Steve Bellovin writes:
"Gregory Taylor" writes:
Can somebody explain to me why I keep getting e-mails with no content that are setting off my virus scanners via NANOG list?
Probably because there's a worm that's sending the messages -- messages that purport to be from legitimate NANOG posters. Let me guess -- the body of these messages starts <OB JECT STYLE='display:none"...> (I've added a blank because the existence of the exact string does trigger some filters.)
Yeah, exactly. The one last night appeared to come from one of my old accounts (gherbert@crl.com). CRL (the ISP, in San Francisco) no longer exists, though the domain is apparently now an alias for Charles River Laboratories in Massachusetts. Presumably, gherbert@crl.com was still in the nanog-post list database from the early days because I didn't delete it when CRL became an ex-company, so it got in through the filters at Merit (I have sent them mail to rectify that).

But this was just random bad luck from a virus. A lot of the virus/worm infections now will pick random pairs of addresses out of people's mailboxes; one is used as the "from" in a new virus message, the other as the recipient. Someone I sent mail to at some point, who had received nanog mail (or some combination thereof) got a virus, and it lucked out in picking a recipient (nanog) that was a closed list but using a From: address that was a valid sender for the list.

This could happen again any time if anyone else on the list gets a virus, if the From/To pairs that are randomly picked turn out to line up with the list in a valid way.

The virus came to Merit from 151.202.157.67, which is a Verizon parent block, and the particular set of addresses are One FN (NET-151-202-157-64-1), who are someone at 1 Park Ave, New York. I live in Oakland, California.

Welcome to the new exciting world of Outlook. This is why I use nmh as my mail user agent. But it doesn't protect anyone else out there from viruses impersonating me in this manner. Or impersonating you, or anyone else...

-george william herbert
gherbert@retro.com