list abuse - Externals

21 years ago by Paul G — view source

unread

folks,

would someone with ml admin privs take a look and, if present, remove an @tgpwizards.com e-mail address subscription? the user has apparently put a sender confirmation script in place that bombards me (and i'm sure others as well) with confirmation requests. needless to say, it gets very old very fast.

paul

21 years ago by Andrey Hristov — view source

unread

Paul G wrote:

folks,

would someone with ml admin privs take a look and, if present, remove an @tgpwizards.com e-mail address subscription? the user has apparently put a sender confirmation script in place that bombards me (and i'm sure others as well) with confirmation requests. needless to say, it gets very old very fast.

paul

Last time I looked at the message it does spoof the original address and is being
sent from an unknown server.

Andrey

21 years ago by Paul G — view source

unread

----- Original Message -----
From: "Andrey Hristov" php@hristov.com
To: "Paul G" paul@rusko.us
Cc: internals@lists.php.net
Sent: Monday, August 02, 2004 4:18 AM
Subject: Re: [PHP-DEV] list abuse

Paul G wrote:

folks,

would someone with ml admin privs take a look and, if present, remove an
@tgpwizards.com e-mail address subscription? the user has apparently put a
sender confirmation script in place that bombards me (and i'm sure others as
well) with confirmation requests. needless to say, it gets very old very
fast.

paul

Last time I looked at the message it does spoof the original address and
is being
sent from an unknown server.

it is unlikely it does so intentionally. mail coming from the list has
internals@ listed as the to: address, which the script obviously doesn't
sanity check. regardless of whether this is malicious, the dude needs to go.

paul

21 years ago by Andrey Hristov — view source

unread

Quoting Paul G paul@rusko.us:

----- Original Message -----
From: "Andrey Hristov" php@hristov.com
To: "Paul G" paul@rusko.us
Cc: internals@lists.php.net
Sent: Monday, August 02, 2004 4:18 AM
Subject: Re: [PHP-DEV] list abuse

Paul G wrote:

folks,

Last time I looked at the message it does spoof the original address and
is being
sent from an unknown server.

it is unlikely it does so intentionally. mail coming from the list has
internals@ listed as the to: address, which the script obviously doesn't
sanity check. regardless of whether this is malicious, the dude needs to go.

Sure it does it intentionally. I have used to check the site without the
provided link and it looked
like some pr0n site.

Here is the source of the last message. Usually they "come" from addresses like
andi@zend.com,
zeev@zend.com even paul@rusko.us :)

[snip]
Received: from hristov by iko.gotobg.net with local-bsmtp (Exim 4.34)
id 1BrTFY-0005fA-ON
for php@hristov.com; Mon, 02 Aug 2004 06:12:42 +0300
Received: from [66.17.150.83] (helo=tgpnexus.com)
by iko.gotobg.net with esmtp (Exim 4.34)
id 1BrTFY-0007Sp-BJ
for php_at_hristov_punkt_com; Mon, 02 Aug 2004 06:12:32 +0300
Received: (from root@localhost)
by tgpnexus.com (8.11.6/8.11.6) id i722svi20745;
Sun, 1 Aug 2004 22:54:57 -0400
Date: Sun, 1 Aug 2004 22:54:57 -0400
Message-Id: 200408020254.i722svi20745@tgpnexus.com
To: php_at_hristov_punkt_com
Subject: IMPORTANT: Please Verify Your Message
From: internals@lists.php.net
Reply-To: internals@lists.php.net
[/snip]
As far as I see this email has nothing to do with internals and php.net services
except it spoofs
that it comes from internal@lists.php.net .So the mail comes from tgpnexus.com
(looks like).

andrey

21 years ago by Paul G — view source

unread

----- Original Message -----
From: "Andrey Hristov" php@hristov.com
To: "Paul G" paul@rusko.us
Cc: internals@lists.php.net
Sent: Monday, August 02, 2004 9:53 AM
Subject: Re: [PHP-DEV] list abuse

--- snip ---

Sure it does it intentionally. I have used to check the site without the
provided link and it looked
like some pr0n site.

Here is the source of the last message. Usually they "come" from addresses
like
andi@zend.com,
zeev@zend.com even paul@rusko.us :)

this is really simple, as i've stated in a previous mail. script parses
message, takes the address listed first in the 'to' and uses it as 'from'
for the confirmation mail. this works perfectly fine when it's a mail from
person A to cluetard B, but delivers funky results (which we are seeing)
when used on an account that receives mailing list traffic. this is
understandable, since the author obviously never intended for it to be used
that way.

nekkidness or no nekkidness doesn't make a difference in this case (the
website seems to be a service for adult gallery webmasters) - if they wanted
to harvest e-mail addresses, they could just harvest from the archives. this
is clearly a case of misconfiguration (ie confirmation script enabled on an
account receiving maillist traffic).

regardless, it would be nice to get rid of it. can someone on the admin side
send an ID'ed test to subscribers to see where this is coming from (or is
this considered a minor nuisance not worth bothering with)?

paul

21 years ago by Wez Furlong — view source

unread

I checked this last week; there are no people subscribed using that domain.

folks,

would someone with ml admin privs take a look and, if present, remove an @tgpwizards.com e-mail address subscription? the user has apparently put a sender confirmation script in place that bombards me (and i'm sure others as well) with confirmation requests. needless to say, it gets very old very fast.

paul