Re: Spamming of NANOG list members

[Richard <rgolodner () infratection com>]

On 5/23/19 4:16 PM, Matt Harris wrote:
> On Thu, May 23, 2019 at 4:13 PM Hansen, Christoffer
> <christoffer () netravnen de <mailto:christoffer () netravnen de>> wrote:
>
>     Appreciate the warning!
>
>     On 23/05/2019 19:46, Valerie Wittkop wrote:
>     > These messages are not flowing through NANOG servers, nor using
>     the NANOG domain. They are not messages coming from the NANOG
>     organization. Please be aware if you receive a message matching
>     this description and always make sure to scan attachments for a virus.
>
>     The one I received looked like this:
>
>     > From: "NANOG" <service () cegips pl <mailto:service () cegips pl>>
>
>     ...
>
>     Has it been considered switching to "-all", instead of only "~all" in
>     the spf record?
>
>     > $ dig +short +nocmd +nocomments TXT nanog.org <http://nanog.org>
>     > "v=spf1 include:_spf.google.com <http://spf.google.com>
>     ip4:104.20.199.50 ip4:104.20.198.50  ip4:50.31.151.75
>     ip4:50.31.151.76 ip6:2001:1838:2001:8::19 ip6:2001:1838:2001:8::20
>     ip6:2400:cb00:2048:1::6814:c632 ip6:2400:cb00:2048:1::6814:c732 ~all"
>
>             -Christoffer
>
>
> The SPF record wouldn't make a difference since that email was sent
> from @cegips.pl <http://cegips.pl>, not from @nanog.org
> <http://nanog.org>.  You'd have to change the SPF record for the
> cegips.pl <http://cegips.pl> domain to impact their ability to send
> from that address.  
The one I received was from _rainphil.com_ and came with an ugly Trojan
attached as a PDF.

Has anyone else received this type or am I just fortunate?

Richard Golodner