[sf-lug] Suspicious email from LinuxMafia

Rick Moen rick at linuxmafia.com
Wed Mar 9 13:55:58 PST 2016


Quoting Jim Stockford (jim at well.com):

>     I do minor administration for the sf-lug mailing list,

Well, actually you're it.  There's no other listadmin.  (And thank you.)

> working under the name of Saunders^H^H^H^H^H^H^H^H
> sf-lug-owner at linuxmafia.com

Very droll, sir.

>     sf-lug-owner at linuxmafia.com got email today. I'd like
> help figuring it out.

It's scam mail.  Payload in the Zip file is probably MS-Windows
malware.  Harmless even on Windows as long as you don't do something
stupid like run the exe file stored inside the zip.

> * The sender appears as admin <adm79 at linuxmafia.com>

Which is of course forged.

As a generality, all headers in e-mail are able to be forged with the
exception of the envelope 'From ' header and the last-prior-hop IP address in
the Received header.  (Don't worry if you don't know exactly what all of
that means, but you can look those up if curious.  I don't want to turn
this into an all-day seminar on how to read SMTP headers.)

Anyway, I say again, this mail did not originate at linuxmafia.com at
all (albeit it indeed passed through here).  The claim that it did is
provably a lie[1], as can be confirmed by header analysis.  For the
record, it came from IP address 5.239.148.71, which is part of an IP
netblock assigned to Telecommunication Company of Qom, Iran.  (You can
find that IP in the Received headers, and see what I'm talking about.
To find the netblock, do 'whois 5.239.148.71'.)

So, to recap, mail originated at an ISP (or customer of that ISP)
somewhere around the Holy City of Qom -- halfway around the planet.
From there, it was lobbed with a bunch of forged headers (about which,
see footnote) to Mailman at linuxmafia.com.  linuxmafia.com's
spam-detection didn't block this one, so it was handed to Mailman.
Mailman parsed out the 'To' header, determined that was you, and sent
you a copy at your Well address.  Et voila.


> I've copied the complete header information below; I myself
> have not sufficient experience to be confident in my interpretation
> of the header and other info.

Well done on that part, by the way, Jim!

Your providing full headers made it possible to answer your question.
Often, I face the frustrating situation of the reporter being unaware
that his/her mail program shows only partial SMTP headers by default --
and so accidentally omitting the crucial ones.


> * It seems to have gotten to me via the well, which got it from
>   a sender named mailmanbounces at linuxmafia.com

And _that_ in turn is because you are listadmin for a mailing list on
linuxmafia.com, namely this one:  Notice (which I'm sure you did, but 
I'm saying this for the group) that one of the other main headers was
this one:

To: sf-lug-owner at linuxmafia.com

sf-lug-owner, as you say, means you.  That's a redirect to jim at well.com,
kind of like an e-mail alias (except implemented by Mailman).

Which leads me to my other point: Unfortunately, being a listadmin means
you are highly likely to get a certain amount of such stuff.  As a
public point of contact for (uh, I think several) Mailman administrative
addresses, Mailman collects and reflects to you communication sent to
those addresses.

linuxmafia.com rejects a great deal of spam right at the MTA inbound
phase, i.e., acceptance of SMTP mail from elsewhere.  I think even in
its current rather antiquated state, its antispam is still exceptional.
(linuxmafia.com doesn't take extraordinary measures to find and reject
malware _as such_.  My view as system architect is that malware in
e-mail is a nuisance because it's spam, not because it's malware.)

So, we do our best to not accept this junk at all, but no antispam
regime is perfect and (like everything else 24x7 on the Internet) we're
barraged by this mercilessly.  A very small percent isn't rejected.

The mailing list itself, i.e., the subscribers, never get this bullshit.

The rare exception would be if an actual subscriber's Windows machine
_itself_ got malware-infested and started spewing copies of malware to
all the subscriber's known addressees, including this mailing list.
Then, if it got past my MTA, Mailman would blithely blast it out to all
members, because as far as it could tell it's from a subscribed address.
Can't recall whether that's happened on sf-lug at linuxmafia.com or not:
If so, standard procedure is listadmin sets 'moderated' flag on that
subscriber, advises subscriber offlist to clean up his/her act, and 
briefs the membership on what just happened and that it's been dealt
with.  (You could then ask me to please purge that mail from the
archive.)

As listadmin, you'd get this annoyance even more rarely if
linuxmafia.com became even better at rejection of incoming spam.
We certainly try, time and energy permitting.  Any improvement tends to
be capped by the Law of Diminishing Returns, and collateral damage
becomes more likely, the more severe one's filtering is.

Spam is a Difficult Problem[tm].

And of course also -- and I'm saying this not to pass the buck but
rather for completeness -- you can get even less of this annoyance
through good antispam on _your_ end.

And last, you could get less of this annoyance by ceasing to serve as
listadmin.  SF-LUG and I would appreciate it if you didn't stop, though.
Your supervision of the list is appreciated.

(There are also endless varieties of extreme measures usable for
antispam, such as blocklisting all IP netblocks from entire countries.
Some people actually do that.  Not me, but my point is that spam
motivates extreme reactions, which should not automatically be
considered wise by a long shot.  Some are like appointing Torquemada as
your schoolteacher because it would be good for discipline.)


[1] A good assumption about any spam is that any header from the spammer
or his/her script will be forged if it can be forged.  Because spammers
are lying liars who lie.
