[Wine] Wine registration email - system failure

Martin Gregorie martin at gregorie.org
Tue Jul 26 10:42:15 CDT 2011


On Tue, 2011-07-26 at 08:53 -0500, Ace... wrote:
> So now, after some serious debate; what consensus conclusions can we draw?
>
> 1. Do we now think that, in fact, WineHQ is NOT a major source of spam?
>
It still is a source of spam, though not a huge source. My count, for
the last week, says:
July 20 - 1
July 21 - 2
July 22 - 4
July 23 - 0
July 24 - 1
July 25 - 3
July 26 - 11 (so far at 16:00 PM GMT - my spam filter caught 7 of these)

All of this is genuine spam: I've read all of them. Today is unusual:
the spam rate for the first six days is more typical.
 
> 2. Could it still be the case (hence the isp block)?
> 
My ISP uses greylisting. Before its implementation 80% of my mail was
spam. Post implementation it's about 8%. The stuff I'm trapping is what
gets through the greylister.
 
> 3. Could it be that WineHQ WAS a major source of spam, and was therefore blacklisted, and remains so?
> (the latter: it used to be the case that blacklisting only lasted two or three months)
> 
I'd say that a day like today would be more than enough to get WineHQ
reported to at least one or more public blacklists and/or ISPs' private
blacklists. Caveats:

- nobody is getting this spam unless they are subscribed to a Wine
  mail list, which will probably limit those who report it to a
  blacklist to casual users who think unsubscribing is more effort
  than getting it blacklisted.

- Spam received from WineHQ mail lists is quite hard to trap: since the
  CodeWeavers MTA sends direct to subscribers' ISPs or MTAs, the usual
  set of headers that trigger many SpamAssassin rules are absent, so
  almost all that can be used to trap this spam is the body content.
  Writing general rules to catch this spam without getting false
  positives on legit. Wine user messages is very difficult.

  In general it's a case of playing whack-a-mole by building lists of the
  URLs they're advertising.

  Simply doing URIBL lookups on the Wineusers output message stream
  to check the URLs in the subject line and body may catch a lot of it.
  IMO that would be worth a try, anyway.

> 4. Could it be that WineHQ was never a major source of spam?
> 
Not the case. See above.

> We have already identified the 'repeated word' bug, in the subject line.....
> .... in fact I've just had another look at the email.
> 
Unlikely, I think. I've never seen a standard SpamAssassin rule that
triggers on arbitrary repeated words. If any did, they'd be looking for
words that were specific to the stuff being advertised, not something as
neutral as 'Forum'.


Martin
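
Added example (not part of the original message, and not WineHQ or SpamAssassin code): a sketch of the URIBL check suggested above, pulling URLs from the subject line and body of an outgoing list message and looking each domain up in a URI blacklist. Assumptions: the `multi.uribl.com` zone with its 127.0.0.x bitmask answers (2 = black, 4 = grey, 8 = red, 1 = query refused), a two-label approximation of the registered domain, and a constructed sample message; the resolver is injectable so the logic can be exercised offline.

```python
import re
import socket
from email import message_from_string
from urllib.parse import urlsplit

ZONE = "multi.uribl.com"  # assumed zone; point this at whichever URIBL you query
URL_RE = re.compile(r"https?://[^\s<>\"')\[\]]+", re.I)

def candidate_domains(raw_message):
    """Domains of every URL found in the Subject header and the text body."""
    msg = message_from_string(raw_message)
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            text += "\n" + body.decode(part.get_content_charset() or "utf-8", "replace")
    domains = set()
    for url in URL_RE.findall(text):
        labels = (urlsplit(url).hostname or "").rstrip(".").split(".")
        if len(labels) >= 2 and not labels[-1].isdigit():  # skip bare IP hosts
            # Assumption: last two labels stand in for a Public Suffix List lookup.
            domains.add(".".join(labels[-2:]))
    return sorted(domains)

def dns_lookup(name):
    try:
        return socket.gethostbyname(name)  # A record as a string
    except OSError:
        return None  # NXDOMAIN or resolver failure: treat as not listed

def uribl_hits(raw_message, resolve=dns_lookup):
    """Map each listed domain to the lists (black/grey/red) it appears on."""
    hits = {}
    for domain in candidate_domains(raw_message):
        answer = resolve(f"{domain}.{ZONE}") or ""
        if not answer.startswith("127.0.0."):
            continue
        code = int(answer.rsplit(".", 1)[1])
        lists = [n for bit, n in ((2, "black"), (4, "grey"), (8, "red")) if code & bit]
        if lists:  # bit 1 alone signals a refused query, not a listing
            hits[domain] = lists
    return hits

# Constructed sample: a list post with URLs in both the subject and the body.
SAMPLE = """\
Subject: Forum: cheap offer http://shop.spam-example.test/x

See http://www.spam-example.test/buy or the FAQ at https://wiki.legit-example.test/faq.
"""
```

A list server would hold or reject any message for which `uribl_hits` returns a non-empty result; treating a resolver failure as "not listed" keeps legitimate posts flowing when DNS is down.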




