[time-nuts] 2 (Spoofing)

J. Forster jfor at quikus.com
Tue Oct 4 21:55:16 UTC 2011


Most of the spambots are in China, Russia, Brazil, the Netherlands, and
lately India.

Many are spamming for "Canadian Pharmacies", but lately Indian Television
has become a real PITA.

Hosting sites like Serverbeach aka Tier1 will not do anything about such
abuse.

-John

===============




> See my other message for more details, but the spammers often use a
> two-step approach:  (1) harvest address lists from the web, from
> compromised machines, etc., and (2) send those addresses, along with the
> payload, off to the botnets who then send the actual email.  That gives
> legitimate-looking senders along with the volume sending power of the
> botnet.
>
> I think in the past things worked as you suggested and probably often still
> do, Chuck, but if you look at the originating IP on these messages they
> often are in blocks assigned to countries unlikely to be the home of the
> victim.
>
> John
>
> On Oct 4, 2011, at 5:11 PM, Chuck Harris <cfharris at erols.com> wrote:
>
>> Take a look at the header on this message, and find the one that
>> says "X-Originating IP:"  It isn't there.  That was added to Jeff's
>> message by the spoofer for some reason or other.
>>
>> The one header that looks like it might be the originating IP points
>> to FEBO.
>>
>> Two other guys that I know of that found themselves spamming Yahoo
>> groups found they were running little spambot programs on their
>> windows machines.
>>
>> That is the simplest answer, and the most likely IMHO.
>>
>> Think about it:  A spammer that is spamming a non-Yahoo group like
>> time-nuts specially?  Not likely.  This is a spambot that sent a
>> message to all addresses in Jeff's address book, using Jeff's PC.
>>
>> -Chuck Harris
>>
>> gbusg wrote:
>>> From the looks of it:
>>>
>>> 1. The bad guys imported/stole Jeff's address book (via social
>>> networking ABI hijack, or PC infection).
>>>
>>> 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to
>>> the contacts they stole from Jeff's address book (and spoofing as "Jeff").
>>>
>>> This is troubling because it could happen to any one of us (if we have
>>> an address book and it gets hijacked).
>>>
>>> Per John's previous message, I would be leery of social network ABI
>>> (Address Book Import) for one thing.
>>>
>>> -Greg
>>>
>>>
>>> ----- Original Message -----
>>> From: "Chuck Harris"<cfharris at erols.com>
>>> To: "Discussion of precise time and frequency measurement"
>>> <time-nuts at febo.com>
>>> Sent: Tuesday, October 04, 2011 2:04 PM
>>> Subject: Re: [time-nuts] 2 (Spoofing)
>>>
>>>
>>> I'm not convinced.  Notice that the to: line contains a list of
>>> addresses that look like they would belong in a time-nut's address
>>> book.  That wouldn't be beneficial, or necessary if the spammer was
>>> spoofing his way into febo's servers.
>>>
>>> I think this came from a spambot running on Jeff's machine, and it
>>> emailed the payload to as many places as it dared... one of them
>>> happened to be the time-nuts address used for posting messages.
>>>
>>> -Chuck Harris
>>>
>>> gbusg wrote:
>>>> The spam message in question was apparently spoofed and did *not*
>>>> originate from Jeff's PC. In the message header, note the
>>>> Originating-IP was [84.27.224.19]. That IP address originates from a
>>>> server at [Netherlands Groningen Ziggo B.v]. Jeff's actual IP address
>>>> (which I won't repeat here) is significantly different and is located
>>>> in the U.S.A.
>>>>
>>>> Chuck, I think somehow the spoofers have overcome the obstacle you
>>>> mention, unfortunately. (Otherwise how did the user of the Netherlands
>>>> server manage to get spam through to our group?)
>>>>
>>>> -Greg
>>>
>>> _______________________________________________
>>> time-nuts mailing list -- time-nuts at febo.com
>>> To unsubscribe, go to
>>> https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
>>> and follow the instructions there.
>>>
>>>
>>
>

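The header check the thread keeps circling around, as an added example that is not part of the original thread: an X-Originating-IP header is just text that any sender (or a spoofer) can add, whereas the Received line stamped by a server you trust records the IP that actually connected. The sample headers, host names and RFC 5737 documentation-range addresses below are constructed, not taken from the real message.

```python
import re
from email import message_from_string

# Constructed sample headers (not the real message from the thread); the IPs
# are RFC 5737 documentation addresses. Received headers are prepended as the
# message travels, so the bottom one is the hop nearest the origin.
SAMPLE_HEADERS = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby list.example.net (Postfix) with ESMTP id 4F1B2C
\tfor <list@example.net>; Tue, 4 Oct 2011 17:01:02 -0400
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example.org with ESMTPA; Tue, 4 Oct 2011 17:00:59 -0400
X-Originating-IP: [192.0.2.9]
From: Jeff <jeff@example.com>
To: list@example.net
Subject: 2

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_chain(raw):
    """IPs from the Received headers, oldest hop (origin side) first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = IPV4.search(hdr)
        hops.append(m.group(1) if m else None)
    return list(reversed(hops))

def claimed_origin(raw):
    """IP the message *claims* in X-Originating-IP, or None if absent."""
    value = message_from_string(raw).get("X-Originating-IP")
    m = IPV4.search(value) if value else None
    return m.group(1) if m else None

def check_origin(raw):
    """Compare the sender-supplied claim with the earliest Received hop.
    Only a Received line stamped by a server you trust is evidence."""
    chain = received_chain(raw)
    claimed = claimed_origin(raw)
    first_hop = next((ip for ip in chain if ip), None)
    return {
        "received_chain": chain,
        "x_originating_ip": claimed,
        "first_hop": first_hop,
        "claim_matches_first_hop": claimed is not None and claimed == first_hop,
    }
```

Calling `check_origin(SAMPLE_HEADERS)` reports the claimed 192.0.2.9 against the 203.0.113.45 that really connected, so the mismatch is visible; on a real message, trust only the Received lines added by your own server and everything above them.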