malware email is so common i normally do not warn of it. but, in this case, the attacker is extracting quotes from nanog and luring folk into clicking. e.g.

From: takahashi@fukushitrust.com
Subject: Re: jon postel
To: Randy Bush <randy@psg.com>
Date: Mon, 17 Jul 2023 04:01:47 -0700

Hello!

We would like to present to you several alternatives for presentations and find out your thoughts and opinions, please let us know whatever you think about it.

https://dognibs.com/8jh/ogr/g0h436ttqbw

Waiting for your reply

> Does anyone have any stories about working with or near John they
> would like to share with the list? It would definitely make my day
> to hear more about the early internet

somewhere around i have a protocol violation ticket he issued.

---

Who says that routing unallocated address space is ungood? -- Randy Bush
Routing unallocated address space is ungood! -- Jon Postel

randy

----

and

From: office@daimontrade.com.ua
Subject: Re: Reverse DNS for eyeballs?
To: Randy Bush <randy@psg.com>
Date: Tue, 18 Jul 2023 02:56:36 -0700

Hello,

Modified paperwork regarding For this month. Kindly read through it attentively.

https://soocoop.net/e24/1s0/7ckl0icu7h

We appreciate your attention.

> I would say the absence of reverse DNS tells useful info to receiving
> MTAs - to preferably not accept.

yep
I get quite a bit of spam that is a "reply" to old NANOG posts (some dating back a year or more). Seems to only happen on some specific threads, dunno why though.

Definitely recommend using a nanog-specific alias and auto-spam-folder'ing anything to that alias that isn't CC nanog@nanog, that seems to get rid of it.

Matt
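The filing rule recommended in the message above (mail that reaches a list-only alias without the list itself in To/Cc goes to the spam folder), as an added example that is not part of any poster's message. The alias `jdoe-nanog@example.net`, the folder names and the sample messages are assumptions; the envelope recipient is passed in by whatever delivery agent calls the function.

```python
from email import message_from_string
from email.utils import getaddresses

LIST_POST = "nanog@nanog.org"            # list posting address (from the thread)
LIST_ALIAS = "jdoe-nanog@example.net"    # hypothetical alias used only for this list


def folder_for(raw_message: str, envelope_rcpt: str) -> str:
    """Return 'inbox', 'list' or 'spam' for one delivered message."""
    if envelope_rcpt.lower() != LIST_ALIAS:
        return "inbox"                   # not sent to the list-only alias
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _name, addr in getaddresses(fields)}
    # Genuine list traffic and reply-alls show the list address; mail sent
    # straight to a harvested address does not.
    return "list" if LIST_POST in visible else "spam"


def sample_mail(**headers) -> str:
    """Build a constructed sample message from header keyword arguments."""
    lines = [f"{name}: {value}" for name, value in headers.items()]
    return "\n".join(lines) + "\n\nbody\n"


# Constructed samples: list traffic, a reply-all, and a direct "Re:" lure.
VIA_LIST = sample_mail(From="poster@example.com",
                       To="NANOG <nanog@nanog.org>",
                       Subject="Re: some thread")
REPLY_ALL = sample_mail(From="peer@example.com",
                        To=LIST_ALIAS,
                        Cc="NANOG@nanog.org",
                        Subject="Re: some thread")
DIRECT_LURE = sample_mail(From="stranger@example.org",
                          To=f"J Doe <{LIST_ALIAS}>",
                          Subject="Re: some thread")

if __name__ == "__main__":
    for name, raw in [("via list", VIA_LIST), ("reply-all", REPLY_ALL),
                      ("direct lure", DIRECT_LURE)]:
        print(f"{name:12} -> {folder_for(raw, LIST_ALIAS)}")
```

A genuine off-list reply that drops the list from Cc is filed as spam as well, which is the trade-off of this rule.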
Brothers the latest thread is direct reference to ROGERS - CANADA -July 08 2022 outage.......... and My Ref in General.............. NANOG can be considered " Com Pro Mised"...... sad.......... but ......... True!

--
Liz ******* 416.660.5456
I've also gotten these, ironic that it was in "reply" to my "Not sure if this is a phishing E-mail or real..." thread.

I initially thought someone was spamming the whole list, it took a while before I looked close enough to realize it was directly to the address I use for the mailing list and not through the mailing list. (Which explained why it wasn't showing up in the list archive on the web.)

Also continued much after the thread died out in my case too.

--
Glen A. Pearce
gap@ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17
I started noticing this a few months ago when I began receiving them, and just ignored them and reported them as spam. Didn't think that anyone else was getting them, but I guess I thought wrong.

- Peter
I've been getting them for a while. I just delete them so I have no history.
i did not think i was special, and assumed everybody is getting them. but i figured that if i kept one or three people from falling for the trap it was worth the pollution.

randy
On 7/18/23 9:14 PM, Randy Bush wrote:
> i did not think i was special, and assumed everybody is getting them.
> but i figured that if i kept one or three people from falling for the
> trap it was worth the pollution.

I've done quite a bit of looking into this, trying to prevent it. It's not being pulled from the archives. The basic premise of it:

1. send email only to direct posters to the list, never through the list.
2. subscribe using a gmail account as a normal member for harvesting
3. scrape the new posts and use email in from: header to send spam to
4. wait some $TIME after the post and send the spam
5. The spam will never be able to be linked to the subscribed account

I've been able to track these "ingestion" accounts and kill them when found, but it's impossible to do it without false positives. VERP is used for the list emails, but short of a bounce, that doesn't really help.

About the only supported option that would mitigate this is wrapping all posts through the list as from the list. This still would expose the email addresses in the email, and we could rewrite them, but it breaks more than it fixes.

I've seen proposals where all messages get wrapped and each individual email address found in the message is re-written to a unique address via a mail forwarding domain, but i can't see this working with such a diverse list. This also would break after some time. This is also not something supported off the shelf in most mailman or other MLMs.

I'd love to kill this spam, but the openness of the email discussion list format makes it hard to do. If anyone has ideas on how we can kill this I'd love to shut it down.

--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
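The per-recipient rewriting proposal mentioned in the message above, as an added sketch that is not from the thread, Mailman or any MLM: each subscriber's copy shows a different forwarding alias for every address in it, so mail arriving at an alias identifies which subscription's copy was scraped. The forwarding domain `fwd.example.org`, the key, the `AliasRewriter` class and all sample addresses are assumptions.

```python
import hashlib
import hmac
import re

FWD_DOMAIN = "fwd.example.org"       # hypothetical mail-forwarding domain
LIST_POST = "nanog@nanog.org"        # left untouched so replies still reach the list
KEY = b"constructed-demo-key"        # constructed; kept secret on the list server

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class AliasRewriter:
    """Give every subscriber's copy its own alias for each address it shows."""

    def __init__(self):
        self.table = {}              # alias -> (real address, subscriber)

    def alias_for(self, real: str, subscriber: str) -> str:
        material = f"{real.lower()}|{subscriber.lower()}".encode()
        tag = hmac.new(KEY, material, hashlib.sha256).hexdigest()[:16]
        alias = f"{tag}@{FWD_DOMAIN}"
        self.table[alias] = (real.lower(), subscriber.lower())
        return alias

    def copy_for(self, message: str, subscriber: str) -> str:
        def swap(match):
            addr = match.group(0)
            low = addr.lower()
            if low == LIST_POST or low.endswith("@" + FWD_DOMAIN):
                return addr          # never rewrite the list or an alias
            return self.alias_for(addr, subscriber)
        return ADDR_RE.sub(swap, message)

    def trace(self, rcpt: str):
        """Map an alias that received mail to (real address, subscriber copy)."""
        return self.table.get(rcpt.lower())


# Constructed post, as it would arrive at the list server.
POST = ("From: Poster <poster@example.com>\n"
        "To: nanog@nanog.org\n"
        "Subject: Re: some thread\n\n"
        "ping me at poster@example.com\n")


def demo():
    rw = AliasRewriter()
    copy_a = rw.copy_for(POST, "alice@example.net")
    copy_b = rw.copy_for(POST, "harvester@example.org")
    leaked = ADDR_RE.search(copy_b).group(0)   # address a scraper of copy_b sees
    return copy_a, copy_b, rw.trace(leaked)


if __name__ == "__main__":
    a, b, hit = demo()
    print(b)
    print("mail sent to the alias in copy B traces to:", hit)
```

Rewriting the From header and body this way invalidates any DKIM signature that covers them.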
Oh, just don't bother. The battle is over and we lost it, because good people are too soft.

The only interesting action I ever saw was: "Shutting down email spam factory"; where some network was depeered from internet completely. Well done. (Somehow I cannot find post about that anymore).

The only sane action I see is go virtual. I mean, create overlay virtual network, make VPN PoPs and put services there. Looks kinda overkill maybe, but at least, we get back the control.
* borg@uu3.net (borg@uu3.net) [Sat 22 Jul 2023, 10:24 CEST]:
> The only interesting action I ever saw was: "Shutting down email spam factory"; where some network was depeered from internet completely. Well done. (Somehow I cannot find post about that anymore).

AGIS: https://en.wikipedia.org/wiki/Apex_Global_Internet_Services

-- Niels.
That's not it.. But I finally found it: https://blog.apnic.net/2018/07/12/shutting-down-the-bgp-hijack-factory/
On 7/18/23 7:02 PM, Randy Bush wrote:
> malware email is so common i normally do not warn of it. but, in this case, the attacker is extracting quotes from nanog and luring folk into clicking. e.g.

I've been getting messages like those described on again and off again for quite a while. -- I've been reporting them like spam.

I've seen similar for other mailing lists. I didn't think that NANOG was special in any way.

P.S.A. Please do cripple URLs in questionable messages. Let's at least make it so that people have to actively stab themselves and can't simply fall on a knife.

Grant. . . .
Yep, been getting SPAM from the list for quite a while now. ☹ Rather from someone harvesting from the list.

Dennis Burgess, Mikrotik Certified Trainer
MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE, MTCSE, HE IPv6 Sage, Cambium ePMP Certified
Author of "Learn RouterOS- Second Edition”
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270
Website: http://www.linktechs.net
Need to Automate MikroTik Backups: https://cloud.linktechs.net
Create Wireless Coverage’s with www.towercoverage.com

-----Original Message-----
From: NANOG <nanog-bounces+dmburgess=linktechs.net@nanog.org> On Behalf Of Randy Bush
Sent: Tuesday, July 18, 2023 7:03 PM
To: North American Network Operators' Group <nanog@nanog.org>
Subject: malware warning
participants (11)
- borg@uu3.net
- Bryan Fields
- Dennis Burgess
- Glen A. Pearce
- Grant Taylor
- Josh Luthman
- L F
- Matt Corallo
- Niels Bakker
- Peter Potvin
- Randy Bush