Ok: this is a targeted attack

2013-02-11 Thread Jay Ashworth
Clearly, someone has decided to shoot at me specifically, since this
latest spam supposedly from me:

=
Received: from lpb01.clearspring.com ([206.165.250.240]
 helo=lpb01-a.clearspring.local)
 by sc1.nanog.org with esmtp (Exim 4.80 (FreeBSD))
 (envelope-from em...@addthis.com) id 1U4vc3-000Cq4-9q
 for nanog@nanog.org; Mon, 11 Feb 2013 15:48:11 +
Received: from lpb01.clearspring.local (localhost [127.0.0.1])
 by lpb01-a.clearspring.local (8.14.4/8.14.4) with ESMTP id r1BFm5bG022255
 for nanog@nanog.org; Mon, 11 Feb 2013 10:48:05 -0500
Date: Mon, 11 Feb 2013 10:48:05 -0500
From: j...@baylink.com
To: nanog@nanog.org
Message-ID: <57414784.191289.1360597685530.JavaMail.brainiac@lpb01.clearspring.local>
=

is also about FTTH.

FOR THE RECORD: I don't ever use "send this link to someone", and especially
not to a mailing list; this isn't even my tenth rodeo.

Cheers,
-- jr 'DoS attack?  What's that?' a
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: Ok: this is a targeted attack

2013-02-11 Thread Sean Lazar
Jay, you need to have SPF records for your domain. This will prevent the
spoofing you are seeing.

http://en.wikipedia.org/wiki/Sender_Policy_Framework

$ dig @8.8.8.8 baylink.com TXT

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 baylink.com TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11443
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;baylink.com.			IN	TXT

;; AUTHORITY SECTION:
baylink.com.		194	IN	SOA	localhost. jra.baylink.com. 2011032901 28800 14400 86400 600

;; Query time: 39 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 11 13:36:33 2013
;; MSG SIZE  rcvd: 78

Sean

On 2/11/13 8:19 AM, Jay Ashworth wrote:
> Clearly, someone has decided to shoot at me specifically, since this
> latest spam supposedly from me:
>
> =
> Received: from lpb01.clearspring.com ([206.165.250.240]
>  helo=lpb01-a.clearspring.local)
>  by sc1.nanog.org with esmtp (Exim 4.80 (FreeBSD))
>  (envelope-from em...@addthis.com) id 1U4vc3-000Cq4-9q
>  for nanog@nanog.org; Mon, 11 Feb 2013 15:48:11 +
> Received: from lpb01.clearspring.local (localhost [127.0.0.1])
>  by lpb01-a.clearspring.local (8.14.4/8.14.4) with ESMTP id r1BFm5bG022255
>  for nanog@nanog.org; Mon, 11 Feb 2013 10:48:05 -0500
> Date: Mon, 11 Feb 2013 10:48:05 -0500
> From: j...@baylink.com
> To: nanog@nanog.org
> Message-ID: <57414784.191289.1360597685530.JavaMail.brainiac@lpb01.clearspring.local>
> =
>
> is also about FTTH.
>
> FOR THE RECORD: I don't ever use "send this link to someone", and especially
> not to a mailing list; this isn't even my tenth rodeo.
>
> Cheers,
> -- jr 'DoS attack?  What's that?' a




Re: Ok: this is a targeted attack

2013-02-11 Thread Jay Ashworth
----- Original Message -----
> From: Sean Lazar <kn...@toaster.net>
>
> Jay, you need to have SPF records for your domain. This will prevent
> the spoofing you are seeing.

I should in fact.  

But am I incorrect in thinking that since the envelope address *was not
actually forged*, they wouldn't help here unless *Mailman* also processed
them?

(And alas, that article is itself complicated enough to tell me that I
need to do actual research on the issue, so it won't happen tonight. :-)

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274
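An added example, not code from the thread, that makes Jay's point concrete: SPF is evaluated for the envelope-from domain recorded in the Exim Received line (addthis.com), so a record published for baylink.com is never consulted, and only an extra check that compares the header From domain with the envelope domain would flag this message. The SPF records in the table are hypothetical (the dig output shows baylink.com had none), and the evaluator handles only the ip4 and all mechanisms.

```python
import ipaddress
import re

# Constructed copy of the headers Jay quoted (addresses obfuscated as on the page).
HEADERS = """\
Received: from lpb01.clearspring.com ([206.165.250.240]
 helo=lpb01-a.clearspring.local)
 by sc1.nanog.org with esmtp (Exim 4.80 (FreeBSD))
 (envelope-from em...@addthis.com) id 1U4vc3-000Cq4-9q
 for nanog@nanog.org; Mon, 11 Feb 2013 15:48:11 +0000
From: j...@baylink.com
To: nanog@nanog.org
"""
# Hypothetical SPF records: baylink.com had none at the time, and the addthis.com
# record is invented so that the sending IP is authorized, as a real share service's would be.
SPF = {
    "addthis.com": "v=spf1 ip4:206.165.250.0/24 -all",
    "baylink.com": "v=spf1 ip4:198.51.100.10 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def identities(raw):
    """Return (client_ip, envelope_from_domain, header_from_domain)."""
    text = re.sub(r"\r?\n[ \t]+", " ", raw)  # unfold RFC 5322 continuation lines
    ip = re.search(r"Received: from \S+ \(\[([\d.]+)\]", text).group(1)
    env = re.search(r"\(envelope-from (\S+?)\)", text).group(1)
    hdr = re.search(r"^From: (\S+)$", text, re.M).group(1)
    return ip, env.split("@")[1], hdr.split("@")[1]

def spf_check(domain, ip):
    """Minimal SPF evaluator: ip4 and all mechanisms only; no record -> 'none'."""
    rec = SPF.get(domain)
    if rec is None:
        return "none"
    for term in rec.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qual]
        if mech.startswith("ip4:") and ipaddress.ip_address(ip) in \
                ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qual]
    return "neutral"  # no mechanism matched and no 'all' term

def verdict(raw):
    """SPF runs against the envelope domain; the header From is never consulted."""
    ip, env_dom, hdr_dom = identities(raw)
    return {"spf_domain": env_dom, "spf": spf_check(env_dom, ip),
            "header_from": hdr_dom, "aligned": env_dom == hdr_dom}
```

For the quoted message the result is SPF pass for addthis.com with `aligned` false, which is the alignment check a list server or MTA would need on top of SPF and what DMARC later standardized.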



Re: Ok: this is a targeted attack

2013-02-11 Thread Rob McEwen
On 2/11/2013 4:39 PM, Sean Lazar wrote:
> Jay, you need to have SPF records for your domain. This will prevent the
> spoofing you are seeing.

yep, while the purpose and effectiveness of SPF records are generally
VERY overrated... yet for a situation like this, an SPF record is VERY
valuable and it would be advised that you set this to a rather strict
record for a period of time. (just try to account for all the various
3rd party sending scenarios your users do, like sending from a
blackberry server, or e-mail forwarding, for any other situation where a
legit 3rd party IP would be legitimately sending mail with a from
address using your domain, etc.)

Then again, if this is spear phishing or very personalized harassment,
then the value of an SPF record would be somewhat uncharted territory
(at least for me)... it would be interesting to see if that improves
things. But, at the least, it would likely help some.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




Re: Ok: this is a targeted attack

2013-02-11 Thread PC
An SPF record will probably only add value if the receiving mail server for
the nanog list uses them to restrict allowed senders for the domain.


On Mon, Feb 11, 2013 at 2:51 PM, Rob McEwen <r...@invaluement.com> wrote:

> On 2/11/2013 4:39 PM, Sean Lazar wrote:
>> Jay, you need to have SPF records for your domain. This will prevent the
>> spoofing you are seeing.
>
> yep, while the purpose and effectiveness of SPF records are generally
> VERY overrated... yet for a situation like this, an SPF record is VERY
> valuable and it would be advised that you set this to a rather strict
> record for a period of time. (just try to account for all the various
> 3rd party sending scenarios your users do, like sending from a
> blackberry server, or e-mail forwarding, for any other situation where a
> legit 3rd party IP would be legitimately sending mail with a from
> address using your domain, etc.)
>
> Then again, if this is spear phishing or very personalized harassment,
> then the value of an SPF record would be somewhat uncharted territory
> (at least for me)... it would be interesting to see if that improves
> things. But, at the least, it would likely help some.
>
> --
> Rob McEwen
> http://dnsbl.invaluement.com/
> r...@invaluement.com
> +1 (478) 475-9032





Re: Ok: this is a targeted attack

2013-02-11 Thread Rich Kulawiec
On Mon, Feb 11, 2013 at 01:39:18PM -0800, Sean Lazar wrote:
> Jay, you need to have SPF records for your domain. This will prevent the
> spoofing you are seeing.

(a) SPF is just about entirely worthless and (b) if someone really has
it in for Jay and has at least minimal competence, it won't stop them --
minor variations in their tactics would suffice.

---rsk