See my other message for more details, but the spammers often use a two-step 
approach:  (1) harvest address lists from the web, from compromised machines, 
etc., and (2) send those addresses, along with the payload, off to the botnets 
who then send the actual email.  That gives legitimate-looking senders along 
with the volume sending power of the botnet.

I think in the past things worked as you suggested and probably often still do, 
Chuck, but if you look at the originating IP on these messages they often are 
in blocks assigned to countries unlikely to be the home of the victim.

John

On Oct 4, 2011, at 5:11 PM, Chuck Harris <cfhar...@erols.com> wrote:

> Take a look at the header on this message, and find the one that
> says "X-Originating IP:"  It isn't there.  That was added to Jeff's
> message by the spoofer for some reason or other.
> 
> The one header that looks like it might be the originating IP points
> to FEBO.
> 
> Two other guys that I know of that found themselves spamming Yahoo
> groups found they were running little spambot programs on their
> Windows machines.
> 
> That is the simplest answer, and the most likely IMHO.
> 
> Think about it:  A spammer that is spamming a non-Yahoo group like
> time-nuts specially?  Not likely.  This is a spambot that sent a
> message to all addresses in Jeff's address book, using Jeff's PC.
> 
> -Chuck Harris
> 
> gbusg wrote:
>> From the looks of it:
>> 
>> 1. The bad guys imported/stole Jeff's address book (via social networking
>> ABI hijack, or PC infection).
>> 
>> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the
>> contacts they stole from Jeff's address book (and spoofing as "Jeff").
>> 
>> This is troubling because it could happen to any one of us (if we have an
>> address book and it gets hijacked).
>> 
>> Per John's previous message, I would be leery of social network ABI (Address
>> Book Import) for one thing.
>> 
>> -Greg
>> 
>> 
>> ----- Original Message -----
>> From: "Chuck Harris"<cfhar...@erols.com>
>> To: "Discussion of precise time and frequency measurement"
>> <time-nuts@febo.com>
>> Sent: Tuesday, October 04, 2011 2:04 PM
>> Subject: Re: [time-nuts] 2 (Spoofing)
>> 
>> 
>> I'm not convinced.  Notice that the To: line contains a list of addresses that
>> look like they would belong in a time-nut's address book.  That wouldn't be
>> beneficial, or necessary, if the spammer was spoofing his way into febo's
>> servers.
>> 
>> I think this came from a spambot running on Jeff's machine, and it emailed the
>> payload to as many places as it dared... one of them happened to be the
>> time-nuts address used for posting messages.
>> 
>> -Chuck Harris
>> 
>> gbusg wrote:
>>> The spam message in question was apparently spoofed and did *not* originate
>>> from Jeff's PC. In the message header, note the Originating-IP was
>>> [84.27.224.19]. That IP address originates from a server at [Netherlands
>>> Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here)
>>> is significantly different and is located in the U.S.A.
>>> 
>>> Chuck, I think somehow the spoofers have overcome the obstacle you mention,
>>> unfortunately. (Otherwise how did the user of the Netherlands server manage
>>> to get spam through to our group?)
>>> 
>>> -Greg

_______________________________________________
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.
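The thread above turns on which header lines can be believed: the Received hop stamped by the list's own server versus the deeper hops and the X-Originating-IP line that arrive with the message. The following Python is an added example, not code from anyone in the thread; the header block, host names and the number of trusted hops are constructed assumptions, and the 84.27.224.19 address is the one quoted in the discussion.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
# Constructed sample, not a header from the thread.  Each MTA prepends a Received
# header: the topmost is what our own server saw, the lowest arrived with the message.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
 by lists.example.org with ESMTP; Tue, 4 Oct 2011 13:58:00 -0400
Received: from [192.168.1.20] (unknown [84.27.224.19])
 by mail.example.net with ESMTPA; Tue, 4 Oct 2011 13:57:40 -0400
X-Originating-IP: [84.27.224.19]
From: jeff@example.com

"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
INTERNAL = [ip_network(n) for n in  # private/loopback never names the sender
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def routable_ips(text):
    """IPv4 addresses in text, in order, minus private and loopback ones."""
    out = []
    for cand in IP_RE.findall(text or ""):
        try:
            ip = ip_address(cand)
        except ValueError:  # e.g. 999.1.1.1 passes the loose regex
            continue
        if not any(ip in net for net in INTERNAL):
            out.append(str(ip))
    return out

def client_of(received):
    """Address of the connecting host in one Received header's 'from' clause."""
    ips = routable_ips(re.split(r"\s+by\s+", received, maxsplit=1)[0])
    return ips[-1] if ips else None

def analyze(raw, trusted_hops=1):
    """Split what our own MTAs recorded (the top `trusted_hops` Received
    headers) from what the sender asserted and could have forged or omitted."""
    msg = message_from_string(raw)
    recv = msg.get_all("Received", [])
    claimed = routable_ips(msg.get("X-Originating-IP"))
    trusted = client_of(recv[trusted_hops - 1]) if len(recv) >= trusted_hops else None
    return {
        "trusted_client": trusted,                             # seen by us
        "deepest_hop": client_of(recv[-1]) if recv else None,  # asserted
        "claimed_origin": claimed[0] if claimed else None,     # asserted
        "claim_unverified": bool(claimed) and claimed[0] != trusted,
    }
```

With one trusted hop, the sample reports 198.51.100.7 as the only verified client while 84.27.224.19 appears only in sender-supplied lines, which is exactly why an X-Originating-IP value on its own settles nothing about where the message came from.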
