Thread: news gateway malfunctioning?

news gateway malfunctioning?

From
Alvaro Herrera
Date:
Hi Marc,

Lately I have gotten a number of moderation requests for -hackers and
other lists that look like the attached message.  From the header it
looks to me like they are coming from the USENET gateway; I wonder
what's up with the "RCPT TO" stuff at the top of the body of the
message.  Is the gateway getting confused by the mangling done by the
spam checker?

--
Alvaro Herrera                         http://www.flickr.com/photos/alvherre/
"Y eso te lo doy firmado con mis lágrimas" (Fiebre del Loco)
__
The following request:

  "(post to pgsql-hackers)"

was sent to postgresql.org
by www.softmarket.rumix@saratoff.ru.

The request requires your confirmation for the following reason(s):

  The author (www.softmarket.rumix@saratoff.ru)
  is not a member of any of the restrict_post groups.


To accept or reject this request, please do one of the following:

1. If you have web browsing capability, visit
   <http://mail.postgresql.org/mj/mj_confirm/domain=postgresql.org?t=D3DF-3B9E-0982>
   and follow the instructions there.

2. Reply to majordomo@postgresql.org
   with one of the following two commands in the body of the message:

    accept
    reject

   (The number D3DF-3B9E-0982 must be in the Subject header)

3. Reply to majordomo@postgresql.org
   with one of the following two commands in the body of the message:

    accept D3DF-3B9E-0982
    reject D3DF-3B9E-0982

4. If you know the administrative password for the pgsql-hackers list,
   all pending requests can be managed by visiting
   <http://mail.postgresql.org/mj/mj_wwwadm/domain=postgresql.org/pgsql-hackers?func=showtokens>

If you do not respond within 7 days, this token will expire,
and the request will not be completed.

MAIL FROM: <alsou@triza.ru>
RCPT TO: <pgsql-hackers@news.hub.org>
RCPT TO: <pgsql-docs@news.hub.org>
RCPT TO: <pgsql-general@news.hub.org>
RCPT TO: <pgsql-committers@news.hub.org>
RCPT TO: <usenet@news.hub.org>
RCPT TO: <mailnull@news.hub.org>
RCPT TO: <pgsql-patches@news.hub.org>
DATA
Received: from 116.22.234.180 by mail.triza.ru; Wed, 4 Mar 2009 23:34:24 +0800
Message-ID: <000d01c99cde$b2948380$6400a8c0@alsou>
From: =?koi8-r?B?5tXOy8PJySDTxcvSxdTB0tE=?= <alsou@triza.ru>
To: <pgsql-hackers@news.hub.org>
Subject: =?koi8-r?B?5tXOy8PJz87BzNjO2cUgz8LR2sHOzs/T1MkgIMkg3NTJy8XUICDTzNXW?=
    =?koi8-r?B?xcLO2cggz9TOz9vFzsnKINPFy9LF1MHS0Q==?=
Date: Wed, 4 Mar 2009 23:34:24 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0007_01C99CDE.B2948380"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2741.2600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2741.2600

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01C99CDE.B2948380
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable




Re: news gateway malfunctioning?

From
"Marc G. Fournier"
Date:
On Wed, 4 Mar 2009, Alvaro Herrera wrote:

> Hi Marc,
>
> Lately I have gotten a number of moderation requests for -hackers and
> other lists that look like the attached message.  From the header it
> looks to me like they are coming from the USENET gateway; I wonder
> what's up with the "RCPT TO" stuff at the top of the body of the
> message.  Is the gateway getting confused by the mangling done by the
> spam checker?

I'm a bit lost here, so bear with me ...

First question, I guess, is whether there are other messages showing up
that RCPT TO stuff, or is it just these types of 'spam' messages ... ?

The oddness here is that it almost looks like someone manually connected
to the smtp port and tried to inject the message manually ... and ended up
injecting the 'formatted message' that has all the SMTP cmds embedded ...

The second question is ... mangling done by what spam checker?  Our spam 
checker does nothing except add some X-Spam / X-Virus related headers ... 
the body isn't touched ...

 ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
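
One way to check the first question above (which held messages arrive with envelope commands at the top of the body) is to scan them mechanically. The following Python is an added example, not part of the original thread or of the list software; the function names and the example.org sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Envelope commands as they appear at the top of the held messages.
ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>\s*$", re.I)

def split_leaked_envelope(body):
    """Peel leading MAIL FROM / RCPT TO / DATA groups off a message body."""
    lines = body.lstrip("\r\n").splitlines()
    transactions, current, end = [], None, 0
    for i, line in enumerate(lines):
        m = ENVELOPE_RE.match(line)
        if m and m.group(1).upper() == "MAIL FROM":
            current = {"mail_from": m.group(2), "rcpt_to": []}
        elif m and current is not None:
            current["rcpt_to"].append(m.group(2))
        elif line.strip().upper() == "DATA" and current is not None:
            transactions.append(current)
            current, end = None, i + 1   # several groups may be stacked
        else:
            break                        # first line that is not envelope
    return transactions, "\n".join(lines[end:])

def triage(body):
    transactions, rest = split_leaked_envelope(body)
    if not transactions:
        return {"leaked": False}
    msg = message_from_string(rest)      # what follows DATA, parsed as mail
    charsets = {p.get_content_charset() for p in msg.walk()}
    return {
        "leaked": True,
        "senders": [t["mail_from"] for t in transactions],
        "recipients": sorted({r for t in transactions for r in t["rcpt_to"]}),
        "has_headers": msg["Message-ID"] is not None,
        "charsets": sorted(c for c in charsets if c),
    }

# Constructed samples (example.org addresses, not taken from the thread).
SAMPLE_LEAKED = """\
MAIL FROM: <sender@example.org>
RCPT TO: <list-a@news.example.org>
RCPT TO: <list-b@news.example.org>
DATA
Message-ID: <constructed-1@example.org>
Content-Type: text/plain; charset="koi8-r"

body text
"""
SAMPLE_CLEAN = "Hello list,\n\nRCPT TO: is mentioned here, not at the top.\n"
```

Running `triage` over every held message and grouping the results by `charsets` shows whether the leading envelope lines correlate with one encoding or appear across all traffic from the gateway.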


Re: news gateway malfunctioning?

From
Alvaro Herrera
Date:
Marc G. Fournier wrote:
> On Wed, 4 Mar 2009, Alvaro Herrera wrote:
>
>> Lately I have gotten a number of moderation requests for -hackers and
>> other lists that look like the attached message.  From the header it
>> looks to me like they are coming from the USENET gateway; I wonder
>> what's up with the "RCPT TO" stuff at the top of the body of the
>> message.  Is the gateway getting confused by the mangling done by the
>> spam checker?
>
> I'm a bit lost here, so bear with me ...
>
> First question, I guess, is whether there are other messages showing up
> that RCPT TO stuff, or is it just these types of 'spam' messages ... ?

As far as I can tell, it's only spam messages that are KOI8-R encoded.
Strangely no other spam message seems to suffer the same fate.  Maybe
something is buggy in the usenet gateway path that gets confused by a
KOI8-R escape sequence or something, and ends up inserting an extra
carriage return.

> The oddness here is that it almost looks like someone manually connected
> to the smtp port and tried to inject the message manually ... and ended
> up injecting the 'formatted message' that has all the SMTP cmds embedded
> ...

Well, it's consistent enough that I doubt that's the case.  I attach a
pair of messages here.  As far as I can tell, they are both exactly the
same message, except that one was passed through the usenet gateway.

--
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
__
The following request:

  "(post to pgsql-hackers)"

was sent to postgresql.org
by www.softmarket.rumix@saratoff.ru (=?koi8-r?B?88/T1MHXzMXOycUgzs/Nxc7LzMHU1dLZIMTFzA==?=).

The request requires your confirmation for the following reason(s):

  The author (www.softmarket.rumix@saratoff.ru (=?koi8-r?B?88/T1MHXzMXOycUgzs/Nxc7LzMHU1dLZIMTFzA==?=))
  is not a member of any of the restrict_post groups.


To accept or reject this request, please do one of the following:

1. If you have web browsing capability, visit
   <http://mail.postgresql.org/mj/mj_confirm/domain=postgresql.org?t=AFDB-1B52-CAF6>
   and follow the instructions there.

2. Reply to majordomo@postgresql.org
   with one of the following two commands in the body of the message:

    accept
    reject

   (The number AFDB-1B52-CAF6 must be in the Subject header)

3. Reply to majordomo@postgresql.org
   with one of the following two commands in the body of the message:

    accept AFDB-1B52-CAF6
    reject AFDB-1B52-CAF6

4. If you know the administrative password for the pgsql-hackers list,
   all pending requests can be managed by visiting
   <http://mail.postgresql.org/mj/mj_wwwadm/domain=postgresql.org/pgsql-hackers?func=showtokens>

If you do not respond within 7 days, this token will expire,
and the request will not be completed.


Делопроизводство -  организация документооборота предприятия
Вся информация по тел: [495] 792*--21 22, 4Ч5Ч05З


    18 Mарtа 2ОО9 г.


Программа мероприятия 1-й день:

  Нормативно-правовые акты по делопроизводству. Основные категории документов. Создание Табеля унифицированных форм
документовпредприятия=
__
The following request:

  "(post to pgsql-hackers)"

was sent to postgresql.org
by www.softmarket.rumix@saratoff.ru.

The request requires your confirmation for the following reason(s):

  The author (www.softmarket.rumix@saratoff.ru)
  is not a member of any of the restrict_post groups.


To accept or reject this request, please do one of the following:

1. If you have web browsing capability, visit
   <http://mail.postgresql.org/mj/mj_confirm/domain=postgresql.org?t=B458-2AF8-2D95>
   and follow the instructions there.

2. Reply to majordomo@postgresql.org
   with one of the following two commands in the body of the message:

    accept
    reject

   (The number B458-2AF8-2D95 must be in the Subject header)

3. Reply to majordomo@postgresql.org
   with one of the following two commands in the body of the message:

    accept B458-2AF8-2D95
    reject B458-2AF8-2D95

4. If you know the administrative password for the pgsql-hackers list,
   all pending requests can be managed by visiting
   <http://mail.postgresql.org/mj/mj_wwwadm/domain=postgresql.org/pgsql-hackers?func=showtokens>

If you do not respond within 7 days, this token will expire,
and the request will not be completed.

MAIL FROM: <alsou@triza.ru>
RCPT TO: <pgsql-hackers@news.hub.org>
RCPT TO: <pgsql-docs@news.hub.org>
RCPT TO: <pgsql-general@news.hub.org>
RCPT TO: <pgsql-committers@news.hub.org>
RCPT TO: <usenet@news.hub.org>
RCPT TO: <mailnull@news.hub.org>
RCPT TO: <pgsql-patches@news.hub.org>
DATA
MAIL FROM: <a.kluveld@abbnm.com>
RCPT TO: <pgsql-hackers@news.hub.org>
RCPT TO: <pgsql-docs@news.hub.org>
RCPT TO: <pgsql-general@news.hub.org>
RCPT TO: <pgsql-committers@news.hub.org>
RCPT TO: <usenet@news.hub.org>
RCPT TO: <mailnull@news.hub.org>
RCPT TO: <pgsql-patches@news.hub.org>
DATA
Received: from 116.22.234.180 by fw.abbnm.com; Wed, 4 Mar 2009 23:34:32 +0800
Message-ID: <000d01c99cde$b7163b10$6400a8c0@a.kluveld>
From: =?koi8-r?B?6c3JxNYgz8bJ0y3Nxc7FxNbF0sE=?= <a.kluveld@abbnm.com>
To: <pgsql-hackers@news.hub.org>
Subject: =?koi8-r?B?5tXOy8PJz87BzNjO2cUgz8LR2sHOzs/T1MkgIMkg3NTJy8XUICDTzNXW?=
    =?koi8-r?B?xcLO2cggz9TOz9vFzsnKINPFy9LF1MHS0Q==?=
Date: Wed, 4 Mar 2009 23:34:32 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0007_01C99CDE.B7163B10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01C99CDE.B7163B10
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

