Someone's scraping NANOG for phishing purposes again

Rich Kulawiec rsk at
Fri Feb 10 18:22:31 UTC 2017

On Fri, Feb 10, 2017 at 11:56:02AM -0600, Andrew Latham wrote:
> On a great many mailing lists, Suresh is spot on as this looks more like
> infected user but headers would be good.

Here are a couple recent specimens that appear to fit this pattern:

Received: from ( [])
	by (8.15.1/8.14.9) with ESMTPS id v190EnHs001330
	(version=TLSv1 cipher=AES128-SHA bits=128 verify=NO)
	for <rsk at>; Wed, 8 Feb 2017 19:15:01 -0500 (EST)
From: <info at>
To: Jon Lewis <jlewis at>, jamie rishaw <j at>,
        Michael Thomas
	<mike at>, Rich Kulawiec <rsk at>
Subject: =?utf-8?B?d2hhdCBhIG5pY2Ugc3VycHJpc2U=?=
Date: Wed, 8 Feb 2017 19:14:20 -0500
Message-ID: <1355759249.20170209031420 at>

Received: from ( [])
	by (8.15.1/8.14.9) with ESMTP id v0B5dsb7001374
	for <rsk at>; Wed, 11 Jan 2017 00:40:06 -0500 (EST)
From: "Mikael Abrahamsson" <jdenoy at>
To: "John Curran" <jcurran at>,
        "Paul Graydon" 
 <paul at>,
        "Rich Kulawiec" <rsk at>, "Seth Mattinen" <sethm at>
Subject: =?utf-8?B?ZmFudGFzdGljIHBsYWNl?=
Date: Wed, 11 Jan 2017 01:38:43 -0400
Message-ID: <1961406061.20170111083843 at>


More information about the NANOG mailing list