[volunteers] Leftover administrative questions (and their answers)
Rick Moen
rick at linuxmafia.com
Mon Dec 18 18:44:09 PST 2006
Another item for collective knowledge among the membership and general
public: Back in March/April 2006, I asked our elected officers some
short questions about existing restrictions/bans, all of which were
ignored:
To do (if you're willing to let us know what addresses are banned or
restricted): For svlug at lists.svlug.org, go to Mailman Privacy Options,
Sender Filters page. Copy and paste into a post to
volunteers at lists.svlug.org the contents of these fields:
o List of non-member addresses whose postings will be immediately held
for moderation.
o List of non-member addresses whose postings will be automatically
rejected.
o List of non-member addresses whose postings will be automatically
discarded.
Also, if you don't mind, go to Mailman Membership Management, Membership
List, and let us know what members have flag "mod" set.
Also, if you don't mind, go to Mailman Privacy Options, Spam Filters,
and tell us if there's anything other than actual spam set to be held,
rejected, or discarded.
If you're up for the above, showing us the contents (if any)
of Privacy Options, Subscription Rules, "List of addresses which are
banned from membership in this mailing list" would be appreciated, too.
Reminders about those polite questions having gone unanswered got me
nowhere. However, I'm now in a position to get those answers from
inspection -- and thus, so are you. ;->
svlug at lists.svlug.org:
---------------------
> List of non-member addresses whose postings will be immediately held
> for moderation:
none
> List of non-member addresses whose postings will be automatically
> rejected:
none
> List of non-member addresses whose postings will be automatically
> discarded:
To the best of my ability to tell, there are no legitimate persons on
that list, subscribed or not, only likely-spam addresses.
("mailman-owner-owner at lists.svlug.org" is there to prevent
administrative notices from Mailman from reaching the list.) At the time I
first regained listadmin access following removal of the server from
Drew Bertola's rack, local Web designer Anthony Ettinger was on that
list. I removed him -- and let him know.
I did _not_ at that time find Alvin Oga, though Alvin said at the time
that Marc Merlin had banned him from svlug at lists.svlug.org. Very
recently, Marc confirmed that at one time he'd done so in reaction to
sending Alvin a listadmin warning, only to find that Alvin had
configured his MTA to reject any mail from Marc. In any event, no such
block was present in either Mailman or the MTA configuration when I was
able to check. Again, I let Alvin know of these findings.
Part of the point of this exercise was to find old grudges, or
backstabs, or simple listadmin goofups, or whatever, and prevent them
from being automatically perpetuated in list rulesets.
> ...go to Mailman Membership Management, Membership List, and let us know
> what members have flag "mod" set:
When I first regained listadmin access following removal of the server
from Drew Bertola's rack, one Holt Sorenson (hso at nosneros.net) was
included. I immediately removed the "moderated" (mod) flag from his
subscription.
No others remain.
> go to Mailman Privacy Options, Spam Filters, and tell us if there's
> anything other than actual spam set to be held, rejected, or
> discarded.
None. The following Python regexes are set to be held for moderation:
from: .*@hallkinion.com
from: .*formulasys.com
to: friend at public.com
message-id: relay.comanche.denmark.eu
from: list at listme.com
from: .*@uplinkpro.com
to: jobs at lists.svlug.org
to: jobs at svlug.org
cc: jobs at lists.svlug.org
cc: jobs at svlug.org
> ...the contents (if any) of Privacy Options, Subscription Rules, "List
> of addresses which are banned from membership in this mailing list"
smokesdirect at terra.es
cau at cade.com.br
Ukulelekid at aol.com
john at mediaoverdrive.com
stevezimmerman at hotmail.com
It seems very likely those are all spam-sending addresses. (It's pretty
futile to block those, and you have to beware of spammers forging the
addresses of innocent people, but listadmins/moderators often ban them
anyway.)
volunteers at lists.svlug.org:
--------------------------
> List of non-member addresses whose postings will be immediately held
> for moderation:
none
> List of non-member addresses whose postings will be automatically
> rejected:
none
> List of non-member addresses whose postings will be automatically
> discarded:
advertising at alleffort.com
apet at infoapet.com.br
comforty at comforty.com
emb_group at yahoo.com
info at pin-n-pin.com
info at discwizards.com
khetmeo at aol.com
mac_herman1 at virgilio.it
mailer-daemon at computerstaff.net
management at conus.co.il
info_online3 at adelphia.net
It seems very likely those are all spam-sending addresses.
> ...go to Mailman Membership Management, Membership List, and let us
> know what members have flag "mod" set:
None.
> go to Mailman Privacy Options, Spam Filters, and tell us if there's
> anything other than actual spam set to be held, rejected, or
> discarded.
None. The following Python regexes are set to be held for moderation:
# Lines that *start* with a '#' are comments.
to: friend at public.com
message-id: relay.comanche.denmark.eu
from: list at listme.com
from: .*@uplinkpro.com
> ...the contents (if any) of Privacy Options, Subscription Rules, "List
> of addresses which are banned from membership in this mailing list"
info_online3 at adelphia.net
It seems very likely this is a spam-sending address.
MTA rulesets
------------
In addition to filtering at the Mailman level, it was always possible
that some prior root-access user had installed blocks at the MTA (SMTP
server) level. I happen to know Exim4 pretty well, and looked carefully
for same -- and didn't find any.
/etc/exim4/acls/denyenvsenders has:
john at mediaoverdrive.com "go away"
Ukulelekid at aol.com "go away"
marc at networking-professionals.com "no more"
*@networking-professionals.com "no more"
Sales at sixnetio.com "no more mails from you"
calendars at lma404.siteprotect.com "Mass mailing without unsub link is spam"
*@lma404.siteprotect.com "Mass mailing without unsub link is spam"
*@paypal.com "Phishing unwelcome"
*@ebay.com "Phishing unwelcome"
*@eBay.com "Phishing unwelcome"
*@amazon.com "Phishing unwelcome"
*@paypal.com "Phishing unwelcome"
*@citibank.com "Phishing unwelcome"
*@irs.gov "Phishing unwelcome"
*@IRS.gov "Phishing unwelcome"
*@bofa.com "Phishing unwelcome"
*@bankofamerica.com "Phishing unwelcome"
*@mbna.com "Phishing unwelcome"
*@hsbc.com "Phishing unwelcome"
*@chase.com "Phishing unwelcome"
*@wellsfargo.com "Phishing unwelcome"
cterry at nww.com "Too many repetitive marketing come-ons. Bye."
(The last one was added by me, after one co-marketing spew too many from
Chrystie Terry, Online Audience Development Manager at IDG's Network
World magazine.)
/etc/exim4/acls/rejectlist has several thousand spam-sender IPs, mostly added
by me -- rather too long to list here. If anyone wants to see it, I'm
sure we can find a way to make it available.
/etc/exim4/acls/hostrejectrcpt has interesting stuff from Marc's
administration of the box:
# IP addresses for which we refuse all RCPTs with a custom error message
# Spams our reject logs by resending bad bounces over and over-- Marc 2002/01/15
24.0.95.147 "You are resending bad bounces over and over again"
# Stupid ass spammer who fakes helo and env from to be us !!! -- Marc 2002/03/25
# Return-path: <libservlet-bugs at lists.sourceforge.net>
# Received: from [211.245.3.127] (helo=externalmx.valinux.com)
# by mail2.vasoftware.com with esmtp (Exim 3.31-VA-mm2 #1 (Debian))
# id 16nmQy-0004IY-00 for <libservlet-bugs at lists.sourceforge.net>;
# Wed, 20 Mar 2002 12:11:48 -0800
# From: ThanksSky <Blss at Almity.com>
# To: 42278 <libservlet-bugs at lists.sourceforge.net>
211.245.3.127 "Die scum!"
# Spams our reject logs by resending bad bounces over and over-- Marc 2002/01/15
24.0.95.147 "You are resending bad bounces over and over again"
# Stupid ass spammer who fakes helo and env from to be us !!! -- Marc 2002/03/25
# Return-path: <libservlet-bugs at lists.sourceforge.net>
# Received: from [211.245.3.127] (helo=externalmx.valinux.com)
# by mail2.vasoftware.com with esmtp (Exim 3.31-VA-mm2 #1 (Debian))
# id 16nmQy-0004IY-00 for <libservlet-bugs at lists.sourceforge.net>;
# Wed, 20 Mar 2002 12:11:48 -0800
# From: ThanksSky <Blss at Almity.com>
# To: 42278 <libservlet-bugs at lists.sourceforge.net>
211.245.3.127 "Die scum!"
# Our mail server detected the Unknown Virus virus
# that appears to have come from your mail server. It was sent in
# an attachment Unknown File, from
# svlug-bounces+bmarinaccio=glaciertechnology.com at svlug.org to
# bmarinaccio at glaciertechnology.com,
# with the subject "Re: [svlug] Monitoring scripts". The Message-ID was:
# <Pine.LNX.4.33.0206030025250.28131-100000 at mast.right-net.com>.
208.247.232.250 "Turn off your stupid broken virus autoresponder!"
# The Virus software on our mail server detected the Unknown Virus
# virus that appears to have come from your mail server. It was sent in
# an attachment Unknown File, from
# svlug-bounces+cclark=surfside.net at svlug.org to cclark at surfside.net,
# with the subject "[svlug] Exercise log for linux?". The Message-ID was:
# <20020614090102.A4242 at vimes.qconcepts.net>.
64.68.205.85 "Turn off your stupid broken virus autoresponder!"
iptables rulesets:
-----------------
Here is a complete dump of the server's "iptables -L" output. Please
let me know if you see anything doubtful (and be sure to say why). At a
first glance, it all looks highly legitimate.
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG all -- localnet/8 anywhere LOG level warning
fieth0 all -- anywhere svlug.org
fieth0 all -- anywhere 157.22.20.255
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain fieth0 (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere state INVALID LOG level warning prefix `INVALID'
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG icmp -- anywhere anywhere icmp destination-unreachable LOG level warning prefix `ICMPFIXME'
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning prefix `ICMPFIXME'
ACCEPT icmp -- anywhere anywhere icmp source-quench
LOG icmp -- anywhere anywhere icmp time-exceeded LOG level warning prefix `ICMPFIXME'
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
LOG tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW LOG level warning prefix `TCPNEWnoSYN'
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
LOG all -f anywhere anywhere LOG level warning prefix `FRAGMENT_DROPPED'
REJECT all -f anywhere anywhere reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- localhost.localdomain anywhere udp dpt:amanda
ACCEPT tcp -- node-40240c02.sjc.onnet.us.uu.net anywhere tcp dpt:5666
ACCEPT udp -- node-40240c02.sjc.onnet.us.uu.net anywhere udp dpt:5666
ACCEPT udp -- node-40240c02.sjc.onnet.us.uu.net anywhere udp dpt:snmp
ACCEPT tcp -- node-40240c02.sjc.onnet.us.uu.net anywhere tcp dpt:telnet
ACCEPT tcp -- localhost.localdomain anywhere tcp dpts:1024:65535
ACCEPT tcp -- anywhere anywhere tcp dpt:26
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
REJECT udp -- anywhere anywhere udp dpt:netbios-ns reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:netbios-dgm reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:netbios-ssn reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:netbios-ns reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:netbios-dgm reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:netbios-ssn reject-with icmp-port-unreachable
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
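Added example (not part of the original post or of the server's configuration): a Python triage of an "iptables -L" listing like the one above, flagging the ACCEPT rows that cannot be judged from plain -L output alone. The function name, finding codes and port set are assumptions made for this example; the sample rows are copied from the post.

```python
import re

# Rows copied from the "iptables -L" listing in the post (trimmed for brevity).
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG all -- localnet/8 anywhere LOG level warning
Chain fieth0 (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- node-40240c02.sjc.onnet.us.uu.net anywhere tcp dpt:telnet
ACCEPT tcp -- localhost.localdomain anywhere tcp dpts:1024:65535
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
"""

# Finding codes and the port set are assumptions of this example.
HINTS = {
    "unqualified-accept": "plain -L hides -i/-o; confirm with 'iptables -L -v -n'",
    "named-address": "address printed as a name; re-list with -n for the stored IP",
    "cleartext-service": "unencrypted service is reachable from this source",
}
CLEARTEXT = {"telnet", "23", "ftp", "21"}
NUMERIC = re.compile(r"^!?\d{1,3}(\.\d{1,3}){3}(/\d+)?$")

def review(listing):
    """Return (chain, code, rule) for ACCEPT rows that need a closer look."""
    findings, chain = [], None
    for line in listing.splitlines():
        f = line.split()
        if not f or f[0] == "target":
            continue                      # blank line or column header
        if f[0] == "Chain":
            chain = f[1]
            continue
        if len(f) < 5 or f[0] != "ACCEPT":
            continue                      # only ACCEPT rows widen access
        prot, src, dst, extra = f[1], f[3], f[4], f[5:]
        if prot == "all" and src == dst == "anywhere" and not extra:
            findings.append((chain, "unqualified-accept", line))
        if any(a != "anywhere" and not NUMERIC.match(a) for a in (src, dst)):
            findings.append((chain, "named-address", line))
        ports = [t.split(":", 1)[1] for t in extra if t.startswith(("dpt:", "dpts:"))]
        if any(p in CLEARTEXT for p in ports):
            findings.append((chain, "cleartext-service", line))
    return findings

if __name__ == "__main__":
    for chain, code, rule in review(SAMPLE):
        print(f"[{chain}] {code}: {rule}\n    -> {HINTS[code]}")
```

An "unqualified-accept" finding is not a verdict: such a row may be bound to an interface that plain -L does not print, which is why the hint points at the verbose, numeric listing.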