Steve Bellovin writes:
"Gregory Taylor" writes:
Can somebody explain to me why I keep getting e-mails with no content that are setting off my virus scanners via NANOG list?
Probably because there's a worm that's sending the messages -- messages that purport to be from legitimate NANOG posters. Let me guess -- the body of these messages starts <OB JECT STYLE='display:none"...> (I've added a blank because the existence of the exact string does trigger some filters.)
Yeah, exactly. The one last night appeared to come from one of my old accounts (gherbert@crl.com). CRL (the ISP, in San Francisco) no longer exists, though the domain is apparently now an alias for Charles River Laboratories in Massachusetts. Presumably, gherbert@crl.com was still in the nanog-post list database from the early days because I didn't delete it when CRL became an ex-company, so it got in through the filters at Merit (I have sent them mail to rectify that).

But this was just random bad luck from a virus. A lot of the virus/worm infections now will pick random pairs of addresses out of people's mailboxes; one is used as the "From" in a new virus message, the other as the recipient. Someone I sent mail to at some point, who had received nanog mail (or some combination thereof) got a virus, and it lucked out in picking a recipient (nanog) that was a closed list but using a From: address that was a valid sender for the list. This could happen again any time if anyone else on the list gets a virus, if the From/To pairs that are randomly picked turn out to line up with the list in a valid way.

The virus came to Merit from 151.202.157.67, which is a Verizon parent block, and the particular set of addresses are One FN (NET-151-202-157-64-1), who are someone at 1 Park Ave, New York. I live in Oakland, California.

Welcome to the new exciting world of Outlook. This is why I use nmh as my mail user agent. But it doesn't protect anyone else out there from viruses impersonating me in this manner. Or impersonating you, or anyone else...

-george william herbert
gherbert@retro.com
On Fri, Mar 19, 2004 at 02:03:06PM -0800, George William Herbert wrote:
This is why I use nmh as my mail user agent. But it doesn't protect anyone else out there from viruses impersonating me in this manner. Or impersonating you, or anyone else...
These spoofed virii/worm/whatnot emails can be somewhat prevented in a few cases by the utilization of SPF: http://spf.pobox.com/ I encourage people to look at this, review it for its merits and look at using it. Then if the nanog list were to use SPF, it could help prevent these bogus emails from reaching the list.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Fri, 19 Mar 2004 17:10:21 EST, Jared Mauch said:
These spoofed virii/worm/whatnot emails can be somewhat prevented in a few cases by the utilization of SPF
Note that this isn't a totally foolproof method. We have a large (50K+) subscriber list that's flagged as "post by list manager only" - and one of the address-scraping worms managed to get the list name into the To: and the manager's name into the From:. Multiple times. Like 50+. (Overlooking the multiple hundreds that got trapped because they managed to get the list in the To: but address scraped a From: that wasn't allowed through).

Of course, locality-of-reference being what it is, the (un)lucky machine happened to be actually at our site, so SPF wouldn't have done anything to stop it. Remember that if foo.com is a large corporation (as opposed to an open ISP), most address scrapers will get luckiest at getting 'foo.com' into both the From: and To: headers if they manage to whack a machine that's actually a legitimate foo.com box.
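The two mechanisms discussed in the replies above, SPF as a filter for forged sender addresses and its blind spot when the infected machine is a legitimate host of the forged domain, can be seen side by side with a small SPF evaluator. The following is an added example, not code from the thread or from the pobox.com SPF project; it implements the ip4, a, mx, include and all mechanisms of a published SPF record and answers DNS from a constructed in-memory table (the domains foo.example and list.example and all IP addresses are hypothetical), so it runs offline.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table.

Added example (not code from the NANOG thread or from spf.pobox.com).
Supports the ip4, a, mx, include and all mechanisms with +/-/~/? qualifiers.
DNS lookups are answered from FAKE_DNS below, so the script runs offline.
"""
import ipaddress

# Constructed sample DNS data: every name and address here is hypothetical.
# foo.example authorizes its office block (192.0.2.0/24) and its MX host.
# list.example (the mailing-list server) delegates to foo.example's policy.
FAKE_DNS = {
    ("foo.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx -all"],
    ("foo.example", "MX"): ["mail.foo.example"],
    ("mail.foo.example", "A"): ["198.51.100.25"],
    ("list.example", "TXT"): ["v=spf1 include:foo.example ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when the record does not exist."""
    return FAKE_DNS.get((name, rtype), [])


def _spf_record(domain):
    """Return the domain's 'v=spf1 ...' TXT record, or None if it has none."""
    for txt in _lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """SPF result for connecting IP `ip` claiming MAIL FROM domain `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = _spf_record(domain)
    if record is None:
        return "none"                   # domain publishes no policy
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the 'v=spf1' version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            target = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in _lookup(target, "A"))
        elif mech == "mx":
            target = arg or domain
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in _lookup(target, "MX")
                          for a in _lookup(mx, "A"))
        elif mech == "include":
            # include: matches only if the included domain's policy says pass
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"          # unsupported mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # record ended without a match


def spf_for_sender(ip, mail_from):
    """Evaluate SPF for an envelope sender such as 'member@foo.example'."""
    return check_host(ip, mail_from.rpartition("@")[2])


if __name__ == "__main__":
    # Worm on an outside machine forging a list member's address: rejected.
    print("outside host  :", spf_for_sender("203.0.113.7", "member@foo.example"))
    # Worm on a host inside foo.example's own range: SPF passes, as Valdis notes.
    print("inside host   :", spf_for_sender("192.0.2.10", "member@foo.example"))
    # Domain with no SPF record at all: nothing to check against.
    print("no policy     :", spf_for_sender("203.0.113.7", "member@nospf.example"))
```

The first two cases are the ones the thread contrasts: the forged message George describes, arriving from an unrelated network, fails the publishing domain's `-all`, while a message from an infected machine that really sits in the domain's authorized range passes cleanly. SPF authorizes hosts, not people, so a closed list still needs its own membership and content checks behind it.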
participants (3)
- George William Herbert
- Jared Mauch
- Valdis.Kletnieks@vt.edu