Excerpts from Magnus Hagander's message of jue jun 09 07:14:24 -0400 2011:
> On Wed, Jun 8, 2011 at 23:14, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > Magnus Hagander <magnus@hagander.net> writes:
> >> This was posted by someone who was actually a subscriber to the list.
> >> And does have DKIM signatures from gmail - though I don't have the
> >> tools to verify them.
> >
> >> It indicates to me that either someone got their account(s) hacked and
> >> used to send it, or a spammer is sophisticated enough to create a
> >> gmail account and subscribed it to the list before they post.. Which
> >> seems quite advanced..
> >
> > Hard to tell which it is. I believe we've seen these from a number of
> > different gmail accounts. Do we have logs showing how long somebody's
> > been subscribed? If they were recent subscribers I'd think the latter,
> > else more likely the former.
>
> No idea, unfortunately. Marc/Alvaro, do we have such a log?
I don't think so, no. Majordomo doesn't seem to keep it. I have one
for the spanish list, of course, but that's just the emails that
Majordomo sends me to notify of the subscription changes. I somehow
doubt that Marc is going to keep them for all lists.
As far as this problem goes, anyway, I've sort of seen a similar problem
in the spanish list: some long-subscribed fellow seems to get
"something" in their Hotmail account (I've seen a couple from Gmail as
well, but Hotmail seems to be more frequently affected) and they start
sending link spam such as the above.
What I did in that case was to add a rule that sends to moderation all
emails with
/^Message-Id:.*phx.gbl/i
This blocks all the bad ones coming from Hotmail, as well as some
legitimate Hotmail email. (Fortunately we have very few active Hotmail
users anyway).
I have not looked into Gmail spam. Clearly, marking all email from
gmail.com for moderation is not practical.
--
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support