comp.lang.ada
From: "Stephane Richard" <stephane.richard@verizon.net>
Subject: Re: Current "Swen" worm attack
Date: Mon, 22 Sep 2003 10:27:47 GMT
Message-ID: <D8Abb.13208$Uv2.1249@nwrdny02.gnilink.net>
In-Reply-To: e2e5731a.0309211905.2a77a257@posting.google.com


In my case (100 of them per hour)... all ranging from "undeliverable
message", to "Security updates", to whatever else there could be... "Report
from Admin", "Letter", you name it... all different From lines to Subject
lines. It put my regular email over quota quite fast... which is why I posted
my change of email for my http://www.adaworld.com website.

To me a mind (hacker's mind that is) that seems to be limited to the fact
that they "think" they gain power by attempting to destroy others' systems
and servers is nothing more than a "VERY primitive mind indeed".  Don't know
what they are trying to prove, and to whom, but they only prove their
stupidity and ignorance to me, nothing else.

-- 
Stéphane Richard
Http://www.adaworld.com webmaster


"Alexander Kopilovitch" <aek@vib.usr.pu.ru> wrote in message
news:e2e5731a.0309211905.2a77a257@posting.google.com...
> sk wrote (I got that by gateway digest, but strangely enough, couldn't
> find it in comp.lang.ada via Google and another news-server, so I reply
> in a separate message):
>
> >The last 4 days have given me 13 attempted "swen" attacks ...
>
> You are very lucky - just 13!  I got several hundred of them in the last
> 3 days, and they still continue to arrive. I never before experienced an
> attack of comparable volume, and I still can't guess why I became such a
> prominent target now (all my friends, both here and in USA, did not see
> anything unusual in their traffic these days).
>
> >Most seem to have, somewhere in the headers, some relation
> >to the cla mailing list ("ada-bouncer" in the "Received: "
> >fields or "List-Id: comp.lang.ada" in the header).
>
> I did not look (quite naturally -;) into all those viruses I received
> these days, but several ones that I explored had relevance neither to
> c.l.a. nor to the people visible in c.l.a. Generally, the population of
> senders of those viruses seems (by their real addresses) quite
> respectable - they have well-known mail providers (no hotmail, yahoo or
> other free public mail servers), they often have names looking like a
> normal person's name... One virus even came from the domain
> cira.premier-ministre.gouv.fr -;)
>
> Among those (several hundred) viruses only one seems somehow
> interesting (all others that I explored look like quite common messages,
> although with forged "From:" fields). Here are its headers:
>
> ---------------------------------------------------------------------------
> From hqlgu!microsoft.com!rmailroutine Sun Sep 21 05:26:10 2003
> Received: by vib.usr.pu.ru (UUPC/@ v7.00, 07Jan97) with UUCP
>           id AA01553; Sun, 21 Sep 2003 05:26:10 +0400 (MSD)
> Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
>           by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id TAA09858
>           for <aek@vib.usr.pu.ru>; Sat, 20 Sep 2003 19:56:38 GMT
> Received: from asteroids.cybercomm.nl (arkanoid.scarlet-internet.nl [213.204.195.164])
>           by becha.pu.ru (8.12.8p1/8.12.8) with SMTP id h8KKITbI047393
>           for <aek@vib.usr.pu.ru>; Sun, 21 Sep 2003 00:18:29 +0400 (MSD)
>           (envelope-from rmailroutine@microsoft.com)
> Date: Sun, 21 Sep 2003 00:18:29 +0400 (MSD)
> Message-Id: <200309202018.h8KKITbI047393@becha.pu.ru>
> Received: (qmail-ldap/ctrl 12094 invoked from network); 20 Sep 2003 19:56:22 -0000
> Received: from unknown (HELO ?192.168.0.2?) ([213.196.18.100])
>           (envelope-sender <rmailroutine@microsoft.com>)
>           by cybercomm.vsp.scarlet-internet.nl (qmail-ldap-1.03) with SMTP
>           for <tojo@hotmail.com>; 20 Sep 2003 19:56:22 -0000
> Received: from FQCZQLUG by [192.168.0.2]
>           with SMTP (QuickMail Pro Server for Mac 2.1); 20-Sep-2003 21:39:21 +0200
> FROM: "" <rmailroutine@microsoft.com>
> TO: "Email Receiver" <user@smtpserver.com>
> SUBJECT: Undeliverable Mail: User unknown
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
>           boundary="zdowicnvoammd"
> Lines: 1891
> Status: R
> ---------------------------------------------------------------------------
>
> As you can see from the headers, the mail was initially sent to the
> address tojo@hotmail.com (I don't know what is it really), but then
> happened something strange - "qmail-ldap/ctrl", and the message was
> forwarded to me.
>
>
>
> Alexander Kopilovitch                      aek@vib.usr.pu.ru
> Saint-Petersburg
> Russia
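
An added example, not part of either poster's message: a small Python parser that walks the quoted `Received:` chain oldest-first, reports where the envelope recipient changes, and finds the first non-private relay address. The header text is transcribed from the quoted message; the function names are this example's own.

```python
import ipaddress
import re
from email import message_from_string

# Headers transcribed from the quoted message with the line wrapping unfolded;
# the mbox "From " line, Date, Message-Id and MIME fields are left out.
RAW = """\
Received: by vib.usr.pu.ru (UUPC/@ v7.00, 07Jan97) with UUCP
 id AA01553; Sun, 21 Sep 2003 05:26:10 +0400 (MSD)
Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
 by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id TAA09858
 for <aek@vib.usr.pu.ru>; Sat, 20 Sep 2003 19:56:38 GMT
Received: from asteroids.cybercomm.nl (arkanoid.scarlet-internet.nl [213.204.195.164])
 by becha.pu.ru (8.12.8p1/8.12.8) with SMTP id h8KKITbI047393
 for <aek@vib.usr.pu.ru>; Sun, 21 Sep 2003 00:18:29 +0400 (MSD)
 (envelope-from rmailroutine@microsoft.com)
Received: (qmail-ldap/ctrl 12094 invoked from network); 20 Sep 2003 19:56:22 -0000
Received: from unknown (HELO ?192.168.0.2?) ([213.196.18.100])
 (envelope-sender <rmailroutine@microsoft.com>)
 by cybercomm.vsp.scarlet-internet.nl (qmail-ldap-1.03) with SMTP
 for <tojo@hotmail.com>; 20 Sep 2003 19:56:22 -0000
Received: from FQCZQLUG by [192.168.0.2]
 with SMTP (QuickMail Pro Server for Mac 2.1); 20-Sep-2003 21:39:21 +0200
"""

def _find(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def hops(raw):
    """Received hops oldest-first (the headers list them newest-first)."""
    values = reversed(message_from_string(raw).get_all("Received", []))
    pats = {"from": r"^from (\S+)", "by": r"\bby (\S+)",
            "ip": r"\[(\d+(?:\.\d+){3})\]", "rcpt": r"\bfor <([^>]+)>"}
    return [{k: _find(p, " ".join(v.split())) for k, p in pats.items()} for v in values]

def recipient_changes(path):
    """(host, old, new) wherever the envelope recipient differs from the last one seen."""
    changes, last = [], None
    for hop in path:
        if hop["rcpt"] and last and hop["rcpt"] != last:
            changes.append((hop["by"], last, hop["rcpt"]))
        last = hop["rcpt"] or last
    return changes

def first_public_ip(path):
    """Oldest hop address that is not private; older hops are written by the sending side."""
    ips = [h["ip"] for h in path if h["ip"]]
    return next((ip for ip in ips if not ipaddress.ip_address(ip).is_private), None)
```

On these headers `recipient_changes(hops(RAW))` reports the switch from tojo@hotmail.com to aek@vib.usr.pu.ru at the becha.pu.ru hop, and `first_public_ip` returns the address recorded by the scarlet-internet.nl relay.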




