is a source of backscatter). In any case it will be blocked on my
servers. This server, however, is part of a group with the same setup, and I
prefer to block the whole group. To get details I just use whois:

$ whois 192.237.151.9
...
BounceIO RACKS-8-1375277654480348 (NET-192-237-151-8-1) 192.237.151.8 - 192.237.151.15
...

(now I have the whole range of IPs I will block).

Is it reasonable to find out whether krad at snaffler.net is subscribed to
the mail list? No, in my opinion. He may be just an innocent victim, or his
domain (snaffler.net) may be a victim of a provider with poor configuration.
Either way, the above list of IP addresses is the culprit for me. A nice
way would be to attempt to contact their sysadmin (by sending e-mail to
the postmaster, postmaster at snaffler-net.bounceio.net, the address the bounce
message claimed to be sent from, and yes, it seems to exist in DNS).



> Then other people will lazily top-post and quote the whole bloody lot
> again, and again .. as just amply demonstrated.
>
> If you have any sort of problem with spam, or this sort of issue - that
> comes up here repeatedly - the correct thing to do is to forward the
> mail in question - including absolutely ALL of the mail headers - to
> postmaster at freebsd.org
>
> It is pointless, and annoying, to say "will someone please unsubscribe
> so-and-so from the list."  Postmaster is responsible for _scores_ of
> lists, and certainly hasn't time to read this one.  Direct mail to
> postmaster@, with sufficient detail to actually reveal the problem,
> usually has good results in my experience.
>
> Deleting all the crap, at the bottom of your (digest) message was:
>
>  > -------------- next part --------------
>  > An embedded message was scrubbed...
>  > From: jd1008 <jd1008 at gmail.com>
>  > Subject: Re: sh[it] and What am I missing here?
>  > Date: Sun, 05 Jun 2016 12:26:28 -0600
>  > Size: 7858
>  > URL:
> <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20160605/8f39576e/attachment-0001.eml>
>
> If you download that attachment you then have all the headers needed by
> postmaster@ to see the problem delivery.  Hint: the message was actually
>
> Delivered-To: chrisscott1066 at tiscali.co.uk
> Received: from cm12gb1 (10.101.251.12) by mail.svcgb1.int.opaltelecom.net
>  (8.6.141.03) id 574E52E2004546F2 for chris_scott at ukgateway.net;
>  Sun, 5 Jun 2016 19:26:59 +0100
> Received: from mx2.freebsd.org ([8.8.178.116]) by mx.talktalk.net with SMTP
>  id 9clFbbvm5kpdi9clGbuKNn; Sun, 05 Jun 2016 19:26:59 +0100
> X-Delivered-To: chris_scott at ukgateway.net
> Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
>  (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
>  (No client certificate requested)
>  by mx2.freebsd.org (Postfix) with ESMTPS id 6D77E6CAA2;
>  Sun,  5 Jun 2016 18:26:56 +0000 (UTC)
>  (envelope-from owner-freebsd-questions at freebsd.org)
>
> And as you'll see, went through a very circuitous path, via some very
> screwy looking servers .. note this one:
>
> X-SMTP-MAILFROM:
> <srs0=hysflox2=r5=freebsd.org=owner-freebsd-questions at tiscali.co.uk>
>
> Seems tiscali.co.uk is in the mix; owner-freebsd-questions at freebsd.org
> was the original sender, so that one at least is forged.
>
> I'll do you the favour of copying this mail to postmaster at freebsd.org
> but in future please don't spam the list with this sort of stuff, ta!
>
> Ian
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
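
Added example, not part of the original message: a Python sketch of the triage described above, which reads only the topmost Received header (the one stamped by the receiving MTA), extracts the connecting IP, and converts the whois "first - last" allocation into CIDR form for a blocklist. The host name XXXX.uchicago.edu is the page's own redaction used as a placeholder, the second Received header is a constructed forgery, and the function names are hypothetical.

```python
import email
import ipaddress
import re

TRUSTED_MTA = "XXXX.uchicago.edu"  # placeholder: the page redacts the real name

# Constructed sample. The first Received header is the one quoted in the
# message; the second is a made-up forgery that merely claims the trusted MTA.
RAW = """\
Received: from mx09.bounceio.net (mx09.bounceio.net [192.237.151.9])
     by XXXX.uchicago.edu (Postfix) with ESMTP id 93F4DCB8C82
     for <galtsev at kicp.uchicago.edu>; Sun, 5 Jun 2016 22:04:56 -0500 (CDT)
Received: from mail.example.org (mail.example.org [203.0.113.5])
     by XXXX.uchicago.edu (Postfix) with ESMTP id 0000000000
     for <galtsev at kicp.uchicago.edu>; Sun, 5 Jun 2016 21:00:00 -0500 (CDT)
Subject: Undeliverable: constructed sample

body
"""

# Postfix-style hop: from HELO (rDNS [IP]) by HOST ...
HOP = re.compile(r"^from \S+ \(\S+ \[(?:IPv6:)?([0-9A-Fa-f.:]+)\]\) by (\S+)")

def trusted_peer(raw, trusted=TRUSTED_MTA):
    # Only the topmost Received header counts: it was added last, by the
    # receiving MTA. Everything below it was supplied by the sending side.
    hops = email.message_from_string(raw).get_all("Received") or []
    if not hops:
        return None
    m = HOP.match(" ".join(hops[0].split()))  # unfold continuation lines
    if not m or m.group(2).lower() != trusted.lower():
        return None
    return ipaddress.ip_address(m.group(1))

def whois_range_to_cidrs(first, last):
    # Minimal list of CIDR blocks covering a whois "first - last" allocation.
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def block_list(raw, first, last):
    # Emit CIDRs only if the peer our MTA recorded really lies in the range.
    peer = trusted_peer(raw)
    nets = whois_range_to_cidrs(first, last)
    if peer is None or not any(peer in n for n in nets):
        return []
    return [str(n) for n in nets]

if __name__ == "__main__":
    print(block_list(RAW, "192.237.151.8", "192.237.151.15"))
```
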





