SPAM and Virus emails to NANOG

George William Herbert gherbert at retro.com
Fri Mar 19 22:03:06 UTC 2004



Steve Bellovin writes:
>"Gregory Taylor" writes:
>>Can somebody explain to me why I keep getting e-mails with no content that are
>> setting off my virus scanners via NANOG list?
>
>Probably because there's a worm that's sending the messages -- messages 
>that purport to be from legitimate NANOG posters.  Let me guess -- the 
>body of these messages starts <OB JECT STYLE='display:none"...>  (I've 
>added a blank because the existence of the exact string does trigger 
>some filters.)

Yeah, exactly.  The one last night appeared to come
from one of my old accounts (gherbert at crl.com).
CRL (the ISP, in San Francisco) no longer exists,
though the domain is apparently now an alias
for Charles River Laboratories in Massachusetts.
Presumably, gherbert at crl.com was still in the
nanog-post list database from the early days
because I didn't delete it when CRL became an
ex-company, so it got in through the filters
at Merit (I have sent them mail to rectify that).

But this was just random bad luck from a virus.
A lot of the virus/worm infections now will
pick random pairs of addresses out of people's
mailboxes; one is used as the "from" in a new
virus message, the other as the recipient.
Someone I sent mail to at some point, who had
received nanog mail (or some combination thereof)
got a virus, and it lucked out in picking
a recipient (nanog) that was a closed list
but using a From: address that was a valid
sender for the list.

This could happen again any time if anyone
else on the list gets a virus, if the From/To
pairs that are randomly picked turn out to
line up with the list in a valid way.

The virus came to Merit from 151.202.157.67,
which is a Verizon parent block, and the
particular set of addresses are One FN 
(NET-151-202-157-64-1), who are someone at
1 Park Ave, New York.  I live in Oakland,
California. 

Welcome to the new exciting world of Outlook.

This is why I use nmh as my mail user agent.
But it doesn't protect anyone else out there
from viruses impersonating me in this manner.
Or impersonating you, or anyone else...


-george william herbert
gherbert at retro.com
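
Added example, not part of the original post and not Merit's actual filter: a closed-list check that trusts only the From: header, as described above, next to a stricter variant that holds a post for moderation when the relay that handed it over is not one the sender has posted from before. The poster database, addresses, IP ranges and the known-origin rule are all hypothetical and constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical poster database (constructed): From: address -> networks seen before.
POSTERS = {
    "alice@example.org": [ipaddress.ip_network("192.0.2.0/24")],
    "alice@old-isp.example": [],  # stale entry for a defunct provider, never removed
}
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def from_only_check(msg):
    """The closed-list test described in the post: is From: a known poster?"""
    return parseaddr(msg.get("From", ""))[1].lower() in POSTERS

def origin_ip(msg):
    """IP in the topmost Received header, the only hop our own MTA recorded itself."""
    received = msg.get_all("Received") or []
    m = RECEIVED_IP.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def stricter_check(msg):
    """Return 'accept', 'hold' (moderator review) or 'reject'."""
    if not from_only_check(msg):
        return "reject"
    sender = parseaddr(msg["From"])[1].lower()
    ip = origin_ip(msg)
    if ip is not None and any(ip in net for net in POSTERS[sender]):
        return "accept"
    return "hold"  # known From:, but unfamiliar or missing origin

def build(sender, ip):
    # Constructed sample message; the Received line mimics what the list MTA adds.
    return message_from_string(
        f"Received: from host (host [{ip}]) by lists.example.net; Fri, 19 Mar 2004 03:00:00 +0000\n"
        f"From: {sender}\nTo: list@lists.example.net\nSubject: test\n\nbody\n")

GENUINE = build("alice@example.org", "192.0.2.25")
FORGED_STALE = build("alice@old-isp.example", "198.51.100.67")   # stale address, unrelated relay
FORGED_CURRENT = build("alice@example.org", "198.51.100.67")     # live address, unrelated relay
OUTSIDER = build("mallory@example.com", "198.51.100.67")
```

Both forged messages pass the From-only test; the stricter check holds them for review instead of rejecting, so a real poster writing from a new network is delayed rather than dropped.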



