SPAM and Virus emails to NANOG

Steve Bellovin writes:

"Gregory Taylor" writes:

Can somebody explain to me why I keep getting e-mails with no content that are
setting off my virus scanners via NANOG list?

Probably because there's a worm that's sending the messages -- messages
that purport to be from legitimate NANOG posters. Let me guess -- the
body of these messages starts <OB JECT STYLE='display:none"...> (I've
added a blank because the existence of the exact string does trigger
some filters.)

Yeah, exactly. The one last night appeared to come
from one of my old accounts (gherbert@crl.com).
CRL (the ISP, in San Francisco) no longer exists,
though the domain is apparently now an alias
for Charles River Laboratories in Massachusetts.
Presumably, gherbert@crl.com was still in the
nanog-post list database from the Early days
because I didn't delete it when CRL became an
ex-company, so it got in through the filters
at Merit (I have sent them mail to rectify that).

But this was just random bad luck from a virus.
A lot of the virus/worm infections now will
pick random pairs of addresses out of people's
mailboxes; one is used as the "from" in a new
virus message, the other as the recipient.
Someone I sent mail to at some point, who had
received nanog mail (or some combination thereof)
got a virus, and it lucked out in picking
a recipient (nanog) that was a closed list
but using a From: address that was a valid
sender for the list.

This could happen again any time if anyone
else on the list gets a virus, if the From/To
pairs that are randomly picked turn out to
line up with the list in a valid way.

The virus came to Merit from 151.202.157.67,
which is a Verizon parent block, and the
particular set of addresses are One FN
(NET-151-202-157-64-1), who are someone at
1 Park Ave, New York. I live in Oakland,
California.

Welcome to the new exciting world of Outlook.

This is why I use nmh as my mail user agent.
But it doesn't protect anyone else out there
from viruses impersonating me in this manner.
Or impersonating you, or anyone else...

-george william herbert
gherbert@retro.com

These spoofed virii/worm/whatnot emails can be
somewhat prevented in a few cases by the utilization of SPF

  http://spf.pobox.com/

  I encourage people to look at this, review it for its merits and
look at using it. Then if the nanog list were to use SPF, it could
help prevent these booogus emails from reaching the list.

  - Jared

  These spoofed virii/worm/whatnot emails can be
somewhat prevented in a few cases by the utilization of SPF

Note that this isn't a totally foolproof method. We have a large (50K+)
subscriber list that's flagged as "post by list manager only" - and one of the
address-scraping worms managed to get the list name into the To: and the
manager's name into the From:. Multiple times. Like 50+. (Overlooking the
multiple hundreds that got trapped because they managed to get the list in the

Of course, locality-of-reference being what it is, the (un)lucky machine
happened to be actually at our site, so SPF wouldn't have done anything to stop
it. Remember that if foo.com is a large corporation (as opposed to an open
ISP), most address scrapers will get luckiest at getting 'foo.com' into both
the From: and To: headers if they manage to whack a machine that's actually a
legitimate foo.com box.
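The two cases the thread describes, worked through in a toy SPF evaluator (this is an added example, not code from any of the posters or from the SPF project): a worm on the Verizon address 151.202.157.67 forging a crl.com sender fails SPF, while a worm on a host inside foo.com's own published range passes, exactly as the last poster warns. The SPF records for crl.com and foo.com are constructed placeholders standing in for DNS TXT lookups, not real data; only ip4/ip6 and the "all" mechanism are modelled.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (hypothetical, not real DNS data).
SPF_RECORDS = {
    "crl.com": "v=spf1 ip4:198.51.100.0/24 -all",   # hypothetical legitimate crl.com range
    "foo.com": "v=spf1 ip4:203.0.113.0/24 -all",    # hypothetical corporate foo.com range
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, connecting_ip, records=SPF_RECORDS):
    """Evaluate the sender domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Only ip4:/ip6: and 'all' mechanisms are handled; a/mx/include are skipped.
    """
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # 'in' is False when address and network families differ.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # mechanism not modelled in this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def worm_scenarios():
    """The thread's two cases: forged From: from outside vs. from inside the domain."""
    return {
        # Worm on the Verizon host from the thread, forging gherbert@crl.com.
        "outside_forgery": check_spf("crl.com", "151.202.157.67"),
        # Worm on an infected foo.com box (constructed IP), forging the list manager.
        "inside_forgery": check_spf("foo.com", "203.0.113.7"),
    }


if __name__ == "__main__":
    for case, result in worm_scenarios().items():
        print(f"{case}: {result}")
```

The inside case passing is the point: SPF authorizes the sending host, not the user, so an infected machine inside the domain's own range is indistinguishable from a legitimate one.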