From majordomo-users-owner@greatcircle.com Thu Nov 12 23:27:17 2009
X-Greylist: delayed 1452 seconds by postgrey-1.24 at mycroft; Thu, 12 Nov 2009 23:27:16 PST
Received: from vps.huberspace.net (vps.huberspace.net [207.58.136.186])
	by mycroft.greatcircle.com (Postfix) with ESMTP id F15034B0055
	for ; Thu, 12 Nov 2009 23:27:16 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=huberspace.net)
	by vps.huberspace.net with esmtp (Exim 4.42) id 1N8qBT-00043r-TK
	for majordomo-users@greatcircle.com; Fri, 13 Nov 2009 02:03:03 -0500
From: "Jim Huber"
To: majordomo-users@greatcircle.com
Subject: spam sneaking into a closed list?
Date: Fri, 13 Nov 2009 02:03:03 -0500
Message-Id: <20091113064243.M16941@huberspace.net>
X-Mailer: Open WebMail 2.41 20040926
X-OriginatingIP: 71.171.110.84 (huber@huberspace.net)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
X-Archive-Number: 200911/1
X-Sequence-Number: 5900

I found a spam message that was sent out successfully to a closed mailing list, and I
was wondering if anyone might recognize what's going on and have an answer.

A few details... According to the headers, it was sent by majordomo-owner@domain.com
(domain.com obviously substituting for the domain name) to listname-out@domain.com. The
subject was "Majordomo results: Luxury handbags on sale now. Buy her th". And nearly
half way into the message it says "**** Command disabled."

Sound familiar or interesting? If you're willing to bite, let me know what additional
info you need.

Thanks for your help - Jim

From majordomo-users-owner@greatcircle.com Fri Nov 13 06:37:12 2009
Received: from tower.berklix.org (tower.berklix.org [83.236.223.114])
	by mycroft.greatcircle.com (Postfix) with ESMTP id C109A690093
	for ; Fri, 13 Nov 2009 06:36:23 -0800 (PST)
Received: from park.js.berklix.net (p549A6E4C.dip.t-dialin.net [84.154.110.76])
	(authenticated bits=0)
	by tower.berklix.org (8.14.2/8.14.2) with ESMTP id nADEaGJj091931;
	Fri, 13 Nov 2009 14:36:20 GMT (envelope-from jhs@berklix.com)
Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41])
	by park.js.berklix.net (8.13.8/8.13.8) with ESMTP id nADEa95f010387;
	Fri, 13 Nov 2009 15:36:09 +0100 (CET) (envelope-from jhs@berklix.com)
Received: from fire.js.berklix.net (localhost [127.0.0.1])
	by fire.js.berklix.net (8.14.3/8.14.3) with ESMTP id nADEZwih061728;
	Fri, 13 Nov 2009 15:36:03 +0100 (CET) (envelope-from jhs@fire.js.berklix.net)
Message-Id: <200911131436.nADEZwih061728@fire.js.berklix.net>
To: "Jim Huber"
cc: majordomo-users@greatcircle.com
Subject: Re: spam sneaking into a closed list?
From: "Julian H. Stacey"
Organization: http://www.berklix.com BSD Unix Linux Consultancy, Munich Germany
User-agent: EXMH on FreeBSD http://www.berklix.com/free/
X-URL: http://www.berklix.com
In-reply-to: Your message "Fri, 13 Nov 2009 02:03:03 EST." <20091113064243.M16941@huberspace.net>
Date: Fri, 13 Nov 2009 15:35:58 +0100
X-Archive-Number: 200911/2
X-Sequence-Number: 5901

Hi,
Reference:
> From: "Jim Huber"
> Date: Fri, 13 Nov 2009 02:03:03 -0500
> Message-id: <20091113064243.M16941@huberspace.net>

"Jim Huber" wrote:
> I found a spam message that was sent out successfully to a closed mailing list, and I
> was wondering if anyone might recognize what's going on and have an answer.
>
> A few details... According to the headers, it was sent by majordomo-owner@domain.com
> (domain.com obviously substituting for the domain name) to listname-out@domain.com. The
> subject was "Majordomo results: Luxury handbags on sale now. Buy her th". And nearly
> half way into the message it says "**** Command disabled."
>
> Sound familiar or interesting? If you're willing to bite, let me know what additional
> info you need.
>
> Thanks for your help - Jim

Perhaps the "Command disabled." suggests one of your addresses was trawled by a
robot found to be live responding so was spammed again.

Majordomo lists have certain addresses that are privileged to write to lists.
If the spammer stumbles on one & masquerades as being that, then he can spam
your list. Happened to me some months back.

Most people on my lists are clueless Microsh.t users, regularly they catch
viruses, their PC mail archives get raped, addresses harvested & reported
back to spammers.

Inevitably frequent posters to lists get their addresses harvested, seen
associated with list names. Spammers mainly blind attack linked names &
some get through.

One is more vulnerable - greater chance of matched by spammer, if one's list
owner & personal subscribed address etc have same domain as list name, so if
you have multiple domains available, use them.

Cheers,
Julian
-- 
Julian Stacey: BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Mail plain text not quoted-printable, HTML or Base64: http://asciiribbon.org
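
A triage check for the symptoms Jim describes, as an added example that is not part of either post: it flags archived messages in which a Majordomo command reply was addressed to the list's outgoing alias. The sample messages are constructed, `listname` and `domain.com` are the placeholders from the post, and the function names are hypothetical.

```python
import email
from email.utils import parseaddr

# Constructed sample messages. "listname" and "domain.com" are the placeholders
# used in the post; the second and third messages are ordinary traffic.
SAMPLES = [
    "From: majordomo-owner@domain.com\nTo: listname-out@domain.com\n"
    "Subject: Majordomo results: Luxury handbags on sale now. Buy her th\n\n"
    "Luxury handbags on sale now.\n**** Command disabled.\n",
    "From: majordomo-owner@domain.com\nTo: subscriber@example.org\n"
    "Subject: Majordomo results: help\n\nHelp text for the requester.\n",
    "From: subscriber@example.org\nTo: listname@domain.com\n"
    "Subject: Meeting notes\n\nNotes attached.\n",
]

def indicators(raw, list_name="listname", domain="domain.com"):
    """Return which of the symptoms described in the post a raw message shows."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_payload()
    hits = set()
    if sender == f"majordomo-owner@{domain}":
        hits.add("from-majordomo-owner")
    if rcpt == f"{list_name}-out@{domain}":
        hits.add("to-list-out-alias")
    if msg.get("Subject", "").lower().startswith("majordomo results:"):
        hits.add("results-subject")
    if isinstance(body, str) and "**** Command disabled." in body:
        hits.add("command-disabled-marker")
    return hits

def is_leaked_reply(raw, **kw):
    """True when a command reply was addressed to the list's outgoing alias."""
    hits = indicators(raw, **kw)
    looks_like_reply = hits & {"results-subject", "command-disabled-marker"}
    return "to-list-out-alias" in hits and bool(looks_like_reply)

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLES):
        print(i, is_leaked_reply(raw), sorted(indicators(raw)))
```

Only the first sample is flagged: a results reply sent to an individual requester shares the sender and subject but not the `-out` destination.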