Yes. The names are used in the From: but not the e-mail addresses. The payload is inside SecureServer.net's 43.255.154.0/24 - 43.255.154.125 and 43.255.154.66. Headers follow. Note: I think Anne P. Mitchell is a LinkedIn contact of mine.

Message 1)

Delivered-To: a.harrowell@gmail.com
Received: by 10.80.169.228 with SMTP id n91csp49041edc;
        Wed, 8 Feb 2017 16:09:01 -0800 (PST)
X-Received: by 10.223.131.34 with SMTP id 31mr179054wrd.119.1486598941445;
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Return-Path: <wolfgang@cziczatka.com>
Received: from mx21lb.world4you.com (mx21lb.world4you.com. [81.19.149.131])
        by mx.google.com with ESMTPS id p26si10875705wrp.311.2017.02.08.16.09.01
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Received-SPF: pass (google.com: domain of wolfgang@cziczatka.com designates 81.19.149.131 as permitted sender) client-ip=81.19.149.131;
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of wolfgang@cziczatka.com designates 81.19.149.131 as permitted sender) smtp.mailfrom=wolfgang@cziczatka.com
Received: from [117.243.182.154] (helo=dydt-PC)
        by mx21lb.world4you.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.84_2) (envelope-from <wolfgang@cziczatka.com>)
        id 1cbcIF-0005OX-87; Thu, 09 Feb 2017 01:09:00 +0100
From: Brandon Galbraith <wolfgang@cziczatka.com>
To: Alexander Harrowell <a.harrowell@gmail.com>,
        "Nathanael C. Cariaga" <nccariaga@stluke.com.ph>,
        aduitsis <aduitsis@gmail.com>,
        David Ulevitch <davidu@everydns.net>
Subject: take a look at that
Date: Thu, 9 Feb 2017 00:08:49 +0000
Message-ID: <1514273443.20170209030849@cziczatka.com>
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0016_017DBA64.1747A7CE"
Content-Language: en-gb
MIME-Version: 1.0
X-SA-Do-Not-Run: Yes
X-AV-Do-Run: Yes
X-SA-Exim-Connect-IP: 117.243.182.154
X-SA-Exim-Mail-From: wolfgang@cziczatka.com
X-SA-Exim-Scanned: No (on mx21lb.world4you.com); SAEximRunCond expanded to false

------=_NextPart_000_0016_017DBA64.1747A7CE

Message 2)

Delivered-To: a.harrowell@gmail.com
Received: by 10.80.169.228 with SMTP id n91csp50480edc;
        Wed, 8 Feb 2017 16:14:21 -0800 (PST)
X-Received: by 10.28.135.82 with SMTP id j79mr18959559wmd.19.1486599261495;
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Return-Path: <info@ocreschauvin.fr>
Received: from smtp.nfrance.com (smtp-4.nfrance.com. [80.247.229.46])
        by mx.google.com with ESMTPS id f124si4142408wmd.153.2017.02.08.16.14.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Received-SPF: neutral (google.com: 80.247.229.46 is neither permitted nor denied by best guess record for domain of info@ocreschauvin.fr) client-ip=80.247.229.46;
Authentication-Results: mx.google.com;
        spf=neutral (google.com: 80.247.229.46 is neither permitted nor denied by best guess record for domain of info@ocreschauvin.fr) smtp.mailfrom=info@ocreschauvin.fr
Received: from tqzb-PC (unknown [197.45.161.242])
        (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by smtp.nfrance.com (Postfix) with ESMTPSA id 28E1612D7A7;
        Thu, 9 Feb 2017 01:14:18 +0100 (CET)
From: Owen DeLong <info@ocreschauvin.fr>
To: Brian Mengel <bmengel@gmail.com>,
        Andrew Latham <lathama@gmail.com>,
        Alexander Harrowell <a.harrowell@gmail.com>,
        "Anne P. Mitchell Esq." <amitchell@isipp.com>
Subject: do you have any ideas?
Date: Thu, 9 Feb 2017 06:14:13 +0600
Message-ID: <1846552645.20170209031413@ocreschauvin.fr>
Content-Type: multipart/alternative; boundary="----=_NextPart_000_005C_010D479E.32101F4A"
Content-Language: en-us
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.78 on 80.247.229.46

------=_NextPart_000_005C_010D479E.32101F4A
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

RGVhciBmcmllbmQhIA0KDQpJJ3ZlIGJlZW4gd3JpdGluZyBhbiAgYXJ0aWNsZSBhbmQgSSd2ZSBj
b21lIGFjcm9zcyB0aGF0ICBzdHJhbmdlICBzdHVmZiwgIGRvIHlvdSBoYXZlICBhbnkgIGlkZWFz
IHdoYXQgY291bGQgaXQgYmU/IEp1c3QgdGFrZSBhICBsb29rIGh0dHA6Ly9tYXgudHJpcHN0aXht
ZW1vcmllcy5jb20vZjRmNQ0KDQpCZXN0IHdpc2hlcywgT3dlbiBEZUxvbmcNCg0K

------=_NextPart_000_005C_010D479E.32101F4A
------=_NextPart_000_005C_010D479E.32101F4A--

On Fri, Feb 10, 2017 at 5:46 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Or a nanog member might be infected and the malware is scraping his mailbox for bogus froms. Got headers?
On 10/02/17, 9:40 AM, "NANOG on behalf of Alexander Harrowell" <nanog-bounces@nanog.org on behalf of a.harrowell@gmail.com> wrote:
I'm getting suspicious e-mail pretending to come from leading NANOGers. Not the first time this has happened, but you may want to be warned.
Yours,
Alex Harrowell
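
As an added example (not part of the original thread), the check below flags the pattern visible in the two quoted messages: a From: display name that belongs to a known contact paired with an address that is not theirs, whatever the SPF verdict says. The address-book entries are constructed placeholders and the function name `assess` is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address that contact really uses.
# These addresses are placeholders, not values from the thread.
KNOWN = {
    "brandon galbraith": "brandon@example.org",
    "owen delong": "owen@example.net",
}

# Subset of the headers from the two messages quoted above.
MSG1 = """\
Return-Path: <wolfgang@cziczatka.com>
Authentication-Results: mx.google.com; spf=pass (google.com: domain of wolfgang@cziczatka.com designates 81.19.149.131 as permitted sender) smtp.mailfrom=wolfgang@cziczatka.com
From: Brandon Galbraith <wolfgang@cziczatka.com>
Subject: take a look at that

"""
MSG2 = """\
Return-Path: <info@ocreschauvin.fr>
Authentication-Results: mx.google.com; spf=neutral (google.com: 80.247.229.46 is neither permitted nor denied by best guess record for domain of info@ocreschauvin.fr) smtp.mailfrom=info@ocreschauvin.fr
From: Owen DeLong <info@ocreschauvin.fr>
Subject: do you have any ideas?

"""

def assess(raw, known=KNOWN):
    """Compare the From: display name with the address on file for that name."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    expected = known.get(" ".join(name.lower().split()))
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return {
        "display_name": name,
        "address": addr.lower(),
        # SPF only covers the envelope sender's domain, so "pass" says
        # nothing about whether the display name is genuine.
        "spf": spf.group(1) if spf else None,
        "name_mismatch": expected is not None and addr.lower() != expected,
    }

if __name__ == "__main__":
    for raw in (MSG1, MSG2):
        print(assess(raw))
```

Message 1 is the instructive case: it carries spf=pass and is still flagged, because the check keys on the display name rather than on the sending domain.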