[185582] in North American Network Operators' Group
Re: AW: Uptick in spam
daemon@ATHENA.MIT.EDU (Jim Popovitch)
Wed Oct 28 15:28:11 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <56307CC4.5070008@alvarezp.org>
Date: Wed, 28 Oct 2015 15:28:08 -0400
From: Jim Popovitch <jimpop@gmail.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Wed, Oct 28, 2015 at 3:44 AM, Octavio Alvarez
<octalnanog@alvarezp.org> wrote:
>
>
> On 10/27/2015 05:09 AM, Ian Smith wrote:
>>
>> On Mon, Oct 26, 2015 at 9:40 PM, Octavio Alvarez
>> <octalnanog@alvarezp.org> wrote:
>>
>> On 26/10/15 11:38, Jürgen Jaritsch wrote:
>> <snip>
>>
>> But it is originating all from different IP addresses. Who knows if
>> this is an attack to get *@jdlabs.fr blocked from NANOG and is just
>> getting its goal accomplished.
>>
>>
>>
>> This is the part that's been bugging me. Doesn't the NANOG server
>> implement SPF checking on inbound list mail? jdlabs.fr doesn't appear
>> to have an SPF record published. It seems to me that these messages
>> should have been dropped during the connection.
>
>
> That doesn't stop spam from hijacked accounts.
>
> For this case, an account was compromised, apparently.
There was no account compromise, it was only oddball webservers that
were compromised and then used in a spam run where the From was set to
a nanog subscriber's email address.
> What if after 6 messages in the last 5 minutes with the same or absent
> 'In-Reply-To' moves the account to moderation mode.
>
> Easier said than implemented, though.
>
This is already under consideration, by me, for a mailman patch.
It's a good idea that has been around for a while and is well worth
having as an option.
-Jim P.
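
Added example, not part of the original message and not Mailman code: a sketch of the burst heuristic discussed above (6 posts within 5 minutes sharing the same or an absent In-Reply-To put the sender on moderation). The class and function names, the example.org addresses, and the choice that the sixth post is the one that trips the hold are assumptions.

```python
from collections import defaultdict, deque
from email import message_from_string
from email.utils import parseaddr

WINDOW_SECONDS = 5 * 60  # "the last 5 minutes"
THRESHOLD = 6            # assumption: the 6th message in the window trips the hold


class BurstModerator:
    """Hypothetical helper, not a Mailman class."""

    def __init__(self):
        self.recent = defaultdict(deque)  # (sender, In-Reply-To) -> arrival times
        self.moderated = set()            # senders switched to moderation

    def check(self, raw_message, received_at):
        """Return 'hold' or 'accept' for one inbound post.

        received_at is the list server's own arrival time in seconds; the
        Date header is sender-controlled and is deliberately not used.
        """
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in self.moderated:
            return "hold"
        # A missing In-Reply-To is its own bucket (""), matching "same or absent".
        thread = (msg.get("In-Reply-To") or "").strip()
        times = self.recent[(sender, thread)]
        times.append(received_at)
        while received_at - times[0] > WINDOW_SECONDS:
            times.popleft()
        if len(times) >= THRESHOLD:
            self.moderated.add(sender)
            return "hold"
        return "accept"


def sample_post(sender, in_reply_to=None):
    """Build a constructed message for the demo (not real list traffic)."""
    headers = [f"From: {sender}", "To: list@example.org", "Subject: test"]
    if in_reply_to:
        headers.append(f"In-Reply-To: {in_reply_to}")
    return "\n".join(headers) + "\n\nbody\n"


def run_demo():
    mod = BurstModerator()
    burst = [mod.check(sample_post("Sub <sub@example.org>"), 1000 + 10 * i) for i in range(7)]
    slow = [mod.check(sample_post("other@example.org", "<a@example.org>"), 1000 + 120 * i) for i in range(7)]
    return burst, slow
```

Because the check keys on the From header, a run that forges a subscriber's address is held along with that subscriber's genuine posts until a moderator clears the flag.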