Closed Bug 224944 Opened 21 years ago Closed 20 years ago

newsgroups being heavily spammed

Categories

(mozilla.org Graveyard :: Server Operations, task)

task
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 63735

People

(Reporter: mohr.42, Assigned: mbaur)

Details

Something needs to be done about the amount of spam that started showing on n.p.m.wishlist and n.p.m.svg in the past couple hours (and the other few n.p.m.? newsgroups I checked that I'm not subscribed to). The current amount of spam makes it impossible to follow a newsgroup. I honestly don't know if mozilla.org can do anything, especially since the newsgroups are available through multiple servers. Also, I'm not very familiar with USENET. So I can't suggest a fix--I can only say something should be done.
nntp -> markus
Assignee: endico → mbaur
Status: UNCONFIRMED → NEW
Ever confirmed: true
oops, someone forgot to change their email address. :) (netscape.com doesn't work anymore). I IMed him though, and he's on it.
n.p.m.seamonkey is getting hit too.
as is n.p.m.webtools
And m.jseng. It's the anti-globalization creeps. Someone track them down and electrocute them, please. /be
It appears to have stagnated, but for a while it didn't look like it was going to stop.
they must be trading newsgroups. npm.webtools has gotten 12 of them in the last hour, 3 in the last 10 minutes.
2:20 AM EST:
<markus> The spam I looked at seemed to come from a single IP only (200.66.80.11) which I've added to our blacklist.
<markus> Let me know if that didn't help.
<justdave> how long ago?
<markus> just a minute or two ago
well, it took until about 10am EST before it stopped coming through on the mailing lists, but the block Markus put on last night appears to have successfully stopped it on the news server. So much of it showed up so fast it apparently took MailMan a while to catch up with the stuff that was already on the news server or something. I'm going to sign this off as fixed.... if anyone is still seeing this crap please reopen.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
I'm still getting them (just got a new one a few minutes ago, 8pm PST to mozilla-unix, first timestamped by rheet.mozilla.org at Fri, 7 Nov 2003 00:26:45 -0800). But they're coming a lot more slowly now, a few per hour. Could that all still be batched mail (is that 00:26 -0800 really PST, or UT?) I'll hold off from reopening and see if it's still coming tomorrow.
hmm, I just got one, too. But it's from the same IP address that Markus already blocked, and the timestamp on it is prior to the time he blocked it. Either MailMan or Sendmail apparently had it queued somewhere.
I just deleted 2698 queue files containing the string "NNTP-Posting Host: 200.66.80.11" from the mail spool on rheet.
n.p.m.wishlist just got another, but it might be isolated.
Confirmed. he's baaccckk!!! NNTP-Posting-Host: 219.252.1.30 Markus, can we block him again?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Subject: Re: the shoes we wear NNTP-Posting-Host: awork107089.netvigator.com same crap
n.p.m.jseng and .seamonkey are under attack. Please cancel as well as blacklisting the s.o.b.'s. /be
I just blocked 219.252.1.30 and 203.198.21.89
I was going to reopen this now, but it wasn't closed after the last outbreak. The guy appears to be back.
we already killed him. Markus was on top of things tonight :) There hasn't been anything from him in the spool on rheet in the last 20 minutes, so I'm assuming everything that made it through has been delivered already. I killed 631 copies from MailMan's queue and 82 out of sendmail's queue after Markus blocked their IP on the news server.
Is there any procmail or similar service running on rheet which might be able to look for a few strings like "unswoosher" and set up a ban automatically? Not that I'm complaining about Markus' flying fingers -- very fast ban this time, thanks! Just wondering if an automated ban might save some labor if these jerks are going to keep at it.
Resolving as fixed, until he comes back. Feel free to reopen if you know how to do what is suggested in comment 20.
Status: REOPENED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → FIXED
They're back.... These are all in the last 3 days:

First three seem to be generic spammers looking to advertise their websites:

Newsgroups: netscape.public.mozilla.webtools
Message-ID: <760080377025031706533883543715@ezboard.com>
NNTP-Posting-Host: 24.222.121.229
Spammed-Website: http://p208.ezboard.com/fozclubforumsfrm5.showMessage?topicID=118.topic

Newsgroups: netscape.public.mozilla.webtools
Message-ID: <302417213766532487426126535312@ezboard.com>
NNTP-Posting-Host: 24.222.121.229
Spammed-Website: http://p208.ezboard.com/fozclubforumsfrm5.showMessage?topicID=118.topic

Newsgroups: netscape.public.mozilla.webtools
Message-ID: <cbklm6$it0105@ripley.netscape.com>
NNTP-Posting-Host: 200165025176.user.veloxzone.com.br
Spammed-Website: www.imoveisvitoria.com.br

The rest, all of which there's been several dozen over the last 3 days, seem to be a virus that wants to spread via usenet, by my guess. I have yet to see more than 2 of them come from the same IP address. What they have in common:

1) Each is cross-posted to between 6 and 8 newsgroups, all within the netscape.public.mozilla.* hierarchy
2) Each is advertising a URL with the following characteristics:
   a) host is an IP address
   b) port 89
   c) filename ends in .scr

If we can block based on the body pattern matching #2 above, that would be great.

m#\bhttp://[^/]+:89/\w+\.scr\b#
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
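Because the comment above reports that these posts rarely come from the same address twice, a content match scales better than per-IP blocks. The following is an added example, not code from the bug or from mozilla.org's servers: a Python sketch that applies the two traits listed in that comment to raw articles. The function names, the sample articles and the stricter dotted-quad host pattern are assumptions made for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# URL shape from the comment: host is a dotted-quad IP, port 89, name ends in .scr.
# Assumption: the host is restricted to an IPv4 literal, stricter than any non-slash run.
SCR_URL = re.compile(r"\bhttp://\d{1,3}(?:\.\d{1,3}){3}:89/\S*\.scr\b", re.I)
HIERARCHY = "netscape.public.mozilla."

def signals(article):
    """Extract the traits named in the comment from one raw article."""
    msg = message_from_string(article)
    groups = [g.strip() for g in msg.get("Newsgroups", "").split(",") if g.strip()]
    body = "\n".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    url = SCR_URL.search(body)
    return {
        "posting_host": msg.get("NNTP-Posting-Host", "").strip(),
        "crosspost": 6 <= len(groups) <= 8 and all(g.startswith(HIERARCHY) for g in groups),
        "url": url.group(0) if url else None,
    }

def triage(articles):
    """Reject on the body URL; tally posting hosts to show how little they repeat."""
    rejected, hosts = [], Counter()
    for art in articles:
        sig = signals(art)
        if sig["url"]:
            rejected.append(sig)
            hosts[sig["posting_host"]] += 1
    return rejected, hosts

# Constructed sample articles (documentation address ranges, not data from the bug).
def make_article(host, groups, body):
    return (f"Newsgroups: {','.join(groups)}\n"
            f"NNTP-Posting-Host: {host}\n"
            "Subject: constructed sample\n\n" + body + "\n")

GROUPS = [HIERARCHY + n for n in
          ("webtools", "seamonkey", "jseng", "wishlist", "svg", "unix")]
SAMPLES = [
    make_article("192.0.2.10", GROUPS, "look at this http://198.51.100.7:89/photo.scr"),
    make_article("192.0.2.11", GROUPS, "see http://198.51.100.8:89/card.scr now"),
    make_article("192.0.2.12", GROUPS[:1], "list at http://bugzilla.example.org:89/list.scr"),
    make_article("192.0.2.13", GROUPS[:1], "server is http://198.51.100.9:8989/a.scr"),
]

if __name__ == "__main__":
    rejected, hosts = triage(SAMPLES)
    print(len(rejected), "rejected;", dict(hosts))
```

The last two samples show the near misses the pattern must not catch: a named host on port 89 and an IP host on a port that merely starts with 89.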
*** This bug has been marked as a duplicate of 63735 ***
Status: REOPENED → RESOLVED
Closed: 21 years ago → 20 years ago
Resolution: --- → DUPLICATE
Product: mozilla.org → mozilla.org Graveyard