North American Network Operators Group
Re: SPAM and Virus emails to NANOG
- From: George William Herbert
- Date: Fri Mar 19 17:02:09 2004
Steve Bellovin writes:
>"Gregory Taylor" writes:
>>Can somebody explain to me why I keep getting e-mails with no content that are
>> setting off my virus scanners via NANOG list?
>Probably because there's a worm that's sending the messages -- messages
>that purport to be from legitimate NANOG posters. Let me guess -- the
>body of these messages starts <OB JECT STYLE='display:none"...> (I've
>added a blank because the existence of the exact string does trigger
Yeah, exactly. The one last night appeared to come
from one of my old accounts (email@example.com).
CRL (the ISP, in San Francisco) no longer exists,
though the domain is apparently now an alias
for Charles River Laboratories in Massachusetts.
Presumably, firstname.lastname@example.org was still in the
nanog-post list database from the Early days
because I didn't delete it when CRL became an
ex-company, so it got in through the filters
at Merit (I have sent them mail to rectify that).
But this was just random bad luck from a virus.
A lot of the virus/worm infections now will
pick random pairs of addresses out of people's
mailboxes; one is used as the "from" in a new
virus message, the other as the recipient.
Someone I sent mail to at some point, who had
received nanog mail (or some combination thereof)
got a virus, and it lucked out in picking
a recipient (nanog) that was a closed list
but using a From: address that was a valid
sender for the list.
This could happen again any time if anyone
else on the list gets a virus, if the From/To
pairs that are randomly picked turn out to
line up with the list in a valid way.
The virus came to Merit from 184.108.40.206,
which is a Verizon parent block, and the
particular set of addresses are One FN
(NET-151-202-157-64-1). Who are someone at
1 Park ave, New York. I live in Oakland,
Welcome to the new exciting world of Outlook.
This is why I use nmh as my mail user agent.
But it doesn't protect anyone else out there
from viruses impersonating me in this manner.
Or impersonating you, or anyone else...
-george william herbert
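
Added example, not part of the original post and not Merit's actual list software: a sketch of the From:-only poster check described in the message above, next to a stricter one that holds for moderation any message showing the two traits reported in this thread (no visible content, or a hidden OBJECT tag). All addresses, the allowlist and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical poster allowlist; the thread only says such a database exists.
ALLOWED_POSTERS = {"alice@old-isp.example", "bob@carrier.example"}
# Matches an OBJECT tag styled display:none, the marker quoted in the thread.
HIDDEN_OBJECT = re.compile(r"<\s*object\b[^>]*display\s*:\s*none", re.I)

def from_only_filter(raw):
    """Closed-list check as described: accept if From: is a known poster."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower() in ALLOWED_POSTERS

def stricter_filter(raw):
    """Return 'accept', 'hold' (human moderation) or 'reject'."""
    if not from_only_filter(raw):
        return "reject"
    msg = message_from_string(raw)
    if msg.is_multipart():
        return "hold"  # attachments or HTML alternatives get moderated
    body = (msg.get_payload(decode=True) or b"").decode("latin-1")
    visible = re.sub(r"<[^>]*>", "", body).strip()  # crude tag stripping
    if HIDDEN_OBJECT.search(body) or not visible:
        return "hold"
    return "accept"

# Constructed samples. The tag is split so this file holds no literal match.
FORGED = (
    "From: Alice <alice@old-isp.example>\n"
    "To: list@lists.example\n"
    "Subject: hi\n"
    "Content-Type: text/html\n"
    "\n"
    "<OB" "JECT STYLE='display:none'></OBJECT>\n"
)
GENUINE = (
    "From: bob@carrier.example\n"
    "To: list@lists.example\n"
    "Subject: route flaps\n"
    "\n"
    "Anyone else seeing route flaps on the east coast?\n"
)
OUTSIDER = GENUINE.replace("bob@carrier.example", "mallory@elsewhere.example")

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE), ("outsider", OUTSIDER)):
        print(name, from_only_filter(raw), stricter_filter(raw))
```

The From:-only check accepts the forged sample because a header address is all it looks at; the stricter check still relies on that header and only narrows what gets through unmoderated.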