[Mailman-Users] Spam - from where?

[Mark Sapiro]

Lindsay Haisley wrote:

>I just checked my mail logs and find a very large number of attempted
>deliveries from the list to various users @gamblingplanet.org.  e.g.,
>
>Jun  8 17:27:52 kali courierd: started,id=00000000001B562E.000000004C0E7E65.00004AF9,from=<cyberpluckers-bounces+playwrightcl=gamblingplanet.org at autoharp.org>,module=esmtp,host=gamblingplanet.org,addr=<playwrightCL at gamblingplanet.org>
>Jun  8 17:28:52 kali courieresmtp: id=00000000001B562E.000000004C0E7E65.00004AF9,from=<cyberpluckers-bounces+playwrightcl=gamblingplanet.org at autoharp.org>,addr=<playwrightCL at gamblingplanet.org>: Connection timed out
>Jun  8 17:28:52 kali courieresmtp: id=00000000001B562E.000000004C0E7E65.00004AF9,from=<cyberpluckers-bounces+playwrightcl=gamblingplanet.org at autoharp.org>,addr=<playwrightCL at gamblingplanet.org>,status: deferred
>
>There are no addresses @gamblingplanet.org on the cyberpluckers list!
>Has the list server been hacked?  What could be going on here?  I'm not
>seeing any incoming probes which would generate a list DSN or NDR.



These are VERPed Mailman messages in response to messages from
playwrightcl at gamblingplanet.org. The originals will be in your logs
too. Just prior to the log messages quoted above, you will find
messages from somewhere to cyberpluckers at autoharp.org,
cyberpluckers-request at autoharp.org, etc.

The return messages above could be held or rejected post messages,
results of your email commands messages, etc. depending on to where
the originals were delivered.

Note that the 'from=' in the log of the original is the envelope sender
which is probably not playwrightcl at gamblingplanet.org and maybe not
anything in the gamblingplanet.org domain.
playwrightcl at gamblingplanet.org is the From: header address of the
message.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan