Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SPAM and Virus emails to NANOG

  • From: George William Herbert
  • Date: Fri Mar 19 17:02:09 2004


Steve Bellovin writes:
>"Gregory Taylor" writes:
>>Can somebody explain to me why I keep getting e-mails with no content that are
>> setting off my virus scanners via NANOG list?
>
>Probably because there's a worm that's sending the messages -- messages 
>that purport to be from legitimate NANOG posters.  Let me guess -- the 
>body of these messages starts <OB JECT STYLE='display:none"...>  (I've 
>added a blank because the existence of the exact string does trigger 
>some filters.)

Yeah, exactly.  The one last night appeared to come
from one of my old accounts (gherbert@crl.com).
CRL (the ISP, in San Francisco) no longer exists,
though the domain is apparently now an alias
for Charles River Labratories in Massachusetts.
Presumably, gherbert@crl.com was still in the
nanog-post list database from the Early days
because I didn't delete it when CRL became an
ex-company, so it got in through the filters
at Merit (I have sent them mail to rectify that).

But this was just random bad luck from virus.
A lot of the virus/worm infections now will
pick random pairs of addresses out of people's
mailboxes; one is used as the "from" in a new
virus message, the other as the recipient.
Someone I sent mail to at some point, who had
received nanog mail (or some combination thereof)
got a virus, and it lucked out in picking
a recipient (nanog) that was a closed list
but using a From: address that was a valid
sender for the list.

This could happen again any time if anyone
else on the list gets a virus, if the From/To
pairs that are randomly picked turn out to
line up with the list in a valid way.

The virus came to Merit from 151.202.157.67,
which is a Verizon parent block, and the
particular set of addresses are One FN 
(NET-151-202-157-64-1).  Who are someone at
1 Park ave, New York.  I live in Oakland,
California. 

Welcome to the new exciting world of Outlook.

This is why I use nmh as my mail user agent.
But it doesn't protect anyone else out there
from viruses impersonating me in this manner.
Or impersonating you, or anyone else...


-george william herbert
gherbert@retro.com





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.