From owner-freebsd-questions@FreeBSD.ORG Fri Dec 10 13:47:38 2010
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 58A4D106564A
	for ; Fri, 10 Dec 2010 13:47:38 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
	by mx1.freebsd.org (Postfix) with ESMTP id C9DA68FC1A
	for ; Fri, 10 Dec 2010 13:47:37 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id oBADlYOL058570;
	Sat, 11 Dec 2010 00:47:34 +1100 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Sat, 11 Dec 2010 00:47:33 +1100 (EST)
From: Ian Smith
To: Chris Brennan
In-Reply-To: <20101210060704.A3B641065783@hub.freebsd.org>
Message-ID: <20101211002225.D61647@sola.nimnet.asn.au>
References: <20101210060704.A3B641065783@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-questions@freebsd.org
Subject: xpbargains.net spam [was: Re: 'Broadcom Wireless b/g (BCM4315/BCM22062000)']
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 10 Dec 2010 13:47:38 -0000

In freebsd-questions Digest, Vol 340, Issue 11, Message: 27
On Fri, 10 Dec 2010 00:54:37 -0500
 > On Sun, Nov 7, 2010 at 9:54 AM, Paul B Mahol wrote:

No, he didn't.  These mails are FORGED as being from freebsd-questions
participants, and on first glance may appear to be list postings.

They used to get posted to the list itself also, but postmaster@ blocked
the nuisance source back in August.  However that doesn't stop them from
targeting individual list participants, like you.

If you examine the full mail headers, it's likely to have originated
from the following IP address.
If so, you just need to block that address at your mailserver.
But if they've moved, we need to know ..

Quoting from a message to postmaster@ in August:

> As Roland pointed out, the phishing/virus/whatever referral has switched
> from downwind.com.au to xpbargains.net, and possibly some others.
>
> Here's the business:
>
> % dig +short -x 64.38.11.26
> allmail.0b2.net.
> % dig +short allmail.0b2.net.
> 64.38.11.26
> % dig +short dusk.parklogic.com
> 64.38.11.26
>
> If you can discard by Message-ID then every one of these, including the
> privately mailed ones, has @dusk.parklogic.com there.
>
> If you can block by IP, then that's the one.  Or by hostname, every one
> so far has been relayed by allmail.0b2.net (that's a zero).

So if the full headers reveal coming from that hostname or that IP or
any other IP in 64.38.11.26/29, just block that and move on.

If it's a different address range now, please provide the full headers
for the message you received, with a copy to postmaster@freebsd.org

Thanks, Ian  (please cc me on any reply, I take this list as a digest)
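
A header check built from the three indicators named in the message above (relay IP range, relay hostname, Message-ID domain), as an added example that is not part of the original mail. The helper name `match_indicators` and the three sample messages are constructed; `mx.example.org`, `example.net` and the 192.0.2.x address are placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Indicators quoted in the message above. "64.38.11.26/29" has host bits set,
# so strict=False normalises it to the enclosing block 64.38.11.24/29.
BLOCK_NET = ipaddress.ip_network("64.38.11.26/29", strict=False)
RELAY_HOST = "allmail.0b2.net"        # 0b2 with a zero, not the letter o
MSGID_DOMAIN = "dusk.parklogic.com"

def match_indicators(raw_message):
    """Return a sorted list of matched indicator names (hypothetical helper)."""
    msg = message_from_string(raw_message)
    hits = set()
    msgid = (msg.get("Message-ID") or "").strip().strip("<>").lower()
    if msgid.endswith("@" + MSGID_DOMAIN):
        hits.add("message-id")
    # Received lines below your own MX's are sender-supplied; in production
    # inspect only the hop your own server recorded.
    for received in msg.get_all("Received", []):
        text = " ".join(received.split()).lower()   # unfold continuation lines
        tokens = {t.strip(".") for t in re.findall(r"[a-z0-9.-]+", text)}
        if RELAY_HOST in tokens:
            hits.add("relay-host")
        for candidate in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text):
            try:
                if ipaddress.ip_address(candidate) in BLOCK_NET:
                    hits.add("relay-ip")
            except ValueError:                      # e.g. [999.1.1.1]
                continue
    return sorted(hits)

# Constructed sample messages (not real mail).
def _sample(host, ip, msgid):
    return (f"Received: from {host} ({host} [{ip}])\n"
            "\tby mx.example.org with ESMTP; Fri, 10 Dec 2010 05:54:40 +0000\n"
            f"Message-ID: <{msgid}>\n"
            "Subject: constructed sample\n\nbody\n")

SAMPLE_SPAM = _sample("allmail.0b2.net", "64.38.11.26", "constructed-1@dusk.parklogic.com")
SAMPLE_MOVED = _sample("relay.example.net", "64.38.11.30", "constructed-2@example.net")
SAMPLE_CLEAN = _sample("mail.example.net", "192.0.2.10", "constructed-3@example.net")

if __name__ == "__main__":
    for name in ("SAMPLE_SPAM", "SAMPLE_MOVED", "SAMPLE_CLEAN"):
        print(name, match_indicators(globals()[name]))
```

`SAMPLE_MOVED` covers the "any other IP in 64.38.11.26/29" case: a different hostname and Message-ID, but a relay address inside the same /29.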