[Dshield] Interesting change in Phishing
cef at optus.net
Fri Feb 2 00:27:40 GMT 2007
On Friday 02 February 2007 08:14, Mark wrote:
> I received an "auto-responder" from a mail list
> informing me a mail I had purportedly sent was being
> held for moderator review. Issue is I never sent such
> an email. The email offered a link to cancel this
For mailman, this is actually pretty standard.
> This is a rather unique change as most recipients'
> first reaction would be to "cancel the post" as it
> obviously didn't come from them. Joe Six-Pack is
> likely to click on it because he doesn't want some
> other Joe Six-Pack sending stuff to lists using his
> Below is the actual email with the link broken up. I
> didn't click as I have zero time to "play" with it.
Looking at the mail you forwarded, the question here is whether
banwa<dot>upm<dot>edu<dot>ph actually hosts a mailman setup, or if it's
Searching Google for it found some relevant info:
It's the team address for one of the debian translation teams (tl = Tagalog).
My guess is that it's ended up in a spammer addressbook, and they've been
spamming places with forged From: addresses (yours is probably only one of
many they've used).
As someone who manages a few mailing lists with various sorts of mailing list
interfaces (mailman, Sympa), I know your pain. Only thing I can suggest is
that if you're managing the domain for your email address to start using
something like SPF, and then hope that other people pick it up and use it to
identify forged From: address spam.
PS: I get a LOT of these sorts of things, and on the mailing lists I run, I
try to minimise this sort of almost unavoidable back-scatter. But there is
only so much you can do in some of these situations. On the perverse side, I
am just waiting for some of the lists to receive spam that passes the filters
and has a forged From: address of one of the list members, get distributed to
everyone, and then getting one of the list servers reported for spamming by
some 'n00b' spamhaus reporter. *sigh*
Stuart Young - aka Cefiar - cef at optus.net