NANOG Spam?

Subject: NANOG Spam?
Date: Wed, 5 Jul 2006 12:56:19 -0500
From: "Joe Johnson" <joe@sendjoeanemail.com>
To: <nanog@merit.edu>

Am I the only one to get this email? Headers say merit.edu sent it.

I have NANOG whitelisted, though, so it came to my mailbox.

[...snip spam...]

No, I got it as well but Postini caught it for me. So I hadn't seen
it...

Just a "joe-job" though. The headers are forged. See the IP address
in the FIRST "Received-by:" header. Came from Spain.

[...snip later headers...]
Received: from trapdoor.merit.edu (unknown [84.232.124.32])
  by trapdoor.merit.edu (Postfix) with SMTP id AD0CF91265
  for <nanog@trapdoor.merit.edu>; Wed, 5 Jul 2006 13:39:15 -0400 (EDT)
Content-type: text/html;
Charset=Windows-1251

<snip>

Just my .02, emails to abuse@schlund.de (HA! like i'll get a
response!) and abuse@servihosting.es (not expecting a response from
this one either) have been sent. Anybody else feel like telling these
folks that they've got spammers on their networks?

Allen Parker

Gregory Hicks wrote:

Just a "joe-job" though. The headers are forged. See the IP address
in the FIRST "Received-by:" header. Came from Spain.

[...snip later headers...]
Received: from trapdoor.merit.edu (unknown [84.232.124.32])
  by trapdoor.merit.edu (Postfix) with SMTP id AD0CF91265
  for <nanog@trapdoor.merit.edu>; Wed, 5 Jul 2006 13:39:15 -0400 (EDT)
From: "nanog@enterzone.net" <nanog@enterzone.net>
To: nanog@trapdoor.merit.edu

Yes, we all got it, and Google spam filters let it through, as it
matches a valid mailing list.

No, the received headers are not forged. The From and To are forged.

The spammers have figured out how to bypass the NANOG members-only
posting, in this case by pretending to be John Fraizer and sending
directly to trapdoor.

They're using old lists. He hasn't sent anything to NANOG from that
address since 15 Feb 2005 14:30:47 -0500.

Anyway, it's probably a "good thing" to nip this in the bud. It
should hurt (a lot) to send spam to network operators themselves.

AS | IP | AS Name
29119 | 84.232.124.32 | SERVIHOSTING-AS ServiHosting N

PEER_AS | IP | AS Name
6739 | 84.232.124.32 | ONO-AS Cableuropa - ONO
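
Added example, not part of any message in this thread: a small Python check over the Received line quoted above. It flags the two things visible in that header, namely that the client announced the receiving host's own name and that Postfix recorded `unknown` for the client's reverse DNS. `OWN_IPS` and the second sample hop are constructed placeholders.

```python
import re

# Received line as quoted in the thread (folded over three lines).
THREAD_HOP = (
    "Received: from trapdoor.merit.edu (unknown [84.232.124.32])\n"
    "  by trapdoor.merit.edu (Postfix) with SMTP id AD0CF91265\n"
    "  for <nanog@trapdoor.merit.edu>; Wed, 5 Jul 2006 13:39:15 -0400 (EDT)"
)
# Constructed hop for contrast (documentation names and addresses).
CLEAN_HOP = (
    "Received: from mail.example.org (mail.example.org [198.51.100.7])\n"
    "  by mx.example.net (Postfix) with ESMTP id 0123456789\n"
    "  for <list@example.net>; Wed, 5 Jul 2006 13:40:00 -0400 (EDT)"
)
# Assumption: the receiving server's own addresses (placeholder value).
OWN_IPS = {"192.0.2.10"}

# Postfix layout: from <HELO name> (<verified rDNS or "unknown"> [<client IP>]) by <receiver>
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(header):
    """Unfold the header and return its helo/rdns/ip/by fields, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    match = HOP_RE.search(unfolded)
    return match.groupdict() if match else None

def hop_findings(hop, own_ips=OWN_IPS):
    """List reasons the client-supplied HELO name should not be trusted."""
    helo, rdns, by = (hop[k].lower().rstrip(".") for k in ("helo", "rdns", "by"))
    findings = []
    if helo == by and hop["ip"] not in own_ips:
        findings.append("HELO name is the receiving host's own name")
    if rdns == "unknown":
        findings.append("client IP has no verified reverse DNS")
    elif rdns != helo:
        findings.append("HELO name differs from reverse DNS name")
    return findings

if __name__ == "__main__":
    for raw in (THREAD_HOP, CLEAN_HOP):
        hop = parse_received(raw)
        print(hop["ip"], hop_findings(hop) or "no findings")
```
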

William Allen Simpson wrote:

The spammers have figured out how to bypass the NANOG members-only
posting, in this case by pretending to be John Fraizer and sending
directly to trapdoor.

On our public list servers we now require admin approval of all new subscriptions as well as email verification. It takes time, but it is worth it. Additionally, the admins occasionally reply to new subscribers with "questionable" addresses and ask them for a bit more info (who/what/why/etc). Finally all new subscribers are automatically moderated until their first post proves them to in fact be legit and on topic. Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon. These are necessary steps simply because we see at least 30 requests each week for what amounts to invalid subscriptions, if those subscriptions went through unfettered then users would be upset. Even if one bogus subscription slips through, the auto-mod provides a second chance to stop them. Perhaps these are some ideas for the NANOG mailing list admins to implement.

-Jim P.

Allen Parker wrote:

Just my .02, emails to abuse@schlund.de (HA! like i'll get a
response!) and abuse@servihosting.es (not expecting a response from
this one either) have been sent. Anybody else feel like telling these
folks that they've got spammers on their networks?

I sent to abuse@servihosting.es about the spam source.

And also to abuse@strato.de. Also tried abuse-server@strato.de.

The spam beneficiary was, of course, a US entity pretending to be from
Germany, with a throwaway obscured Yahoo address:

Domain Name:OARWIND.INFO
...
Tech Name:Audrey Pokela
Tech Organization:Audrey Pokela
Tech Street1:2940 115 Ave NW
Tech Street2:
Tech Street3:
Tech City:COON RAPIDS
Tech State/Province:MN
Tech Postal Code:55433
Tech Country:US
Tech Phone:+1.7634272392
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:kjho6emb@yahoo.com
Name Server:NS1.RENTSHELL.INFO
Name Server:NS2.FORTWALK.INFO
Name Server:NS1.BUSITEEN.INFO
Name Server:NS2.SPOLF.INFO

oarwind.info.
AS | IP | Registry | AS Name
6724 | 81.169.143.178 | ripencc | STRATO Strato AG

PEER_AS | IP | Registry | AS Name
1273 | 81.169.143.178 | ripencc | CW Cable _ Wireless
5430 | 81.169.143.178 | ripencc | FREENETDE freenet Cityline Gmb

inetnum: 81.169.128.0 - 81.169.143.255
netname: STRATO-RZG-DED
descr: Strato Rechenzentrum, Berlin
country: DE
admin-c: CM265-RIPE
tech-c: XX1-RIPE
tech-c: WB14-RIPE
remarks: ******************************************************
remarks: * please report spam/abuse/attaks mailto:abuse-server@strato.de *
remarks: * reports to other addresses will not be processed *
remarks: * please do not report simple portscans *
remarks: ******************************************************
status: ASSIGNED PA
mnt-by: STRATO-RZG-MNT
mnt-lower: STRATO-RZG-MNT
mnt-routes: STRATO-RZG-MNT

Hi,

Finally, we crawled the archives of the big lists and have come
up with a list of subscribers who haven't posted in over 9 months, we
plan to set the mod bit on them too very soon.

So people who are 'real' but lurk a lot should reply to this message so
they don't get moderated :)

Sabri Berisha wrote:

Hi!

Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.

So people who are 'real' but lurk a lot should reply to this message so
they don't get moderated :)

I agree :)

I don't know what's worse, the spam or everybody mailing just once now ;)
Fortunately my mod bit should be safe again now.

Bye,
Raymond.

I am a lurker, but also a real person

And hopefully this is on-topic enough to not be banned.

Don

Sabri Berisha said the following on 6/7/2006 19:32:

So people who are 'real' but lurk a lot should reply to this message so
they don't get moderated :)

Not sure I am real, but I do lurk.

Sabri Berisha said the following on 6/7/2006 19:32:

So people who are 'real' but lurk a lot should reply to this message so
they don't get moderated :)

Not sure I am real, but I do lurk.

What about all of the unreal lurkers? :)

Jim Popovitch wrote:

William Allen Simpson wrote:

The spammers have figured out how to bypass the NANOG members-only posting, in this case by pretending to be John Fraizer and sending directly to trapdoor.

On our public list servers we now require admin approval of all new subscriptions as well as email verification....Perhaps these are some
ideas for the NANOG mailinglist admins to implement.

Or not. I expect that we've seen only the tip of the iceberg on people
who will now post one "I'm here, please don't moderate me" post. NANOG
has how many readers? For those who may have misread Jim's post, he was talking about *another* mailing list, not this one, on the moderation method mentioned. No sign that this is in effect on nanog.

The question would be - if you're hit by the moderation bit, and post a
message that makes it past whatever moderator's criteria.. Do you then
lose the moderation bit, since you now have posted within the last 9
months, and thusly have (unmoderated) access?

Or maybe this is just an exercise in let's-fly-by-the-seat-of-our-pants...

- d.

Not to mention the rational, irrational, transcendental, and imaginary lurkers.
Wait a minute, *I am not a number, I am a free man*.

I still comment here periodically when it is prudent to do so, I set this email account specifically for Nanog,
anticipating spam....

-Henry


Henry Linneweh wrote:

I still comment here periodically when it is prudent to do so, I set this email account specifically for Nanog,
anticipating spam....
-Henry

----- Original Message ----
From: Dominic J. Eidson <sauron@the-infinite.org>
To: nanog@merit.edu
Sent: Thursday, July 6, 2006 8:14:58 AM
Subject: Re: NANOG Spam?

Hi,

Finally, we crawled the archives of the big lists and have come
up with a list of subscribers who haven't posted in over 9 months, we
plan to set the mod bit on them too very soon.

So people who are 'real' but lurk a lot should reply to this message so
they don't get moderated :)

unlurked:)

Having very good experiences with spam filters (I have them all switched off :)
I did not even see the spam. My "manual spamfilter" successfully removed them.

Yes, I remember spam with nanog in the sender field. I receive a lot of
spam from everybody, including myself. That is why it never occurred to me
it might not have been faked.

The question would be - if you're hit by the moderation bit, and post a
message that makes it past whatever moderator's criteria.. Do you then
lose the moderation bit, since you now have posted within the last 9
months, and thusly have (unmoderated) access?

Or maybe this is just an exercise in let's-fly-by-the-seat-of-our-pants...

- d.

Mine is more a fly-by without pants :)

Having been hit by the lurking bit, you most likely have not spammed or
that bit would not be set in the first place.

Looks like a job for a trunk monkey.

Regards
Peter and Karin

I'm immoderate. But I believe that Popovitch was speaking of different
mailing lists than this one.

Joseph S D Yao wrote:

I'm immoderate. But I believe that Popovitch was speaking of different
mailing lists than this one.

Yes that is true, at least the part about the lists. ;) I run a mailing list discussion system for a few non-profits, it is those lists (and their admins) that I was speaking of.

Apologies to all for possibly having incited this chatter.

-Jim P.

Sabri Berisha said the following on 6/7/2006 19:32:
> So people who are 'real' but lurk a lot should reply to this message so
> they don't get moderated :)

Not sure I am real, but I do lurk.

I sometimes feel the same way..

I sit here and read the messages daily and post occasionally. Don't moderate bit my ass. Thanks.

Greg