[time-nuts] 2 (Spoofing)
gbusg at comcast.net
Tue Oct 4 20:34:18 UTC 2011
>From the looks of it:
1. The bad guys imported/stole Jeff's address book (via social networking
ABI hijack, or PC infection).
2. The bad guys then spammed (from 220.127.116.11 in the Netherlands) to the
contacts they stole from Jeff's address book (and spoofing as "Jeff").
This is troubling because it could happen to any one of us (if we have an
address book and it gets hijacked).
Per John's previous message, I would be leery of social network ABI (Address
Book Import) for one thing.
----- Original Message -----
From: "Chuck Harris" <cfharris at erols.com>
To: "Discussion of precise time and frequency measurement"
<time-nuts at febo.com>
Sent: Tuesday, October 04, 2011 2:04 PM
Subject: Re: [time-nuts] 2 (Spoofing)
I'm not convinced. Notice that the to: line contains a list of addresses
look like they would belong in a time-nut's address book. That wouldn't be
beneficial, or necessary if the spammer was spoofing his way into febo's
I think this came from a spambot running on jeff's machine, and it emailed
payload to as many places as it dared... one of them happened to be the
address used for posting messages.
> The spam message in question was apparently spoofed and did *not*
> from Jeff's PC. In the message header, note the Originating-IP was
> [18.104.22.168]. That IP address originates from a server at [Netherlands
> Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here)
> is significantly different and is located in the U.S.A.
> Chuck, I think somehow the spoofers have overcome the obstacle you
> unfortunately. (Otherwise how did the user of the Netherlands server
> to get spam through to our group?)
time-nuts mailing list -- time-nuts at febo.com
To unsubscribe, go to
and follow the instructions there.
More information about the time-nuts