Wally J
2023-12-03 20:10:07 UTC
Who is peering all these spams ostensibly from Google Groups?
<http://groups.google.com/g/comp.mobile.android>
In the past few weeks, what I'll call "Indonesian" spam has been
increasing but not to the level of this "movie" spam which is now
hundreds per day (at least it is on the Android newsgroup).
While the headers look like they're coming from Google Groups,
I'm aware that headers could be forged such that it could be
coming from a rogue NNTP server sending all this spam.
But then why are the reputable NNTP news server admins peering
these spams?
I realize every line in the header can be spoofed (even the
path can have information injected into it), but I don't know
how to read headers well.
Is there any way to tell from the header who is peering them?
To help you answer this question, below are just 3 random spams.
========< cut here for random spams >========
X-Received: by 2002:a0c:ed31:0:b0:67a:b50a:cf46 with SMTP id u17-20020a0ced31000000b0067ab50acf46mr63374qvq.7.1701623906718; Sun, 03 Dec 2023 09:18:26 -0800 (PST)
X-Received: by 2002:a05:6870:f293:b0:1fb:2688:896e with SMTP id u19-20020a056870f29300b001fb2688896emr1145397oap.8.1701623906460; Sun, 03 Dec 2023 09:18:26 -0800 (PST)
Path: .!weretis.net!feeder8.news.weretis.net!3.eu.feeder.erje.net!3.us.feeder.erje.net!feeder.erje.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer02.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.mobile.android
Date: Sun, 3 Dec 2023 09:18:26 -0800 (PST)
Injection-Info: google-groups.googlegroups.com; posting-host=202.46.68.61; posting-account=FDFpwAkAAAAzh5Zwwcosm-KBqOzgWZ4S
NNTP-Posting-Host: 202.46.68.61
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <d2da9b7d-4ac6-43dc-80e3-***@googlegroups.com>
Subject: [.WATCH.] Renaissance: A Film By Beyoncé Watch (FullMovie) Free Online ON STREAMINGS
From: Atto Lorse <***@gmail.com>
Injection-Date: Sun, 03 Dec 2023 17:18:26 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 3761
Xref: . comp.mobile.android:110200
========< cut here for random spams >========
X-Received: by 2002:a05:6214:1fc4:b0:67a:262e:35b5 with SMTP id jh4-20020a0562141fc400b0067a262e35b5mr642984qvb.9.1701622417293; Sun, 03 Dec 2023 08:53:37 -0800 (PST)
X-Received: by 2002:a9d:5cc6:0:b0:6d8:1345:7de4 with SMTP id r6-20020a9d5cc6000000b006d813457de4mr1630461oti.7.1701622417090; Sun, 03 Dec 2023 08:53:37 -0800 (PST)
Path: .!weretis.net!feeder8.news.weretis.net!3.eu.feeder.erje.net!1.us.feeder.erje.net!feeder.erje.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer02.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.mobile.android
Date: Sun, 3 Dec 2023 08:53:36 -0800 (PST)
In-Reply-To: <f5e007ca-f669-4d58-9112-***@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=118.179.109.17; posting-account=cd0JhgoAAACShHBEpPkoEjnWjSQ47bCx
NNTP-Posting-Host: 118.179.109.17
References: <f5e007ca-f669-4d58-9112-***@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <f09f38dc-333c-4e8a-81b0-***@googlegroups.com>
Subject: Re: [.WATCH.] It Came from Dimension X Watch (.FullMovie.) Free Online On STREAMINGS
From: Derrick Matthews <***@gmail.com>
Injection-Date: Sun, 03 Dec 2023 16:53:37 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 5359
Xref: . comp.mobile.android:110194
========< cut here for random spams >========
X-Received: by 2002:a05:622a:103:b0:423:72a5:a7da with SMTP id u3-20020a05622a010300b0042372a5a7damr969557qtw.8.1701624819984; Sun, 03 Dec 2023 09:33:39 -0800 (PST)
X-Received: by 2002:a9d:6a8f:0:b0:6d8:8052:2ec8 with SMTP id l15-20020a9d6a8f000000b006d880522ec8mr627917otq.2.1701624819695; Sun, 03 Dec 2023 09:33:39 -0800 (PST)
Path: .!news2.arglkargh.de!2.eu.feeder.erje.net!1.us.feeder.erje.net!feeder.erje.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer02.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.mobile.android
Date: Sun, 3 Dec 2023 09:33:39 -0800 (PST)
Injection-Info: google-groups.googlegroups.com; posting-host=93.177.75.198; posting-account=IjNbuAoAAADuPrioAyFILqIJ1RQ_HnG8
NNTP-Posting-Host: 93.177.75.198
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <fa356544-c7a3-4d01-bb73-***@googlegroups.com>
Subject: **Wish 2023 free '.Fullmovie.' Online English HD 720p, 480p
From: Raden Surya Sigadiraja <***@gmail.com>
Injection-Date: Sun, 03 Dec 2023 17:33:39 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 16654
Xref: . comp.mobile.android:110202
--
TIA
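
Added example, not part of the original post: one way to read the Path headers quoted above. Each server prepends its own name to Path (RFC 5536), so the route is read right to left, from the injecting host to the last relay. The function names are illustrative; the header values are the ones in the post.

```python
# Path / Injection-Info copied from the three samples in the post (Injection-Info trimmed after posting-host).
SAMPLES = [
    {"Path": ".!weretis.net!feeder8.news.weretis.net!3.eu.feeder.erje.net!3.us.feeder.erje.net!feeder.erje.net"
             "!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer02.iad!feed-me.highwinds-media.com"
             "!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail",
     "Injection-Info": "google-groups.googlegroups.com; posting-host=202.46.68.61"},
    {"Path": ".!weretis.net!feeder8.news.weretis.net!3.eu.feeder.erje.net!1.us.feeder.erje.net!feeder.erje.net"
             "!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer02.iad!feed-me.highwinds-media.com"
             "!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail",
     "Injection-Info": "google-groups.googlegroups.com; posting-host=118.179.109.17"},
    {"Path": ".!news2.arglkargh.de!2.eu.feeder.erje.net!1.us.feeder.erje.net!feeder.erje.net"
             "!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer02.iad!feed-me.highwinds-media.com"
             "!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail",
     "Injection-Info": "google-groups.googlegroups.com; posting-host=93.177.75.198"},
]


def path_hops(path):
    """Servers in transit order: injecting host first, last relay before the reader."""
    entries = [e for e in path.strip().split("!") if e]
    entries = entries[:-1]  # rightmost entry is the tail ("not-for-mail"), not a server
    # Each relay prepends its name, so reverse. Entries starting with "." are
    # skipped: RFC 5536 diagnostics such as ".POSTED", and the bare "." seen here.
    return [e for e in reversed(entries) if not e.startswith(".")]


def injector_matches(headers):
    """True when the first Path hop is the host named in Injection-Info."""
    claimed = headers["Injection-Info"].split(";")[0].strip()
    hops = path_hops(headers["Path"])
    return bool(hops) and hops[0] == claimed


def shared_route(samples):
    """Hops, counted from the injector, that every sample has in common."""
    shared = []
    for column in zip(*(path_hops(s["Path"]) for s in samples)):
        if len(set(column)) != 1:
            break
        shared.append(column[0])
    return shared


if __name__ == "__main__":
    for s in SAMPLES:
        print("injector consistent:", injector_matches(s), "|", " -> ".join(path_hops(s["Path"])))
    print("shared by all:", " -> ".join(shared_route(SAMPLES)))
```

Path entries to the right of the first relay you trust were written by upstream servers, so agreement between Path and Injection-Info shows consistency, not proof of origin.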