Take a look at the header on this message, and find the one that
says "X-Originating-IP:"  It isn't there.  That was added to Jeff's
message by the spoofer for some reason or other.

The one header that looks like it might be the originating IP points
to FEBO.

Two other guys that I know of who found themselves spamming Yahoo
groups found they were running little spambot programs on their
Windows machines.

That is the simplest answer, and the most likely IMHO.

Think about it:  A spammer that is spamming a non-Yahoo group like
time-nuts specially?  Not likely.  This is a spambot that sent a
message to all addresses in Jeff's address book, using Jeff's PC.

-Chuck Harris

gbusg wrote:
From the looks of it:

1. The bad guys imported/stole Jeff's address book (via social networking
ABI hijack, or PC infection).

2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the
contacts they stole from Jeff's address book (and spoofing as "Jeff").

This is troubling because it could happen to any one of us (if we have an
address book and it gets hijacked).

Per John's previous message, I would be leery of social network ABI (Address
Book Import) for one thing.

-Greg


----- Original Message -----
From: "Chuck Harris"<cfhar...@erols.com>
To: "Discussion of precise time and frequency measurement"
<time-nuts@febo.com>
Sent: Tuesday, October 04, 2011 2:04 PM
Subject: Re: [time-nuts] 2 (Spoofing)


I'm not convinced.  Notice that the To: line contains a list of addresses
that look like they would belong in a time-nut's address book.  That
wouldn't be beneficial, or necessary, if the spammer was spoofing his way
into febo's servers.

I think this came from a spambot running on Jeff's machine, and it emailed
the payload to as many places as it dared... one of them happened to be the
time-nuts address used for posting messages.

-Chuck Harris

gbusg wrote:
The spam message in question was apparently spoofed and did *not*
originate from Jeff's PC.  In the message header, note the Originating-IP
was [84.27.224.19].  That IP address originates from a server at
[Netherlands Groningen Ziggo B.v].  Jeff's actual IP address (which I won't
repeat here) is significantly different and is located in the U.S.A.

Chuck, I think somehow the spoofers have overcome the obstacle you
mention, unfortunately.  (Otherwise how did the user of the Netherlands
server manage to get spam through to our group?)

-Greg

_______________________________________________
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to
https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.


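The header-reading argument running through this thread (which Received line the list server wrote, versus which headers the sender's software could have put there itself, X-Originating-IP included), as an added example that is not part of any message in the thread. The message text, hostnames, IP addresses and the trusted-server set below are constructed for the example using RFC 2606 / RFC 5737 documentation values; none of it is the real spam's header, and the function names are my own.

```python
import email
import re

# Constructed sample of the kind of header chain discussed in the thread.
# Hostnames and IPs are documentation values, not the real addresses from
# the list message. The X-Originating-IP line stands for a header that
# arrived inside the message and that no server on the path vouches for.
SAMPLE_MESSAGE = """\
Received: from list.example.org (list.example.org [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTP id 1234ABCD
\tfor <member@recipient.example>; Tue,  4 Oct 2011 14:04:00 -0400
Received: from mail.isp.example (mail.isp.example [198.51.100.7])
\tby list.example.org (Postfix) with ESMTP id 5678EFGH
\tfor <list@list.example.org>; Tue,  4 Oct 2011 14:03:55 -0400
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby mail.isp.example (Postfix) with ESMTPA id 9ABCDEF0
\tfor <list@list.example.org>; Tue,  4 Oct 2011 14:03:50 -0400
X-Originating-IP: [10.99.99.99]
From: "Jeff" <jeff@sender.example>
To: list@list.example.org
Subject: example

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+)")


def parse_received(value: str) -> dict:
    """Split one Received header into the name the client claimed (HELO),
    the IP the receiving server actually saw, and the server that wrote it."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = HOP_RE.search(flat)
    if not m:
        return {"claimed": None, "ip": None, "by": None, "raw": flat}
    claimed, comment, by = m.groups()
    ip_match = IP_RE.search(comment or "") or IP_RE.search(claimed)
    return {
        "claimed": claimed,
        "ip": ip_match.group(1) if ip_match else None,
        "by": by,
        "raw": flat,
    }


def trace_origin(raw_message: str, trusted_servers: set) -> dict:
    """Walk the Received chain top-down (newest first). The last header
    written by a server we trust is the boundary: the IP in its 'from'
    clause is the connecting client as that trusted server saw it.
    Everything below it, and any X-Originating-IP, came in with the
    message and is whatever the sending software chose to write."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    boundary = None
    for idx, hop in enumerate(hops):
        if hop["by"] in trusted_servers:
            boundary = idx
        else:
            break  # first hop not written by us; nothing below is verified
    first_unverified = boundary + 1 if boundary is not None else 0
    x_orig = msg.get("X-Originating-IP")
    x_orig_match = IP_RE.search(x_orig) if x_orig else None
    return {
        "reliable_origin_ip": hops[boundary]["ip"] if boundary is not None else None,
        "trusted_hops": first_unverified,
        "unverified_claims": [h["ip"] for h in hops[first_unverified:]],
        "x_originating_ip": x_orig_match.group(1) if x_orig_match else x_orig,
    }


if __name__ == "__main__":
    # Trusted set = our own MX plus the list server, as a list member would see it.
    report = trace_origin(SAMPLE_MESSAGE, {"mx.recipient.example", "list.example.org"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the sample above the only address a trusted server vouches for is the one in the Received line the list server wrote (198.51.100.7 in the constructed chain); the lower Received line and the X-Originating-IP value are claims carried inside the message. X-Originating-IP is a non-standard header that some webmail systems add for their own users, but any SMTP client can send one with any value, which is why it cannot by itself settle where a message came from.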