Snowhite and the Seven Dwarfs - The REAL story!
[1/9] from: belymt:saunalahti:fi at: 20-Jun-2001 22:46
Apparently someone on this list HAS got his PC infected with a virus. Lucky for the rest of us that the mailing list application removes all attachments. Please scan your machines.
List maintainer, can you check out from where that E-mail is coming? It would help a lot of people if you could post IP address etc.
Joanna
At 12:02 20.6.2001 -0700, you wrote:
[2/9] from: depotcity:telus at: 20-Jun-2001 13:13
Hmm, methinks I could write a script that would compare one e-mail to many, check for similar spelling mistakes and grammar, and thus deduce who is the true author of erroneous e-mails.
TBrownell
[3/9] from: depotcity:telus at: 21-Jun-2001 0:38
Great, now I know it's [hahaha--hotmail--com]
TB
[4/9] from: sqlab:gmx at: 21-Jun-2001 9:54
> Great, now I know its [hahaha--hotmail--com]
> TB
<<quoted lines omitted: 8>>
> > AR
> >
When I said source I meant not only the content, but this;
>From - Thu Jun 21 08:28:01 2001
X-UIDL: beff789273f9c8cc580fa1e0212d9491
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <[rebol-bounce--rebol--com]>
X-Flags: 0000
Delivered-To: GMX delivery to [sqlab--gmx--net]
Received: (qmail 2713 invoked by uid 0); 20 Jun 2001 19:24:12 -0000
Received: from brando.rebol.net (126.96.36.199)
  by mx0.gmx.net (mx005-rz3) with SMTP; 20 Jun 2001 19:24:12 -0000
Received: from office.rebol.net (office.rebol.net [188.8.131.52])
  by brando.rebol.net (8.10.1/8.10.1) with ESMTP id f5KJNCL13485;
  Wed, 20 Jun 2001 12:23:12 -0700
Received: from office.rebol.net (localhost [127.0.0.1])
  by office.rebol.net (8.10.1/8.10.1) with ESMTP id f5KJ5RQ24789;
  Wed, 20 Jun 2001 12:05:27 -0700
Received: with LISTAR (v0.129a; list rebol); Wed, 20 Jun 2001 12:05:27 -0700 (PDT)
Received: from brando.rebol.net (IDENT:[root--brando--rebol--net] [184.108.40.206])
  by office.rebol.net (8.10.1/8.10.1) with ESMTP id f5KJ2nQ24763
  for <[rebol-list--lists--rebol--net]>; Wed, 20 Jun 2001 12:02:49 -0700
Received: from pc1 ([220.127.116.11])
  by brando.rebol.net (8.10.1/8.10.1) with SMTP id f5KJ2YL13322
  for <[rebol-list--rebol--net]>; Wed, 20 Jun 2001 12:02:35 -0700
Date: Wed, 20 Jun 2001 12:02:35 -0700
Message-Id: <[200106201902--f5KJ2YL13322--brando--rebol--net]>
From: Hahaha <[hahaha--sexyfun--net]>
Subject: [REBOL] Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-type: text/plain
X-archive-position: 7914
X-Approved-By: [holger--rebol--com]
X-listar-version: Listar v0.129a
X-original-sender: [holger--rebol--com]
Precedence: bulk
Reply-to: [rebol-list--rebol--com]
X-list: rebol
To: [sqlab--gmx--net]

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

-- Binary/unsupported file stripped by Listar --
-- Type: application/octet-stream
-- File: dwarf4you.exe
[5/9] from: gjones05:mail:orion at: 21-Jun-2001 6:10
> Or you could look at the source of the
> mail and see where it comes from.)
> > >
> > > hint
> > > X-original-sender: h..........
> > >
The header section also shows the originating IP. This IP maps to a dynamic range in the UK (meaning likely dial-up in Sheffield area??). The first three components of the IP tuple do not show up in email headers for the last 4+ months.
If anyone with a Windows PC wishes to get a freebie scan for viruses, check out PC Pitstop: http://www.pcpitstop.com/default.asp
--Scott Jones
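Added example (not part of any post in this thread): a Python sketch of the header reading discussed above, walking the Received chain oldest-first and stopping at the oldest hop written by a server the reader trusts. The function names `received_chain` and `first_trusted_hop` and the trust-by-suffix rule are assumptions for illustration; the sample is an excerpt of the headers quoted in message 4, addresses as archived.

```python
import re
from email import message_from_string

# Excerpt of the headers quoted in message 4 of this thread, addresses as archived.
RAW = """\
Received: from brando.rebol.net (126.96.36.199)
  by mx0.gmx.net (mx005-rz3) with SMTP; 20 Jun 2001 19:24:12 -0000
Received: with LISTAR (v0.129a; list rebol); Wed, 20 Jun 2001 12:05:27 -0700 (PDT)
Received: from brando.rebol.net (IDENT:[root--brando--rebol--net] [184.108.40.206])
  by office.rebol.net (8.10.1/8.10.1) with ESMTP id f5KJ2nQ24763
  for <[rebol-list--lists--rebol--net]>; Wed, 20 Jun 2001 12:02:49 -0700
Received: from pc1 ([220.127.116.11])
  by brando.rebol.net (8.10.1/8.10.1) with SMTP id f5KJ2YL13322
  for <[rebol-list--rebol--net]>; Wed, 20 Jun 2001 12:02:35 -0700
From: Hahaha <[hahaha--sexyfun--net]>
X-original-sender: [holger--rebol--com]

(body omitted)
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<seen>[^)]*)\)\s+by\s+(?P<by>\S+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def received_chain(raw):
    """Return relay hops oldest-first; each Received line is prepended, so reverse."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))    # unfold continuation lines
        if not m:
            continue                                # e.g. the LISTAR processing stamp
        ip = IPV4.search(m["seen"])
        hops.append({"helo": m["helo"],             # name the client claimed
                     "ip": ip.group() if ip else None,  # address the server saw
                     "by": m["by"]})                # server that wrote the line
    return hops

def first_trusted_hop(raw, trusted_suffixes):
    """Oldest hop written by a server we trust; anything older can be forged."""
    for hop in received_chain(raw):
        if hop["by"].endswith(tuple(trusted_suffixes)):
            return hop
    return None

if __name__ == "__main__":
    for hop in received_chain(RAW):
        print(hop)
    print("origin:", first_trusted_hop(RAW, [".rebol.net"]))
```

The From and X-original-sender lines are never consulted: only the address a trusted server recorded for the connecting client is used, while the `helo` name is whatever that client chose to announce.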
[6/9] from: javierd:closeup:mx at: 21-Jun-2001 14:57
> List maintainer, can you check out from where that E-mail is coming? It
> would help a lot of people if you could post IP address etc..
Unfortunately, the Hybris virus fakes the address, so it seems to arrive from the same address [hahaha--sexyfun--net]. Although it is possible to scan the server it comes from. The funny part is that a company registered the domain and put up info about the virus.
Javier Delgado
[7/9] from: gschwarz:netconnect:au at: 22-Jun-2001 11:15
At NetConnect we have looked up the IP address against our logs to find the customer with the virus-infected computer. Not hard to do (20 sec job), now we send the customer an e-mail (automatic) when they try to send a virus from their computer.
Regards,
Greg
[8/9] from: allen:aussieweb:au at: 22-Jun-2001 12:32
Looking at the X-Original-Sender field it implies it came from Holger.

MIME-Version: 1.0
Content-type: text/plain
X-archive-position: 7914
X-Approved-By: [holger--rebol--com]
X-listar-version: Listar v0.129a
X-original-sender: [holger--rebol--com]
Precedence: bulk
Reply-to: [rebol-list--rebol--com]
X-list: rebol

Cheers,
Allen K
[9/9] from: ralph:abooks at: 22-Jun-2001 9:07
*tsk*, *tsk* Holger<g>. Seriously, I get the Snowhite virus here several times a week and have for at least two years. Whoever's sending it out is certainly persistent. Our proxy server is set up to filter out viruses but report them to me and Snowhite is by far the most prevalent.
--Ralph
Ralph Roberts, CEO
ALEXANDER BOOKS/ Creativity, Inc.
65 Macedonia Road
Alexander, NC 28701 USA
800-472-0438 tollfree voice & fax U.S./Canada
828-255-8719 voice & fax worldwide
http://abooks.com
$5 Blowout special on Stan Veit's HISTORY OF THE PC http://1-b.net/historypc.html while quantities last!
- Quoted lines have been omitted from some messages.