[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040324042255.GG16873@sparky.finchhaven.net>
From: jsage at finchhaven.com (John Sage)
Subject: viruses being sent to this list
hmm..
On Mon, Mar 22, 2004 at 11:32:53PM -0600, Paul Schmehl wrote:
> From: "Paul Schmehl" <pauls@...allas.edu>
> To: <full-disclosure@...ts.netsys.com>
> Subject: Re: [Full-Disclosure] viruses being sent to this list
> Date: Mon, 22 Mar 2004 23:32:53 -0600
/* snippage */
> Not picking on you, your post is just a convenient point to jump in
> to this "conversation", but I really wonder if anyone thinks before
> they post any more. I read Gadi's post, and I happen to know him,
> so I didn't instantly think he was an idiot or uninformed or naive.
> Instead, I downloaded the entire raw archives of the list and
> started grepping for patterns. What I've found so far is
> suspicious. I won't post any results yet, because they're
> incomplete, but suffice it to say that it is at least *possible*
> that this list is deliberately being used to spread viruses. It's
> equally possible that it's just the random seeding that viruses do
> these days. I just don't know for sure yet, one way or the other.
mutt is my MUA.
Currently I have 4,924 assorted messages in ~/Mail/in-Full-Disclosure.
Sorting by size, and picking a familiar size range, we see:
3368 Mar 22 ge@...tistical. ( 421) [Full-Disclosure] Re: Thanks :)
3369 Mar 11 bugzilla@...hat ( 420) [Full-Disclosure] Hi! :-)
3370 Mar 16 nexus@...rol.i- ( 425) [Full-Disclosure] hi
3371 Mar 03 psirt@...co.com ( 426) [Full-Disclosure] stolen
3372 Mar 01 psirt@...co.com ( 428) [Full-Disclosure] unknown
3373 Mar 13 nexus@...rol.i- ( 427) [Full-Disclosure] stolen
3374 Jan 26 jyowell@...nedy ( 420) [Full-Disclosure] hello
3375 Feb 05 nakal@....de ( 420) [Full-Disclosure] Test
3376 Jan 30 brian@...radio. ( 420) [Full-Disclosure] Server Report
3377 Jan 26 http-equiv@...i ( 420) [Full-Disclosure] Status
3378 Jan 27 jeff01@...il.un ( 420) [Full-Disclosure] Status
3379 Feb 04 jim@...gtrading ( 420) [Full-Disclosure] (no subject)
3380 Feb 12 franjime@...co. ( 422) [Full-Disclosure] HELLO
3381 Feb 11 psirt@...co.com ( 422) [Full-Disclosure] Hi
3382 Jan 27 lsawyer@....com ( 422) [Full-Disclosure] hello
3383 Jan 27 http-equiv@...w ( 422) [Full-Disclosure] (no subject)
3384 Jan 28 jkarp@...ionael ( 422) [Full-Disclosure] STATUS
3385 Feb 07 jim@...gtrading ( 422) [Full-Disclosure] TEST
3386 Mar 03 je@...ure.net ( 424) [Full-Disclosure] TEST
3387 Feb 08 hobbit@...an.or ( 424) [Full-Disclosure] Server Report
3388 Jan 30 psirt@...co.com ( 424) [Full-Disclosure] (no subject)
3389 Feb 09 psirt@...co.com ( 441) [Full-Disclosure] hi
3390 Feb 08 joel@...geson.c ( 465) [Full-Disclosure] Error
3391 Jan 27 lsawyer@....com ( 466) [Full-Disclosure] Status
3392 Feb 26 psirt@...co.com ( 494) [Full-Disclosure] something for you
3393 Feb 26 psirt@...co.com ( 494) [Full-Disclosure] something for you
3394 Mar 16 phlox@...cast.n ( 496) [Full-Disclosure] greetings
Without exception, these are all virii-laden. Whether they got here by
malice or by chance, they all contain the following:
Received: from NETSYS.COM (localhost [127.0.0.1])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175;
Tue, 16 Mar 2004 20:46:18 -0500 (EST)
in the "Received: " sequence immediately following the two examples
below, varying only in the date and timestamp, and ESMPT id.
Comparing one virus to one known list member (http-equiv -- sorry!) we
can see an obvious forgery:
Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817
for <full-disclosure@...ts.netsys.com>; Mon, 26 Jan 2004 17:44:39 -0500
versus a presumable "real" post:
Received: from mailrelay.megawebservers.com
(mailrelay1-2.megawebservers.com [216.251.35.241])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220
for <full-disclosure@...ts.netsys.com>; Mon, 26 Jan 2004 19:01:43 -0500
What does this tell us? Virii are getting out via the list; whether
they are being transmitted inadvertently or deliberately is still open
to question...
- John
--
"Mad cow? You'd be mad too, if someone was trying to eat you."
Powered by blists - more mailing lists