A fascinating piece of spam

Steven Bellovin smb at cs.columbia.edu
Tue Dec 7 23:47:46 UTC 2010


Yup, same purported sender...


On Dec 7, 2010, at 6:46 40PM, Joe Greco wrote:

>> Well -- spammers are following the NANOG list in real-time, it seems.  A
>> few hours after my post this afternoon, I received some spam with a
>> correct Subject: line for that post.  I'll be happy to forward the email
>> to anyone who wants to analyze it or find the offender and permanently
>> blacklist "her" from NANOG...
> 
> Funny you should mention that.  About two seconds before your message,
> I got such a bit of spam.
> 
>> From carlafletcher24 at yahoo.com  Tue Dec  7 17:43:02 2010
>> Return-Path: <carlafletcher24 at yahoo.com>
>> Received: from nm15.bullet.mail.ne1.yahoo.com (nm15.bullet.mail.ne1.yahoo.com [98.138.90.78])
>>        by mx1.sol.net (8.14.4/8.14.4/SNNS-1.04) with SMTP id oB7Ngtf7002716
>>        for <jgreco at ns.sol.net>; Tue, 7 Dec 2010 17:43:00 -0600 (CST)
>> Received: from [98.138.90.51] by nm15.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000
>> Received: from [98.138.87.1] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000
>> Received: from [127.0.0.1] by omp1001.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000
>> X-Yahoo-Newman-Property: ymail-3
>> X-Yahoo-Newman-Id: 9187.54043.bm at omp1001.mail.ne1.yahoo.com
>> Received: (qmail 17052 invoked by uid 60001); 7 Dec 2010 23:42:49 -0000
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1291765369; bh=Nwik8gyzMPW2hSR2Fc+0a6ZUu1s5oHBhOjv0Shs9wCE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=4Yw5bYZ0DJq7pbortuz7YK0J5opr+dQ0vk3FJ3V5uTF/jVuFRcu9hJxBZ/8u4xakvycmSMYOFDMR3oFL6t2JmSt3x4JZmCnDjlS79cL3arFsW/a0aBm9pubfPCYqijis3iCY6uNhji6JxYe0OWsMlHU3qTNohvs+dwMUl/gQ8R0=
>> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>>  s=s1024; d=yahoo.com;
>>  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
>>  b=a+L6kibArtNLl3qtSuIHEDxKt2dZfrXLRiUE91IWnNsW6NZ11W6RG51LRXFK288erRYh7k9t2evvpBxbkAH7XKQ/B/+lIBaZqgZ5ON3MC3ziMmhrjn3UIX1o1obMDz0vO7R94K4iapDIpVlD9xXPOSgc1ENMoW8GA6eoKKRDUbs=;
>> Message-ID: <828073.58184.qm at web120306.mail.ne1.yahoo.com>
>> X-YMail-OSG: tTFoZPoVM1lORXP10bFDAvyxx.jFIQDoUGJ6hUxCf6q8Tbk
>> 8RkTR2Q6BakFB1l6t1W5BdZ4fPFVQEWRX_TSB16hGCUxPmFhrTru8ItaSrSg
>> oF9x5JBC6GwAHAwzXaeCohqEqZsyOLa9vBCXu_kKyxJv_zCea2QtIZ_PFH23
>> rGr_j.u85nfOQA_6VJ3uLvtpJ75N0.ufEudhqcR6ZhL4bPb8LTxKYxAtZQ2N
>> _j50f7Uf_DOQ-
>> Received: from [173.208.43.151] by web120306.mail.ne1.yahoo.com via HTTP; Tue, 07 Dec 2010 15:42:49 PST
>> X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259
>> Date: Tue, 7 Dec 2010 15:42:49 -0800 (PST)
>> From: Carla Fletcher <carlafletcher24 at yahoo.com>
>> Reply-To: carlafletcher24 at yahoo.com
>> Subject: Re: Re: Abuse@ contacts
>> To: jgreco at ns.sol.net
> 
> I didn't know that anybody was still keying on subject lines; our spam
> filter tossed it anyways.
> 
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
> 


		--Steve Bellovin, http://www.cs.columbia.edu/~smb








