On 09/21/2016 12:25 PM, Dan White wrote:
I'll note in the headers for the forged message:
Received: from pglaf.org ([127.0.0.1])
 by localhost (mail.pglaf.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id q3dJbRQr1ULg for <cypherpunks@lists.cpunks.org>;
 Wed, 21 Sep 2016 03:57:34 -0700 (PDT)
X-Greylist: delayed 905 seconds by postgrey-1.34 at mail;
 Wed, 21 Sep 2016 03:57:33 PDT
Received-SPF: Softfail (domain owner discourages use of this host)
 identity=mailfrom; client-ip=195.128.120.25; helo=mail05.parking.ru;
 envelope-from=juan.g71@gmail.com; receiver=cypherpunks@lists.cpunks.org
Received: from mail05.parking.ru (mail05.parking.ru [195.128.120.25])
 by pglaf.org (Postfix) with ESMTP id A35D611C0539
 for <cypherpunks@lists.cpunks.org>; Wed, 21 Sep 2016 03:57:33 -0700 (PDT)
Received: from web38 [195.128.121.111] by mail05.parking.ru with SMTP;
 Wed, 21 Sep 2016 13:41:59 +0300
The originating SMTP relay server was apparently mail05.parking.ru. The Received-SPF (presumably from pglaf.org, the cypherpunks list host) greylisted the message due to an SPF fail, instead of rejecting the message, which would have prevented this message from being distributed to the list.
On 09/21/16 16:10 -0300, juan wrote:
I didn't send the message quoted below, so I'm wondering how the spoofing was done this time...
Sean Lynch:
> Of course, this is all unglamorous work
> that's hard to get volunteers to do
> unless they're really passionate

Or getting paid, fucker.
------------------------------------------------------------------------
This email was sent via Anonymous email service for free.
YOU CAN REMOVE THIS TEXT MESSAGE BY BEING A PAID MEMBER FOR $19/year. <http://bit.ly/k37rpz>
CLICK HERE => <http://bit.ly/k37rpz>
Message ID= 315861
------------------------------------------------------------------------
I accidentally spoofed pglaf.org one day mailing to this list just a short while back by using Thunderbird > "Edit as new" on an older message sent from another address at pglaf.org. I wiped the From: field and inserted my correct email at riseup. It appeared to be delivered from my correct username@pglaf.org.

Rr
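
Added example, not part of any message in this thread: a Python sketch that parses the header block quoted above, pulls out the SPF verdict and the relay path, and shows where a receiving host could hold a softfail instead of distributing it. The function names and the reject/hold/accept policy are assumptions for illustration, not pglaf.org's configuration.

```python
import re
from email import message_from_string

# Header block copied from the forged message quoted in this thread (refolded).
RAW_HEADERS = """\
Received: from pglaf.org ([127.0.0.1]) by localhost (mail.pglaf.org [127.0.0.1])
 (amavisd-new, port 10024) with ESMTP id q3dJbRQr1ULg
 for <cypherpunks@lists.cpunks.org>; Wed, 21 Sep 2016 03:57:34 -0700 (PDT)
X-Greylist: delayed 905 seconds by postgrey-1.34 at mail; Wed, 21 Sep 2016 03:57:33 PDT
Received-SPF: Softfail (domain owner discourages use of this host)
 identity=mailfrom; client-ip=195.128.120.25; helo=mail05.parking.ru;
 envelope-from=juan.g71@gmail.com; receiver=cypherpunks@lists.cpunks.org
Received: from mail05.parking.ru (mail05.parking.ru [195.128.120.25])
 by pglaf.org (Postfix) with ESMTP id A35D611C0539
 for <cypherpunks@lists.cpunks.org>; Wed, 21 Sep 2016 03:57:33 -0700 (PDT)
Received: from web38 [195.128.121.111] by mail05.parking.ru with SMTP;
 Wed, 21 Sep 2016 13:41:59 +0300
"""

def parse_spf(raw):
    """Return the Received-SPF result plus its key=value pairs as a dict."""
    value = " ".join(message_from_string(raw)["Received-SPF"].split())  # unfold
    fields = dict(re.findall(r"([\w-]+)=([^;\s]+)", value))
    fields["result"] = value.split()[0].lower()
    return fields

def relay_hops(raw):
    """Return (from, by) pairs from the Received chain, oldest hop first."""
    pat = re.compile(r"from (\S+).*?\bby (\S+)", re.S)
    found = (pat.search(v) for v in message_from_string(raw).get_all("Received", []))
    return [m.groups() for m in found if m][::-1]

def helo_aligned(spf):
    """Heuristic: does the HELO host sit under the envelope sender's domain?"""
    domain = spf["envelope-from"].rsplit("@", 1)[-1].lower()
    helo = spf["helo"].lower()
    return helo == domain or helo.endswith("." + domain)

def disposition(spf, hold_softfail=True):
    """Hypothetical list-host policy, not pglaf.org's actual configuration."""
    if spf["result"] == "fail":
        return "reject"
    if spf["result"] == "softfail" and hold_softfail:
        return "hold"  # queue for moderator review instead of distributing
    return "accept"

if __name__ == "__main__":
    s = parse_spf(RAW_HEADERS)
    print(s["result"], helo_aligned(s), disposition(s), relay_hops(RAW_HEADERS))
```

Only the topmost Received lines, written by the receiving host itself, are trustworthy; the `web38` hop is whatever the sending relay chose to record.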