17.846 last (we hope) on the spamming

From: Humanist Discussion Group (by way of Willard McCarty willard.mccarty@kcl.ac.uk)
Date: Fri May 07 2004 - 16:52:42 EDT


                   Humanist Discussion Group, Vol. 17, No. 846.
           Centre for Computing in the Humanities, King's College London
                       www.kcl.ac.uk/humanities/cch/humanist/
                            www.princeton.edu/humanist/
                         Submit to: humanist@princeton.edu

       [1] From: Mícheál Mac an Airchinnigh (28)
                     <mmaa@eircom.net> (by
             Subject: Re: more on the spamming

       [2] From: Norman Gray <norman@astro.gla.ac.uk> (42)
             Subject: Re: Urgent reassurance about viral spam on Humanist

       [3] From: Patrick T Rourke <ptrourke@methymna.com> (49)
             Subject: Re: more on the spamming

       [4] From: robert delius royar <r.royar@morehead-st.edu> (14)
             Subject: Re: Urgent reassurance about viral spam on Humanist

       [5] From: Robin Smith <rasmith@aristotle.tamu.edu> (38)
             Subject: Re: more on the spamming

    [This is a selection from the several notes I received. Many thanks for the
    help & reassurances. --WM]

    --[1]------------------------------------------------------------------
             Date: Wed, 05 May 2004 07:07:05 +0100
             From: Mícheál Mac an Airchinnigh <mmaa@eircom.net> (by
             Subject: Re: more on the spamming

    On 3 May 2004, at 23:26, Willard McCarty wrote:

    >Date: Mon, 3 May 2004 18:20:20 -0400 (EDT)
    >From: Alan Sondheim <sondheim@panix.com>
    >To: Willard McCarty <willard.mccarty@KCL.AC.UK>
    >Cc: humanist@Princeton.EDU
    >>
    >
    >It's actually not coming from the listserv - it's an automated spoofed
    >address which means you have nothing to do with it, and can't do anything
    >about it except put out a warning. It's not going through the listserv as
    >far as I know.
    >
    >
    >- Alan

    Hence, in some "real" sense Willard is subject to deliberate or accidental
    "identity theft" in the e-world.

    The purpose of the real person behind such attacks is precisely
    to rely on the trustworthiness of someone such as Willard etc
    to betray that very trust vis-a-vis another.

    Mícheál

    ... o O o O o ...
    Dr. Mícheál Mac an Airchinnigh
    Senior Lecturer
    Department of Computer Science
    University of Dublin, Trinity College
    Dublin 2,
    IRELAND
    ... o O o O o ...

    --[2]------------------------------------------------------------------
             Date: Wed, 05 May 2004 07:08:05 +0100
             From: Norman Gray <norman@astro.gla.ac.uk>
             Subject: Re: Urgent reassurance about viral spam on Humanist

    Willard,

    On Mon, 3 May 2004, Willard McCarty wrote:

    > Reports from several members of Humanist attest to the fact that for the
    > last few days viral spam has been sent out under my address,

    A common technique that spammers use is to work through a list of email
    addresses, sending spam to each address on the list, with the from address
    forged to be the previous (or next, or some other) address on the list.
    That means that the fake sender is the one who gets the bounce message,
    or the blame. The annoyance caused to the putative senders by the
    subsequent bounces, or indeed the subsequent annoyed emails, is now termed
    `collateral spam' (which is grimly comic, I suppose).

    This also explains why we sometimes seem to get such spam from vaguely
    familiar folk, more often than we might expect. Spammers apparently
    work through lists of related emails, such as subscriber lists, I think
    in order to slightly increase the chance that folk will open a message
    (uncertain), or that it will get through spam blocks.

    Thus it is because it is probably quite likely that your address
    and Humanist's are adjacent on such a list, that spam was sent to the
    Humanist list with you as its putative sender. I'd think it would be
    _very_ unlikely to be any sort of virus.

    Sender addresses are absolutely trivial to fake in email, and it's only
    because people never did this, in gentler times, that listservs were
    ever written to take the sender address as a reasonable authority.

    > I have altered
    > the Listserv header to disallow all attachments but do not know what else I
    > can do to protect us all. I would greatly appreciate advice from anyone who
    > knows Listserv well enough to see a way of blocking such trickery.

    I don't know of the technicalities of listservs, but the only ways of
    avoiding this in principle (using an extra non-publicised address,
    authentication based on your particular machine, cryptographic signing)
    are probably more trouble than they're really worth.

    If Humanist gets the occasional spam, well, it prompts us to give thanks
    for the small amount it gets in comparison to other lists.

    But then there's the big archival question: do you expunge them from the
    list archive or not...?

    ....

    All the best,

    Norman

    --
    ---------------------------------------------------------------------------
    Norman Gray                        http://www.astro.gla.ac.uk/users/norman/
    Physics and Astronomy, University of Glasgow, UK     norman@astro.gla.ac.uk
    

    --[3]------------------------------------------------------------------
             Date: Wed, 05 May 2004 07:08:48 +0100
             From: Patrick T Rourke <ptrourke@methymna.com>
             Subject: Re: more on the spamming

    Sorry to contradict, but in this specific case, it IS going out through the listserv, at least in some cases, as one can see from the headers from one of the messages reproduced below. Of course, the listserv is merely acting as a vehicle, and is conveniently deleting the offensive content in the process of forwarding it.

    What seems to be happening on this occasion is that the infected computer, which has both the submission email address on it and Dr. McCarty's email address, has spoofed the latter as the sender and the former as the recipient.

    I'm tempted to think that the btcentralplus computer listed last in the headers is the immediate source of the e-mails, but I've only been successful at this kind of tracking within a local area network.

    Patrick Rourke

    From willard.mccarty@kcl.ac.uk Sun May 2 21:36:32 2004
    Received: from Princeton.EDU ([128.112.129.75]) by ams.ftl.affinity.com with ESMTP id <313136-3659>; Sun, 2 May 2004 20:13:14 -0400
    Received: from smtpserver2.Princeton.EDU (smtpserver2.Princeton.EDU [128.112.129.148]) by Princeton.EDU (8.12.9/8.12.9) with ESMTP id i430Binb018004; Sun, 2 May 2004 20:11:44 -0400 (EDT)
    Received: from lists.Princeton.EDU (lists01.Princeton.EDU [128.112.129.193]) by smtpserver2.Princeton.EDU (8.12.9/8.12.9) with ESMTP id i42NbkbF022652; Sun, 2 May 2004 20:11:09 -0400 (EDT)
    Received: from LISTS.PRINCETON.EDU by LISTS.PRINCETON.EDU (LISTSERV-TCP/IP release 1.8e) with spool id 3920790 for humanist@LISTS.PRINCETON.EDU; Sun, 2 May 2004 20:10:43 -0400
    Received: from lists01.Princeton.EDU (localhost [127.0.0.1]) by lists.Princeton.EDU (8.12.9/8.12.9) with SMTP id i430AgPB015272 for <humanist@lists.Princeton.EDU>; Sun, 2 May 2004 20:10:42 -0400 (EDT)
    Received: from lists.Princeton.EDU ([127.0.0.1]) by lists01.Princeton.EDU (SAVSMTP 3.1.3.37) with SMTP id M2004050220104103084 for <humanist@lists.Princeton.EDU>; Sun, 02 May 2004 20:10:41 -0400
    Received: from Princeton.EDU (postoffice01.Princeton.EDU [128.112.129.75]) by lists.Princeton.EDU (8.12.9/8.12.9) with ESMTP id i430Af8F015269 for <humanist@lists01.Princeton.EDU>; Sun, 2 May 2004 20:10:41 -0400 (EDT)
    Received: from postoffice01.Princeton.EDU (localhost [127.0.0.1]) by Princeton.EDU (8.12.9/8.12.9) with SMTP id i430AMdY017336 for <humanist@lists01.Princeton.EDU>; Sun, 2 May 2004 20:10:41 -0400 (EDT)
    Received: from Princeton.EDU ([128.112.129.75]) by postoffice01.Princeton.EDU (SAVSMTP 3.1.3.37) with SMTP id M2004050220104116239 for <humanist@lists01.Princeton.EDU>; Sun, 02 May 2004 20:10:41 -0400
    Received: from saravanan.org (host217-44-128-32.range217-44.btcentralplus.com [217.44.128.32]) by Princeton.EDU (8.12.9/8.12.9) with SMTP id i430Acnc017443 for <humanist@Princeton.EDU>; Sun, 2 May 2004 20:10:38 -0400 (EDT)

    --[4]------------------------------------------------------------------
             Date: Wed, 05 May 2004 07:09:53 +0100
             From: robert delius royar <r.royar@morehead-st.edu>
             Subject: Re: Urgent reassurance about viral spam on Humanist

    Perhaps Listserv, similar to majordomo, supports password protected moderation. That is how I prevent spam on a majordomo list I moderate. Any outgoing postings from the list must first clear through me. I get a number of dummied up messages intended for the list for approval. I am on a list (WPA-L) out of Arizona State University which uses LISTSERV. One of the administrators of that list might be able to help you. Try Barry Maid <Barry.Maid@ASU.EDU>. WPA-L was swamped by viruses and spam a year or so ago until he and David Schwalm (the other administrator) made some changes in that list's configuration.

    r. royar

    --
    Dr. Robert Delius Royar <r.royar@morehead-st.edu>
    Associate Professor of English, Morehead State University
    Kill UGLY Corporate Radio

    --[5]------------------------------------------------------------------
             Date: Wed, 05 May 2004 07:10:16 +0100
             From: Robin Smith <rasmith@aristotle.tamu.edu>
             Subject: Re: more on the spamming

    I assume that you're aware of this, but just in case: virtually nothing about an email message can be trusted, since virtually all the details indicating its source are easily forged. The 'from:' and 'reply-to:' lines are trivial. At one time, the information in the envelope portion of the header (the 'received trace') was a little more trustworthy, since it is supplied by the various relays that hand on a message: each relay reproduces the 'received' trace on the message as it gets it, adds its own line indicating where it got it from and when, and sends it on to the next relay. However, relays are designed to trust the information they get, so a reliable relay that gets a message with forged information will simply transmit that forged information reliably. So, you can only trust the 'received' trace back as far as the last relay in the line that was actually reliable. The reason this is now a particular problem with spam is that spammers often set up their own mail relays (this is also true of worms: they often include an SMTP relay in their code, and of course they lie about who they are and about where they're relaying a message from). If a lying relay connects to a reliable one, the reliable one can tell what the liar's real IP address is, but it can't verify anything else in the message). So, there's just nothing about a message that you can trust. Even if your computer, and indeed every computer at your institution, were instantly transported to the next galaxy or ground to a fine powder, there will still probably be messages roaming about the Internet for years pretending to be from you, or from Humanist.

    In addition (as you must know very well by now), worms and spammers plug in all sorts of things as forged addresses, including both things they just make up and things they find lying around (worms typically ransack the computers they infest for email addresses and plug these in to the various fields of messages they send).

    It's for reasons like these that those of us who manage mail servers have generally stopped sending messages back in response to worm-infested messages: it's a total waste of time, since the apparent sender of the message is usually some unaffected third party (I use FreeBSD as my operating system, and I still get annoying messages from email scanners configured to send back these well-intentioned but pointless warnings that "a virus has infected my system").

    Robin Smith
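    The point Robin makes about trusting the 'received' trace only as far as the last reliable relay, applied to the header chain Patrick reproduced in [3], as an added example that is not part of any contributor's message: the script walks the Received: lines newest-first and stops at the first line written by a relay outside an assumed trusted set (the recipient's provider and the Princeton list hosts), so the connecting IP it reports is the one a trusted machine actually observed. The trusted set, the helper names and the final forged hop are assumptions for the example; the other lines are the ones from the trace above.

```python
import re

# Received: lines from the trace reproduced in Patrick Rourke's note, newest
# first (each relay prepends its own line). Only a subset of the hops is kept;
# the LAST line is a CONSTRUCTED forged hop of the kind a spammer's own relay
# can prepend, included to show where a trace walk has to stop believing.
RECEIVED = [
    "from Princeton.EDU ([128.112.129.75]) by ams.ftl.affinity.com with ESMTP id <313136-3659>; Sun, 2 May 2004 20:13:14 -0400",
    "from smtpserver2.Princeton.EDU (smtpserver2.Princeton.EDU [128.112.129.148]) by Princeton.EDU (8.12.9/8.12.9) with ESMTP id i430Binb018004; Sun, 2 May 2004 20:11:44 -0400 (EDT)",
    "from lists.Princeton.EDU (lists01.Princeton.EDU [128.112.129.193]) by smtpserver2.Princeton.EDU (8.12.9/8.12.9) with ESMTP id i42NbkbF022652; Sun, 2 May 2004 20:11:09 -0400 (EDT)",
    "from LISTS.PRINCETON.EDU by LISTS.PRINCETON.EDU (LISTSERV-TCP/IP release 1.8e) with spool id 3920790 for humanist@LISTS.PRINCETON.EDU; Sun, 2 May 2004 20:10:43 -0400",
    "from saravanan.org (host217-44-128-32.range217-44.btcentralplus.com [217.44.128.32]) by Princeton.EDU (8.12.9/8.12.9) with SMTP id i430Acnc017443 for <humanist@Princeton.EDU>; Sun, 2 May 2004 20:10:38 -0400 (EDT)",
    "from mail.example.org (mail.example.org [192.0.2.10]) by saravanan.org with SMTP; Sun, 2 May 2004 20:10:00 -0400",  # constructed
]

# Relays whose Received: lines we are prepared to believe (assumed here):
# the reader's own provider and anything under the list host's domain.
TRUSTED = {"ams.ftl.affinity.com", "princeton.edu"}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                     # name the client announced
    r"(?:\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[\d.]+)\]\))?"  # what the relay itself saw
    r"\s+by\s+(?P<by>[\w.-]+)",                                 # relay that wrote the line
    re.IGNORECASE,
)

def is_trusted(host, trusted=TRUSTED):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def last_verified_hop(received, trusted=TRUSTED):
    """Return the deepest hop written by a trusted relay: the point where the
    message entered the trusted boundary. Older lines were written by machines
    we cannot vouch for, so neither their 'from' claims nor the lines below
    them count as evidence. Returns None if not even the newest line is trusted."""
    verified = None
    for i, line in enumerate(received):
        m = HOP_RE.search(line)
        if not m or not is_trusted(m["by"], trusted):
            break                                   # written by an untrusted relay
        verified = {"hop": i, "claimed": m["helo"], "rdns": m["rdns"],
                    "ip": m["ip"], "by": m["by"]}
        # the relay's own reverse lookup beats the HELO name for deciding whether
        # the sending side is still inside the boundary; a forged HELO can't help
        if not is_trusted(m["rdns"] or m["helo"], trusted):
            break                                   # this is the entry point
    return verified

if __name__ == "__main__":
    h = last_verified_hop(RECEIVED)
    print(f"entry point {h['ip']} (HELO {h['claimed']}, rDNS {h['rdns']}) seen by {h['by']}")
```

    Run on the trace above it reports the 217.44.128.32 hop seen by Princeton.EDU and ignores the older line, which is exactly the reasoning Patrick applied by hand in [3]; the HELO name 'saravanan.org' is reported only as a claim, since the trusted relay can vouch for the IP but not for the name.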



    This archive was generated by hypermail 2b30 : Fri May 07 2004 - 16:53:26 EDT