Attn: Retro Guy (i2pn2/Rocksolid/novaBBS admin) - Spammer using novaBBS

[VanguardLH]

i2pn2.org via novaBBS has a poster that is responding off-topic on
random posts across multiple newsgroups. Besides attempting to use HTML
in his signature, he is spamming his web site in his unrelated replies.

From: hayvanl...@gmail.com (kaan26)
X-Rslight-Posting-User: 786be9db11f0968f3b262f9c2682ed90efb5422a

Message-IDs:
<31289c341915c43f...@www.novabbs.com>
<c5dfca7c7b0647ab...@www.novabbs.com>
<ec0ea727a07fd2e8...@www.novabbs.com>
<31289c341915c43f...@www.novabbs.com>
<c5dfca7c7b0647ab...@www.novabbs.com>
<1efc52400c7503f6...@www.novabbs.com>
<bcc9a673dfd94e04...@www.novabbs.com>
<788db730fda8bcb1...@www.novabbs.com>
<ec0ea727a07fd2e8...@www.novabbs.com>
<5cc3ffc9d6e15fca...@www.novabbs.com>
<31289c341915c43f...@www.novabbs.com>
<d45beca289b65641...@www.novabbs.com>
<8095fad81816266b...@www.novabbs.com>
<b06b7f160c0e4945...@www.novabbs.com>

These were found in the newsgroups to which I subscribe, so this spammer
could be afflicting other newsgroups (those available at novaBBS).

I'm reporting here, because I've see the i2pn2 admin (Retro Guy) post
here. I don't have a novabbs account to report there. For now, I'm
filtering out this spammer by AND'ing his From and Message-ID headers.
Rarely do I use the MID header since the client can specify its own
value, but this is a web-based forum, so the poster unlikely can define
this header. Normally I would use the PATH header to detect the
injection node for the origin of a post.

This is new spam starting today (1/21/2024), so hopefully not a new
trend of Google Groups spammers migrating to other web-based Usenet
gateways. I'd be leery of any new users having a @gmail.com e-mail
address. The GG users and spammers are going to move to somewhere else.

If I see a migration of GG posters to alternative web-based gateways to
Usenet, I'll probably add checking on their e-mail address to add to my
current set of GG filters. Yes, I know lots of legit posters use Gmail,
but my GG filters eliminate all GG posters: some good apples get
discarded with the barrel of mostly rotten apples.

[Andy Burns]

VanguardLH wrote:

> i2pn2.org via novaBBS has a poster that is responding off-topic on
> random posts across multiple newsgroups.

Yes, I'd noticed these new turkish(?) spams in windows and android groups.

> hopefully not a new
> trend of Google Groups spammers migrating to other web-based Usenet
> gateways. I'd be leery of any new users having a @gmail.com e-mail
> address.

Yes but ... as well as all the G2 spammers, there are likely to be a lot
of genuine G2 users needing a new way to access usenet ...

[Retro Guy]

On Sun, 21 Jan 2024 11:42:50 -0600, VanguardLH wrote:

> i2pn2.org via novaBBS has a poster that is responding off-topic on
> random posts across multiple newsgroups. Besides attempting to use HTML
> in his signature, he is spamming his web site in his unrelated replies.
>
> From: hayvanl...@gmail.com (kaan26)
> X-Rslight-Posting-User: 786be9db11f0968f3b262f9c2682ed90efb5422a
>
> Message-IDs:
> <31289c341915c43f...@www.novabbs.com>
> <c5dfca7c7b0647ab...@www.novabbs.com>
> <ec0ea727a07fd2e8...@www.novabbs.com>
> <31289c341915c43f...@www.novabbs.com>
> <c5dfca7c7b0647ab...@www.novabbs.com>
> <1efc52400c7503f6...@www.novabbs.com>
> <bcc9a673dfd94e04...@www.novabbs.com>
> <788db730fda8bcb1...@www.novabbs.com>
> <ec0ea727a07fd2e8...@www.novabbs.com>
> <5cc3ffc9d6e15fca...@www.novabbs.com>
> <31289c341915c43f...@www.novabbs.com>
> <d45beca289b65641...@www.novabbs.com>
> <8095fad81816266b...@www.novabbs.com>
> <b06b7f160c0e4945...@www.novabbs.com>
>
> These were found in the newsgroups to which I subscribe, so this spammer
> could be afflicting other newsgroups (those available at novaBBS).

Thank you for this report! I have issued a NoCeM for the offending posts,
banned the user, and have added triggers from their posts to spamassassin.

>
> I'm reporting here, because I've see the i2pn2 admin (Retro Guy) post
> here. I don't have a novabbs account to report there. For now, I'm
> filtering out this spammer by AND'ing his From and Message-ID headers.
> Rarely do I use the MID header since the client can specify its own
> value, but this is a web-based forum, so the poster unlikely can define
> this header. Normally I would use the PATH header to detect the
> injection node for the origin of a post.

To provide info on how www.novabbs.com works as far as headers:

From: will always be the posting user's web account. It can not be changed.

Path will always begin at the injection server, which is currently
i2pn2.org.

As you note, message-id can not be changed and will end with
'www.novabbs.com'

Injection-Info / posting-account: is the web site account. You can use this
to block the entire website

X-Rslight-Posting-User: is the user account for the poster on the website.

The site has limits on rate of posting. I tried to find a reasonable number
to allow users to post as they wish, and not let spammers just send 10,000
messages all of a sudden. The current limit is 12 posts per hour by default
(I can change that per user if necessary)

I understand your concerns about people being able to post using a web
interface, and I plan to add features as necessary to help keep spam on
Usenet to a minimum.

[Retro Guy]

On Sun, 21 Jan 2024 18:00:13 +0000, Andy Burns wrote:

> VanguardLH wrote:
>
>> i2pn2.org via novaBBS has a poster that is responding off-topic on
>> random posts across multiple newsgroups.
>
> Yes, I'd noticed these new turkish(?) spams in windows and android groups.

If you notice them from my sites, please let me know.

For the user VanguardLH listed, I pulled all of their posts from my logs to
generate the NoCeM (mentioned in another post).

>
>> hopefully not a new
>> trend of Google Groups spammers migrating to other web-based Usenet
>> gateways. I'd be leery of any new users having a @gmail.com e-mail
>> address.
>
> Yes but ... as well as all the G2 spammers, there are likely to be a lot
> of genuine G2 users needing a new way to access usenet ...

Quite a few valid GG users have migrated to www.novabbs.com and are happily
posting along without generating spam. These are the users I like.

[Ray Banana]

Thus spake Ottavio Caruso <ottavio2006...@yahoo.com>

> Has this NG now become the support group for Rocksolid? Have Rocksolid
> taken over ES? When? genuine question.

Thank you for giving me the opportunity to point out that the
rocksolid.* hierarchy is also available on E-S.

--
Пу́тін — хуйло́
https://www.eternal-september.org

[Retro Guy]

On Mon, 22 Jan 2024 12:22:37 +0100, Ray Banana wrote:

> Thus spake Ottavio Caruso <ottavio2006...@yahoo.com>
>
>> Has this NG now become the support group for Rocksolid? Have Rocksolid
>> taken over ES? When? genuine question.
>
> Thank you for giving me the opportunity to point out that the
> rocksolid.* hierarchy is also available on E-S.

Thanks Ray. I regularly monitor rocksolid.nodes.help for such issues.

Let's make sure e-s.support is for e-s support :)

[Adam H. Kerman]

Ottavio Caruso <ottavio2006...@yahoo.com> wrote:

>Has this NG now become the support group for Rocksolid? Have Rocksolid
>taken over ES? When? genuine question.

Several News administrators who issue NoCeMs to counter abuse that are
processed by news.eternal-september.org have been discussing it here.

[VanguardLH]

Thanks for the update. I was thinking rocksolid.shared.general might be
where to report, but I'll go with rocksolid.nodes.help.