
David Abrahams wrote:
Here's what the IU sysadmin says:
We looked into this, and here's a few results:
1. The mail was definitely sent through lists.boost.org (HOG); Larry looked in the logs and found the relevant entries.
2. As a best guess, this is simple forgery. This is fairly common activity for viruses these days; viruses send out to addresses that they find in your inbox and in your addressbook. They also masquerade who they came from, so we don't really know where it came from, other than the IP address (202.103.247.70, which doesn't resolve to a name).
It looks as if my normal boost digest emails come through indiana university, in fact.
Correct.
So, my first guess was probably right as well, that the SMTP server for the boost mailing list doesn't scan outgoing emails for viruses
Correct.
--if it isn't altogether hacked...
Not as far as we know.
And now that I remember, I'd had this email address for a whole year and hadn't received any spam until I joined the mailing list. About an hour later I got my first 3 spams, and it's been downhill since.
Sorry. Not the fault of hosting it at IU, though.
Well, IU's admins could have set up the server to...
A) Record the sender's IP (I appreciate the 202.103.247.70 revelation, now, but I'd appreciate it even more as part of the email header..), and not to do so is to invite spammers and hackers to route through it.
B) Scan for viruses, at least a real-quick and dirty scan for the top hall of infamy top 10: Blaster, MyDoom, and 8 more picks.. ;-)
Anyways, I wasn't intending to file a complaint, rather to help try and catch/punish the perpetrators. The sys admin there should download Spade. It's free, and very useful. (search for Sam Spade.)

202.103.247.70 is served from where bird flu viruses originate:
-----------------------------------------------------------
02/13/04 23:11:39 whois 202.103.247.70@whois.apnic.net
whois -h whois.apnic.net 202.103.247.70 ...
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum:      202.103.192.0 - 202.103.255.255
netname:      CHINANET-GX
descr:        CHINANET Guangxi province network
descr:        Data Communication Division
descr:        China Telecom
country:      CN
admin-c:      CH93-AP
tech-c:       CR766-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-GX
changed:      hostmaster@ns.chinanet.cn.net 20000101
status:       ALLOCATED NON-PORTABLE
source:       APNIC

role:         CHINANET GUANGXI
address:      No.35,Minzhu Road,Nanning 530015
country:      CN
phone:        +86-771-2815987
fax-no:       +86-771-2839278
e-mail:       hostmaster@gx163.net
trouble:      send spam reports to hostmaster@gx163.net
trouble:      send abuse reports to hostmaster@gx163.net
trouble:      times in GMT+8
admin-c:      CR76-AP
tech-c:       BD37-AP
nic-hdl:      CR766-AP
remarks:      http://www.gx.cninfo.net
notify:       hostmaster@gx163.net
mnt-by:       MAINT-CHINANET-GX
changed:      hostmaster@gx163.net 20021024
source:       APNIC

person:       Chinanet Hostmaster
address:      No.31 ,jingrong street,beijing
address:      100032
country:      CN
phone:        +86-10-66027112
fax-no:       +86-10-58501144
e-mail:       hostmaster@ns.chinanet.cn.net
e-mail:       anti-spam@ns.chinanet.cn.net
nic-hdl:      CH93-AP
mnt-by:       MAINT-CHINANET
changed:      hostmaster@ns.chinanet.cn.net 20021016
remarks:      hostmaster is not for spam complaint,please send spam complaint to anti-spam@ns.chinanet.cn.net
source:       APNIC
-----------------------------------------------------------
Not to be deceived by their anti-spam stance; --China is probably the biggest spam gateway, with India and Pakistan some way behind.

The machine doesn't return ping, browsing to it times out, and a traceroute looks like this:
-----------------------------------------------------------
02/13/04 22:03:53 Fast traceroute 202.103.247.70
Trace 202.103.247.70 ...
 1  67.68.200.5      13ms   13ms   12ms  TTL: 0  (Toronto-HSE-ppp3774662.sympatico.ca ok)
 2  64.230.254.253   16ms   20ms   19ms  TTL: 0  (No rDNS)
 3  64.230.227.213   14ms   14ms   15ms  TTL: 0  (dis3-montrealak-Vlan101.in.bellnexxia.net ok)
 4  64.230.240.69    15ms   14ms   14ms  TTL: 0  (No rDNS)
 5  64.230.240.9     14ms   13ms   14ms  TTL: 0  (No rDNS)
 6  64.230.240.18    24ms   23ms   24ms  TTL: 0  (No rDNS)
 7  64.230.242.206   25ms   24ms   23ms  TTL: 0  (No rDNS)
 8  64.230.242.201   24ms   22ms   23ms  TTL: 0  (No rDNS)
 9  206.108.101.182  80ms   79ms   80ms  TTL: 0  (core2-vancouver-pos10-2.in.bellnexxia.net ok)
10  206.108.102.209  84ms   85ms   83ms  TTL: 0  (core2-seattle-pos12-0.in.bellnexxia.net ok)
11  206.108.108.150  122ms  120ms  121ms TTL: 0  (core1-paloalto01-pos1-0.in.bellnexxia.net ok)
12  206.108.102.250  122ms  121ms  120ms TTL: 0  (bx1-paloalto01-srp2-0.in.bellnexxia.net ok)
13  206.108.108.174  616ms  597ms  581ms TTL: 0  (No rDNS)
14  202.97.51.193    977ms  907ms  872ms TTL: 0  (No rDNS)
15  202.97.33.149    973ms  908ms  892ms TTL: 0  (p-15-0-r2-c-gdgz-1.cn.net bogus rDNS: host not found [authoritative])
16  202.97.40.198    1095ms 1021ms 1028ms TTL: 0 (No rDNS)
17  202.97.21.158    1112ms 1056ms 1065ms TTL: 0 (No rDNS)
18  218.65.132.59    1110ms 1044ms 1063ms TTL: 0 (No rDNS)
19  No Response  * * *
20  No Response  * * *
21  No Response  * * *
22  No Response  * * *
23  No Response  * * *
24  No Response  * * *
25  No Response  * * *
26  No Response  * * *
27  No Response  * * *
28  No Response  * * *
29  No Response  * * *
-----------------------------------------------------------
The last IP, before the gas nebula begins, belongs to the same people:
-----------------------------------------------------------
whois -h whois.apnic.net 218.65.132.59 ...
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum:      218.65.128.0 - 218.65.255.255
netname:      CHINANET-GX
descr:        CHINANET Guangxi province network
descr:        China Telecom
................................
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-GX
changed:      hostmaster@ns.chinanet.cn.net 20010731
................................
role:         CHINANET GUANGXI
address:      No.35,Minzhu Road,Nanning 530015
country:      CN
phone:        +86-771-2815987
fax-no:       +86-771-2839278
e-mail:       hostmaster@gx163.net
................................
-----------------------------------------------------------
And so are all four IPs before it, 202.97.xxx.xxx. Which means that they make their dubious packets run in circles for a while, within the building, to try and look innocent... If I had a full url, I'd probably be able to verify that the machine at our IP address is used for hosting the types of shady biz that advertise via spam in the first place. 206.108.108.174 is in North America, BTW, part of the Bell system.

Cheers!
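The two checks this message does by hand, reading the relay's Received: headers to find the client address the list server actually accepted the mail from, and pulling the abuse contact out of an RIR whois record for that address, as an added example that is not code from the original thread or from Boost or IU. The mail sample, the hostnames, the 203.0.113.70 address and the whois record are constructed for it, and TRUSTED_RELAYS is an assumed list of the MTAs whose Received: lines you believe.

```python
"""Added example, not code from the original Boost thread.

Two checks the thread does by hand: walk the Received: headers a mail
collected on its way through a trusted relay to find the client IP the
relay actually saw, and pull the abuse contact out of an RIR whois record
for that address. The mail, hostnames, 203.0.113.70 and the whois text
below are constructed for this example; TRUSTED_RELAYS is an assumption.
"""
import ipaddress
import re
from email import message_from_string

# Assumption: only these hosts write Received: lines we believe. Anything
# further down the header stack was supplied by the peer and may be forged.
TRUSTED_RELAYS = {"lists.boost.org", "mx.example.net"}

# Constructed sample: forged From:, relayed by the list host. The second
# Received: line is the one the list host wrote; its bracketed address is
# the TCP peer it accepted the message from, which the client cannot fake.
SAMPLE_MAIL = """\
Received: from lists.boost.org (lists.boost.org [10.0.0.5])
\tby mx.example.net with ESMTP id abc123; Fri, 13 Feb 2004 23:00:01 -0500
Received: from unknown (HELO yahoo.com) ([203.0.113.70])
\tby lists.boost.org with SMTP; Fri, 13 Feb 2004 22:59:50 -0500
From: "Somebody Forged" <forged@example.org>
To: boost@lists.boost.org
Subject: hi

body
"""

# Constructed APNIC-style record, modelled on the fields quoted in the thread.
SAMPLE_WHOIS = """\
% [whois.example node-1]
inetnum:      203.0.113.0 - 203.0.113.255
netname:      EXAMPLE-NET
descr:        Example ISP (constructed record)
country:      ZZ
trouble:      send spam reports to abuse@example-isp.invalid
trouble:      send abuse reports to abuse@example-isp.invalid
trouble:      times in GMT+8
e-mail:       hostmaster@example-isp.invalid
remarks:      hostmaster is not for spam complaint,please send spam complaint to anti-spam@example-isp.invalid
source:       APNIC
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _host(name):
    """Normalise a host token from a Received: line (case, trailing dot)."""
    return name.strip().rstrip(".;").lower()


def parse_received(value):
    """Split one Received: header value into (from_host, by_host, ip).
    Missing parts come back as None; the IP is the first bracketed dotted
    quad that parses, so junk like [999.1.1.1] is ignored."""
    text = " ".join(value.split())
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    ip = None
    for cand in IP_RE.findall(text):
        try:
            ip = str(ipaddress.ip_address(cand))
            break
        except ValueError:
            continue
    return (_host(m_from.group(1)) if m_from else None,
            _host(m_by.group(1)) if m_by else None,
            ip)


def originating_ip(raw_mail, trusted=TRUSTED_RELAYS):
    """Walk Received: lines from newest (top) to oldest and return the peer
    address recorded by the last trusted relay, i.e. the first hop that was
    not one of our own servers. Returns None if the chain of trust breaks
    before any external hop is found."""
    msg = message_from_string(raw_mail)
    for value in msg.get_all("Received", []):
        from_host, by_host, ip = parse_received(value)
        if by_host not in trusted:
            # A line not written by us: everything from here down is hearsay.
            return None
        if from_host not in trusted:
            return ip
    return None


def abuse_contacts(whois_text):
    """Collect the addresses an RIR record says to send abuse reports to,
    in order of appearance, without duplicates."""
    found = []
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip().lower() in ("trouble", "remarks", "abuse-mailbox"):
            for addr in EMAIL_RE.findall(value):
                if addr not in found:
                    found.append(addr)
    return found


if __name__ == "__main__":
    print("originating client:", originating_ip(SAMPLE_MAIL))
    print("report to:", abuse_contacts(SAMPLE_WHOIS))
```

The walk stops at the first hop below a trusted relay and never reads further, so any extra Received: lines the client pasted into its own headers are ignored; that is the property the thread is asking the list server to provide by recording the peer address in the first place.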