Strange message possibly through nanog mail server
I just received this. I would like to check if others have received it and whether it did indeed come through the nanog mailing list:

Date: Wed, 17 Mar 2004 21:10:38 +0000
From: Deep Throat <deepthroat20004@hotmail.com>
To: schroebel6@aol.com
Subject: Spamhaus Exposed
Disturbing information on one of the founders of Spamhaus.org
_______________________________________________________________________

And while the website was unavailable and the sender is being anonymous (which is against nanog list policies if this was sent through it), what I do find worse is that they managed to do it so that nanog@merit.edu is not added to "CC" (which if I understood is always supposed to happen when something goes through this mail list, which makes me think it might have come through merit mail machine but not actually through mail list). What I find even more disturbing is that ip address listed as origin (which may well have been forged if they managed to gain some higher-level access to merit servers) is that of US Military.

Below is the header for your review. I do however find it slightly more likely that it's some kind of sophisticated joe-job on spamhaus and that info is forged but they may have used some bug on merit mail software.

Return-Path: <owner-nanog@merit.edu>
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) by sokol.elan.net (8.12.5/8.12.5) with ESMTP id i2HMKZdw015368 for <william@elan.net>; Wed, 17 Mar 2004 14:20:35 -0800
Received: by trapdoor.merit.edu (Postfix) id CF8FA91307; Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: nanog-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 92B3591328; Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: nanog@trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id BCC5691307 for <nanog@trapdoor.merit.edu>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: by segue.merit.edu (Postfix) id A27775DE7B; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Delivered-To: nanog@merit.edu
Received: from hotmail.com (bay13-f78.bay13.hotmail.com [64.4.31.78]) by segue.merit.edu (Postfix) with ESMTP id 5C2B05DE72 for <nanog@merit.edu>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 17 Mar 2004 13:10:38 -0800
Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP; Wed, 17 Mar 2004 21:10:38 GMT
X-Originating-IP: [198.26.130.36] <---- Note this, see below
X-Originating-Email: [deepthroat20004@hotmail.com]
X-Sender: deepthroat20004@hotmail.com
From: "Deep Throat" <deepthroat20004@hotmail.com>
To: schroebel6@aol.com
Subject: Spamhaus Exposed
Date: Wed, 17 Mar 2004 21:10:38 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <BAY13-F78KxAh5hMpAn0002ba61@hotmail.com>
X-OriginalArrivalTime: 17 Mar 2004 21:10:38.0810 (UTC) FILETIME=[4C3633A0:01C40C64]
Sender: owner-nanog@merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing@merit.edu
X-Loop: nanog

Disturbing information on one of the founders of Spamhaus.org
http://www.geocities.com/jackjack9872004/

----------------------------------------------------------------------

$ host 198.26.130.36
36.130.26.198.in-addr.arpa domain name pointer BU-WCS1-SAND.NIPR.MIL.

[whois.completewhois.com]
Elan Completewhois.Com Whois Server, Version 0.91a6, compiled on Jan 02, 2004
Please see http://www.completewhois.com/help.htm for command-line options
Use of this server and any information obtained here is allowed only if you follow our policies at http://www.completewhois.com/policies.htm

[IPv4 whois information on 198.26.130.36 ]
[Query Origin: Main Whois Query ]
[whois.arin.net]
OrgName: The Defense Information Systems Agency
OrgID: DISA
Address: DISA/DSSO/JCLCC
Address: Room BF655A, The Pentagon
City: Washington
StateProv: DC
PostalCode: 20301
Country: US
NetRange: 198.25.0.0 - 198.26.255.255
CIDR: 198.25.0.0/16, 198.26.0.0/16
NetName: NETBLK-DISA-C
NetHandle: NET-198-25-0-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Allocation
NameServer: AAA-KELLY.NIPR.MIL
NameServer: AAA-VAIHINGEN.NIPR.MIL
NameServer: AAA-WHEELER.NIPR.MIL
NameServer: AAA-VIENNA.NIPR.MIL
Comment:
RegDate: 1992-12-05
Updated: 2004-01-13
On 17.03.2004 23:57 william(at)elan.net wrote:
And while the website was unavailable and the sender is being anonymous (which is against nanog list policies if this was sent through it), what I do find worse is that they managed to do it so that nanog@merit.edu is not added to "CC" (which if I understood is always supposed to happen when something goes through this mail list, which makes me think it might have come through merit mail machine but not actually through mail list).

The envelope-to decides where a mail goes to. All of your body header fields are actually meaningless. What I can say is that it came through NANOG. Mozilla junk tool perfectly classified this email as SPAM :-)

Arnold
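Arnold's point, that envelope delivery and not the To: line decides where a message goes, can be checked mechanically against the headers William posted. The script below is an added example written for this page; it is not code from the thread, from Merit, or from any list software. It walks the Received chain in transit order, records which list-side hosts handled the message and what the list MTA's own Delivered-To and Sender fields say, and pulls the client address Hotmail wrote into X-Originating-IP. The header values are copied from William's post; the list address passed in and the rule that "list-side host" means any host under the list's domain are assumptions made for the example.

```python
import email
import re

# Headers as posted in this thread (body and William's "<---- Note this" remark
# omitted). The only addition is the trailing blank line the parser needs.
RAW_HEADERS = """\
Return-Path: <owner-nanog@merit.edu>
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) by sokol.elan.net (8.12.5/8.12.5) with ESMTP id i2HMKZdw015368 for <william@elan.net>; Wed, 17 Mar 2004 14:20:35 -0800
Received: by trapdoor.merit.edu (Postfix) id CF8FA91307; Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: nanog-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 92B3591328; Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: nanog@trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id BCC5691307 for <nanog@trapdoor.merit.edu>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: by segue.merit.edu (Postfix) id A27775DE7B; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Delivered-To: nanog@merit.edu
Received: from hotmail.com (bay13-f78.bay13.hotmail.com [64.4.31.78]) by segue.merit.edu (Postfix) with ESMTP id 5C2B05DE72 for <nanog@merit.edu>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 17 Mar 2004 13:10:38 -0800
Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP; Wed, 17 Mar 2004 21:10:38 GMT
X-Originating-IP: [198.26.130.36]
X-Originating-Email: [deepthroat20004@hotmail.com]
X-Sender: deepthroat20004@hotmail.com
From: "Deep Throat" <deepthroat20004@hotmail.com>
To: schroebel6@aol.com
Subject: Spamhaus Exposed
Date: Wed, 17 Mar 2004 21:10:38 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <BAY13-F78KxAh5hMpAn0002ba61@hotmail.com>
Sender: owner-nanog@merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing@merit.edu
X-Loop: nanog

"""

# One Received line: optional "from <peer> (...)" followed by "by <host>".
RECEIVED_RE = re.compile(r"^(?:from\s+(?P<frm>.*?)\s+)?by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received_chain(raw):
    """Return the Received hops in transit order (origin first).

    Each MTA prepends its own Received line, so header order is the reverse of
    the path. Only a line written by a host you trust says anything reliable
    about the hop before it; a sender can forge everything below that line."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.match(" ".join(value.split()))  # unfold, normalise whitespace
        if not m:
            continue
        frm = m.group("frm") or ""
        ip = IPV4_RE.search(frm)
        hops.append({
            "from": frm.split(" (")[0] if frm else None,  # name the peer offered (or raw IP)
            "from_ip": ip.group(1) if ip else None,        # address the receiving MTA saw
            "by": m.group("by"),
        })
    return hops


def origin_ip(msg):
    """Client address the webmail front end recorded, if any.

    Hotmail writes X-Originating-IP from the HTTP client that composed the
    message; it is only as trustworthy as the host that wrote it."""
    m = IPV4_RE.search(msg.get("X-Originating-IP", "") or "")
    return m.group(1) if m else None


def delivery_evidence(raw, list_addr):
    """Separate what the body headers claim from what the delivery path shows."""
    msg = email.message_from_string(raw)
    list_domain = list_addr.split("@", 1)[1]
    recipients = " ".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    delivered = [v.strip() for v in msg.get_all("Delivered-To", [])]
    sender = (msg.get("Sender", "") or "").strip()
    hops = parse_received_chain(raw)
    # Assumption for this example: any host under the list's domain is list-side.
    list_hosts = list(dict.fromkeys(h["by"] for h in hops if h["by"].endswith("." + list_domain)))
    ev = {
        "list_in_to_or_cc": list_addr in recipients,   # what To:/Cc: claim
        "delivered_to_list": list_addr in delivered,   # what the list MTA delivered to
        "list_hosts_in_path": list_hosts,              # list-side hosts that handled it
        "sender_is_list_owner": sender.startswith("owner-") and sender.endswith("@" + list_domain),
        "origin_ip": origin_ip(msg),
    }
    ev["went_through_list"] = ev["delivered_to_list"] and bool(list_hosts)
    return ev


if __name__ == "__main__":
    for hop in parse_received_chain(RAW_HEADERS):
        print(f"{hop['from'] or '(local)':45} -> {hop['by']}")
    for key, value in delivery_evidence(RAW_HEADERS, "nanog@merit.edu").items():
        print(f"{key:22}: {value}")
```

Run against the posted headers, `list_in_to_or_cc` comes out False while `delivered_to_list`, `sender_is_list_owner` and `went_through_list` are all True: the absent CC tells you nothing, and the segue/trapdoor Received lines plus the Delivered-To written by merit.edu are what show the list expanded the message. The 198.26.130.36 value comes only from a header Hotmail added about its own web client; nothing in the merit.edu hops vouches for it.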
On Wednesday, March 17, 2004 5:57 PM [EST], william(at)elan.net <william@elan.net> wrote:
I just received this. I would like to check if others have received it and whether it did indeed come through the nanog mailing list:

Date: Wed, 17 Mar 2004 21:10:38 +0000
From: Deep Throat <deepthroat20004@hotmail.com>
To: schroebel6@aol.com
Subject: Spamhaus Exposed
Disturbing information on one of the founders of Spamhaus.org
_______________________________________________________________________
And while the website was unavailable and the sender is being anonymous (which is against nanog list policies if this was sent through it), what I do find worse is that they managed to do it so that nanog@merit.edu is not added to "CC" (which if I understood is always supposed to happen when something goes through this mail list, which makes me think it might have come through merit mail machine but not actually through mail list). What I find even more disturbing is that ip address listed as origin (which may well have been forged if they managed to gain some higher-level access to merit servers) is that of US Military.

Below is the header for your review. I do however find it slightly more likely that it's some kind of sophisticated joe-job on spamhaus and that info is forged but they may have used some bug on merit mail software.

I got it too. Let me throw some insight into this - notice the To line:

To: schroebel6@aol.com

IIRC, that's Peter Schroebel, aka SMS Online. Peter has it out for Steve Linford of SpamHaus because SMS Online is listed for hosting spammers. He claims that SpamHaus wanted $10k from him to be removed. Peter tried to bribe the AHBL a few weeks ago to get us to remove him from our system. Peter likes to gloat about all the connections he has, and how powerful he is (though I have yet to see proof of this). So, I'm not exactly sure what to make of this... It could be Peter, and the mirror of the page I've seen certainly makes it look like something he'd write. But, could be a joe job too.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org
participants (3)
- Arnold Nipper
- Brian Bruns
- william(at)elan.net