worms in maillist
[1/9] from: tomc::darkwing::uoregon::edu at: 26-Aug-2003 11:48
howdy,
just a heads up.
my spamassassin is catching viruses (supposedly) from people on rebol lists
i.e:
+ 701 Aug 26 [feedback--rebol--net] (102K) Re: Your application
+ N 706 Aug 26 [ryancole--usa--com] (102K) Re: That movie
+ N 707 Aug 26 [jr--prolific--com] (102K) Re: That movie
so someone on the list is apt to be infected...
[2/9] from: gchiu:compkarori at: 27-Aug-2003 10:45
Tom,
This seems a little odd/inefficient that the virus is
sending multiple copies of itself to the same person using
different from addresses.
Perhaps there are multiple persons on the list who are
infected??
On Tue, 26 Aug 2003 11:48:30 -0700 (PDT)
Tom Conlin <[tomc--darkwing--uoregon--edu]> wrote:
>howdy,
>just a heads up.
<<quoted lines omitted: 8>>
>That movie
>so someone on the list is apt to be infected...
--
Graham Chiu
http://www.compkarori.com/vanilla
Rebol Encyclopaedia Project and Weblog
[3/9] from: tomc:darkwing:uoregon at: 26-Aug-2003 16:29
Hi Graham,
truth can be stranger than fiction ... that is exactly what is being done.
--------------------------------------------------------
Return-Path: <[feedback--rebol--net]>
Received: from GIGI (lns-p19-18-82-65-116-60.adsl.proxad.net
[82.65.116.60])
--------------------------------------------------------
Return-Path: <[ryancole--usa--com]>
Received: from GIGI (lns-p19-18-82-65-116-60.adsl.proxad.net
[82.65.116.60])
--------------------------------------------------------
Return-Path: <[jr--prolific--com]>
Received: from GIGI (lns-p19-18-82-65-116-60.adsl.proxad.net
[82.65.116.60])
--------------------------------------------------------
... 12 copies between
Tue, 26 Aug 2003 07:35:42 -0700 (PDT)
and
Tue, 26 Aug 2003 10:17:17 -0700 (PDT)
they only would need one address book to achieve this pinnacle of stupidity
(... maybe they are hoping to get in via a whitelist)
On Wed, 27 Aug 2003, Graham Chiu wrote:
[4/9] from: gchiu:compkarori at: 27-Aug-2003 15:03
Hi Tom,
At least you've narrowed it down to one of the list
members in France using ADSL :)
On Tue, 26 Aug 2003 16:29:43 -0700 (PDT)
Tom Conlin <[tomc--darkwing--uoregon--edu]> wrote:
>truth can be stranger than fiction ... that is exactly
>what is being done.
<<quoted lines omitted: 3>>
>(lns-p19-18-82-65-116-60.adsl.proxad.net
>[82.65.116.60])
--
Graham Chiu
[5/9] from: g:santilli:tiscalinet:it at: 27-Aug-2003 9:52
Hi Tom,
On Tuesday, August 26, 2003, 8:48:30 PM, you wrote:
TC> so someone on the list is apt to be infected...
I got some with ML people emails too, so it looks like it'd be
better for everyone here to check his/her antivirus. :-)
Regards,
Gabriele.
--
Gabriele Santilli <[g--santilli--tiscalinet--it]> -- REBOL Programmer
Amiga Group Italia sez. L'Aquila --- SOON: http://www.rebol.it/
[6/9] from: g:santilli:tiscalinet:it at: 27-Aug-2003 9:54
Hi Graham,
On Wednesday, August 27, 2003, 12:45:05 AM, you wrote:
GC> This seems a little odd/inefficient that the virus is
GC> sending multiple copies of itself to the same person using
GC> different from addresses.
Actually, this virus does exactly that. We've had customers
getting hundreds of messages PER HOUR from the same infected
person...
Regards,
Gabriele.
--
Gabriele Santilli <[g--santilli--tiscalinet--it]> -- REBOL Programmer
Amiga Group Italia sez. L'Aquila --- SOON: http://www.rebol.it/
[7/9] from: tomc:darkwing:uoregon at: 27-Aug-2003 14:17
well got another 40+ today,
these are from the same Paris, France provider. proxad.net
Received: from GIGI (lns-th2-7-82-64-104-120.adsl.proxad.net
[82.64.104.120])
Graham does your rebol list search engine look into the headers as well?
Maybe we could narrow whodunit down further.
On Wed, 27 Aug 2003, Graham Chiu wrote:
[8/9] from: gchiu:compkarori at: 28-Aug-2003 12:02
Tom,
My search engine is not up to date unfortunately, but I
did scan my email archive and this did not bring up this
PC "GIGI" or the ip address assigned to this user of
82.64.102.120 so I can't help identify him/her further.
Perhaps a note to the ISP is in order?
On Wed, 27 Aug 2003 14:17:15 -0700 (PDT)
Tom Conlin <[tomc--darkwing--uoregon--edu]> wrote:
>well got another 40+ today,
>these are from the same Paris, France provider.
>proxad.net
>
--
Graham Chiu
[9/9] from: r3b0l:free at: 29-Aug-2003 9:53
On 27-Aug-03, you wrote:
> At least you've narrowed it down to one of the list
> members in France using ADSL :)
<<quoted lines omitted: 8>>
>> (lns-p19-18-82-65-116-60.adsl.proxad.net
>> [82.65.116.60])
Yes, I confirm, Proxad is a big French ISP (http://www.free.fr/) especially with ADSL.
If you use a poor OS like Win2k/XP too, you could too initiate a virus just by browsing.
So check your patches and antivirus please, especially frenchies, to avoid those lame
viruses like Sobig.F and Lovesan...
Note to the French: Windows users, it's all very well to make the REBOLution, but also
think about using a real mailer (not that Outlook junk, a real sieve for "viruses
for dummies"), something like Eudora or Pegasusmail, and about using an up-to-date antivirus (sophos
or aep for example) + applying the right patches to plug most of the many
security holes in Windows. The rest of the world thanks you in advance ;-)
No problem here, I use an Amiga 4000T and a Pegasos (Amiga PowerPC G3/G4 clone under
MorphOS) for mail and browse.
Arnaud aka bIgdAn
East of France
PS: I'll send an email to free support and rebolfrance website to identify the infected
user (probably an email with domain free.fr or online.fr ;-)
--
email : [rebol--migazone--com] or [r3b0l--free--fr]
Site of the day : http://cristal.inria.fr/~harley/pint.html
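
The header comparison done by hand in messages 3 and 7 (many different Return-Path addresses, one submitting host) can be automated over a mail archive. The following is an added example, not part of the original thread: the sender addresses and the `mail.other.example` message are constructed, while the `GIGI` Received lines are the ones quoted above.

```python
import re
from collections import defaultdict
from email import message_from_string

# "from HELO (reverse-dns [ip])", the shape of the Received lines quoted in the thread.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def relay_of(raw):
    """Return (envelope_sender, helo, ip) taken from the topmost Received header.

    The topmost header is the hop the receiving server recorded itself;
    headers below it are supplied by the sending side and can be forged.
    """
    msg = message_from_string(raw)
    sender = (msg.get("Return-Path") or "").strip("<> \t").lower()
    received = " ".join((msg.get("Received") or "").split())  # unfold continuation lines
    m = RECEIVED_RE.search(received)
    return (sender, m.group(1), m.group(3)) if m else (sender, None, None)

def forged_sender_hosts(raw_messages, min_senders=3):
    """Report HELO names that delivered mail under many different envelope senders."""
    seen = defaultdict(lambda: {"ips": set(), "senders": set()})
    for raw in raw_messages:
        sender, helo, ip = relay_of(raw)
        if helo:
            seen[helo]["ips"].add(ip)
            seen[helo]["senders"].add(sender)
    return {h: {k: sorted(v) for k, v in d.items()}
            for h, d in seen.items() if len(d["senders"]) >= min_senders}

def make_sample(sender, helo, rdns, ip):
    # Constructed message: only the Received shape and the GIGI host come from the thread.
    return (f"Return-Path: <{sender}>\nReceived: from {helo} ({rdns}\n\t[{ip}])\n"
            f"Subject: Re: That movie\n\n(body omitted)\n")

SAMPLES = [
    make_sample("alice@one.example", "GIGI", "lns-p19-18-82-65-116-60.adsl.proxad.net", "82.65.116.60"),
    make_sample("bob@two.example", "GIGI", "lns-p19-18-82-65-116-60.adsl.proxad.net", "82.65.116.60"),
    make_sample("carol@three.example", "GIGI", "lns-th2-7-82-64-104-120.adsl.proxad.net", "82.64.104.120"),
    make_sample("dave@other.example", "mail.other.example", "mail.other.example", "192.0.2.25"),
]

if __name__ == "__main__":
    for helo, info in forged_sender_hosts(SAMPLES).items():
        print(helo, info["ips"], info["senders"])
```

Grouping on the HELO name rather than the IP keeps the two days of traffic together, since the dial-up address changed between messages 3 and 7 while the PC name did not.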