Gallery Digest Spam?

bensode

Joined: 2005-10-16
Posts: 2
Posted: Sun, 2005-10-16 02:05

I registered to the announce digest mail list and all of a sudden I'm getting spam to it. I key dist lists and sites I have to register to an email address that's exclusive to it, that way I would know where spam is truly coming from and see who is violating their ToS. Well, within days of registering here at gallery I'm getting spam to the address that is published nowhere else but to the list manager for gallery.

Here are the headers, although probably forged. Some things edited for obvious reasons but an original is available if required. Mail comes into my mail server then is redirected to a private account (Gmail).

------
X-Gmail-Received: 8147d94655eba22b60ed9f40fac21df5341a5ffb
Delivered-To:

Received: by 10.65.105.6 with SMTP id h6cs20196qbm;
        Sat, 15 Oct 2005 13:44:46 -0700 (PDT)
Received: by 10.65.160.11 with SMTP id m11mr724383qbo;
        Sat, 15 Oct 2005 13:44:46 -0700 (PDT)
Return-Path: <Moore@fronttraining.com>
Received: from mail.hudat.com (hudat.com [64.135.121.12])
        by mx.gmail.com with ESMTP id c5si4294169qbc.2005.10.15.13.44.45;
        Sat, 15 Oct 2005 13:44:46 -0700 (PDT)
Received-SPF: neutral (gmail.com: 64.135.121.12 is neither permitted nor denied by best guess record for domain of

)
Received: from localhost (localhost [127.0.0.1])
        by spam-scan.localhost.localdomain (Postfix) with ESMTP id 7E3F062800A
        for <XXXX@gmail.com>; Sat, 15 Oct 2005 16:44:44 -0400 (EDT)
Received: from mail.hudat.com ([127.0.0.1])
        by localhost (scan.localhost.localdomain [127.0.0.1]) (amavisd-new, port 10029)
        with ESMTP id 31704-10 for <XXXX@gmail.com>;
        Sat, 15 Oct 2005 16:44:42 -0400 (EDT)
Received: from agu138.internetdsl.tpnet.pl (agu138.internetdsl.tpnet.pl [83.16.176.138])
        by mail.hudat.com (Postfix) with SMTP id 16789628003
        for <gallery@gypsyhouse.net>; Sat, 15 Oct 2005 16:44:40 -0400 (EDT)
Message-ID: <4ee301c5d1c9$052871ea$3bb4e677@agu138.internetdsl.tpnet.pl>
From: "Robinson Morris" <Moore@fronttraining.com>
To: "Robison Morton" <gallery@gypsyhouse.net>
Subject: Re[4]: Hi!
Date: Sat, 15 Oct 2005 20:44:43 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_40CE_1F627A89.B53D40CE"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Virus-Scanned: amavisd-new at hudat.com

This is a multi-part message in MIME format.

------=_NextPart_000_40CE_1F627A89.B53D40CE
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Best choice for those who have it!

Go on, give it a try. You'll sure enjoy it!
SPUR-M: http://www.geocities.com/wt6p1d2qkmz8gx/

Discreet, unmarked packaging.

------=_NextPart_000_40CE_1F627A89.B53D40CE
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2722" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>
Best choice for those who have it!
</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Go on, give it a try. =
You'll sure=20
enjoy it!<BR>SPUR-M: <A=20
href=3D"http://www.geocities.com/wt6p1d2qkmz8gx/">http://www.geocities.com/wt6p1d2qkmz8gx/</A></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Discreet, unmarked=20
packaging.</FONT></DIV></BODY></HTML>

------=_NextPart_000_40CE_1F627A89.B53D40CE--
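
An added example, not part of the original thread: one way to read the Received chain quoted in the post above, walking it newest-first, keeping only hops written by servers the recipient trusts, and reporting the first external peer and the alias it was addressed to. The TRUSTED and ALIASES tables and the final mail.example.org hop are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: Received chain from the post above, folded lines re-indented.
# The last Received line is invented here to stand in for a forged hop.
RAW = """\
Received: from mail.hudat.com (hudat.com [64.135.121.12])
        by mx.gmail.com with ESMTP id c5si4294169qbc.2005.10.15.13.44.45;
        Sat, 15 Oct 2005 13:44:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
        by spam-scan.localhost.localdomain (Postfix) with ESMTP id 7E3F062800A
        for <XXXX@gmail.com>; Sat, 15 Oct 2005 16:44:44 -0400 (EDT)
Received: from agu138.internetdsl.tpnet.pl (agu138.internetdsl.tpnet.pl [83.16.176.138])
        by mail.hudat.com (Postfix) with SMTP id 16789628003
        for <gallery@gypsyhouse.net>; Sat, 15 Oct 2005 16:44:40 -0400 (EDT)
Received: from mail.example.org (mail.example.org [192.0.2.10])
        by relay.example.net with ESMTP; Sat, 15 Oct 2005 20:44:00 +0000
From: "Robinson Morris" <Moore@fronttraining.com>
To: "Robison Morton" <gallery@gypsyhouse.net>
Subject: Re[4]: Hi!
"""

# Assumption: hosts whose Received lines the recipient can trust (own server, Gmail).
TRUSTED = {"mx.gmail.com", "spam-scan.localhost.localdomain", "mail.hudat.com"}
# Assumption: the poster's record of which unique alias was handed to which service.
ALIASES = {"gallery@gypsyhouse.net": "Gallery announce list"}

HOP = re.compile(
    r"(?:from\s+(?P<helo>\S+)\s+\((?P<rdns>\S*?)\s*\[(?P<ip>[\d.]+)\]\)\s+)?"
    r"by\s+(?P<by>\S+)(?:.*?\bfor\s+<(?P<rcpt>[^>]+)>)?", re.S)

def entry_hop(raw, trusted=TRUSTED):
    """Oldest hop written by a trusted server; anything older may be forged."""
    entry = None
    for value in message_from_string(raw).get_all("Received", []):  # newest first
        m = HOP.match(value)
        if m is None or m["by"].lower() not in trusted:
            break  # first line we cannot vouch for: stop walking
        if m["ip"] and m["ip"] != "127.0.0.1":
            entry = m.groupdict()  # external peer as seen by a trusted server
    return entry

def attribute(raw):
    """Return (sending IP, envelope recipient, service the alias was given to)."""
    hop = entry_hop(raw)
    return hop["ip"], hop["rcpt"], ALIASES.get(hop["rcpt"].lower(), "unknown alias")

if __name__ == "__main__":
    print(attribute(RAW))
```

The From, To and Return-Path values are sender-supplied and play no part in the result; only the peer address a trusted server recorded is used.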

 
bharat

Joined: 2002-05-21
Posts: 7994
Posted: Sun, 2005-10-16 09:15

That's not good!

The announce mailing list is managed by the SourceForge folks and I know that they hate spam with a passion. I'd be shocked if they were doing anything disreputable with that list information.

Did you use the same email address to register to the announce list as you did to register to the Gallery website? I searched the database and don't see any references to your email address in publicly visible places so it's not obvious to me how a spam harvester could have gotten at it. Our mail server is on the same machine as the webserver, so it should not be getting leaked that way. I keep the server up to date, it's as secure as I can make it with tight firewall rules and anti-intrusion systems. I regularly run rootkit checks and keep a close tab on it.

I'm going to create a new gmail account and register it to the announce list and see if I get any spam to it, and maybe figure out what's going on here. Thanks for the heads up, and if you figure out anything more please let me know!

 
bensode

Joined: 2005-10-16
Posts: 2
Posted: Mon, 2005-10-17 00:06

Yeah I didn't think it would be a good thing but thought it was very unusual. I did a little more homework today and went over the gallery site I run and confirmed that the gallery admin account email is the same as I registered (the spammed one). I can tell you that other than the announce list and this forum that email hasn't been knowingly published anywhere. I pretty much make them ad-hoc as I go and don't reuse them since I can create them on the go. Oddly enough, I went through just about every interface option of Gallery but don't see where anyone could pick that up so I'm wondering if there is a bot out there that is able to target gallery sites and strip the information out? It's not a big deal at this point and I kill that mail account and resubscribe with a new one but thought maybe that may be something to look into.

Bensode