| [OT] Spam in RABT [message #168291] |
Do, 17 November 2005 23:11 |
|
Is anyone else getting a huge number of spam and random cross-postings
on RABT today, or is something up with my mailserver?
--
darkside
email: darksidex at charter dot net
website: http://silenceisdefeat.org/~darkside
|
|
|
| Re: [OT] Spam in RABT [message #168293 ] |
Do, 17 November 2005 23:55 |
|
darkside wrote:
> Is anyone else getting a huge number of spam and random cross-postings
> on RABT today, or is something up with my mailserver?
Yeah, I got the same thing.
|
|
|
| Re: [OT] Spam in RABT [message #168294 ] |
Fr, 18 November 2005 02:55 |
|
Conrad Dunkerson <conrad.dunkerson [at] worldnet.att.net> wrote:
> darkside wrote:
>> Is anyone else getting a huge number of spam and random cross-postings
>> on RABT today, or is something up with my mailserver?
> Yeah, I got the same thing.
So did I. Does anybody have any idea why it happened? Was it deliberate
spamming or was it some quirk played by the cyberspace?
|
|
|
| Re: [OT] Spam in RABT [message #168295 ] |
Fr, 18 November 2005 03:49 |
|
In article <dljcar$obs$1 [at] oravannahka.helsinki.fi>,
Tamim <hallaril [at] hotmail.com> wrote:
> Conrad Dunkerson <conrad.dunkerson [at] worldnet.att.net> wrote:
> > darkside wrote:
> >> Is anyone else getting a huge number of spam and random cross-postings
> >> on RABT today, or is something up with my mailserver?
>
> > Yeah, I got the same thing.
>
> So did I. Does anybody have any idea why it happened? Was it deliberate
> spamming or was it some quirk played by the cyberspace?
I was obviously one annoying jerk who was anonymously spamming rubbish
to rec.art.books.* newsgroups.
|
|
|
| Re: [OT] Spam in RABT [message #168296 ] |
Fr, 18 November 2005 06:01 |
|
Quoth darkside <darkside [at] no.spam.see.sig> in article
<87oe4iorgc.fsf [at] no.spam.see.sig>:
> Is anyone else getting a huge number of spam and random cross-postings
> on RABT today, or is something up with my mailserver?
I figured something had to be up when I saw that r.a.b.t had suddenly
leapt to well over 2000 articles. I think it's deliberate, and I have
no idea what to do about it. Somebody really ought to be losing
access to the internet for life, but I rather doubt that will
happen. :)
Any advice on how to handle the flood? (Kill every article posted
today, I guess?) Anyone we should be reporting this to?
Steuard Jensen
|
|
|
| Re: [OT] Spam in RABT [message #168297 ] |
Fr, 18 November 2005 06:11 |
|
> Any advice on how to handle the flood? (Kill every article posted
> today, I guess?) Anyone we should be reporting this to?
Suppose you could filter it in some way - or just ignore it all (which is a
pain).
I've not checked all the header (for some reason) but they all versions of
the following
Path:
news.theplanet.net!nntp.theplanet.net!inewsm1.nntp.theplanet .net!newsfeed.icl.net!newsfeed.fjserv.net!news.tele.dk!news. tele.dk!small.news.tele.dk!newspeer1.se.telia.net!se.telia.n et!masternews.telia.net.!newsc.telia.net.POSTED!not-for-mail
From: "C. McWharton" <newbie [at] hotmail.com>
Message-ID: <j9cmhmNr$kTTIt.562431 [at] hotmail.com>
Newsgroups: rec.arts.books.tolkien
Subject: Dan C is a monstrous, smelly, pile-draining scrotum logger
0.488518357276917
Organization: he'll be explaining with empty Ronette until his code hates
nearly
Dan_C: A good dancing monkey :)
Lines: 96
Date: Thu, 17 Nov 2005 19:54:08 GMT
NNTP-Posting-Host: 81.236.171.146
X-Complaints-To: abuse [at] telia.com
X-Trace: newsc.telia.net 1132257248 81.236.171.146 (Thu, 17 Nov 2005
20:54:08 CET)
NNTP-Posting-Date: Thu, 17 Nov 2005 20:54:08 CET
Xref: news.theplanet.net rec.arts.books.tolkien:270178
So that suggests contacting telia.com whether they are really the
originating point or not they'll want to deal with it - as it's carrying
TeliaSonera's name.
|
|
|
| Re: [OT] Spam in RABT [message #168298 ] |
Fr, 18 November 2005 10:35 |
|
In message <news:dljnob$ste$1 [at] news8.svr.pol.co.uk> "gp.skinner"
<gp.skinner [at] NOSPAM.talk21.com> enriched us with:
>
<snip>
> Suppose you could filter it in some way -
If you can filter out all messages containing a "Dan C" header, then
I think it'd catch most, if not all, of it. Certainly killing posts
with 'Dan C' in the header helps.
> or just ignore it all (which is a pain).
Indeed.
> I've not checked all the header (for some reason) but they all
> versions of the following
>
> Path:
> news.theplanet.net!nntp.theplanet.net!inewsm1.nntp.theplanet .net!ne
> wsfeed.icl.net!newsfeed.fjserv.net!news.tele.dk!news.tele.dk !small.
> news.tele.dk!newspeer1.se.telia.net!se.telia.net!masternews. telia.n
> et.!newsc.telia.net.POSTED!not-for-mail
[...]
> Dan_C: A good dancing monkey :)
[...]
> X-Complaints-To: abuse [at] telia.com
> X-Trace: newsc.telia.net 1132257248 81.236.171.146 (Thu, 17 Nov
> 2005 20:54:08 CET)
[...]
> So that suggests contacting telia.com whether they are really the
> originating point or not they'll want to deal with it - as it's
> carrying TeliaSonera's name.
Yes, it is 'cleverly' morphing the usual headers for killing posts,
and unfortunately I can't kill on the presence of the 'Dan_C:'
header, which seems to be in all the messages.
They are not all from Telia, however. I found this one as well:
Path: news1.nokia.com!newsfeed1.nokia.com!nntp.inet.fi!inet.fi!
newsfeed.kolumbus.fi!border1.nntp.dca.giganews.com!
nntp.giganews.com!local01.nntp.dca.giganews.com!nntp.rcn.net !
news.rcn.net.POSTED!not-for-mail
NNTP-Posting-Date: Thu, 17 Nov 2005 10:48:32 -0600
From: Oliver <shithead [at] swbell.net>
Message-ID: <D566A96E3288CA6 [at] 242.243.63.4>
Newsgroups: rec.arts.books.tolkien
Subject: who moulds totally, when Kirsten kicks the smart enigma
below the river
Date: Thu, 17 Nov 2005 13:46:42 GMT
Organization: lately Cristof will cover the sauce, and if Susanne
generally hates it too, the onion will expect inside the ugly
night
Dan_C: Dancing Monkey Test
Lines: 76
NNTP-Posting-Host: 216.15.35.136
X-Trace: sv3-aFn9tLcfRK43+QveFvNka+
9eNHeu6uje71uhPsP0Gbcyh+MXzzzU3jiWo//TW3voT8yJIo6MrVmpWpT!
QPZ4pYTpSDRMN0R38FP4qFJy/uq86bECkw7Owkecw5eXlvwg+j0cLJ6Egq/h LA==
X-Complaints-To: abuse [at] rcn.net
X-DMCA-Complaints-To: abuse [at] rcn.net
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL
headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
X-Postfilter: 1.3.32
So there is more than one account being used. I've sent complaints to
Telia and RCN.
I've deleted nearly everything outside the CotW threads (which I
score sufficiently high to circumvent the attack). I noticed one post
by Larry and one by Tamim, but most likely there were other posts
that got deleted (I'm sorry about it, but there was nothing else to
do, really).
--
Troels Forchhammer
Valid e-mail is <t.forch(a)email.dk>
Only two things are infinite, the universe and human
stupidity, and I'm not sure about the former.
- Albert Einstein
|
|
|
| Re: [OT] Spam in RABT [message #168299 ] |
Fr, 18 November 2005 10:42 |
|
In message <news:87oe4iorgc.fsf [at] no.spam.see.sig> darkside
<darkside [at] no.spam.see.sig> enriched us with:
>
> Is anyone else getting a huge number of spam and random
> cross-postings on RABT today, or is something up with my
> mailserver?
It seems that news.individual.net has managed to delete the posts --
before actually downloading the new posts, it said nearly 2000 posts
for RABT, but I only got the normal quota on that server (my work
server, however, is another matter alltogether). I think the
implication is that they've gone through the group after first letting
the posts through.
--
Troels Forchhammer
Valid e-mail is <t.forch(a)email.dk>
+++ Divide By Cucumber Error. Please Reinstall Universe And Reboot +++
- /Hogfather/ (Terry Pratchett)
|
|
|
| Re: [OT] Spam in RABT [message #168300 ] |
Fr, 18 November 2005 14:19 |
|
gp.skinner wrote:
>> Any advice on how to handle the flood? (Kill every article posted
>> today, I guess?) Anyone we should be reporting this to?
>
> Suppose you could filter it in some way - or just ignore it all (which is
> a pain).
> I've not checked all the header (for some reason) but they all versions of
> the following
....
> Dan_C: A good dancing monkey :)
....
> NNTP-Posting-Host: 81.236.171.146
....
> X-Complaints-To: abuse [at] telia.com
....
> So that suggests contacting telia.com whether they are really the
> originating point or not they'll want to deal with it - as it's carrying
> TeliaSonera's name.
Interestingly, _all_ of mine had
> NNTP-Posting-Host: 216.15.35.136
> X-Complaints-To: abuse [at] rcn.net
and I manually deleted them out of my news spool and filtered that IP in
leafnode.
--
derek
|
|
|
| Re: Spam in RABT [message #168301 ] |
Fr, 18 November 2005 16:08 |
|
Steuard Jensen wrote:
> Quoth darkside <darkside [at] no.spam.see.sig> in article
> <87oe4iorgc.fsf [at] no.spam.see.sig>:
> > Is anyone else getting a huge number of spam and random cross-postings
> > on RABT today, or is something up with my mailserver?
>
> I figured something had to be up when I saw that r.a.b.t had suddenly
> leapt to well over 2000 articles. I think it's deliberate, and I have
> no idea what to do about it. Somebody really ought to be losing
> access to the internet for life, but I rather doubt that will
> happen. :)
>
> Any advice on how to handle the flood? (Kill every article posted
> today, I guess?) Anyone we should be reporting this to?
>
A post to news.admin.net-abuse.sightings would probably be appropriate.
|
|
|
| Re: [OT] Spam in RABT [message #168302 ] |
Fr, 18 November 2005 16:12 |
|
Troels Forchhammer <Troels [at] thisisfake.invalid> wrote:
> They are not all from Telia, however. I found this one as well:
> Path: news1.nokia.com!newsfeed1.nokia.com!nntp.inet.fi!inet.fi!
> newsfeed.kolumbus.fi!border1.nntp.dca.giganews.com!
> nntp.giganews.com!local01.nntp.dca.giganews.com!nntp.rcn.net !
> news.rcn.net.POSTED!not-for-mail
So they are coming from one of the nordic countries anyway. Probably
Finland: not many suspects here ;)
|
|
|
| Re: [OT] Spam in RABT [message #168303 ] |
Fr, 18 November 2005 17:07 |
|
Quoth Troels Forchhammer <Troels [at] ThisIsFake.invalid> in article
<Xns97126D623972CT.Forch [at] 131.228.6.98>:
> <gp.skinner [at] NOSPAM.talk21.com> enriched us with:
> > Suppose you could filter it in some way -
> If you can filter out all messages containing a "Dan C" header, then
> I think it'd catch most, if not all, of it. Certainly killing posts
> with 'Dan C' in the header helps.
Thank you very much! Filtering out posts with headers containing
either "Dan_C:" or "_Dan_C_" got all but a handful of them. (I
figured that would avoid killing any posts _from_ a Dan_C, thus
evading one possible goal of the spammer.)
Steuard Jensen
|
|
|
| Re: [OT] Spam in RABT [message #168304 ] |
Fr, 18 November 2005 17:41 |
|
> Interestingly, _all_ of mine had
>> NNTP-Posting-Host: 216.15.35.136
>> X-Complaints-To: abuse [at] rcn.net
Like I say I did not check them all, but just picked a good number of them
at random. Strange.
> and I manually deleted them out of my news spool and filtered that IP in
> leafnode.
> --
Never tried that, and not sure I'd know how.
Graeme
|
|
|
| Re: [OT] Spam in RABT [message #168307 ] |
Fr, 18 November 2005 18:38 |
|
Steuard Jensen wrote:
>
> Quoth darkside <darkside [at] no.spam.see.sig> in article
> <87oe4iorgc.fsf [at] no.spam.see.sig>:
> > Is anyone else getting a huge number of spam and random cross-postings
> > on RABT today, or is something up with my mailserver?
>
> I figured something had to be up when I saw that r.a.b.t had suddenly
> leapt to well over 2000 articles. I think it's deliberate, and I have
> no idea what to do about it. Somebody really ought to be losing
> access to the internet for life, but I rather doubt that will
> happen. :)
>
> Any advice on how to handle the flood? (Kill every article posted
> today, I guess?) Anyone we should be reporting this to?
>
> Steuard Jensen
Spam can be reported to news.admin.net-abuse.usenet
Flames or personal abuse online should not be reported there but to the
offender's ISP
The reason is that SPAM is considered an abuse OF Usenet.
Flames are considered abuse ON Usenet.
:-)
Hope this helps.
Appropriate newsgroup added.
<what muppet deleted rabt from this thread?>
M.
|
|
|
| Re: [OT] Spam in RABT [message #168309 ] |
Fr, 18 November 2005 20:56 |
|
Tamim wrote:
> Troels Forchhammer <Troels [at] thisisfake.invalid> wrote:
>
>
>
>>They are not all from Telia, however. I found this one as well:
>
>
>>Path: news1.nokia.com!newsfeed1.nokia.com!nntp.inet.fi!inet.fi!
>> newsfeed.kolumbus.fi!border1.nntp.dca.giganews.com!
>> nntp.giganews.com!local01.nntp.dca.giganews.com!nntp.rcn.net !
>> news.rcn.net.POSTED!not-for-mail
>
>
> So they are coming from one of the nordic countries anyway. Probably
> Finland: not many suspects here ;)
You're not reading it right. Rcn.net, which is the source
of the message, is American. Nokia is where Troels works
and where the message was recieved. The guy behind this
started spamming from his rcn.net account, and when that
was blocked, moved to a different account, and so on.
Of course he could be originally from anywhere.
Morgil
|
|
|
| Re: [OT] Spam in RABT [message #168310 ] |
Fr, 18 November 2005 21:40 |
|
Morgil <morestelx [at] hotmail.com> wrote:
> You're not reading it right. Rcn.net, which is the source
> of the message, is American. Nokia is where Troels works
> and where the message was recieved. The guy behind this
> started spamming from his rcn.net account, and when that
> was blocked, moved to a different account, and so on.
> Of course he could be originally from anywhere.
OK.
|
|
|
| Re: Spam in RABT [message #168311 ] |
Fr, 18 November 2005 21:50 |
|
Michael O'Neill wrote:
> Steuard Jensen wrote:
> >
> > Quoth darkside <darkside [at] no.spam.see.sig> in article
> > <87oe4iorgc.fsf [at] no.spam.see.sig>:
> > > Is anyone else getting a huge number of spam and random cross-postings
> > > on RABT today, or is something up with my mailserver?
> >
> > I figured something had to be up when I saw that r.a.b.t had suddenly
> > leapt to well over 2000 articles. I think it's deliberate, and I have
> > no idea what to do about it. Somebody really ought to be losing
> > access to the internet for life, but I rather doubt that will
> > happen. :)
> >
> > Any advice on how to handle the flood? (Kill every article posted
> > today, I guess?) Anyone we should be reporting this to?
> >
> > Steuard Jensen
>
> Spam can be reported to news.admin.net-abuse.usenet
>
> Flames or personal abuse online should not be reported there but to the
> offender's ISP
>
> The reason is that SPAM is considered an abuse OF Usenet.
>
> Flames are considered abuse ON Usenet.
>
> :-)
>
> Hope this helps.
>
> Appropriate newsgroup added.
>
> <what muppet deleted rabt from this thread?>
>
> M.
Is this happening on other ngs? Otherwise it seems that someone is
using some text creating bot simply to flood the Tolkien groups.
Sindamor Pandaturion
Felicitously pander the umbrage Peter Jackson Mise en scene otherwise
dodo.
|
|
|
| Re: Spam in RABT [message #184535 ] |
Mi, 14 Dezember 2005 20:44 |
|
Laowombat wrote:
>
> Michael O'Neill wrote:
> > Steuard Jensen wrote:
> > >
> > > Quoth darkside <darkside [at] no.spam.see.sig> in article
> > > <87oe4iorgc.fsf [at] no.spam.see.sig>:
> > > > Is anyone else getting a huge number of spam and random cross-postings
> > > > on RABT today, or is something up with my mailserver?
> > >
> > > I figured something had to be up when I saw that r.a.b.t had suddenly
> > > leapt to well over 2000 articles. I think it's deliberate, and I have
> > > no idea what to do about it. Somebody really ought to be losing
> > > access to the internet for life, but I rather doubt that will
> > > happen. :)
> > >
> > > Any advice on how to handle the flood? (Kill every article posted
> > > today, I guess?) Anyone we should be reporting this to?
> > >
> > > Steuard Jensen
> >
> > Spam can be reported to news.admin.net-abuse.usenet
> >
> > Flames or personal abuse online should not be reported there but to the
> > offender's ISP
> >
> > The reason is that SPAM is considered an abuse OF Usenet.
> >
> > Flames are considered abuse ON Usenet.
> >
> > :-)
> >
> > Hope this helps.
> >
> > Appropriate newsgroup added.
> >
> > <what muppet deleted rabt from this thread?>
> >
> > M.
>
> Is this happening on other ngs? Otherwise it seems that someone is
> using some text creating bot simply to flood the Tolkien groups.
<snip>
Dunno. Sorry for the late and lame reply.
M.
|
|
|
