Re: [Groff] goodbye to the groff list


From: Jim Reid
Subject: Re: [Groff] goodbye to the groff list
Date: Thu, 22 Apr 2004 09:21:15 +0100

>>>>> "Larry" == Larry Kollar <address@hidden> writes:

    Larry> Everyone has an opinion about where the spam is coming
    Larry> from, mine is that someone *subscribed to the groff list*
    Larry> is infected and unknowingly sending the viruses. My
    Larry> reasoning is that viruses sent to the groff list (that I've
    Larry> seen, anyway) are sent using the names of well-known
    Larry> listers (such as Werner or Ted Harding) -- and the way
    Larry> these things work is that they read the victim's address
    Larry> book to get addresses to send & forge. I was also under the
    Larry> impression that messages from non-subscribers got diverted
    Larry> to the list owner for vetting.

Your theory is probably wrong. The last virus message originated from
Balqa University in Jordan. That's unlikely to be a place where we'd
expect to find a list member. So the message probably came from a PC
there that had security holes which were exploited by the spammer or
worm/virus. A list member may well have inadvertently seeded the
virus/worm with valid email addresses. But now the worm/virus is
propagating itself and its spam through millions of unsecured PCs. The
checking for non-member postings is nearly useless and doesn't work
with these virus/worm messages. They just set the From: header to a
valid list address and the message goes through.

The list's mail system is inadequate. Take a look at the mail headers
in the most recent virus/worm message. There's no Message-Id, a good
indication the message is bogus. The first Received: line is:
        Received: from unknown (HELO ffii.org) (213.139.47.21)
          by genba.ffii.org with SMTP; 22 Apr 2004 05:05:00 -0000

This tells us that the SMTP connection came from 213.139.47.21 and
that reverse DNS for this IP address doesn't work. That's another good
indication of a spam source. Address to name mappings in the DNS work
for well-behaved clients. They usually don't for spammers. In the SMTP
dialogue, this host said "HELO ffii.org": it's claiming to be the name
of the server it's talking to! This is wrong. And it's a cast-iron
indication of a spam source. A decent mail system would have dropped
the SMTP connection at that point, assuming it hadn't already done so
because the client had no reverse DNS.

    Larry> Having said that, everyone has their own level of
    Larry> tolerance. The traffic here has been low enough that I can
    Larry> ignore the junk

Maybe, but that misses the point. Firstly, the spammers win if their
garbage reaches your mail server's disks. Filtering is all very well
but is the wrong solution IMO. Spam has to be blocked at its source.
It's too late to do something about this after the SMTP session has
closed and your disk space, CPU cycles and bandwidth have been handed
to the spammer.

The more important point is the mail administrators at ffii.org aren't
doing a good enough job. Nobody seems to be able to do anything about
that. This means the list needs to find a new home or it will die.
[From the simple perspective of list administration, a mailing list is
doomed if there's no effective list management.] Roger has volunteered
to provide a new home for the list. We should take up that very kind
offer and abandon the ffii.org list to get clogged with spam and virus
crap.

IMO, the time for talking about this problem is over. We should move
the list to a new home that has better anti-spam defences and a list
manager or postmaster who will take their responsibilities seriously.
Can I suggest that Roger starts address@hidden and tells us how to
subscribe? We can then migrate to that and unsubscribe ourselves from
the flawed ffii.org's list.
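
The three header checks described in the message above (missing Message-Id, no reverse DNS, HELO naming the receiving server), as an added example that is not part of the original e-mail. It assumes the qmail-style Received: layout quoted there; the function name, indicator labels and both sample messages are constructed, and treating the server's parent domain as its own name is an assumption.

```python
import re
from email import message_from_string

# Layout of the trace line quoted in the e-mail:
#   from <rdns-name|unknown> (HELO <name>) (<ip>) by <host> with SMTP; <date>
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"\((?P<ip>[0-9.]+)\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def spam_indicators(raw_message):
    """Return which of the three indicators from the e-mail a message trips."""
    msg = message_from_string(raw_message)
    hits = []
    if not msg.get("Message-Id"):           # header lookup is case-insensitive
        hits.append("no-message-id")
    received = msg.get_all("Received") or []
    if not received:
        return hits
    # First Received: header, unfolded onto one line before matching.
    m = RECEIVED_RE.search(" ".join(received[0].split()))
    if not m:
        return hits                          # not the layout assumed here
    if m["rdns"].lower() == "unknown":       # server found no PTR name for the IP
        hits.append("no-reverse-dns")
    helo = m["helo"].lower().rstrip(".")
    by = m["by"].lower().rstrip(".")
    # Assumption: the server's parent domain also counts as "its own name".
    if by == helo or by.endswith("." + helo):
        hits.append("helo-claims-our-name")
    return hits

# Constructed sample: the Received: line is the one quoted in the e-mail,
# the other headers are made up, and Message-Id is deliberately absent.
SUSPECT = (
    "Received: from unknown (HELO ffii.org) (213.139.47.21)\n"
    "  by genba.ffii.org with SMTP; 22 Apr 2004 05:05:00 -0000\n"
    "From: lister@example.org\n"
    "Subject: constructed sample\n\nbody\n"
)
# Constructed contrast case: resolvable client, honest HELO, Message-Id present.
CLEAN = (
    "Received: from mail.example.net (HELO smtp.example.net) (192.0.2.10)\n"
    "  by genba.ffii.org with SMTP; 22 Apr 2004 05:06:00 -0000\n"
    "Message-Id: <constructed.1@example.net>\n"
    "From: lister@example.net\n\nbody\n"
)

if __name__ == "__main__":
    print(spam_indicators(SUSPECT))
    print(spam_indicators(CLEAN))
```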

