[unisog] Changes to the administration of the Unisog list.

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sun Jan 7 04:04:05 GMT 2007


On Sat, 06 Jan 2007 15:36:45 PST, Saqib Ali said:

> But there are still people who subscribe to the list and then send the
> spam message, unfortunately.

It might be enlightening to look at the Received: headers in more detail -
remember that very little spam is actually from the address listed in the
From: field (except on rare occasions, totally accidentally).

It's *quite* possible that what's happened is that some poor person out there
has managed to get infected with a worm or spamware that scrapes the local
disk for addresses to forge.  And as a result, it happens to find the list's
address and uses it for a spam victim, and somebody who posted to the list
and uses that as the source address.  And when you consider that the
address could be scraped from a CC: field or similar, it's possible that
the actual source isn't even a subscriber (the requirement is only that
the address have gotten on the disk *somehow*).

Of course, locality-of-reference constraints make it more *probable* that
the spam is sent from a subscriber - but the chances are good to excellent
that the source is somebody other than the claimed address.

(I'm painfully aware of this phenomenon - every time a new worm comes out,
half the world's A/V software sends me backscatter spam claiming I sent
them a Windows virus from my Linux laptop.  Blech. A pox on them... :)
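
The Received: inspection suggested above, as an added example that is not part of the original post: it walks the headers newest-first, believes only lines written by relays the reader trusts, and reports the peer that handed the message in, next to the domain claimed in From:. The sample message, the host names, the trusted-relay set, the helper name `injection_point` and the Postfix-style header layout are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the list archive); example.* hosts and
# documentation IP ranges. The bottom Received: line is the kind a sender forges.
SAMPLE = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.reader.example (Postfix) with ESMTP id AAA111;
\tSat, 6 Jan 2007 15:40:02 -0800
Received: from mail.campus.example (dsl-77.isp.example [203.0.113.77])
\tby lists.example.org (Postfix) with SMTP id BBB222;
\tSat, 6 Jan 2007 15:39:58 -0800
Received: from mail.campus.example (mail.campus.example [198.51.100.5])
\tby relay.elsewhere.example with ESMTP id CCC333;
\tSat, 6 Jan 2007 15:30:00 -0800
From: Some Poster <poster@campus.example>
To: list@lists.example.org
Subject: constructed sample

body
"""

# Assumes Postfix-style "from HELO (rdns [ip]) by HOST"; other MTAs differ.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def injection_point(raw, trusted):
    """Return the peer recorded by the last trusted relay, or None.

    Received: lines are read newest first. Only lines written by hosts in
    `trusted` are believed; anything below the first untrusted writer is
    sender-controlled and ignored.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m or m.group(4).lower() not in trusted:
            return None                      # chain of trust broken
        helo, rdns, ip = m.group(1), m.group(2).lower(), m.group(3)
        if rdns in trusted:
            continue                         # internal hand-off, keep walking
        return {"helo": helo, "rdns": rdns, "ip": ip,
                "from_domain": from_domain,
                "rdns_matches_from": rdns == from_domain
                                     or rdns.endswith("." + from_domain)}
    return None

if __name__ == "__main__":
    print(injection_point(SAMPLE, {"mx.reader.example", "lists.example.org"}))
```

In the sample, the HELO name agrees with the From: domain but the reverse DNS recorded by the list server does not, and the third Received: line is never consulted because no trusted host wrote it.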