Peter Schaffter wrote:

> I got two pornographic-sounding spams today, one apparently from
> Werner, the other apparently from Ted Harding.  Rather than wait to
> see if these are isolated incidents, I'm cut 'n' pasting both
> emails with full headers into this post.

Yup, I noticed they came back in the last few days. Some server along the line has gotten smarter about removing the (presumably viral) payload, though.

> I'm not an expert in mail header forensics, but someone else may
> spot something useful.

I can read headers most of the time; it comes in handy to track spam back to its injection point. It's the one at the bottom that seems to be the important one:

Received: from [194.2.232.250] (helo=199.232.76.166)
by monty-python.gnu.org with smtp (Exim 4.34) id 1DH2ik-0007k9-Uq
for groff@gnu.org; Thu, 31 Mar 2005 11:40:39 -0500

The one I got had a similar header. The IP address in brackets is the one that's important here. Quoth the "dig" utility:

% dig -x 194.2.232.250

; <<>> DiG 8.3 <<>> -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      250.232.2.194.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
250.232.2.194.in-addr.arpa.  1H IN PTR  nat.isep.fr.

;; Total query time: 2510 msec
;; FROM: Lapdancer.local. to SERVER: default -- 10.0.1.1
;; WHEN: Thu Mar 31 21:32:56 2005
;; MSG SIZE  sent: 44  rcvd: 69

%

The part we want is the line below the "ANSWER SECTION" -- nat.isep.fr.
Querying RIPE's whois (whois -h whois.ripe.net 194.2.232.250) suggests
that Kumar Reddy and Gilles Carpentier (first.last at isep.fr) would be the
people to contact about what is likely an infested PC on their network.


A lot of these parasitic programs work by scanning address books for
more potential victims, and often use names from the same address book
as the "source" and destination... which suggests to me that someone
subscribed to the groff list -- or someone who knows someone (I doubt
it's more than one degree of separation) has been infested.
--
Larry Kollar     k  o  l  l  a  r  @  a  l  l  t  e  l  .  n  e  t
Unix Text Processing: "UTP Revival"
http://home.alltel.net/kollar/utp/
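
The header walk described above, as an added example that is not part of the original post or of any list software: it unfolds the Received: lines of a raw message, walks them from the top (the most recent hop, added by a server you trust) downward while the "by" host is still one you trust, and reports the connecting IP of the last trusted hop as the injection point. That is the only reliable part of the chain: anything below the first untrusted hop could have been typed in by the sender. It also flags a HELO that is an IP literal not matching the bracketed connecting address, as in the quoted header (helo=199.232.76.166 versus [194.2.232.250]), which is a common forgery sign. The bottom Received: line is the one from the post; the upper hop, the trusted-domain list and the 199.232.76.173 address are constructed assumptions.

```python
import re

# Constructed sample message. The second Received: line is the one quoted in
# the post; the first is an assumed later hop (hypothetical host and IP) so
# that the top-down walk has something to do.
SAMPLE_HEADERS = """\
Received: from monty-python.gnu.org ([199.232.76.173])
    by lists.gnu.org with esmtp (Exim 4.43) id 1DH2il-0001Ab-2x
    for groff@gnu.org; Thu, 31 Mar 2005 11:40:40 -0500
Received: from [194.2.232.250] (helo=199.232.76.166)
    by monty-python.gnu.org with smtp (Exim 4.34) id 1DH2ik-0007k9-Uq
    for groff@gnu.org; Thu, 31 Mar 2005 11:40:39 -0500
Subject: (constructed sample)
"""

IPV4_RE = r"\d{1,3}(?:\.\d{1,3}){3}"


def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto the previous header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(value):
    """Extract the fields that matter for tracing from one Received: value."""
    frm = re.search(r"^from\s+(\S+)", value)
    ip = re.search(r"\[(" + IPV4_RE + r")\]", value)   # the connecting address, set by the receiver
    helo = re.search(r"helo=([^\s)]+)", value)         # the name the sender claimed
    by = re.search(r"\bby\s+(\S+)", value)             # the server that wrote this line
    hop = {
        "from": frm.group(1) if frm else None,
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": by.group(1) if by else None,
    }
    # A HELO that is a bare IP literal different from the real connecting IP is a forgery sign.
    hop["helo_mismatch"] = bool(
        hop["ip"] and hop["helo"]
        and re.fullmatch(IPV4_RE, hop["helo"]) and hop["helo"] != hop["ip"]
    )
    return hop


def received_hops(raw):
    """Parsed Received: headers, top (most recent) to bottom (earliest)."""
    return [parse_received(line[len("Received:"):].strip())
            for line in unfold_headers(raw)
            if line.lower().startswith("received:")]


def injection_point(raw, trusted_by_suffixes=(".gnu.org",)):
    """Walk downward while the 'by' host is trusted; return the last trusted hop.

    Its 'ip' is where the message entered the trusted path. Lines below it
    were not written by anyone we trust and may be forged.
    """
    last = None
    for hop in received_hops(raw):
        if not hop["by"] or not hop["by"].lower().endswith(trusted_by_suffixes):
            break
        last = hop
    return last


def reverse_name(ip):
    """The in-addr.arpa name that 'dig -x' queries for a dotted-quad address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


if __name__ == "__main__":
    hop = injection_point(SAMPLE_HEADERS)
    print("injection point:", hop["ip"], "helo=", hop["helo"],
          "forged HELO" if hop["helo_mismatch"] else "")
    print("reverse lookup:", reverse_name(hop["ip"]))
```

The trusted-suffix list is the list server's own domain here; on your own mail you would put your MTA's hostnames in it. The reverse name is only the query to send to dig or whois; the PTR result and the abuse contact still come from DNS and RIPE as in the post.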



_______________________________________________
Groff mailing list
Groff@gnu.org
http://lists.gnu.org/mailman/listinfo/groff
