
RE: [Groff] Spam from list member addresses


From: Ted Harding
Subject: RE: [Groff] Spam from list member addresses
Date: Thu, 31 Mar 2005 21:33:24 +0100 (BST)

On 31-Mar-05 Peter Schaffter wrote:
> Hi.
> 
> I got two pornographic-sounding spams today, one apparently from
> Werner, the other apparently from Ted Harding.  Rather than wait to
> see if these are isolated incidents, I'm cut 'n' pasting both
> emails with full headers into this post.
> 
> I'm not an expert in mail header forensics, but someone else may
> spot something useful.  I'm operating on the "an ounce of
> prevention is worth a pound of cure" theory here.  I can deal with
> spams like these easily myself, provided they remain sporadic.  But
> in the event they become systematic and affect other list members,
> these two messages may prove useful in isolating the source of the
> problem.

Thanks, Peter, for putting up this info.

We've been here before, from time to time, over recent years.

There's been a new cluster of these since a couple of months ago,
and I started collecting them to see if there was a pattern.

There's not a lot any of us can do to stop these being sent,
since just about everything in them is spoofed. The only solution
(and that's only got a thin chance, seeing how they operate) would
be to install filters on the servers which receive them in the
first place.

Out of the 25 messages I've collected since 14 Feb 2005, 13 were
sent to the groff list of which 11 were sent in my name and 2 in
Werner's (the "senders" in the "From:" headers are of course
spoofed).

The remaining 12 were sent directly to me (not via the list):
10 in my name and 1 in Werner's.

All the ones sent to the groff list faked their "helo" identity
to be the IP address 199.232.76.166 of rev-c76-166.gnu.org,
which is presumably the server at gnu.org which is the front
door of the gnu.org mail system, though the headers say that
they were received by monty-python.gnu.org
(IP address 199.232.76.173).

The ones sent directly to me helo'd themselves variously to
SMTP servers at mcc.ac.uk/man.ac.uk:
-- 130.88.200.94 probity.mcc.ac.uk
-- 130.88.200.93 serenity.mcc.ac.uk
-- 130.88.13.7 curlew.cs.man.ac.uk
-- 130.88.94.110 gannet.scg.man.ac.uk
in each case identifying itself in "helo" with the same
IP address as it was talking to.

The "Received: from ..." headers give either of

-- 194.2.232.250 nat.isep.fr
-- 218.254.223.228 cm218-254-223-228.hkcable.com.hk

as the source servers. "Werner"'s two are from nat.isep.fr
and "mine" are a mixture of both.

In previous clusters of these, it hasn't been just Werner
and me who have been spoofed as senders -- one or two
other people on the list have also come up.

What seems to be a bit special about this is that the
groff list is the only one, of the many I'm on, where this
sort of pattern as described above occurs.

I don't know what to suggest about it. It's extremely
irritating, and could be misinterpreted by people who don't
understand how it works, leaving a few of us with bad
reputations! What's intriguing is that only 3-4 groff
subscribers have ever appeared as "senders", most often
myself. If this were one of the standard spoofers, then
"senders" would be randomly chosen from someone's address
book or whatever, and by now many of us should have appeared.
Nor am I aware of this particular genre appearing on
other lists to which I belong (nor sent to other lists
which I manage, where I would see them in any case whether
they made it through or not). This tends to suggest
a certain selectivity or even targeting.

Best wishes to all,
Ted.


--------------------------------------------------------------------
E-Mail: (Ted Harding) <address@hidden>
Fax-to-email: +44 (0)870 094 0861
Date: 31-Mar-05                                       Time: 21:33:24
------------------------------ XFMail ------------------------------
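The pattern Ted describes (the sender HELOs as the receiving server's own IP address while the bracketed connection address in the "Received:" header shows the real source) can be checked mechanically. The following is an added example, not code from the list or from the groff project; the sample message is constructed for it, reusing the hostnames and addresses quoted in the post, and the header layout assumes the common "from <helo> (<rdns> [<ip>]) by <host>" form.

```python
import re
from email import message_from_string

# Common Received header shape: "from <helo> (<rdns> [<ip>]) by <host> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample modelled on the post: the peer HELOs as the gnu.org
# front-door IP, but the connection really came from nat.isep.fr.
# (listserver.example and the sender address are placeholders.)
SAMPLE = """Received: from monty-python.gnu.org ([199.232.76.173])
\tby listserver.example with esmtp; Thu, 31 Mar 2005 09:10:11 -0500
Received: from 199.232.76.166 (nat.isep.fr [194.2.232.250])
\tby monty-python.gnu.org with smtp; Thu, 31 Mar 2005 09:10:10 -0500
From: Ted Harding <ted@example.invalid>
To: groff@gnu.org
Subject: hello

body
"""

def parse_received(header_values):
    """Parse each Received header (folded lines joined) into its fields."""
    hops = []
    for value in header_values:
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return hops

def suspicious_hops(raw_message, our_ips):
    """Return (helo, real_ip, receiving_host) for hops where the HELO
    identity is one of our own addresses but the connection is not."""
    msg = message_from_string(raw_message)
    flagged = []
    for hop in parse_received(msg.get_all("Received", [])):
        helo = hop["helo"].strip("[]")
        if helo in our_ips and hop["ip"] not in our_ips:
            flagged.append((helo, hop["ip"], hop["by"]))
    return flagged

if __name__ == "__main__":
    for helo, src, by in suspicious_hops(SAMPLE, {"199.232.76.166", "199.232.76.173"}):
        print(f"HELO spoofed as {helo}; real source {src}; received by {by}")
```

A filter on the receiving server could reject at SMTP time on the same condition, which is the "filters on the servers which receive them" Ted mentions.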



