[Dshield] List Problem?

stu secmail at patchsupplier.dyndns.org
Tue Aug 30 13:00:31 GMT 2005


Yeah it's strange, quite annoying too. If their mail is quarantined then
they will not get their posts from dshield. Initially I thought it was
dshield dishing them out because I got the mail back instantly before I
got my own post back through the mail list. 


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of jayjwa
Sent: 30 August 2005 04:50
To: General DShield Discussion List
Subject: Re: [Dshield] List Problem?


On Sun, 28 Aug 2005, stu wrote:

-> The last 2 posts I have made to the list resulted in me getting a mail
-> back:
-> 
-> Action Taken:
-> The message was quarantined and replaced with a text informing the
-> recipient of the action taken.
-> 
-> To:
-> General DShield Discussion List <list at lists.dshield.org>
-> 
-> From:
-> stu <secmail at patchsupplier.dyndns.org>
-> 
-> Sent:
-> -965133568,29731832
-> 
-> Subject:
-> Re: [Dshield] IRC BotNet Connection Question
-> 
-> Attachment Details:-
-> 
-> Attachment Name: N/A
-> File: Infected.msg
-> Infected? No
-> Repaired? No
-> Blocked? Yes
-> Deleted? No
-> Virus Name:



Yes, the exact same thing happened to me. It appears that someone has made
a very bad decision to filter the list for common, everyday words. If you
check the header, you'll see it's not from Dshield, but some other server,
"naspers" or something to that effect:


Aug 27 09:58:23 atr2 sm-mta[9468]: NOQUEUE: connect from mail03.naspers.com [152.111.1.4]

Aug 27 09:58:23 atr2 sm-mta[9468]: j7RDwN0s009468: Milter (milter-regex): init success to negotiate

Aug 27 09:58:23 atr2 sm-mta[9468]: j7RDwN0s009468: Milter: connect to filters

Aug 27 09:58:28 atr2 sm-mta[9468]: j7RDwN0s009468: from=<NAINASSITE01NDSXCH03 at media24.com>, size=5007, class=0, nrcpts=1, msgid=<16E8656C063C6D46BA77995C917BB0CA0A037FF7 at ndsxch03.naspers.com>, proto=ESMTP, daemon=MTA, relay=mail03.naspers.com [152.111.1.4]

Aug 27 09:58:28 atr2 sm-mta[9468]: j7RDwN0s009468: Milter accept: message

Aug 27 09:58:28 atr2 sm-mta[9470]: j7RDwN0s009468: to=<jayjwa at atr2.ath.cx>, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=35212, dsn=2.0.0, stat=Sent

Aug 27 09:58:28 atr2 sm-mta[9470]: j7RDwN0s009468: done; delay=00:00:02, ntries=1


I simply banned the server (another plus of running your own mailserver).
Good thing too, because not even a full hour later, there it was again
spamming out its bounces:


Aug 27 10:32:39 atr2 sm-mta[9541]: NOQUEUE: connect from mail03.naspers.com [152.111.1.4]

Aug 27 10:32:39 atr2 sm-mta[9541]: ruleset=check_relay, arg1=mail03.naspers.com, arg2=152.111.1.4, relay=mail03.naspers.com [152.111.1.4], reject=550 5.0.0 [BANNED] for malfunctioning AV scanner which spams bounces.


To top it all off, there's a MS attachment at the end, something which
made sense neither base64'ed nor de-base64'ed.





_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list


