Re: [time-nuts] 2 (Spoofing)
Scott Newell wrote:
> At 07:09 AM 10/5/2011, John Ackermann N8UR wrote:
>> The mailing list system resends messages rather than just relaying them. List messages won't show details of the originating sender path.
>
> Really? It appears to me that your message was sent from 10.73.100.66 through a dsl line (h69-128-27-124.stjmmi.dsl.dynamic.tds.net) at 69.128.27.124.
>
>>> on the messages I send through time-nuts don't have my IP listed as originating... or listed at all. The header information I find in the
>
> And for Chuck, it appears that his email came from 192.168.1.105 through a Verizon FIOS connection (pool-173-73-20-237.washdc.fios.verizon.net) at 173.73.20.237.
>
> Or am I missing something here?

The two IP addresses you mention are private (not on the open internet - most likely the addresses of a machine on a private LAN behind a firewall). See:

http://en.wikipedia.org/wiki/Private_network

--
Bob Smither, Ph.D. smit...@c-c-i.com
==
"The most potent weapon of the oppressor is the mind of the oppressed." - Steven Biko
==
Circuit Concepts, Inc. 281-331-2744

___
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.
Re: [time-nuts] 2 (Spoofing)
No, you're correct. The Mailman system adds a bunch of headers and changes the "from" and "reply-to" headers (don't recall the exact details, but there's a bounce-detection scheme called VERP that causes more than the normal amount of rewriting), and adds "[time-nuts]" to the subject line, but it doesn't completely change the headers. I was misremembering.

John

On Oct 5, 2011, at 11:02 AM, Scott Newell wrote:

> At 07:09 AM 10/5/2011, John Ackermann N8UR wrote:
>> The mailing list system resends messages rather than just relaying them. List messages won't show details of the originating sender path.
>
> Really? It appears to me that your message was sent from 10.73.100.66 through a dsl line (h69-128-27-124.stjmmi.dsl.dynamic.tds.net) at 69.128.27.124.
>
>>> on the messages I send through time-nuts don't have my IP listed as originating... or listed at all. The header information I find in the
>
> And for Chuck, it appears that his email came from 192.168.1.105 through a Verizon FIOS connection (pool-173-73-20-237.washdc.fios.verizon.net) at 173.73.20.237.
>
> Or am I missing something here?
>
> --
> newell N5TNL
Re: [time-nuts] 2 (Spoofing)
At 07:09 AM 10/5/2011, John Ackermann N8UR wrote:
> The mailing list system resends messages rather than just relaying them. List messages won't show details of the originating sender path.

Really? It appears to me that your message was sent from 10.73.100.66 through a dsl line (h69-128-27-124.stjmmi.dsl.dynamic.tds.net) at 69.128.27.124.

>> on the messages I send through time-nuts don't have my IP listed as originating... or listed at all. The header information I find in the

And for Chuck, it appears that his email came from 192.168.1.105 through a Verizon FIOS connection (pool-173-73-20-237.washdc.fios.verizon.net) at 173.73.20.237.

Or am I missing something here?

--
newell N5TNL
Re: [time-nuts] 2 (Spoofing)
On 10/5/11 5:30 AM, Raj wrote:
> Some subscribe to lists of interest and harvest email IDs. A decade ago I collected all the digests from another similar type of group and harvested the emails and then made an analysis as to who posted more on the group. The stats were interesting! not for spamming!
>
> Raj
>
>> Speaking of spam...
>>
>> I'm curious where they got my address from.

Exactly.. this kind of targeted marketing is not the massive indiscriminate spam. If you were selling, say, supercomputers or services for supercomputers, it might be worth it to gather up the last 10 years of Beowulf list archives and write whatever scripts are needed to extract the emails (i.e. many list archives obscure the email in some way: mynamemydomain, so that the archives aren't trivially scrapable). Look for the top posters, and send them an email. On most lists, less than 5-10% of the list recipients actually post in any given year, so you'd pick up only a few hundred emails (might be better to call them "sales leads" at this point).

Since there's a whole lot of "touch labor" in this process, I suspect the targeted email might be better formatted and less obnoxious. After all, I get an email every day or so from various and sundry trade rags (EDN, EETimes, etc.) that I subscribe to in paper form, mostly full of advertising, although often with links to articles of interest. I don't know that I explicitly asked to receive it, and, in general, they'll let you opt out, although with the interlocking nature of publishers, if you dump one publication's emails, sometimes you'll still get them because you subscribe to another one from the same pub.

And, this is, after all, *sales*... always be closing.
Re: [time-nuts] 2 (Spoofing)
Some subscribe to lists of interest and harvest email IDs. A decade ago I collected all the digests from another similar type of group and harvested the emails and then made an analysis as to who posted more on the group. The stats were interesting! not for spamming!

Raj

> Speaking of spam...
>
> I'm curious where they got my address from.
Re: [time-nuts] 2 (Spoofing)
The mailing list system resends messages rather than just relaying them. List messages won't show details of the originating sender path.

John

On Oct 4, 2011, at 9:51 PM, Chuck Harris wrote:

> Hi John,
>
> I have looked at the "originating" IP's in the headers, and I find a curious thing: They are all built and structured differently. Those on the messages I send through time-nuts don't have my IP listed as originating... or listed at all. The header information I find in the messages that come to me is generally showing the path from febo to my ISP... febo is listed as the originating IP.
>
> I think the originating IP header in the spam mail from jeff was added there by the spammer... just like they generally add headers that try to tell you that the message is whitelisted, approved by SpamAssassin, and not spam, etc..
>
> -Chuck Harris
>
> John Ackermann N8UR wrote:
>> See my other message for more details, but the spammers often use a two-step approach: (1) harvest address lists from the web, from compromised machines, etc., and (2) send those addresses, along with the payload, off to the botnets who then send the actual email. That gives legitimate-looking senders along with the volume sending power of the botnet.
>>
>> I think in the past things worked as you suggested and probably often still do, Chuck, but if you look at the originating IP on these messages they often are in blocks assigned to countries unlikely to be the home of the victim.
>>
>> John
Re: [time-nuts] 2 (Spoofing)
Speaking of spam...

Anybody else get spam from trackstick? (They sell GPS tracking gear.) It arrived Tue afternoon. I'm curious where they got my address from.

My copy came from authsmtp.co.uk/authsmtp.com

--
These are my opinions, not necessarily my employer's. I hate spam.
Re: [time-nuts] 2 (Spoofing)
I used to get tons (100-300 a day) of "backscatter" emails - emails that were supposedly sent by me but bounced back because the recipient didn't really exist. I use a web hosting company for my website and email so I had them enable SPF (Sender Policy Framework) on my domain and all that stopped within a few days. I'm not an expert on it but the way I understand it, any email received by a compliant system is supposed to check if SPF is enabled and if so, verify the email is from a legitimate source. Here are more details:

http://www.openspf.org/Introduction

-Bob
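To make concrete what Bob describes, here is an added Python example (not code from the post, the list, or openspf.org) of the receiver-side SPF check: the receiving mail server looks up the sender domain's published policy and evaluates the IP address that actually connected to it against that policy. Real SPF (RFC 7208) fetches the record as a DNS TXT query and also supports the a, mx, exists and redirect= terms; this offline version substitutes a constructed in-memory table for DNS and supports only ip4, ip6, include and all, returning permerror for anything else. The domains, addresses and records are constructed for the example.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (these domains are not real).
# example.test authorises its own /24 plus whatever its hosting provider's record allows.
SPF_RECORDS = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 include:mailhost.example.test -all",
    "mailhost.example.test": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDES = 10  # RFC 7208 limits DNS-causing terms to 10 per evaluation


def lookup_spf(domain, records):
    """Stand-in for the DNS TXT query. Returns None when no record is published."""
    return records.get(domain.lower())


def check_spf(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate `domain`'s SPF policy for the IP that connected to us.

    Supports the ip4, ip6, include and all mechanisms; anything that would need
    live DNS (a, mx, exists, redirect=) yields permerror in this offline version.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDES:
        return "permerror"  # include chain too deep (or a loop)
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(sender_ip, arg, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # the included domain must publish a valid record
        else:
            return "permerror"  # a, mx, exists, redirect= need live DNS
    return "neutral"  # nothing matched and the record has no 'all' term


def smtp_action(result):
    """What a receiving MTA commonly does with each result (local policy, not protocol)."""
    return {
        "fail": "reject at SMTP time (no bounce is generated, so no backscatter)",
        "softfail": "accept but mark as suspicious",
    }.get(result, "accept")


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.test"),
                       ("198.51.100.25", "example.test"),
                       ("192.0.2.10", "example.test"),
                       ("2001:db8::1", "example.test")]:
        r = check_spf(ip, domain)
        print(f"{ip:>16} claiming {domain}: {r} -> {smtp_action(r)}")
```

The third case is the one that matters for backscatter: a botnet host at an address the domain never listed puts the domain in the envelope sender, and a receiver that honours the "-all" term refuses the message during the SMTP conversation, so it never accepts it and never generates a bounce to the forged address. Receivers that accept first and bounce later are the ones that produce the backscatter Bob was seeing.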
Re: [time-nuts] 2 (Spoofing)
Hi John,

I have looked at the "originating" IP's in the headers, and I find a curious thing: They are all built and structured differently. Those on the messages I send through time-nuts don't have my IP listed as originating... or listed at all. The header information I find in the messages that come to me is generally showing the path from febo to my ISP... febo is listed as the originating IP.

I think the originating IP header in the spam mail from jeff was added there by the spammer... just like they generally add headers that try to tell you that the message is whitelisted, approved by SpamAssassin, and not spam, etc..

-Chuck Harris

John Ackermann N8UR wrote:
> See my other message for more details, but the spammers often use a two-step approach: (1) harvest address lists from the web, from compromised machines, etc., and (2) send those addresses, along with the payload, off to the botnets who then send the actual email. That gives legitimate-looking senders along with the volume sending power of the botnet.
>
> I think in the past things worked as you suggested and probably often still do, Chuck, but if you look at the originating IP on these messages they often are in blocks assigned to countries unlikely to be the home of the victim.
>
> John
Re: [time-nuts] 2 (Spoofing)
Most of the spambots are in China, Russia, Brazil, the Netherlands, and lately India. Many are spamming for "Canadian Pharmacies", but lately Indian Television has become a real PITA.

Hosting sites like Serverbeach aka Tier1 will not do anything about such abuse.

-John

===

> See my other message for more details, but the spammers often use a two-step approach: (1) harvest address lists from the web, from compromised machines, etc., and (2) send those addresses, along with the payload, off to the botnets who then send the actual email. That gives legitimate-looking senders along with the volume sending power of the botnet.
>
> I think in the past things worked as you suggested and probably often still do, Chuck, but if you look at the originating IP on these messages they often are in blocks assigned to countries unlikely to be the home of the victim.
>
> John
>
> On Oct 4, 2011, at 5:11 PM, Chuck Harris wrote:
>
>> Take a look at the header on this message, and find the one that says "X-Originating IP:" It isn't there. That was added to Jeff's message by the spoofer for some reason or other.
>>
>> The one header that looks like it might be the originating IP points to FEBO.
>>
>> Two other guys that I know of that found themselves spamming Yahoo groups found they were running little spambot programs on their windows machines.
>>
>> That is the simplest answer, and the most likely IMHO.
>>
>> Think about it: A spammer that is spamming a non yahoo group like time-nuts specially? Not likely. This is a spambot that sent a message to all addresses in Jeff's address book, using Jeff's PC.
>>
>> -Chuck Harris
>>
>> gbusg wrote:
>>> From the looks of it:
>>>
>>> 1. The bad guys imported/stole Jeff's address book (via social networking ABI hijack, or PC infection).
>>>
>>> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the contacts they stole from Jeff's address book (and spoofing as "Jeff").
>>>
>>> This is troubling because it could happen to any one of us (if we have an address book and it gets hijacked).
>>>
>>> Per John's previous message, I would be leery of social network ABI (Address Book Import) for one thing.
>>>
>>> -Greg
>>>
>>> - Original Message -
>>> From: "Chuck Harris"
>>> To: "Discussion of precise time and frequency measurement"
>>> Sent: Tuesday, October 04, 2011 2:04 PM
>>> Subject: Re: [time-nuts] 2 (Spoofing)
>>>
>>> I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.
>>>
>>> I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.
>>>
>>> -Chuck Harris
>>>
>>> gbusg wrote:
>>>> The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.
>>>>
>>>> Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)
>>>>
>>>> -Greg
Re: [time-nuts] 2 (Spoofing)
See my other message for more details, but the spammers often use a two-step approach: (1) harvest address lists from the web, from compromised machines, etc., and (2) send those addresses, along with the payload, off to the botnets who then send the actual email. That gives legitimate-looking senders along with the volume sending power of the botnet.

I think in the past things worked as you suggested and probably often still do, Chuck, but if you look at the originating IP on these messages they often are in blocks assigned to countries unlikely to be the home of the victim.

John

On Oct 4, 2011, at 5:11 PM, Chuck Harris wrote:

> Take a look at the header on this message, and find the one that says "X-Originating IP:" It isn't there. That was added to Jeff's message by the spoofer for some reason or other.
>
> The one header that looks like it might be the originating IP points to FEBO.
>
> Two other guys that I know of that found themselves spamming Yahoo groups found they were running little spambot programs on their windows machines.
>
> That is the simplest answer, and the most likely IMHO.
>
> Think about it: A spammer that is spamming a non yahoo group like time-nuts specially? Not likely. This is a spambot that sent a message to all addresses in Jeff's address book, using Jeff's PC.
>
> -Chuck Harris
>
> gbusg wrote:
>> From the looks of it:
>>
>> 1. The bad guys imported/stole Jeff's address book (via social networking ABI hijack, or PC infection).
>>
>> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the contacts they stole from Jeff's address book (and spoofing as "Jeff").
>>
>> This is troubling because it could happen to any one of us (if we have an address book and it gets hijacked).
>>
>> Per John's previous message, I would be leery of social network ABI (Address Book Import) for one thing.
>>
>> -Greg
>>
>> - Original Message -
>> From: "Chuck Harris"
>> To: "Discussion of precise time and frequency measurement"
>> Sent: Tuesday, October 04, 2011 2:04 PM
>> Subject: Re: [time-nuts] 2 (Spoofing)
>>
>> I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.
>>
>> I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.
>>
>> -Chuck Harris
>>
>> gbusg wrote:
>>> The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.
>>>
>>> Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)
>>>
>>> -Greg
Re: [time-nuts] 2 (Spoofing)
Chuck there have been several cases of Yahoo webmail address lists being hacked into recently, one was reported from the HP_Agilent group I think a couple of weeks back. I have also had several that seem to come from "clean" machines on Groups I moderate but you have no control of how carefully your ISP looks after your webmail address list.

Alan G3NYK

- Original Message -
From: "Chuck Harris"
To: "Discussion of precise time and frequency measurement"
Sent: Tuesday, October 04, 2011 9:04 PM
Subject: Re: [time-nuts] 2 (Spoofing)

> I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.
>
> I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.
>
> -Chuck Harris
Re: [time-nuts] 2 (Spoofing)
What can be done:

The Owner/Moderator of any Group that is spammed can put the hijacked email address on Moderation or Ban it.

The spam email can be sent to SpamCop or equal, but be sure to delete febo.com from the spam report. It is not febo's fault.

From the SpamCop report, file abuse complaints with:
The spammer's ISP (Dutch in this case)
The ISP of the site being spammed for

And, you can put the URL of the site being spammed for into xwhois.com and do a WHOIS and a TRACE. Given this info, you can then file abuse complaints with:
The ISP that hosts the spam site.
The Domain Registrar for the spam site's URL.

However, none of this will help Jeff any. The spammer will, in all likelihood, continue to use his email address and address book.

Best,

-John

==

> So that no more goes out to the list. It does nothing to stop the problem. I'd have to look at the headers but based on what I'm hearing it sounds like his mail server is wide open, OR, somebody on the same network/isp is spamming.
>
> -Bob
>
> On Tue, Oct 4, 2011 at 2:54 PM, J. Forster wrote:
>
>> I agree with that picture.
>>
>> The sad thing is that the spammer can do it to Jeff essentially forever. There is little that can be done, other than change his email address, because the spammer has both his email address and a list of sites where that email address is trusted.
>>
>> As a Moderator (not of this group) I immediately moderate any such spamming email addresses, so at least no further spam goes out.
>>
>> Best,
>>
>> -John
>>
>>> From the looks of it:
>>>
>>> 1. The bad guys imported/stole Jeff's address book (via social networking ABI hijack, or PC infection).
>>>
>>> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the contacts they stole from Jeff's address book (and spoofing as "Jeff").
>>>
>>> This is troubling because it could happen to any one of us (if we have an address book and it gets hijacked).
>>>
>>> Per John's previous message, I would be leery of social network ABI (Address Book Import) for one thing.
>>>
>>> -Greg
>>>
>>> - Original Message -
>>> From: "Chuck Harris"
>>> To: "Discussion of precise time and frequency measurement"
>>> Sent: Tuesday, October 04, 2011 2:04 PM
>>> Subject: Re: [time-nuts] 2 (Spoofing)
>>>
>>> I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.
>>>
>>> I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.
>>>
>>> -Chuck Harris
>>>
>>> gbusg wrote:
>>>> The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.
>>>>
>>>> Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)
>>>>
>>>> -Greg
Re: [time-nuts] 2 (Spoofing)
All, this has become a common occurrence. It's virtually always a forged email address sent from a botnet and almost never sent from the user's actual email. If I see multiple posts from the same address, I will disable it for time-nuts but interestingly multiple posts "from" the same address are rare. I think the botnets are clever enough (and there are enough compromised addresses around) that they use each address for only one round of mailings, though perhaps to thousands of addressees, and then discard it, or retire it for use much later.

Unfortunately, this sort of problem is inherent in the very naive email protocol we're stuck with. Forging is dead simple and there are no truly workable defenses. The best thing to do is recognize these situations for what they are, take a deep breath, and ignore them.

John

On Oct 4, 2011, at 5:07 PM, Robert Darlington wrote:

> So that no more goes out to the list. It does nothing to stop the problem. I'd have to look at the headers but based on what I'm hearing it sounds like his mail server is wide open, OR, somebody on the same network/isp is spamming.
>
> -Bob
>
> On Tue, Oct 4, 2011 at 2:54 PM, J. Forster wrote:
>
>> I agree with that picture.
>>
>> The sad thing is that the spammer can do it to Jeff essentially forever. There is little that can be done, other than change his email address, because the spammer has both his email address and a list of sites where that email address is trusted.
>>
>> As a Moderator (not of this group) I immediately moderate any such spamming email addresses, so at least no further spam goes out.
>>
>> Best,
>>
>> -John
>>
>>> From the looks of it:
>>>
>>> 1. The bad guys imported/stole Jeff's address book (via social networking ABI hijack, or PC infection).
>>>
>>> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the contacts they stole from Jeff's address book (and spoofing as "Jeff").
>>>
>>> This is troubling because it could happen to any one of us (if we have an address book and it gets hijacked).
>>>
>>> Per John's previous message, I would be leery of social network ABI (Address Book Import) for one thing.
>>>
>>> -Greg
>>>
>>> - Original Message -
>>> From: "Chuck Harris"
>>> To: "Discussion of precise time and frequency measurement"
>>> Sent: Tuesday, October 04, 2011 2:04 PM
>>> Subject: Re: [time-nuts] 2 (Spoofing)
>>>
>>> I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.
>>>
>>> I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.
>>>
>>> -Chuck Harris
>>>
>>> gbusg wrote:
>>>> The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.
>>>>
>>>> Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)
>>>>
>>>> -Greg
Re: [time-nuts] 2 (Spoofing)
Take a look at the header on this message, and find the one that says "X-Originating IP:" It isn't there. That was added to Jeff's message by the spoofer for some reason or other.

The one header that looks like it might be the originating IP points to FEBO.

Two other guys that I know of that found themselves spamming Yahoo groups found they were running little spambot programs on their windows machines.

That is the simplest answer, and the most likely IMHO.

Think about it: A spammer that is spamming a non yahoo group like time-nuts specially? Not likely. This is a spambot that sent a message to all addresses in Jeff's address book, using Jeff's PC.

-Chuck Harris

gbusg wrote:
> From the looks of it:
>
> 1. The bad guys imported/stole Jeff's address book (via social networking ABI hijack, or PC infection).
>
> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the contacts they stole from Jeff's address book (and spoofing as "Jeff").
>
> This is troubling because it could happen to any one of us (if we have an address book and it gets hijacked).
>
> Per John's previous message, I would be leery of social network ABI (Address Book Import) for one thing.
>
> -Greg
>
> - Original Message -
> From: "Chuck Harris"
> To: "Discussion of precise time and frequency measurement"
> Sent: Tuesday, October 04, 2011 2:04 PM
> Subject: Re: [time-nuts] 2 (Spoofing)
>
> I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.
>
> I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.
>
> -Chuck Harris
>
> gbusg wrote:
>> The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.
>>
>> Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)
>>
>> -Greg
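Two points the thread keeps circling can be checked mechanically: Scott's observation (with Bob Smither's follow-up) that the first hop in a Received chain is usually an RFC 1918 LAN address and only the next hop is the sender's routable ISP address, and Chuck's point that X-Originating-IP is just another header line the submitting client can write, so only the Received lines stamped by relays you actually operate are evidence. Here is an added Python example, not code from the list or any of its posters, that walks the Received chain of a constructed message newest-first, labels each handing-off address as RFC 1918 private or public, stops trusting hops at the first relay outside your control, and reports the sender-supplied X-Originating-IP separately. The message, hostnames and addresses are constructed for the example (reserved documentation ranges plus one 10.x address).

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers (not a real message): the hop pattern discussed in the
# thread. A private LAN address hands the mail to an ISP relay, which hands it to the
# list host, which hands it to the recipient's MX. Each relay prepends its own
# Received line, so the newest hop is at the top.
SAMPLE_HEADERS = """\
Received: from lists.example.test (lists.example.test [198.51.100.7])
\tby mx.recipient.test with ESMTP id abc123; Wed, 5 Oct 2011 11:05:00 -0400
Received: from isp-relay.example.test (isp-relay.example.test [203.0.113.45])
\tby lists.example.test with ESMTP id def456; Wed, 5 Oct 2011 11:02:00 -0400
Received: from laptop.localdomain (laptop.localdomain [10.73.100.66])
\tby isp-relay.example.test with ESMTP id ghi789; Wed, 5 Oct 2011 11:01:00 -0400
X-Originating-IP: [192.0.2.99]
From: someone@example.test
Subject: constructed sample

(body omitted)
"""

# RFC 1918 ranges spelled out rather than ipaddress.is_private, which also
# treats the 192.0.2.0/24 style documentation ranges as non-routable.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FROM_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")          # first bracketed address = 'from' IP
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)")      # relay that wrote this line


def classify_ip(text):
    """Label an address the way the thread does: RFC 1918 LAN address vs. routable."""
    ip = ipaddress.ip_address(text)
    if any(ip in net for net in RFC1918):
        return "private (RFC 1918)"
    if ip.is_loopback or ip.is_link_local:
        return "local"
    return "public"


def walk_received(raw_message):
    """Return the Received hops newest-first, each with 'from' IP, its class and the 'by' host."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        ip_match = FROM_IP.search(flat)
        by_match = BY_HOST.search(flat)
        from_ip = ip_match.group(1) if ip_match else None
        hops.append({
            "from_ip": from_ip,
            "class": classify_ip(from_ip) if from_ip else "unknown",
            "by": by_match.group(1) if by_match else None,
        })
    return hops


def trusted_hops(raw_message, trusted_by_hosts):
    """Keep only the leading hops written by relays we operate or trust.

    Anything below the first untrusted relay could have been pre-written by the
    sender, so the walk stops there instead of skipping over it.
    """
    kept = []
    for hop in walk_received(raw_message):
        if hop["by"] not in trusted_by_hosts:
            break
        kept.append(hop)
    return kept


def furthest_trusted_origin(raw_message, trusted_by_hosts):
    """The last 'from' address vouched for by a trusted relay; beyond it is hearsay."""
    kept = trusted_hops(raw_message, trusted_by_hosts)
    return kept[-1]["from_ip"] if kept else None


def sender_claimed_origin(raw_message):
    """X-Originating-IP is whatever the submitting client put there: report it, never trust it."""
    value = message_from_string(raw_message).get("X-Originating-IP")
    return value.strip("[] ") if value else None


if __name__ == "__main__":
    for hop in walk_received(SAMPLE_HEADERS):
        print(hop)
    print("as a subscriber (only my MX trusted):",
          furthest_trusted_origin(SAMPLE_HEADERS, {"mx.recipient.test"}))
    print("as the list admin (list host trusted too):",
          furthest_trusted_origin(SAMPLE_HEADERS, {"mx.recipient.test", "lists.example.test"}))
    print("claimed origin (untrusted):", sender_claimed_origin(SAMPLE_HEADERS))
```

Run from a subscriber's point of view, the furthest trustworthy origin is the list server itself, which is exactly what Chuck saw ("febo is listed as the originating IP"); the list administrator, who trusts the list host's own Received line, can see one hop further, to the ISP relay. The 10.x address in the oldest line is only meaningful inside the sender's LAN, and the X-Originating-IP value is reported but never feeds into the trusted chain.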
Re: [time-nuts] 2 (Spoofing)
So that no more goes out to the list. It does nothing to stop the problem.

I'd have to look at the headers but based on what I'm hearing it sounds like his mail server is wide open, OR, somebody on the same network/isp is spamming.

-Bob

On Tue, Oct 4, 2011 at 2:54 PM, J. Forster wrote:
> I agree with that picture.
>
> The sad thing is that the spammer can do it to Jeff essentially forever. There is little that can be done, other than change his email address, because the spammer has both his email address and a list of sites where that email address is trusted.
>
> As a Moderator (not of this group) I immediately moderate any such spamming email addresses, so at least no further spam goes out.
>
> Best,
>
> -John
>
>> From the looks of it:
>>
>> 1. The bad guys imported/stole Jeff's address book (via social networking ABI hijack, or PC infection).
>>
>> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the contacts they stole from Jeff's address book (and spoofing as "Jeff").
>>
>> This is troubling because it could happen to any one of us (if we have an address book and it gets hijacked).
>>
>> Per John's previous message, I would be leery of social network ABI (Address Book Import) for one thing.
>>
>> -Greg
>>
>> - Original Message -
>> From: "Chuck Harris"
>> To: "Discussion of precise time and frequency measurement"
>> Sent: Tuesday, October 04, 2011 2:04 PM
>> Subject: Re: [time-nuts] 2 (Spoofing)
>>
>> I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.
>>
>> I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.
>>
>> -Chuck Harris
>>
>> gbusg wrote:
>>> The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.
>>>
>>> Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)
>>>
>>> -Greg
Re: [time-nuts] 2 (Spoofing)
I agree with that picture.

The sad thing is that the spammer can do it to Jeff essentially forever. There is little that can be done, other than change his email address, because the spammer has both his email address and a list of sites where that email address is trusted.

As a Moderator (not of this group) I immediately moderate any such spamming email addresses, so at least no further spam goes out.

Best,

-John

> From the looks of it:
>
> 1. The bad guys imported/stole Jeff's address book (via social networking ABI hijack, or PC infection).
>
> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the contacts they stole from Jeff's address book (and spoofing as "Jeff").
>
> This is troubling because it could happen to any one of us (if we have an address book and it gets hijacked).
>
> Per John's previous message, I would be leery of social network ABI (Address Book Import) for one thing.
>
> -Greg
>
> - Original Message -
> From: "Chuck Harris"
> To: "Discussion of precise time and frequency measurement"
> Sent: Tuesday, October 04, 2011 2:04 PM
> Subject: Re: [time-nuts] 2 (Spoofing)
>
> I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.
>
> I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.
>
> -Chuck Harris
>
> gbusg wrote:
>> The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.
>>
>> Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)
>>
>> -Greg
Re: [time-nuts] 2 (Spoofing)
From the looks of it:

1. The bad guys imported/stole Jeff's address book (via social networking ABI hijack, or PC infection).

2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the contacts they stole from Jeff's address book (and spoofing as "Jeff").

This is troubling because it could happen to any one of us (if we have an address book and it gets hijacked).

Per John's previous message, I would be leery of social network ABI (Address Book Import) for one thing.

-Greg

- Original Message -
From: "Chuck Harris"
To: "Discussion of precise time and frequency measurement"
Sent: Tuesday, October 04, 2011 2:04 PM
Subject: Re: [time-nuts] 2 (Spoofing)

I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.

I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.

-Chuck Harris

gbusg wrote:
> The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.
>
> Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)
>
> -Greg
Re: [time-nuts] 2 (Spoofing)
I'm not convinced. Notice that the to: line contains a list of addresses that look like they would belong in a time-nut's address book. That wouldn't be beneficial, or necessary if the spammer was spoofing his way into febo's servers.

I think this came from a spambot running on jeff's machine, and it emailed the payload to as many places as it dared... one of them happened to be the time-nuts address used for posting messages.

-Chuck Harris

gbusg wrote:
> The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.
>
> Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)
>
> -Greg
Re: [time-nuts] 2 (Spoofing)
The spam message in question was apparently spoofed and did *not* originate from Jeff's PC. In the message header, note the Originating-IP was [84.27.224.19]. That IP address originates from a server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here) is significantly different and is located in the U.S.A.

Chuck, I think somehow the spoofers have overcome the obstacle you mention, unfortunately. (Otherwise how did the user of the Netherlands server manage to get spam through to our group?)

-Greg

- Original Message -
From: "Chuck Harris"
To: ; "Discussion of precise time and frequency measurement"
Sent: Tuesday, October 04, 2011 9:20 AM
Subject: Re: [time-nuts] 2

There has to be more to it than that. Knowing a member's email address is not a key into the time-nuts (or yahoo) lists.

For instance, if I spoof my return and from addresses to be the same as my time-nuts subscribed email address, and send a message to time-nuts@febo.com from one of my non-subscribed email servers, it gets dutifully ignored. It came from the wrong email account on the wrong server.

The simple Occam's Razor style answer, in my opinion, is the hijacked user's PC has been breached by a typical Windows PC trojan horse spambot program, and is spewing out spam emails through the hijacked user's PC's email program.

Right?

-Chuck Harris