
Quoting Craig Sanders (cas@taz.net.au):
> are they spamming to the list or directly to list subscribers?
Both to the mailing list and to individual addresses who are established correspondents with the forged sender. (This is obvious to me because I run in very much the same circles.) I retained only one of the ~6 forged mails sent out purporting to be from Michael Siladi today (the BASFA one), but many of the mailing lists (unlike BASFA's) have no public archives, and some of the Cc/To co-recipients were probably not subscribers, either.
> spamming a list and forging a sender-address trawled from the list archives (or via a spammer subscribing and archiving the list) has long been a spammer practice.
> ditto with sending to addresses known to be subscribed to a list, with forged from address also known to be subscribed.
All of these things are individually old, though forging the envelope header too hasn't been the general rule. What's new, it appears to me, is the intelligent use of traffic analysis in composition of the payload and set of recipients. I'm seeing a greatly more focussed targeting of credible correspondents only and inclusion of body-text snippets actually characteristic of the forged sender. (I'm really _not_ new to this. ;-> )

Let me elaborate on my surmise: Both the Never Say Anything people in Fort Meade, their various Five Eyes co-conspirators in Australia, Canada, Enn-Zed, and the UK, and an increasing tribe of corporate bandits such as Palantir Technologies, have lately made fashionable setting loose Bayesian classifier software on large traffic data sets, looking for exploitable patterns. Operators of botnets vacuum up huge datasets all the time, about malware-infected MS-Windows users' associates and the mutual communication back and forth.

It was only a matter of time before botnet-using criminal enterprises started doing the NSA thing on their dataset and using traffic analysis to programmatically craft much-smarter spam. I think that day has recently come.

And I think that MTAs that service mailing lists are going to soon need to be _really_ diligent about validating posters' domains MX IPs. Which, in turn, is going to require domain owners to get serious about consistently providing authentication data. My domain does. Michael Siladi's large, established ISP, Netcom, still doesn't.

Just a data point. Make of it what you will.
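The check the message above argues list-serving MTAs will need (validating that the host submitting a post is one the poster's domain actually authorizes) is, in practice, an SPF evaluation. The following is an added illustration, not code from either correspondent or from any list software they run: a minimal SPF evaluator that supports the `ip4`, `ip6`, `a`, `mx` and `all` mechanisms, plus a mailing-list admission policy built on its result. It assumes that "authentication data" means an SPF TXT record (the message does not name a mechanism), and it uses a constructed in-memory DNS table with documentation-range addresses so it runs offline; the domains `example.org` and `no-spf.example` and every address in the table are made up for the example.

```python
import ipaddress

# Constructed stand-in for a DNS resolver. Assumption: the poster's domain
# publishes an SPF record as its "authentication data"; no-spf.example
# models a provider that publishes nothing (like the ISP in the message).
FAKE_DNS = {
    ("example.org", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["198.51.100.25"],
    ("no-spf.example", "TXT"): [],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve (name, record type) against the constructed table."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def get_spf(domain):
    """Return the domain's SPF record text, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def host_addresses(hostname):
    """A records of a host, as ip_address objects."""
    return [ipaddress.ip_address(a) for a in lookup(hostname, "A")]


def evaluate_spf(domain, client_ip):
    """Evaluate the domain's SPF record for a connecting IP.

    Returns one of: pass, fail, softfail, neutral, none.
    Mechanisms handled: ip4, ip6, a, mx, all. Anything else (include,
    exists, redirect=) is skipped here for brevity; a production
    evaluator must follow those, respecting the RFC 7208 lookup limits.
    """
    record = get_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address never matches a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in host_addresses(arg or domain)
        elif mech == "mx":
            matched = any(ip in host_addresses(mx) for mx in lookup(arg or domain, "MX"))
        else:
            continue  # unsupported mechanism: ignored in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def list_post_decision(sender_domain, client_ip):
    """Admission policy for a list MTA.

    'fail' is rejected outright; 'none' (domain publishes no data) is
    accepted but flagged, which is exactly the gap the message complains
    about: with no authentication data, a forgery cannot be told apart
    from a genuine post.
    """
    result = evaluate_spf(sender_domain, client_ip)
    if result == "fail":
        return "reject"
    if result in ("softfail", "neutral", "none"):
        return "accept-flagged"
    return "accept"


if __name__ == "__main__":
    for domain, ip in [("example.org", "192.0.2.7"),
                       ("example.org", "198.51.100.25"),
                       ("example.org", "203.0.113.9"),
                       ("no-spf.example", "203.0.113.9")]:
        print(domain, ip, evaluate_spf(domain, ip), list_post_decision(domain, ip))
```

Note that SPF binds the connecting IP to the envelope sender (and HELO) domain, not to the header `From:`; a forgery that keeps a benign envelope sender while faking the visible `From:` is caught only by a check on the header domain, which is the role DMARC fills on top of SPF.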