[sf-lug] Suspicious email from LinuxMafia

jim jim at well.com
Wed Mar 9 20:56:14 PST 2016


I found your reply helpful, primarily with respect to

* all headers in e-mail are able to be forged with the exception of the 
envelope 'From ' header and the last-prior-hop IP address in the 
Received header.

* do `whois 5.239.148.71'

* your explanation of the trail such spam takes
from its origin through Mailman to me.


As a note, I don't mind getting some spam, and I
like helping out.

     Networking is my greatest weakness. I'm like
someone from planet Zorn who came to this planet
in the late 1970s, learned how to administer a
Unix host, then went bowling with some odd people
who gave me a strange drink. I fell asleep behind
some bushes and woke up a few years after 2000.
Now I've learned that having some system administration
skills is like trying to run a race with one leg.

     I read Winnie the Pooh something like eight or
ten times when I was a kid (per your "droll" notice).




On 03/09/2016 09:55 PM, Rick Moen wrote:
> Quoting Jim Stockford (jim at well.com):
>
>>      I do minor administration for the sf-lug mailing list,
> Well, actually you're it.  There's no other listadmin.  (And thank you.)
>
>> working under the name of Saunders^H^H^H^H^H^H^H^H
>> sf-lug-owner at linuxmafia.com
> Very droll, sir.
>
>>      sf-lug-owner at linuxmafia.com got email today. I'd like
>> help figuring it out.
> It's scam mail.  Payload in the Zip file is probably MS-Windows
> malware.  Harmless even on Windows as long as you don't do something
> stupid like run the exe file stored inside the zip.
>
>> * The sender appears as admin <adm79 at linuxmafia.com>
> Which is of course forged.
>
> As a generality, all headers in e-mail are able to be forged with the
> exception of the envelope 'From ' header and the last-prior-hop IP address in
> the Received header.  (Don't worry if you don't know exactly what all of
> that means, but you can look those up if curious.  I don't want to turn
> this into an all-day seminar on how to read SMTP headers.)
>
> Anyway, I say again, this mail did not originate at linuxmafia.com at
> all (albeit it indeed passed through here).  The claim that it did is
> provably a lie[1], as can be confirmed by header analysis.  For the
> record, it came from IP address 5.239.148.71, which is part of an IP
> netblock assigned to Telecommunication Company of Qom, Iran.  (You can
> find that IP in the Received headers, and see what I'm talking about.
> To find the netblock, do 'whois 5.239.148.71'.)
>
> So, to recap, mail originated at an ISP (or customer of that ISP)
> somewhere around the Holy City of Qom -- halfway around the planet.
> From there, it was lobbed with a bunch of forged headers (about which,
> see footnote) to Mailman at linuxmafia.com.  linuxmafia.com's
> spam-detection didn't block this one, so it was handed to Mailman.
> Mailman parsed out the 'To' header, determined that was you, and sent
> you a copy at your Well address.  Et voila.
>
>
>> I've copied the complete header information below; I myself
>> have not sufficient experience to be confident in my interpretation
>> of the header and other info.
> Well done on that part, by the way, Jim!
>
> Your providing full headers made it possible to answer your question.
> Often, I face the frustrating situation of the reporter being unaware
> that his/her mail program shows only partial SMTP headers by default --
> and so accidentally omitting the crucial ones.
>
>
>> * It seems to have gotten to me via the well, which got it from
>>    a sender named mailmanbounces at linuxmafia.com
> And _that_ in turn is because you are listadmin for a mailing list on
> linuxmafia.com, namely this one:  Notice (which I'm sure you did, but
> I'm saying this for the group) that one of the other main headers was
> this one:
>
> To: sf-lug-owner at linuxmafia.com
>
> sf-lug-owner, as you say, means you.  That's a redirect to jim at well.com,
> kind of like an e-mail alias (except implemented by Mailman).
>
> Which leads me to my other point: Unfortunately, being a listadmin means
> you are highly likely to get a certain amount of such stuff.  As a
> public point of contact for (uh, I think several) Mailman administrative
> addresses, Mailman collects and reflects to you communication sent to
> those addresses.
>
> linuxmafia.com rejects a great deal of spam right at the MTA inbound
> phase, i.e., acceptance of SMTP mail from elsewhere.  I think even in
> its current rather antiquated state, its antispam is still exceptional.
> (linuxmafia.com doesn't take extraordinary measures to find and reject
> malware _as such_.  My view as system architect is that malware in
> e-mail is a nuisance because it's spam, not because it's malware.)
>
> So, we do our best to not accept this junk at all, but no antispam
> regime is perfect and (like everything else 24x7 on the Internet) we're
> barraged by this mercilessly.  A very small percent isn't rejected.
>
> The mailing list itself, i.e., the subscribers, never get this bullshit.
>
> The rare exception would be if an actual subscriber's Windows machine
> _itself_ got malware-infested and started spewing copies of malware to
> all the subscriber's known addressees, including this mailing list.
> Then, if it got past my MTA, Mailman would blithely blast it out to all
> members, because as far as it could tell it's from a subscribed address.
> Can't recall whether that's happened on sf-lug at linuxmafia.com or not:
> If so, standard procedure is listadmin sets 'moderated' flag on that
> subscriber, advises subscriber offlist to clean up his/her act, and
> briefs the membership on what just happened and that it's been dealt
> with.  (You could then ask me to please purge that mail from the
> archive.)
>
> As listadmin, you'd get this annoyance even more rarely if
> linuxmafia.com became even better at rejection of incoming spam.
> We certainly try, time and energy permitting.  Any improvement tends to
> be capped by the Law of Diminishing Returns, and collateral damage
> becomes more likely, the more severe one's filtering is.
>
> Spam is a Difficult Problem[tm].
>
> And of course also -- and I'm saying this not to pass the buck but
> rather for completeness -- you can get even less of this annoyance
> through good antispam on _your_ end.
>
> And last, you could get less of this annoyance by ceasing to serve as
> listadmin.  SF-LUG and I would appreciate it if you didn't stop, though.
> Your supervision of the list is appreciated.
>
> (There are also endless varieties of extreme measures usable for
> antispam, such as blocklisting all IP netblocks from entire countries.
> Some people actually do that.  Not me, but my point is that spam
> motivates extreme reactions, which should not automatically be
> considered wise by a long shot.  Some are like appointing Torquemada as
> your schoolteacher because it would be good for discipline.)
>
>
> [1] A good assumption about any spam is that any header the spammer or
> his/her script sends will be forged if it can be forged.  Because spammers
> are lying liars who lie.
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
>
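The header-analysis step Rick describes (find the last-prior-hop IP in the Received headers, then whois it) can be made mechanical. The following is an added example, not code from the thread or from linuxmafia.com; the sample message, the hostnames (mx.well.example, linuxmafia.example), the documentation-range IP addresses and the 203.0.113.0/24 "own netblock" are all constructed. It generalises the point slightly: it walks the Received chain from the newest hop downward, trusting a line only while it was written by one of your own MTAs and chains onto the hop above it, so a forged line that merely claims your hostname (as the bottom Received line in the sample does) is rejected rather than believed.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample message (documentation-range addresses, .example hostnames),
# modelled on the case in the thread, not the real message.  Received lines are
# newest first; the bottom one was written by the spammer and claims an origin
# inside linuxmafia.example.
SAMPLE = """\
Received: from linuxmafia.example (linuxmafia.example [203.0.113.5])
\tby mx.well.example (Postfix) with ESMTP id 0000001
\tfor <jim@well.example>; Wed, 9 Mar 2016 20:12:00 -0800 (PST)
Received: from [192.0.2.10] (unknown [192.0.2.10])
\tby linuxmafia.example (Postfix) with ESMTP id 0000002
\tfor <sf-lug-owner@linuxmafia.example>; Wed, 9 Mar 2016 20:11:00 -0800 (PST)
Received: from adm79-pc.linuxmafia.example (adm79-pc.linuxmafia.example [203.0.113.77])
\tby linuxmafia.example (Postfix) with ESMTP id 0000003;
\tWed, 9 Mar 2016 20:10:00 -0800 (PST)
From: admin <adm79@linuxmafia.example>
To: sf-lug-owner@linuxmafia.example
Subject: Your documents

See attached.
"""

# Assumed (hypothetical) site facts: the hosts whose Received lines we wrote
# ourselves, and the domain and netblock that legitimately belong to the site.
TRUSTED_HOSTS = {"mx.well.example", "linuxmafia.example"}
OWN_DOMAINS = {"linuxmafia.example"}
OWN_NETWORKS = [ip_network("203.0.113.0/24")]

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s*\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(msg: Message) -> list:
    """Return the Received hops newest-first as dicts (from_host, from_ip, by)."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # e.g. "Received: by ..." local-submission lines
        ip = IP_RE.search(m.group("paren") or m.group("from"))
        hops.append({
            "from_host": m.group("from").strip("[]").lower(),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by").lower(),
        })
    return hops


def last_trusted_hop_ip(msg: Message, trusted_hosts=TRUSTED_HOSTS):
    """Walk down from the newest hop while each line was written by one of our
    own MTAs *and* chains onto the hop above it.  The 'from' IP of the last such
    hop is the last-prior-hop address; everything below it is attacker-written."""
    origin = None
    expected_by = None
    for hop in parse_hops(msg):
        if hop["by"] not in trusted_hosts:
            break
        if expected_by is not None and hop["by"] != expected_by:
            break  # claims our hostname but does not match the chain: forged
        origin = hop["from_ip"]
        expected_by = hop["from_host"]
    return origin


def assess(raw_message: str, trusted_hosts=TRUSTED_HOSTS,
           own_domains=OWN_DOMAINS, own_networks=OWN_NETWORKS) -> dict:
    """Compare the claimed From: domain with where the mail actually entered."""
    msg = message_from_string(raw_message)
    origin = last_trusted_hop_ip(msg, trusted_hosts)
    claimed = parseaddr(msg.get("From", ""))[1]
    claimed_domain = claimed.rpartition("@")[2].lower()
    origin_is_ours = origin is not None and any(
        ip_address(origin) in net for net in own_networks)
    return {
        "origin_ip": origin,
        "claimed_from": claimed,
        # A From: in our own domain that entered from outside our netblock is forged.
        "from_domain_forged": claimed_domain in own_domains and not origin_is_ours,
        "next_step": f"whois {origin}" if origin else "no trustworthy hop found",
    }


if __name__ == "__main__":
    for key, val in assess(SAMPLE).items():
        print(f"{key}: {val}")
```

Run against the sample, the script reports the origin as 192.0.2.10 (the hop linuxmafia.example itself recorded), flags the From: in linuxmafia.example as forged because that address is outside the site's netblock, and leaves the whois lookup as the manual next step rather than doing it for you. The hostname matching is deliberately exact: if your MTA names itself differently in the `by` clause (mail.linuxmafia.com versus linuxmafia.com), put that spelling in TRUSTED_HOSTS.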
