[time-nuts] 2 (Spoofing)

John Ackermann N8UR jra at febo.com
Tue Oct 4 21:18:20 UTC 2011


All, this has become a common occurrence.  It's virtually always a forged email address sent from a botnet and almost never sent from the user's actual email.  If I see multiple posts from the same address, I will disable it for time-nuts but interestingly multiple posts "from" the same address are rare.  I think the botnets are clever enough (and there are enough compromised addresses around) that they use each address for only one round of mailings, though perhaps to thousands of addressees, and then discard it, or retire it for use much later.

Unfortunately, this sort of problem is inherent in the very naive email protocol we're stuck with.  forging is dead simple and there are no truly workable defenses.  The best thing to do is recognize these situations for what they are, take a deep breath, and ignore them.

John

On Oct 4, 2011, at 5:07 PM, Robert Darlington <rdarlington at gmail.com> wrote:

> So that no more goes out to the list.  It does nothing to stop the problem.
> I'd have to look at the headers but based on what I'm hearing it sounds like
> his mail server is wide open, OR, somebody on the same network/isp is
> spamming.
> 
> -Bob
> 
> On Tue, Oct 4, 2011 at 2:54 PM, J. Forster <jfor at quikus.com> wrote:
> 
>> I agree with that picture.
>> 
>> The sad thing is that the spammer can do it to Jeff essentially forever.
>> There is little that can be done, other than change his email address,
>> because the spammer has both his email address and a list of sites where
>> that email address is trusted.
>> 
>> As a Moderator (not of this group) I immediately moderate any such
>> spamming email addresses, so at least no further spam goes out.
>> 
>> Best,
>> 
>> -John
>> 
>> ====================
>> 
>>> From the looks of it:
>>> 
>>> 1. The bad guys imported/stole Jeff's address book (via social networking
>>> ABI hijack, or PC infection).
>>> 
>>> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to
>> the
>>> contacts they stole from Jeff's address book (and spoofing as "Jeff").
>>> 
>>> This is troubling because it could happen to any one of us (if we have an
>>> address book and it gets hijacked).
>>> 
>>> Per John's previous message, I would be leery of social network ABI
>>> (Address
>>> Book Import) for one thing.
>>> 
>>> -Greg
>>> 
>>> 
>>> ----- Original Message -----
>>> From: "Chuck Harris" <cfharris at erols.com>
>>> To: "Discussion of precise time and frequency measurement"
>>> <time-nuts at febo.com>
>>> Sent: Tuesday, October 04, 2011 2:04 PM
>>> Subject: Re: [time-nuts] 2 (Spoofing)
>>> 
>>> 
>>> I'm not convinced.  Notice that the to: line contains a list of addresses
>>> that
>>> look like they would belong in a time-nut's address book.  That wouldn't
>>> be
>>> beneficial, or necessary if the spammer was spoofing his way into febo's
>>> servers.
>>> 
>>> I think this came from a spambot running on jeff's machine, and it
>> emailed
>>> the
>>> payload to as many places as it dared... one of them happened to be the
>>> time-nuts
>>> address used for posting messages.
>>> 
>>> -Chuck Harris
>>> 
>>> gbusg wrote:
>>>> The spam message in question was apparently spoofed and did *not*
>>>> originate
>>>> from Jeff's PC. In the message header, note the Originating-IP was
>>>> [84.27.224.19]. That IP address originates from a server at [Netherlands
>>>> Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat
>>>> here)
>>>> is significantly different and is located in the U.S.A.
>>>> 
>>>> Chuck, I think somehow the spoofers have overcome the obstacle you
>>>> mention,
>>>> unfortunately. (Otherwise how did the user of the Netherlands server
>>>> manage
>>>> to get spam through to our group?)
>>>> 
>>>> -Greg
>>> 
>>> _______________________________________________
>>> time-nuts mailing list -- time-nuts at febo.com
>>> To unsubscribe, go to
>>> https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
>>> and follow the instructions there.
>>> 
>>> 
>>> _______________________________________________
>>> time-nuts mailing list -- time-nuts at febo.com
>>> To unsubscribe, go to
>>> https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
>>> and follow the instructions there.
>>> 
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> time-nuts mailing list -- time-nuts at febo.com
>> To unsubscribe, go to
>> https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
>> and follow the instructions there.
>> 
> _______________________________________________
> time-nuts mailing list -- time-nuts at febo.com
> To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
> and follow the instructions there.



More information about the time-nuts mailing list