Spam through Sourceforge.net (Update)

Today happened what I thought it was impossible: I received spam on my username’s alias email address registered at sourceforge.net.

Fig. 1: A simple but effective spam

Fig. 1: A simple but effective spam

Sourceforge.net is the world’s largest open source software development web site. I have an account there since I was a student and started to work as volunteer for an open source project. I still do, even if with not the same intensity as before. Sourceforge is known for its very aggressive anti spam measures. The Spamassasin software at sourceforge.net has detected correctly the email as spam, but why didn’t it stop it for being delivered?

Fig. 2: The mail is correctly flagged as spam.

Fig. 2: The mail is correctly flagged as spam.

The spam mail I’ve seen this morning consists just of one line of text. The only thing which allowed an anti spam filter to detect the message as spam was the fact the link inside was blacklisted because of hosting a spam website and that the IP address from the Received headers was already blacklisted.

So, everything is ok, but why did I receive the email even if it was flagged correctly? The website does say something about the email aliases that simply receive whatever comes there: “Any email sent to a user’s mail alias is automatically passed to the email address that is on file for a that account.”

Well, this is very nice – but very wrong: To test this, I’ve sent an email from my email account at  work (domain is avira.com), but it was immediately whitelisted because of the many security features that our admins support (DKIM, Signatures, reverse DNS, etc.). So, it went through the filter.

I’ve sent another email from another email address having attached the well know GTUBE test file. Now everything was different, the email was blocked and I received immediately a nice email making fun of me:

Fig. 3: Spam that is not automatically forwarded.

Fig. 3: Spam that is not automatically forwarded.

So, why all this happened if Sourceforge doesn’t automatically forward any email sent to the users’ aliases? I don’t know, but I will surely ask Sourceforge. I will blog again if I receive the answer from them. Oh, by the way, Avira Premium Security Suite also correctly marks this kind of email as spam.

Update:

After writing to the Sourceforge Support an email, I received the answer below in less than an hour. I must say that I was pleasantly surprised for such a fast response time, considering the fact that Sourceforge gives all these services for free to the programmers.

“At SourceForge, we do our best to prevent spam from reaching our users. However, it isn’t possible to prevent all spam from getting through, and you will occasionally see examples like the one you’ve provided. We are constantly updating our filters and anti-spam techniques, though, so you should see this problem resolve itself in the next day or so. If it persists, please let us know.

An additional step you can take is to filter based on the “X-VA-Spam-Flag: YES” header, which we apply to email we suspected of being spam. Finally, we recently added the ability to control what sorts of email you receive through your email alias; you can find this feature on your Account Options page.”

Sorin Mustaca
Manager International Software Development

3 responses to “Spam through Sourceforge.net (Update)

  1. Pingback: Just How Much Spam Do You Get Each Day? | DigitalWebTalk·

  2. Pingback: SPAM Blockers and Filters | DigitalWebTalk·

  3. Pingback: New post in Avira blog: Spam Through Sourceforge.net « Me and the world·

Comments are closed.