On Wed, Oct 28, 2015 at 3:44 AM, Octavio Alvarez <octalnanog@alvarezp.org> wrote:
On 10/27/2015 05:09 AM, Ian Smith wrote:
On Mon, Oct 26, 2015 at 9:40 PM, Octavio Alvarez <octalnanog@alvarezp.org> wrote:
On 26/10/15 11:38, Jürgen Jaritsch wrote: <snip>
But it is originating all from different IP addresses. Who knows if this is an attack to get *@jdlabs.fr blocked from NANOG and is just getting its goal accomplished.
This is the part that's been bugging me. Doesn't the NANOG server implement SPF checking on inbound list mail? jdlabs.fr doesn't appear to have an SPF record published. It seems to me that these messages should have been dropped during the connection.
That doesn't stop spam from hijacked accounts.
For this case, an account was compromised, apparently.
There was no account compromise, it was only oddball webservers that were compromised and then used in a spam run where the From was set to a nanog subscriber's email address.
What if after 6 messages in the last 5 minutes with the same or absent 'In-Reply-To' moves the account to moderation mode?
Easier said than implemented, though.
This is already under consideration, by me, for a mailman patch. It's a good idea that has been around for a while and is well worth having as an option. -Jim P.
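
The throttling rule suggested in this thread (six posts within five minutes with the same or no In-Reply-To header moves the sender to moderation), sketched as an added example that is not part of the original messages and is not Mailman code. `FloodModerator` and `make_post` are hypothetical names, the sample addresses are constructed, and tripping on the sixth post is an assumed reading of the rule.

```python
from collections import defaultdict, deque
from email import message_from_string
from email.utils import parseaddr

WINDOW_SECONDS = 5 * 60  # "the last 5 minutes"
THRESHOLD = 6            # "6 messages"


class FloodModerator:
    """Hypothetical helper, not Mailman code: holds a sender's posts once
    THRESHOLD of them share one In-Reply-To value (or lack it) in the window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)  # (sender, parent) -> receipt times
        self.moderated = set()

    def observe(self, raw_message, received_at):
        """Return True if this post should be held for moderation.

        received_at is the list server's own receipt time in seconds; the
        Date header is sender-controlled and is not used.
        """
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        parent = (msg.get("In-Reply-To") or "").strip() or None
        if sender in self.moderated:
            return True  # already in moderation mode: hold everything
        stamps = self.recent[(sender, parent)]
        stamps.append(received_at)
        while received_at - stamps[0] > self.window:
            stamps.popleft()  # drop posts older than the window
        if len(stamps) >= self.threshold:
            self.moderated.add(sender)
            return True
        return False


def make_post(sender, in_reply_to=None):
    """Build a constructed sample message (example.org addresses are made up)."""
    headers = [f"From: {sender}", "To: list@example.org", "Subject: test"]
    if in_reply_to:
        headers.append(f"In-Reply-To: {in_reply_to}")
    return "\n".join(headers) + "\n\nbody\n"


if __name__ == "__main__":
    mod = FloodModerator()
    print([mod.observe(make_post("A User <a@example.org>"), t * 10) for t in range(7)])
```

The rule keys on the From address, which in the spam run described above was set to a subscriber's address, so it places the impersonated subscriber in moderation rather than stopping the sending hosts.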