North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: NANOG Spam?

  • From: William Allen Simpson
  • Date: Wed Jul 05 17:00:38 2006
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=Hjr3+KnSxeSVhvamnv+1BvH3YhqqKCarbIUg8+1E68Sp7Ob6MPNeK5MYsJYk3RbDwwSSpBs0aRfoKw6pbd3jGyAYOVFHTtpULxlEO01LIn6YnQDXI6QqNgH6m0mO/HR/TeajeSgMwp9LzBcOXH4T0UOSStP+BJ31ZNhOfkI2xns=

Gregory Hicks wrote: 
Just a "joe-job" though.  The headers are forged.  See the IP address
in thi FIRST "Received-by:" header.  Came from Spain.

[...snip later headers...]
Received: from trapdoor.merit.edu (unknown [84.232.124.32])
by trapdoor.merit.edu (Postfix) with SMTP id AD0CF91265
for <[email protected]>; Wed, 5 Jul 2006 13:39:15 -0400 (EDT)
From: "[email protected]" <[email protected]>
To: [email protected] 

Yes, we all got it, and Google spam filters let it through, as it
matches a valid mailing list.

No, the received headers are not forged. The From and To are forged.

The spammers have figured out how to bypass the NANOG members-only
posting, in this case by pretending to be John Fraizer and sending
directly to trapdoor.

They're using old lists. He hasn't sent anything to NANOG from that
address since 15 Feb 2005 14:30:47 -0500.

Anyway, it's probably a "good thing" to nip this in the bud.  It
should hurt (a lot) to send spam to network operators themselves.

AS      | IP               | AS Name
29119   | 84.232.124.32    | SERVIHOSTING-AS ServiHosting N

PEER_AS | IP               | AS Name
6739    | 84.232.124.32    | ONO-AS Cableuropa - ONO