* Current "Swen" worm attack - the best address
From: Alexander Kopilovitch @ 2003-09-24 22:31 UTC

Today I received that infamous virus from this beautiful address:

informatique@cesa.air.defense.gouv.fr

As that stream of viruses is certainly fading, that address probably will
remain the best in this session.

Alexander Kopilovitch
aek@vib.usr.pu.ru
Saint-Petersburg
Russia
* Re: Current "Swen" worm attack - the best address
From: Preben Randhol @ 2003-09-25 8:19 UTC

On 2003-09-24, Alexander Kopilovitch <aek@vib.usr.pu.ru> wrote:
> Today I received that infamous virus from this beautiful address:
>
> informatique@cesa.air.defense.gouv.fr
>
> As that stream of viruses is certainly fading, that address probably will
> remain the best in this session.

It doesn't have to be from that machine; it could just as well be a man in
another country that had this address in the address book, or the worm found
it on the news groups/web and fakes the sender.

I have gotten tons of automatic replies saying I'm trying to send some virus
mail although I don't even use Windows for anything to and from the net :-)

Preben
* Re: Current "Swen" worm attack - the best address
From: Wes Groleau @ 2003-09-25 15:48 UTC

I find it ironic that just when I perfect the filters to drop 100% of the
hundreds of messages per day from this virus, numerous ISPs finally get
smart [1] and now I have to tweak the filters to discard hundreds per day of
"We just protected you from receiving a virus! Aren't we cool? By the way,
the meaningless forged From address was not.real@no.such.net in case you
want to warn that person."

[1] I use the word "smart" VERY facetiously. :-)

--
Wes Groleau
-----------
Daily Hoax: http://www.snopes2.com/cgi-bin/random/random.asp
* [OT] Bad addresses (was: Current "Swen" worm attack - the best address)
From: Henrik Motakef @ 2003-09-25 20:52 UTC

On Thu, 25 Sep 2003 11:48:51 -0500, Wes Groleau wrote:
> Aren't we cool? By the way, the meaningless forged From address was [...]

While we are talking about being smart: I guess that Robust Design, LLC
(Seattle) will be really thrilled by you burning their addresses at
no.such.net (which happens to resolve to 216.57.210.200) by posting them to
arbitrary newsgroups, especially since Swen, a worm known for harvesting
newsgroups for victim email addresses, is still active.

Please, people, if you want to use a domain or email address as an example,
don't just guess one - chances are high that it is a real, existing domain,
even if it sounds stupid. At least use "whois" before. There is even a formal
RFC listing addresses that can be used instead without harming anyone
(RFC 2606, http://www.rfc-editor.org/rfc/rfc2606.txt); these are
"example.org", "example.net", "example.com" and all of their subdomains, as
well as any domain with a top-level domain of "example", "test", "invalid" or
"localhost", like for example "no.such.net.example" or "this.is.a.test".

And yes, I write this because I have been burnt by this before. It is a
hostile world.
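The "check before you post" step Henrik asks for, as an added example that is not part of the thread: a small Python lint that classifies a hostname against the RFC 2606 reserved names he lists and flags e-mail addresses in a draft whose domain is not reserved. The draft text is constructed for the example; the function and regex names are my own.

```python
import re

# Names reserved by RFC 2606, as listed in the post above: these top-level
# domains, and example.com/.net/.org together with all of their subdomains.
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

def is_rfc2606_reserved(name):
    """True when a hostname (or the domain part of an address) can never be a
    live Internet name under RFC 2606, so it is safe to use as an example."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-1] in RESERVED_TLDS:      # this.is.a.test, no.such.net.example, localhost
        return True
    return ".".join(labels[-2:]) in RESERVED_DOMAINS   # example.org, mail.example.com

# local-part@domain; the domain needs at least two labels to be a candidate.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def unsafe_addresses(text):
    """Return the e-mail addresses in text whose domain is not RFC 2606-reserved,
    i.e. made-up examples that may belong to a real party (and be harvested)."""
    return [m.group(0) for m in ADDR_RE.finditer(text)
            if not is_rfc2606_reserved(m.group(1))]

# Constructed draft of the sentence discussed in the thread: the guessed
# domain next to the two RFC 2606 forms Henrik suggests.
DRAFT = ("The forged From address was not.real@no.such.net; "
         "it should have been written not.real@no.such.net.example "
         "or user@this.is.a.test instead.")
```

`unsafe_addresses(DRAFT)` reports only the guessed `no.such.net` address; a whois lookup, as the post recommends, remains the final check for anything the lint flags.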
* Re: [OT] Bad addresses
From: Wes Groleau @ 2003-09-26 0:49 UTC

Henrik Motakef wrote:
> While we are talking about being smart: I guess that Robust Design, LLC
> (Seattle) will be really thrilled by you burning their addresses at
> no.such.net (which happens to resolve to 216.57.210.200) by posting them

Bummer. Mea culpa. And I should have known better, too, since three years
ago I was getting spam forged as nowhere.com and I looked it up to find that
it did exist.

On the other hand, if they actually have a userID of "not.real" on that
host, they must WANT to get stuff.

--
Wes Groleau
Is it an on-line compliment to call someone a Net Wit ?
* Re: Current "Swen" worm attack - the best address
From: Alexander Kopilovitch @ 2003-09-25 16:43 UTC

Preben Randhol wrote:
> > Today I received that infamous virus from this beautiful address:
> >
> > informatique@cesa.air.defense.gouv.fr
> >...
>
> It doesn't have to be from that machine it could just as well be a man
> in another country that had this address in the address book or that the
> worm found it on the news groups/web and fakes the sender.

No, this is highly unlikely in this case - here is the whole headers part of
that message:

----------------------------------------------------------------------------
From cesa.air.defense.gouv.fr!informatique Wed Sep 24 13:08:00 2003
Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
        by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
        for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 13:08:00 GMT
Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
        by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
        for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
        (envelope-from informatique@cesa.air.defense.gouv.fr)
Received: from gbyzf ([81.80.25.150])
        by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
        Wed, 24 Sep 2003 14:56:43 +0200
Date: Wed, 24 Sep 2003 14:56:43 +0200
Message-Id: <200309241256.h8OCuhoC011468@smtp6.clb.oleane.net>
FROM: "Network Mail Delivery Service" <postautomat@microsoft.net>
TO: "Email Recipient" <user@yourserver.com>
SUBJECT: Failure Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="aywwgbok"
----------------------------------------------------------------------------

Alexander Kopilovitch
aek@vib.usr.pu.ru
Saint-Petersburg
Russia
* Re: Current "Swen" worm attack - the best address
From: Preben Randhol @ 2003-09-25 19:38 UTC

On 2003-09-25, Alexander Kopilovitch <aek@vib.usr.pu.ru> wrote:
> No, this is highly unlikely in the case - here is the whole headers part of
> that message:

Why is that highly unlikely?

> ----------------------------------------------------------------------------
> From cesa.air.defense.gouv.fr!informatique Wed Sep 24 13:08:00 2003
> Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
>         by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
>         for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 13:08:00 GMT
> Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
>         by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
>         for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
>         (envelope-from informatique@cesa.air.defense.gouv.fr)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Received: from gbyzf ([81.80.25.150])
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>         by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
>         Wed, 24 Sep 2003 14:56:43 +0200
> Date: Wed, 24 Sep 2003 14:56:43 +0200
> Message-Id: <200309241256.h8OCuhoC011468@smtp6.clb.oleane.net>
> FROM: "Network Mail Delivery Service" <postautomat@microsoft.net>
> TO: "Email Recipient" <user@yourserver.com>
> SUBJECT: Failure Letter
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary="aywwgbok"
> ----------------------------------------------------------------------------
* Re: Current "Swen" worm attack - the best address
From: Alexander Kopilovitch @ 2003-09-26 3:16 UTC

Preben Randhol wrote:
> > No, this is highly unlikely in the case - here is the whole headers part of
> > that message:
>
> Why is that highly unlikely?

Well, perhaps "highly" was an overstatement -;) . But I still think that it
is unlikely. My reason is that, although such a forgery is possible, it
requires extra effort (for which I don't see a valid purpose), and adds
unnecessary danger for the worm's creator(s). And an even stronger reason
(for me) is that it seems that in all messages I received within that stream
(except 1), addresses at that place were quite good-looking, and the single
exception was simply rmailroutine@microsoft.com .

> > ----------------------------------------------------------------------------
> > From cesa.air.defense.gouv.fr!informatique Wed Sep 24 13:08:00 2003
> > Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
> >         by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
> >         for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 13:08:00 GMT
> > Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
> >         by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
> >         for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
> >         (envelope-from informatique@cesa.air.defense.gouv.fr)
>
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> > Received: from gbyzf ([81.80.25.150])
>
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

So what? I saw similar names at this place in perfectly valid messages.

>
> >         by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
> >         Wed, 24 Sep 2003 14:56:43 +0200
> > Date: Wed, 24 Sep 2003 14:56:43 +0200
> > Message-Id: <200309241256.h8OCuhoC011468@smtp6.clb.oleane.net>
> > FROM: "Network Mail Delivery Service" <postautomat@microsoft.net>
> > TO: "Email Recipient" <user@yourserver.com>
> > SUBJECT: Failure Letter
> > Mime-Version: 1.0
> > Content-Type: multipart/alternative;
> >         boundary="aywwgbok"
> > ----------------------------------------------------------------------------

Anyway, this is not a private person's address, and not even a company's
address, so there will not be much damage (I hope that the French Air Defense
will be able to fight viruses more successfully than me -;) .

By the way, that stream of viruses still did not stop, although it
substantially weakened beginning from yesterday.

Alexander Kopilovitch
aek@vib.usr.pu.ru
Saint-Petersburg
Russia
* Re: Current "Swen" worm attack - the best address
From: Preben Randhol @ 2003-09-26 9:00 UTC

On 2003-09-26, Alexander Kopilovitch <aek@vib.usr.pu.ru> wrote:
>
> Well, perhaps "highly" was overstatement -;) . But I still think that
> it is unlikely. My reason is that, although such a forgery is possible
> it requires extra effort (for which I don't see valid purpose), and
> adds unnecessary danger for the worm's creator(s). And even stronger
> reason (for me) is that it seems that in all messages I received
> within that stream (except 1), addresses at that place were quite
> good-looking, and single exception was simply
> rmailroutine@microsoft.com .

Huh? It is common that viruses take the e-mail addresses and forge mails in
these names as they get sent. The source is the machine the virus was
installed on, so there isn't much danger for the worm creators from that.

> So what? I saw similar names at this place in perfectly valid
> messages.

Valid as in from cesa.air.defense.gouv.fr ? There is no site with that name.
The point is that 81.80.25.150 is probably the source, but I'm not an expert
on how the mail routes.

nslookup cesa.air.defense.gouv.fr
Non-authoritative answer:
*** Can't find cesa.air.defense.gouv.fr: No answer

> Anyway, this is not private person's address, and even not a company's
> address, so there will not be much damage (I hope that French Air
> Defense will be able to fight viruses more successfully than me -;) .

See above

Preben
* Re: Current "Swen" worm attack - the best address
From: Alexander Kopilovitch @ 2003-09-26 17:20 UTC

Preben Randhol wrote:
> > I still think that
> > it is unlikely. My reason is that, although such a forgery is possible
> > it requires extra effort (for which I don't see valid purpose), and
> > adds unnecessary danger for the worm's creator(s). And even stronger
> > reason (for me) is that it seems that in all messages I received
> > within that stream (except 1), addresses at that place were quite
> > good-looking, and single exception was simply
> > rmailroutine@microsoft.com .
>
> Huh? It is common that viruses take the e-mail addresses and forge mails
> in these names as they get sent.

Forging the "From:" field is certainly common, but forging headers requires
more effort. Also, it is not a simple thing to get over 1000 different
good-looking addresses this way.

> The source is the machine the virus was
> installed on so there isn't much danger for the worm creators from that.

I meant the danger that comes when one annoys the expert postmasters'
community too strongly. -;) .

> cesa.air.defense.gouv.fr ? There is no site with that name.

I know that, I tried ping and tracert yesterday. Nevertheless, the headers
contained that address, and I doubt that the virus invented it from scratch.
I also tried tracert for addresses in that place in several other messages
from that virus stream, and they responded.

Alexander Kopilovitch
aek@vib.usr.pu.ru
Saint-Petersburg
Russia
* Re: Current "Swen" worm attack - the best address
From: Wes Groleau @ 2003-09-26 23:21 UTC

Alexander Kopilovitch wrote:
> Forging "From:" field is certainly common, but forging headers require more
> effort. Also, it is not a simple thing to get over 1000 different good-looking
> addresses this way.

Forging downstream Received headers is impossible, but most spammer support
programs routinely add one or more fake headers to make it appear that the
origin is one or more hops further than it is.

The headers posted appear to contain that sort of forgery.

--
Wes Groleau
Heroes, Heritage, and History
http://freepages.genealogy.rootsweb.com/~wgroleau/
* Re: Current "Swen" worm attack - the best address
From: Alexander Kopilovitch @ 2003-09-27 13:45 UTC

Wes Groleau wrote:
> Forging downstream Received headers is impossible,
> but most spammer support programs routinely add
> one or more fake headers to make it appear that
> the origin is one or more hops further than it is.
>
> The headers posted appear to contain that sort of forgery.

Does this mean that probably that time a spammer was infected? -;)

Alexander Kopilovitch
aek@vib.usr.pu.ru
Saint-Petersburg
Russia
* Re: Current "Swen" worm attack - the best address
From: Wes Groleau @ 2003-09-28 2:30 UTC

Alexander Kopilovitch wrote:
> Wes Groleau wrote:
>> Forging downstream Received headers is impossible,
>> but most spammer support programs routinely add
>> one or more fake headers to make it appear that
>> the origin is one or more hops further than it is.
>>
>> The headers posted appear to contain that sort of forgery.
>
> Does this mean that probably that time a spammer was infected? -;)

No, unless the virus is also a spam tool.

It means that this spammer technique was included in the virus's SMTP engine,
probably for the same reason spammers do it: to lengthen the time before
someone goes to the correct source and stops it.

--
Wes Groleau
-----------
Daily Hoax: http://www.snopes2.com/cgi-bin/random/random.asp
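The point Wes and Preben make about the Received chain (downstream stamps are written by servers you can trust, upstream ones can be prepended by the sender), as an added example that is not part of the thread: this Python walks the headers Alexander posted from the recipient's side. It assumes wg.pu.ru and becha.pu.ru are the recipient's own MTAs, extends trust by exactly one hop to the relay that handed the mail over, and marks everything below as unverifiable; the fourth hop (relay.example.org, 192.0.2.25) is constructed to stand in for the fake header Wes describes.

```python
import re

# The Received lines from the "Failure Letter" headers posted earlier in the
# thread, newest hop first; continuation lines are folded with leading spaces.
POSTED_HEADERS = """\
Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
    by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
    for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 13:08:00 GMT
Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
    by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
    for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
    (envelope-from informatique@cesa.air.defense.gouv.fr)
Received: from gbyzf ([81.80.25.150])
    by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
    Wed, 24 Sep 2003 14:56:43 +0200
"""

# Constructed variant (not from the thread): the sending engine has prepended
# one extra hop, so the trail appears to start one relay further away.
FORGED_HEADERS = POSTED_HEADERS + """\
Received: from relay.example.org ([192.0.2.25])
    by gbyzf with SMTP id fake00001; Wed, 24 Sep 2003 14:50:00 +0200
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                        # HELO name
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"  # (rdns [ip])
    r"\s+by\s+(?P<by>[^\s;(]+)",                                   # stamping MTA
    re.IGNORECASE)

def unfold(raw):
    """Join RFC 5322 folded header lines into one logical line each."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Return the Received hops as dicts, newest (top of header block) first."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.search(line) if line.lower().startswith("received:") else None
        if m:
            hops.append(m.groupdict())
    return hops

def trace_origin(raw, own_mtas):
    """Walk the chain from our side. A hop stamped by an MTA we run is
    'verified'; the single hop stamped by the relay that handed the mail to
    us is 'claimed' (true only if that relay is honest); everything below was
    written by hosts we cannot vouch for and is 'unverifiable', which is where
    a prepended fake hop lands. Returns (classified hops, likely origin)."""
    own = {h.lower() for h in own_mtas}
    classified, origin, last_from, state = [], None, None, "verified"
    for hop in parse_received(raw):
        by = hop["by"].lower()
        if state == "verified" and by in own:
            status = "verified"
        elif state == "verified" and by == last_from:
            status = state = "claimed"
        else:
            status = state = "unverifiable"
        if status != "unverifiable":
            origin = hop["ip"] or hop["helo"]
            last_from = (hop["rdns"] or hop["helo"]).lower()
        classified.append((status, hop["helo"], hop["ip"], by))
    return classified, origin
```

On both inputs the walk stops at 81.80.25.150, the address Preben named as the probable source; the constructed extra hop is reported but never becomes the origin, which is the delay-the-trace effect Wes describes.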
* Re: Current "Swen" worm attack - the best address
From: Alexander Kopilovitch @ 2003-09-28 17:52 UTC

Wes Groleau wrote:
> >>... most spammer support programs routinely add
> >>one or more fake headers to make it appear that
> >>the origin is one or more hops further than it is.
> >>
> >>The headers posted appear to contain that sort of forgery.
> >
> > Does this mean that probably that time a spammer was infected? -;)
>
> No, unless the virus is also a spam tool.
>
> It means that this spammer technique was included
> in the virus's SMTP engine, probably for the same
> reason spammers do it: to lengthen the time before
> someone goes to the correct source and stops it.

But where did this virus get that particular, apparently non-existent, but
good-looking and funny address? Note that this is a very rare case in the
whole stream; in fact I encountered only 2 funny addresses, both in the
gouv.fr domain, but the first included a personal name, therefore it was not
so purely funny; and my collection of those "sender's" addresses from that
stream clearly suggests that the virus does not invent them, but took them
from some source. So, one may guess that that address was used by the
infected user for his own spam, and was just reused by the virus... well,
yes, it is just a vague possibility, no more.

Alexander Kopilovitch
aek@vib.usr.pu.ru
Saint-Petersburg
Russia
* [off-topic] open letter to ISP admins--and virus program vendors
From: Wes Groleau @ 2003-09-28 2:32 UTC

<RANT>I just HAD to respond to a message that was dropped into my mailbox
twice in one minute, since it is similar to numerous others I've received.
If your ISP is sending messages of this sort, perhaps you'd like to help them
get a clue. And if your virus program sends messages like this, perhaps you
could help the program's vendor get a clue. </RANT>

----------

> This e-mail is generated by the [note 1] mail
> server to warn you that the e-mail [snip] is infected
> with virus: HTML/IFrame_Exploit*.

I had very little difficulty filtering out the hundreds of messages per day
generated by the recent epidemic of this virus. I DO NOT APPRECIATE having
the attack converted to hundreds of messages from ISPs bragging about how
they protected me!!!!

> Please contact the sender: very probably he/she doesn't
> know he/she has a computer virus.

It was YOUR customer that sent it--YOU contact them.

Few of the recipients are aware that the apparent sender is most likely
forged. You have just invited hundreds of virus recipients to drown this
innocent bystander with angry e-mails.

And if by some chance it is not forged, wouldn't a friendly PHONE CALL from
their ISP be more effective than having them lose mail because hundreds of
flames have used up their quota?

----------
note 1: ISP name withheld to protect the guilty
* Re: [off-topic] open letter to ISP admins--and virus program vendors
From: Wes Groleau @ 2003-09-28 3:18 UTC

Wes Groleau (me) wrote:
> And if by some chance it is not forged, wouldn't a friendly
> PHONE CALL from their ISP be more effective than having them
> lose mail because hundreds of flames have used up their quota?

Someone pointed out to me this is stupid because it's impossible.

True. OTOH, is recommending that hundreds of victims contact an innocent
bystander less stupid just because it IS possible?

--
Wes Groleau
Genealogical Lookups: http://groleau.freeshell.org/ref/lookups.html