Someone's scraping NANOG for phishing purposes again

valdis.kletnieks at valdis.kletnieks at
Fri Feb 10 19:09:02 UTC 2017

On Fri, 10 Feb 2017 13:22:31 -0500, Rich Kulawiec said:
> On Fri, Feb 10, 2017 at 11:56:02AM -0600, Andrew Latham wrote:
> > On a great many mailing lists, Suresh is spot on as this looks more like
> > infected user but headers would be good.

The one I found in my mailbox yesterday tends to support "multiple users
infected with a spamming botnet":

Received: from ( []) by (8.14.7/8.14.7) with ESMTP id v190Ro7i021554 for  <Valdis.Kletnieks at>; Wed, 8 Feb 2017 19:27:56 -0500
Received: from [] (helo=jame-PC) by with esmtpsa  (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from <bazzanie at>) id  1cbcaI-0007Zj-Cz; Thu, 09 Feb 2017 01:27:42 +0100
Message-id: <1427704941.20170209032724 at>

Subject: look at that, it's amazing!
From: "William Herrin" <bazzanie at>
Date: Thu, 9 Feb 2017 06:27:24 +0600 (Wed 19:27 EST)
To: "Ronald F. Guilmette" <rfg at>,         "Robert Webb"  <rwebb at>,         "Valdis Kletnieks" <Valdis.Kletnieks at>,         "Scott  Brim" <scott.brim at>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 484 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list