[time-nuts] parking lot location (was 2 (Spoofing))

Bill Hawkins bill at iaxs.net
Fri Apr 20 22:50:01 UTC 2012


[Parking lot location details deleted]

While clearly not spam, the only other time Mr. Darlington's name appears
in this group in the 12,459 low noise messages since 12/31/2010 was the
following:

-----Original Message-----
From: Robert Darlington
Sent: Tuesday, October 04, 2011 4:07 PM
To: jfor at quikus.com; Discussion of precise time and frequency measurement
Subject: Re: [time-nuts] 2 (Spoofing)

So that no more goes out to the list.  It does nothing to stop the problem.
I'd have to look at the headers but based on what I'm hearing it sounds like
his mail server is wide open, OR, somebody on the same network/isp is
spamming.

-Bob

On Tue, Oct 4, 2011 at 2:54 PM, J. Forster <jfor at quikus.com> wrote:

I agree with that picture.

The sad thing is that the spammer can do it to Jeff essentially forever.
There is little that can be done, other than change his email address,
because the spammer has both his email address and a list of sites where
that email address is trusted.

As a Moderator (not of this group) I immediately moderate any such
spamming email addresses, so at least no further spam goes out.

Best,
-John

 ====================

 From the looks of it:

 1. The bad guys imported/stole Jeff's address book (via social networking
 ABI hijack, or PC infection).

 2. The bad guys then spammed (from 84.27.224.19 in the Netherlands) to the
 contacts they stole from Jeff's address book (and spoofing as "Jeff").

 This is troubling because it could happen to any one of us (if we have an
 address book and it gets hijacked).

 Per John's previous message, I would be leery of social network ABI
 (Address Book Import) for one thing.

 -Greg


----- Original Message -----
From: "Chuck Harris" <cfharris at erols.com>
Sent: Tuesday, October 04, 2011 2:04 PM
Subject: Re: [time-nuts] 2 (Spoofing)

I'm not convinced.  Notice that the to: line contains a list of addresses
that look like they would belong in a time-nut's address book.  That 
wouldn't be beneficial, or necessary if the spammer was spoofing his way
into febo's servers.

I think this came from a spambot running on jeff's machine, and it emailed
the payload to as many places as it dared... one of them happened to be the
time-nuts address used for posting messages.

-Chuck Harris

gbusg wrote:
The spam message in question was apparently spoofed and did not originate
from Jeff's PC. In the message header, note the Originating-IP was
[84.27.224.19]. That IP address originates from a server at [Netherlands
Groningen Ziggo B.v]. Jeff's actual IP address (which I won't repeat
here) is significantly different and is located in the U.S.A.

Chuck, I think somehow the spoofers have overcome the obstacle you
mention, unfortunately. (Otherwise how did the user of the Netherlands
server manage to get spam through to our group?)

-Greg


This is the message that started it all:

-----Original Message-----
From: jeffhook at comcast.net
Sent: Tuesday, October 04, 2011 4:42 AM
To: lroden60 at yahoo.com; ronrudd2 at mindspring.com; smbietz at verizon.net;
stacielee at comcast.net; time-nuts at febo.com; trytob10 at gmail.com;
warrensjmail-one at yahoo.com
Subject: [time-nuts] 2

Have ever been to the best on-line shop? This is it! [link to a French
ceramic pottery shop deleted].

End of old messages happens here.

OB timenuts: Time hung heavy on my hands.

Bill Hawkins
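
The header comparison discussed in the quoted thread (the Originating-IP versus the sender's usual address), as an added example that is not part of the original messages. The sample message, host names and the 198.51.100.0/24 "usual" network are constructed; only 84.27.224.19 comes from the thread.

```python
import email
import ipaddress
import re

# Constructed sample. 84.27.224.19 is the address quoted in the thread;
# every name, host and other address here is made up for illustration.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby lists.example.org with ESMTP; Tue, 4 Oct 2011 08:42:10 +0000
Received: from [84.27.224.19] by webmail.example.net;
\tTue, 4 Oct 2011 08:42:05 +0000
X-Originating-IP: [84.27.224.19]
From: sender@example.net
To: list@example.org
Subject: 2

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def header_ips(raw):
    """Return (X-Originating-IP or None, bracketed IPs in Received, newest hop first)."""
    msg = email.message_from_string(raw)
    xoip = IP_RE.search(msg.get("X-Originating-IP", ""))
    hops = []
    for value in msg.get_all("Received", []):
        hops.extend(IP_RE.findall(value))
    return (xoip.group(1) if xoip else None), hops

def origin_matches(raw, usual_networks):
    """True/False: is the claimed origin inside the sender's usual networks?
    None when the message carries no origin information at all.
    Caveat: only hops stamped by servers you trust are reliable evidence."""
    xoip, hops = header_ips(raw)
    origin = xoip or (hops[-1] if hops else None)  # fall back to the oldest hop
    if origin is None:
        return None
    try:
        addr = ipaddress.ip_address(origin)
    except ValueError:
        return False  # malformed address: treat as not matching
    return any(addr in ipaddress.ip_network(n) for n in usual_networks)

if __name__ == "__main__":
    print(header_ips(SAMPLE))
    print(origin_matches(SAMPLE, ["198.51.100.0/24"]))
```

A mismatch only shows the message was submitted from somewhere other than the sender's usual network; it does not by itself distinguish a forged sender from an account or address book that was taken over.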





