[time-nuts] 2 (Spoofing)

gbusg gbusg at comcast.net
Tue Oct 4 20:34:18 UTC 2011

>From the looks of it:

1. The bad guys imported/stole Jeff's address book (via social networking 
ABI hijack, or PC infection).

2. The bad guys then spammed (from in the Netherlands) to the 
contacts they stole from Jeff's address book (and spoofing as "Jeff").

This is troubling because it could happen to any one of us (if we have an 
address book and it gets hijacked).

Per John's previous message, I would be leery of social network ABI (Address 
Book Import) for one thing.


----- Original Message ----- 
From: "Chuck Harris" <cfharris at erols.com>
To: "Discussion of precise time and frequency measurement" 
<time-nuts at febo.com>
Sent: Tuesday, October 04, 2011 2:04 PM
Subject: Re: [time-nuts] 2 (Spoofing)

I'm not convinced.  Notice that the to: line contains a list of addresses 
look like they would belong in a time-nut's address book.  That wouldn't be
beneficial, or necessary if the spammer was spoofing his way into febo's 

I think this came from a spambot running on jeff's machine, and it emailed 
payload to as many places as it dared... one of them happened to be the 
address used for posting messages.

-Chuck Harris

gbusg wrote:
> The spam message in question was apparently spoofed and did *not* 
> originate
> from Jeff's PC. In the message header, note the Originating-IP was
> []. That IP address originates from a server at [Netherlands
> Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat here)
> is significantly different and is located in the U.S.A.
> Chuck, I think somehow the spoofers have overcome the obstacle you 
> mention,
> unfortunately. (Otherwise how did the user of the Netherlands server 
> manage
> to get spam through to our group?)
> -Greg

time-nuts mailing list -- time-nuts at febo.com
To unsubscribe, go to 
and follow the instructions there. 

More information about the time-nuts mailing list