Steve Bellovin writes:
"Gregory Taylor" writes:
Can somebody explain to me why I keep getting e-mails with no content that are
setting off my virus scanners via NANOG list?

Probably because there's a worm that's sending the messages -- messages
that purport to be from legitimate NANOG posters. Let me guess -- the
body of these messages starts <OB JECT STYLE='display:none"...> (I've
added a blank because the existence of the exact string does trigger
some filters.)

Yeah, exactly. The one last night appeared to come
from one of my old accounts (gherbert@crl.com).
CRL (the ISP, in San Francisco) no longer exists,
though the domain is apparently now an alias
for Charles River Laboratories in Massachusetts.
Presumably, gherbert@crl.com was still in the
nanog-post list database from the early days
because I didn't delete it when CRL became an
ex-company, so it got in through the filters
at Merit (I have sent them mail to rectify that).
But this was just random bad luck from a virus.
A lot of the virus/worm infections now will
pick random pairs of addresses out of people's
mailboxes; one is used as the "from" in a new
virus message, the other as the recipient.
Someone I sent mail to at some point, who had
received nanog mail (or some combination thereof)
got a virus, and it lucked out in picking
a recipient (nanog) that was a closed list
but using a From: address that was a valid
sender for the list.
This could happen again any time if anyone
else on the list gets a virus, if the From/To
pairs that are randomly picked turn out to
line up with the list in a valid way.
The virus came to Merit from 151.202.157.67,
which is a Verizon parent block, and the
particular set of addresses is One FN
(NET-151-202-157-64-1), who are someone at
1 Park Ave, New York. I live in Oakland,
California.
Welcome to the new exciting world of Outlook.
This is why I use nmh as my mail user agent.
But it doesn't protect anyone else out there
from viruses impersonating me in this manner.
Or impersonating you, or anyone else...
-george william herbert
gherbert@retro.com
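
The failure described in this thread, as an added example that is not part of the original messages: a closed-list filter that trusts only the From: header accepts a forged post, while one that also inspects the body for the hidden OBJECT opening holds it. The list address, poster addresses, sample messages, function names and the regular expression are all constructed assumptions, not Merit's actual configuration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholder data (not the real list database).
LIST_ADDR = "list@lists.example"
ALLOWED_POSTERS = {"old-account@isp.example", "current@home.example"}

# Assumed pattern: body opens with an OBJECT element styled display:none.
HIDDEN_OBJECT = re.compile(r"^\s*<object\b[^>]*display\s*:\s*none", re.I)

def _sender(msg):
    """Address from the From: header, which the sending host fully controls."""
    return parseaddr(msg.get("From", ""))[1].lower()

def from_only_filter(raw):
    """Closed-list check that trusts the From: header alone."""
    msg = message_from_string(raw)
    return "accept" if _sender(msg) in ALLOWED_POSTERS else "reject"

def filter_with_body_check(raw):
    """Same poster check, then hold suspicious bodies for a moderator."""
    msg = message_from_string(raw)
    if _sender(msg) not in ALLOWED_POSTERS:
        return "reject"
    if msg.is_multipart():
        return "hold"  # conservative: a human looks at anything with parts
    body = msg.get_payload()
    if not body.strip() or HIDDEN_OBJECT.search(body):
        return "hold"  # empty or hidden-object body from a known poster
    return "accept"

def make(frm, body):
    """Build a constructed plain-text message addressed to the list."""
    return "\n".join([f"From: {frm}", f"To: {LIST_ADDR}", "Subject:", "", body])

# Constructed samples: forged stale poster, genuine poster, non-subscriber.
FORGED = make("old-account@isp.example", '<OBJECT STYLE="display:none"></OBJECT>\n')
LEGIT = make("current@home.example", "Anyone else seeing route flaps today?\n")
OUTSIDER = make("stranger@elsewhere.example", "hello\n")

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("legit", LEGIT), ("outsider", OUTSIDER)]:
        print(name, from_only_filter(raw), filter_with_body_check(raw))
```

Removing stale addresses from the poster database, as described above, shrinks the set of From: values a forged message can match, but any remaining valid poster address is still accepted by the From:-only check.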