[Dshield] Interesting change in Phishing

Cefiar cef at optus.net
Fri Feb 2 00:27:40 GMT 2007

On Friday 02 February 2007 08:14, Mark wrote:
> I received an "auto-responder" from a mail list
> informing me a mail I had purportedly sent was being
> held for moderator review. Issue is I never sent such
> an email. The email offered a link to cancel this
> post.

For mailman, this is actually pretty standard.

> This is a rather unique change as most recipients'
> first reaction would be to "cancel the post" as it
> obviously didn't come from them. Joe Six-Pack is
> likely to click on it because he doesn't want some
> other Joe Six-Pack sending stuff to lists using his
> email.
> Below is the actual email with the link broken up. I
> didn't click as I have zero time to "play" with it.

Looking at the mail you forwarded, the question here is whether 
banwa<dot>upm<dot>edu<dot>ph actually hosts a mailman setup, or if it's 
something else.

Searching Google for it found some relevant info:


It's the team address for one of the debian translation teams (tl = Tagalog).

My guess is that it's ended up in a spammer addressbook, and they've been 
spamming places with forged From: addresses (yours is probably only one of 
many they've used).

As someone who manages a few mailing lists with various sorts of mailing list 
interfaces (mailman, Sympa), I know your pain. The only thing I can suggest is 
that, if you're managing the domain for your email address, you start using 
something like SPF, and then hope that other people pick it up and use it to 
identify forged From: address spam.

PS: I get a LOT of these sorts of things, and on the mailing lists I run, I 
try to minimise this sort of almost unavoidable back-scatter. But there is 
only so much you can do in some of these situations. On the perverse side, I 
am just waiting for some of the lists to receive spam that passes the filters 
and has a forged From: address of one of the list members, get distributed to 
everyone, and then getting one of the list servers reported for spamming by 
some 'n00b' spamhaus reporter. *sigh*

 Stuart Young - aka Cefiar - cef at optus.net

