[TAG] My apologies
Rick Moen
rick at linuxmafia.com
Wed Jun 8 21:02:42 MSD 2005
Quoting Jack Carlson (jeberjabber at gmail.com):
> I apologize for resending that to everyone. I responded to the email address
> that indicated it was for reporting problems with the mailing list. I
> never meant it to be sent to all.
Looking at the standard mailing list headers:
List-Help: <mailto:tag-request at lists.linuxgazette.net?subject=help>
That (above) is apparently where you meant to send mail. But...
List-Post: <mailto:tag at lists.linuxgazette.net>
...that's where you sent it. Don't take my word for it, though: Check
your outbound mail. You'll find that you sent your missive back out to
everyone, not just to the listadmins. That is why, for example, you
also got a reply from Thomas. (No harm done, though, and thank you for
the explanation.)
> I'm not a complete newbie. My point was that, despite the headers (which I
> did read, thank you for the flaming replies on that point), the spam was
> sent so as to appear to be from TAG.
OK, SMTP Header Analysis 101 is now in session.
Rule number zero: Almost any SMTP header can be forged. The only
information that cannot be forged is the last-hop Received header (which
you have to carefully distinguish from the other Received headers) and
the Return-Path line's IP address (the one starting with "From ", which
will be present if your MUA hasn't stripped it, but often gets removed).
As an aside to the Gang generally, the latter header is why SPF (if
properly implemented) works: Because the Return-Path header reliably
provides the prior-hop SMTP host's IP address, it's possible to vet that
IP against extended-DNS records to see if it's an authorised mail exchanger
for the alleged sending domain.
Checking the Received headers of the spam in question, the SMTP process
at IP 70.85.116.132 handed off the mail to my host, linuxmafia.com aka
lists.linuxgazette.net. (In case it wasn't clear, I'm the sysadmin and
owner of linuxmafia.com.) And that delivering IP appears to belong to
some ISP in Dallas:
~ $ whois 70.85.116.132 | more
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
It's probably yet another virus-infected Windows desktop box, that's
been zombified and is cranking out phishing attempts.
> Obviously TAG would not forward mail from PayPal to members. Obviously this
> spoof has been around the Web for years.
Yes, and? I keep getting the impression that you might be a little
unclear on how SMTP works. So, please don't take offence at this
explanation, which I'm sending just to clarify: Basically any IP
address on Earth could have generated that phishing fraud mail. Armies
of zombie machines at just such random IPs are busy 24x7 cranking out
such mail to basically every e-mail address that's ever been either
displayed in public (e.g., on a Web page) _or_ been in an infected
machine's Outlook / Outlook Express address book, _or_ been found in a
disk cache or similar file on an infected Windows machine.
The posting address (tag at lists.linuxgazette.net) of this mailing list is
(intentionally) published in public on Web pages -- not to mention being
embedded in lots of address books and cached Web pages. Ergo, it's
eminently available to spammers' harvesting scripts.
Once one grasps that, it's not difficult to understand that it will
receive phishing fraud e-mails, Windows virus e-mails, and all manner of
other forged mail. Such as the one in question.
> I was simply wishing to make a point that it appears that the spam
> harvesters have used the TAG mailing list for leads.
Do you have some reason to believe that anything has happened beyond our
very public posting address, harvested from our public Web pages, having
been -- like every other known e-mail address -- the recipient of a
garden variety phishing attempt mail? If so, please do elaborate. But
I think you're misinterpreting. Which was my original point.
> If that's of no concern to anyone else, great.
Here's what's of concern to me:
1. I'm not sure you're really reading my explanations. Honest, I'm not
trying to back you into a corner, just (rather), I'm attempting to
explain what's going on for your and everyone else's benefit. Will you
please just take a deep breath and carefully read my two replies
(including this one)? Thanks.
2. My system's spam-rejection isn't yet as good as it could be. Mind
you, it's much, much better than most -- but I can and should supplement
the SpamAssassin rulesets to make them more reliably catch _all_ of the
phishing scams, instead of almost all, as has been the case.
For what it's worth, no mail of any kind will be accepted, starting half
an hour ago, that purports to come from "security at paypal.com".
> I will still read and recommend The Linux Gazette, but if this is the sort
> of "helpful" response I can expect from TAG, then I will indeed go avail
> myself of the "remove me from this mailing list" option.
> Thanks Thomas and Rick.
You're welcome. I hope this has been enlightening. But please see
.signature block. ;->
--
Cheers,                     "It ain't so much the things we don't know that get us
Rick Moen                    in trouble. It's the things we know that ain't so."
rick at linuxmafia.com          -- Artemus Ward (1834-67), U.S. journalist
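The header-reading rule above (trust only the Received line your own MTA wrote, then vet that IP against what the claimed sender's domain publishes) as an added worked example. This is not Rick's code or anything from the list software; the message below is constructed, and only the connecting IP 70.85.116.132 and the list address come from the post. The AUTHORISED table is a hypothetical stand-in for the DNS record a real SPF check would fetch.

```python
import email
import re
from email import policy
from email.utils import parseaddr

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message.  The topmost Received line was stamped by the
# receiving host (linuxmafia.com); every line beneath it arrived with the mail
# and could have been typed by the sender, so it proves nothing.
SAMPLE = b"""\
Return-Path: <security@paypal.com>
Received: from mail.paypal.com ([70.85.116.132])
\tby linuxmafia.com with ESMTP id CONSTRUCTED0001
\tfor <tag@lists.linuxgazette.net>; Wed, 8 Jun 2005 13:02:10 -0700
Received: from paypal.com (paypal.com [198.51.100.7])
\tby mail.paypal.com with SMTP; Wed, 8 Jun 2005 15:01:55 -0500
From: "PayPal Security" <security@paypal.com>
To: tag@lists.linuxgazette.net
Subject: Your account has been limited

Please verify your account.
"""

def received_headers(raw):
    """Received headers in on-the-wire order: last hop (our own MTA) first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [str(h) for h in msg.get_all("Received", [])]

def last_hop_ip(raw):
    """The one address that cannot be forged: what our MTA saw connecting."""
    m = IP_RE.search(received_headers(raw)[0])
    return m.group(1) if m else None

def claimed_sender_domain(raw):
    """Domain in the From: header, which anyone can write."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

def spf_style_check(ip, domain, authorised):
    """Is the connecting IP one the claimed domain permits to send its mail?"""
    return ip in authorised.get(domain, set())

# Hypothetical permitted-sender list (documentation-range IP, not real data).
AUTHORISED = {"paypal.com": {"192.0.2.10"}}

if __name__ == "__main__":
    ip, dom = last_hop_ip(SAMPLE), claimed_sender_domain(SAMPLE)
    verdict = "permitted" if spf_style_check(ip, dom, AUTHORISED) else "NOT permitted"
    print(f"{ip} claims to be {dom}: {verdict}")  # 70.85.116.132 ... NOT permitted
```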