Message-ID: <1080103735.24153.112.camel@Stargate>
From: nodialtone at comcast.net (Byron Copeland)
Subject: viruses being sent to this list

This message has not been *** Expunged ***

Reason: Because you're a God!

But, nonetheless, truthfully, it isn't any fault of any list managers
here.

-b


On Tue, 2004-03-23 at 23:22, John Sage wrote:
> hmm..
> 
> On Mon, Mar 22, 2004 at 11:32:53PM -0600, Paul Schmehl wrote:
> > From: "Paul Schmehl" <pauls@...allas.edu>
> > To: <full-disclosure@...ts.netsys.com>
> > Subject: Re: [Full-Disclosure] viruses being sent to this list
> > Date: Mon, 22 Mar 2004 23:32:53 -0600
> 
> /* snippage */
> 
> > Not picking on you, your post is just a convenient point to jump in
> > to this "conversation", but I really wonder if anyone thinks before
> > they post any more.  I read Gadi's post, and I happen to know him,
> > so I didn't instantly think he was an idiot or uninformed or naive.
> > Instead, I downloaded the entire raw archives of the list and
> > started grepping for patterns.  What I've found so far is
> > suspicious.  I won't post any results yet, because they're
> > incomplete, but suffice it to say that it is at least *possible*
> > that this list is deliberately being used to spread viruses.  It's
> > equally possible that it's just the random seeding that viruses do
> > these days.  I just don't know for sure yet, one way or the other.
> 
> mutt is my MUA.
> 
> Currently I have 4,924 assorted messages in ~/Mail/in-Full-Disclosure.
> 
> Sorting by size, and picking a familiar size range, we see:
> 
> 3368     Mar 22 ge@...tistical. ( 421) [Full-Disclosure] Re: Thanks :)
> 3369     Mar 11 bugzilla@...hat ( 420) [Full-Disclosure] Hi! :-)
> 3370     Mar 16 nexus@...rol.i- ( 425) [Full-Disclosure] hi
> 3371     Mar 03 psirt@...co.com ( 426) [Full-Disclosure] stolen
> 3372     Mar 01 psirt@...co.com ( 428) [Full-Disclosure] unknown
> 3373     Mar 13 nexus@...rol.i- ( 427) [Full-Disclosure] stolen
> 3374     Jan 26 jyowell@...nedy ( 420) [Full-Disclosure] hello
> 3375     Feb 05 nakal@....de    ( 420) [Full-Disclosure] Test
> 3376     Jan 30 brian@...radio. ( 420) [Full-Disclosure] Server Report
> 3377     Jan 26 http-equiv@...i ( 420) [Full-Disclosure] Status
> 3378     Jan 27 jeff01@...il.un ( 420) [Full-Disclosure] Status
> 3379     Feb 04 jim@...gtrading ( 420) [Full-Disclosure] (no subject)
> 3380     Feb 12 franjime@...co. ( 422) [Full-Disclosure] HELLO
> 3381     Feb 11 psirt@...co.com ( 422) [Full-Disclosure] Hi
> 3382     Jan 27 lsawyer@....com ( 422) [Full-Disclosure] hello
> 3383     Jan 27 http-equiv@...w ( 422) [Full-Disclosure] (no subject)
> 3384     Jan 28 jkarp@...ionael ( 422) [Full-Disclosure] STATUS
> 3385     Feb 07 jim@...gtrading ( 422) [Full-Disclosure] TEST
> 3386     Mar 03 je@...ure.net   ( 424) [Full-Disclosure] TEST
> 3387     Feb 08 hobbit@...an.or ( 424) [Full-Disclosure] Server Report
> 3388     Jan 30 psirt@...co.com ( 424) [Full-Disclosure] (no subject)
> 3389     Feb 09 psirt@...co.com ( 441) [Full-Disclosure] hi
> 3390     Feb 08 joel@...geson.c ( 465) [Full-Disclosure] Error
> 3391     Jan 27 lsawyer@....com ( 466) [Full-Disclosure] Status
> 3392     Feb 26 psirt@...co.com ( 494) [Full-Disclosure] something for you
> 3393     Feb 26 psirt@...co.com ( 494) [Full-Disclosure] something for you
> 3394     Mar 16 phlox@...cast.n ( 496) [Full-Disclosure] greetings
> 
> 
> Without exception, these are all virii-laden. Whether they got here by
> malice or by chance, they all contain the following:
> 
> Received: from NETSYS.COM (localhost [127.0.0.1])
>  by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175;
>  Tue, 16 Mar 2004 20:46:18 -0500 (EST)
> 
> in the "Received: " sequence immediately following the two examples
> below, varying only in the date and timestamp, and ESMTP id.
> 
> 
> Comparing one virus to one known list member (http-equiv -- sorry!) we
> can see an obvious forgery:
> 
> Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124])
>  by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817
>  for <full-disclosure@...ts.netsys.com>; Mon, 26 Jan 2004 17:44:39 -0500
> 
> versus a presumable "real" post:
> 
> Received: from mailrelay.megawebservers.com
>  (mailrelay1-2.megawebservers.com [216.251.35.241])
>  by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220
>  for <full-disclosure@...ts.netsys.com>; Mon, 26 Jan 2004 19:01:43 -0500
> 
> 
> What does this tell us? Virii are getting out via the list; whether
> they are being transmitted inadvertently or deliberately is still open
> to question...
> 
> 
> 
> - John
-- 
"Save yourself from the 'Gates' of hell, use Linux." -- The_Kind @
LinuxNet
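
The header comparison made in the quoted message can be automated. The following is an added example, not part of the original post: it parses sendmail-style Received headers and flags hops where the announced HELO name and the peer's reverse DNS name fall in different domains. The function names and the two-label domain heuristic are assumptions made for illustration.

```python
import re

# Constructed samples: Received headers as quoted in the message above.
SUSPECT = ("Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124])\n"
           " by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817")
LEGIT = ("Received: from mailrelay.megawebservers.com\n"
         " (mailrelay1-2.megawebservers.com [216.251.35.241])\n"
         " by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220")
LOCAL = ("Received: from NETSYS.COM (localhost [127.0.0.1])\n"
         " by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175")

# sendmail style: "from <HELO name> (<reverse DNS name> [<peer IP>])"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)",
    re.IGNORECASE)

def parse_received(header):
    """Unfold a Received header and return its helo/rdns/ip fields, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    m = RECEIVED_RE.match(unfolded)
    return m.groupdict() if m else None

def base_domain(host):
    # Assumption: last two labels approximate the registered domain.
    # A production check would consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def helo_mismatch(header):
    """True if the announced HELO domain differs from the peer's reverse DNS
    domain, False if they agree or the hop is loopback, None if unknown."""
    hop = parse_received(header)
    if hop is None or hop["rdns"] is None:
        return None  # unparseable, or the peer had no reverse DNS to compare
    if hop["ip"].startswith("127.") or hop["ip"] == "::1":
        return False  # local re-injection by the list server itself
    return base_domain(hop["helo"]) != base_domain(hop["rdns"])

if __name__ == "__main__":
    for name, hdr in (("suspect", SUSPECT), ("legit", LEGIT), ("local", LOCAL)):
        print(name, parse_received(hdr), helo_mismatch(hdr))
```

A mismatch is a triage signal rather than proof, since legitimate hosts sometimes announce a name outside their reverse DNS domain.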