Closed
Bug 224944
Opened 21 years ago
Closed 20 years ago
newsgroups being heavily spammed
Categories
(mozilla.org Graveyard :: Server Operations, task)
mozilla.org Graveyard
Server Operations
Tracking
(Not tracked)
People
(Reporter: mohr.42, Assigned: mbaur)
Details
Something needs to be done about the amount of spam that started showing on
n.p.m.wishlist and n.p.m.svg in the past couple hours (and the other few n.p.m.?
newsgroups I checked that I'm not subscribed to). The current amount of spam
makes it impossible to follow a newsgroup.
I honestly don't know if mozilla.org can do anything, especially since the
newsgroups are available through multiple servers. Also, I'm not very familiar
with USENET. So I can't suggest a fix--I can only say something should be done.
Comment 1•21 years ago
|
||
nntp -> markus
Assignee: endico → mbaur
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•21 years ago
|
||
oops, someone forgot to change their email address. :) (netscape.com doesn't
work anymore). I IMed him though, and he's on it.
Comment 3•21 years ago
|
||
n.p.m.seamonkey is getting hit too.
Comment 4•21 years ago
|
||
as is n.p.m.webtools
Comment 5•21 years ago
|
||
And m.jseng.
It's the anti-globalization creeps. Someone track them down and electrocute
them, please.
/be
Reporter | ||
Comment 6•21 years ago
|
||
It appears to have stagnated, but for awhile it didn't look like it was going to
stop.
Comment 7•21 years ago
|
||
they must be trading newsgroups. npm.webtools has gotten 12 of them in the last
hour, 3 in the last 10 minutes.
Comment 8•21 years ago
|
||
2:20 AM EST:
<markus> The spam I looked at seemed to come from a single IP only
(200.66.80.11) which I've added to our blacklist.
<markus> Let me know if that didn't help.
<justdave> how long ago?
<markus> just a minute or two ago
Comment 9•21 years ago
|
||
well, it took until about 10am EST before it stopped coming through on the
mailing lists, but the block Marcus put on last night appears to have
successfully stopped it on the news server. So much of it showed up so fast it
apparently took MailMan a while to catch up with the stuff that was already on
the news server or something.
I'm going to sign this off as fixed.... if anyone is still seeing this crap
please reopen.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 10•21 years ago
|
||
I'm still getting them (just got a new one a few minutes ago, 8pm PST to
mozilla-unix, first timestamped by rheet.mozilla.org at Fri, 7 Nov 2003 00:26:45
-0800). But they're coming a lot more slowly now, a few per hour. Could that
all still be batched mail (is that 00:26 -0800 really PST, or UT?) I'll hold
off from reopening and see if it's still coming tomorrow.
Comment 11•21 years ago
|
||
hmm, I just got one, too. But it's from the same IP address that Markus already
blocked, and the timestamp on it is prior to the time he blocked it. Either
MailMan or Sendmail apparently had it queued somewhere.
Comment 12•21 years ago
|
||
I just deleted 2698 queue files containing the string
"NNTP-Posting Host: 200.66.80.11"
from the mail spool on rheet.
Reporter | ||
Comment 13•21 years ago
|
||
n.p.m.wishlist just got another, but it might be isolated.
Comment 14•21 years ago
|
||
Confirmed. he's baaccckk!!!
NNTP-Posting-Host: 219.252.1.30
Markus, can we block him again?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 15•21 years ago
|
||
Subject: Re: the shoes we wear
NNTP-Posting-Host: awork107089.netvigator.com
same crap
Comment 16•21 years ago
|
||
n.p.m.jseng and .seamonkey are under attack. Please cancel as well as
blacklisting the s.o.b.'s.
/be
Assignee | ||
Comment 17•21 years ago
|
||
I just blocked 219.252.1.30 and 203.198.21.89
Reporter | ||
Comment 18•21 years ago
|
||
I was going to reopen this now, but it wasn't closed after the last outbreak.
The guy appears to be back.
Comment 19•21 years ago
|
||
we already killed him. Markus was on top of things tonight :) There hasn't
been anything from him in the spool on rheet in the last 20 minutes, so I'm
assuming everything that made it through has been delivered already.
I killed 631 copies from MailMan's queue and 82 out of sendmail's queue after
Markus blocked their IP on the news server.
Comment 20•21 years ago
|
||
Is there any procmail or similar service running on rheet which might be able to
look for a few strings like "unswoosher" and set up a ban automatically?
Not that I'm complaining about Markus' flying fingers -- very fast ban this
time, thanks! Just wondering if an automated ban might save some labor if these
jerks are going to keep at it.
Reporter | ||
Comment 21•21 years ago
|
||
Resolving as fixed, until he comes back. Feel free to reopen if you know how to
do what is suggested in comment 20.
Status: REOPENED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → FIXED
Comment 22•21 years ago
|
||
They're back....
These are all in the last 3 days:
First three seem to be generic spammers looking to advertise their websites:
Newsgroups: netscape.public.mozilla.webtools
Message-ID: <760080377025031706533883543715@ezboard.com>
NNTP-Posting-Host: 24.222.121.229
Spammed-Website:
http://p208.ezboard.com/fozclubforumsfrm5.showMessage?topicID=118.topic
Newsgroups: netscape.public.mozilla.webtools
Message-ID: <302417213766532487426126535312@ezboard.com>
NNTP-Posting-Host: 24.222.121.229
Spammed-Website:
http://p208.ezboard.com/fozclubforumsfrm5.showMessage?topicID=118.topic
Newsgroups: netscape.public.mozilla.webtools
Message-ID: <cbklm6$it0105@ripley.netscape.com>
NNTP-Posting-Host: 200165025176.user.veloxzone.com.br
Spammed-Website: www.imoveisvitoria.com.br
The rest, all of which there's been several dozen over the last 3 days,
seem to be a virus that wants to spread via usenet, by my guess.
I have yet to see more than 2 of them come from the same IP address.
What they have in common:
1) Each is cross-posted to between 6 and 8 newsgroups, all within the
netscape.public.mozilla.* hierarchy
2) Each is advertising a URL with the following characteristics:
a) host is an IP address
b) port 89
c) filename ends in .scr
If we can block based on the body pattern matching #2 above, that would be great.
m#\bhttp://[^/]:89/\W+\/scr\b#
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 23•20 years ago
|
||
*** This bug has been marked as a duplicate of 63735 ***
Status: REOPENED → RESOLVED
Closed: 21 years ago → 20 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
|
Product: mozilla.org → mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•