Most of the spambots are in China, Russia, Brazil, the Netherlands, and lately India.
Many are spamming for "Canadian Pharmacies", but lately Indian Television has become a real PITA. Hosting sites like Serverbeach aka Tier1 will not do anything about such abuse.

-John

===============

> See my other message for more details, but the spammers often use a
> two-step approach: (1) harvest address lists from the web, from
> compromised machines, etc., and (2) send those addresses, along with the
> payload, off to the botnets who then send the actual email. That gives
> legitimate-looking senders along with the volume sending power of the
> botnet.
>
> I think in the past things worked as you suggested and probably often still
> do, Chuck, but if you look at the originating IP on these messages they
> often are in blocks assigned to countries unlikely to be the home of the
> victim.
>
> John
>
> On Oct 4, 2011, at 5:11 PM, Chuck Harris <cfhar...@erols.com> wrote:
>
>> Take a look at the header on this message, and find the one that
>> says "X-Originating IP:" It isn't there. That was added to Jeff's
>> message by the spoofer for some reason or other.
>>
>> The one header that looks like it might be the originating IP points
>> to FEBO.
>>
>> Two other guys that I know of that found themselves spamming Yahoo
>> groups found they were running little spambot programs on their
>> Windows machines.
>>
>> That is the simplest answer, and the most likely IMHO.
>>
>> Think about it: A spammer that is spamming a non-Yahoo group like
>> time-nuts specially? Not likely. This is a spambot that sent a
>> message to all addresses in Jeff's address book, using Jeff's PC.
>>
>> -Chuck Harris
>>
>> gbusg wrote:
>>> From the looks of it:
>>>
>>> 1. The bad guys imported/stole Jeff's address book (via social networking
>>> ABI hijack, or PC infection).
>>>
>>> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the
>>> contacts they stole from Jeff's address book (and spoofing as "Jeff").
>>>
>>> This is troubling because it could happen to any one of us (if we have an
>>> address book and it gets hijacked).
>>>
>>> Per John's previous message, I would be leery of social network ABI (Address
>>> Book Import) for one thing.
>>>
>>> -Greg
>>>
>>>
>>> ----- Original Message -----
>>> From: "Chuck Harris"<cfhar...@erols.com>
>>> To: "Discussion of precise time and frequency measurement"
>>> <time-nuts@febo.com>
>>> Sent: Tuesday, October 04, 2011 2:04 PM
>>> Subject: Re: [time-nuts] 2 (Spoofing)
>>>
>>>
>>> I'm not convinced. Notice that the to: line contains a list of addresses that
>>> look like they would belong in a time-nut's address book. That wouldn't be
>>> beneficial, or necessary if the spammer was spoofing his way into febo's
>>> servers.
>>>
>>> I think this came from a spambot running on Jeff's machine, and it emailed the
>>> payload to as many places as it dared... one of them happened to be the
>>> time-nuts address used for posting messages.
>>>
>>> -Chuck Harris
>>>
>>> gbusg wrote:
>>>> The spam message in question was apparently spoofed and did *not* originate
>>>> from Jeff's PC. In the message header, note the Originating-IP was
>>>> [84.27.224.19]. That IP address originates from a server at [Netherlands
>>>> Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here)
>>>> is significantly different and is located in the U.S.A.
>>>>
>>>> Chuck, I think somehow the spoofers have overcome the obstacle you mention,
>>>> unfortunately. (Otherwise how did the user of the Netherlands server manage
>>>> to get spam through to our group?)
>>>>
>>>> -Greg
>>>
>>> _______________________________________________
>>> time-nuts mailing list -- time-nuts@febo.com
>>> To unsubscribe, go to
>>> https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
>>> and follow the instructions there.
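Added example, not part of the thread: the header question debated above, worked through in Python. It treats X-Originating-IP as a sender-supplied claim and compares it with the peer address recorded in the Received line written by a server the reader controls. The message, hostnames, addresses and trust lists are constructed for illustration, and the header name is assumed to be the common X-Originating-IP spelling.

```python
import re
from email import message_from_string

# Constructed sample (documentation address ranges, hypothetical hostnames).
# Each server prepends its own Received line, so the newest hop is on top.
RAW = """\
Received: from mx.list.example (mx.list.example [192.0.2.10])
\tby mail.reader.example with ESMTP; Tue, 4 Oct 2011 17:20:00 -0400
Received: from unknown (HELO friendly-pc) ([198.51.100.77])
\tby mx.list.example with SMTP; Tue, 4 Oct 2011 17:19:58 -0400
Received: from jeffs-pc.example ([203.0.113.5])
\tby relay.invented.example; Tue, 4 Oct 2011 17:19:00 -0400
X-Originating-IP: [203.0.113.5]
From: "Jeff" <jeff@example.org>
To: list@list.example
Subject: hi

body
"""

TRUSTED_HOSTS = {"mail.reader.example", "mx.list.example"}  # servers we run (assumed)
TRUSTED_IPS = {"192.0.2.10"}                                # their addresses (assumed)

# Peer address in brackets, then the host that wrote the line.
RECEIVED_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>[\w.-]+)", re.S)


def border_peer_ip(msg, hosts=TRUSTED_HOSTS, ips=TRUSTED_IPS):
    """Return the first external address recorded by a server we operate."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or m.group("by").lower() not in hosts:
            return None  # line was not written by us, so nothing below is reliable
        if m.group("ip") not in ips:
            return m.group("ip")  # handoff from outside; stop reading here
    return None


def assess(raw):
    """Compare the sender-supplied X-Originating-IP with what our border saw."""
    msg = message_from_string(raw)
    claimed = (msg.get("X-Originating-IP") or "").strip(" []") or None
    observed = border_peer_ip(msg)
    return {"claimed": claimed, "observed": observed,
            "claim_verified": claimed is not None and claimed == observed}


if __name__ == "__main__":
    print(assess(RAW))
```

Reading stops at the first external peer, so Received lines the sender prepended further down never influence the result, even if they name one of the trusted hosts.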