From: aek@vib.usr.pu.ru (Alexander Kopilovitch)
Subject: Current "Swen" worm attack
Date: 21 Sep 2003 20:05:37 -0700
Message-ID: <e2e5731a.0309211905.2a77a257@posting.google.com>
sk wrote (I got that by gateway digest, but strangely enough, couldn't
find it in comp.lang.ada via Google and another news-server, so I reply
in a separate message):
>The last 4 days have given me 13 attempted "swen" attacks ...
You are very lucky - just 13! I got several hundred of them in the last
3 days, and they still continue to arrive. I never before experienced an
attack of comparable volume, and I still can't guess why I became such a
prominent target now (all my friends, both here and in the USA, did not
see anything unusual in their traffic these days).
>Most seem to have, somewhere in the headers, some relation
>to the cla mailing list ("ada-bouncer" in the "Received: "
>fields or "List-Id: comp.lang.ada" in the header).
I did not look (quite naturally -;) into all those viruses I received
these days, but the several that I explored had relevance neither to
c.l.a. nor to the people visible in c.l.a. Generally, the population of
senders of those viruses seems (by their real addresses) quite
respectable - they have well-known mail providers (no hotmail, yahoo or
other free public mail servers), they often have names looking like a
normal person's name... One virus even came from the domain
cira.premier-ministre.gouv.fr -;)
Among those (several hundred) viruses only one seems somehow interesting
(all others that I explored look like quite common messages, although
with forged "From:" fields). Here are its headers:
---------------------------------------------------------------------------
From hqlgu!microsoft.com!rmailroutine Sun Sep 21 05:26:10 2003
Received: by vib.usr.pu.ru (UUPC/@ v7.00, 07Jan97) with UUCP
id AA01553; Sun, 21 Sep 2003 05:26:10 +0400 (MSD)
Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id TAA09858
for <aek@vib.usr.pu.ru>; Sat, 20 Sep 2003 19:56:38 GMT
Received: from asteroids.cybercomm.nl (arkanoid.scarlet-internet.nl
[213.204.195.164])
by becha.pu.ru (8.12.8p1/8.12.8) with SMTP id h8KKITbI047393
for <aek@vib.usr.pu.ru>; Sun, 21 Sep 2003 00:18:29 +0400 (MSD)
(envelope-from rmailroutine@microsoft.com)
Date: Sun, 21 Sep 2003 00:18:29 +0400 (MSD)
Message-Id: <200309202018.h8KKITbI047393@becha.pu.ru>
Received: (qmail-ldap/ctrl 12094 invoked from network); 20 Sep 2003
19:56:22 -0000
Received: from unknown (HELO ?192.168.0.2?) ([213.196.18.100])
(envelope-sender
<rmailroutine@microsoft.com>)
by cybercomm.vsp.scarlet-internet.nl (qmail-ldap-1.03) with
SMTP
for <tojo@hotmail.com>; 20 Sep 2003 19:56:22 -0000
Received: from FQCZQLUG by [192.168.0.2]
with SMTP (QuickMail Pro Server for Mac 2.1); 20-Sep-2003
21:39:21 +0200
FROM: "" <rmailroutine@microsoft.com>
TO: "Email Receiver" <user@smtpserver.com>
SUBJECT: Undeliverable Mail: User unknown
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="zdowicnvoammd"
Lines: 1891
Status: R
---------------------------------------------------------------------------
As you can see from the headers, the mail was initially sent to the
address tojo@hotmail.com (I don't know what it really is), but then
something strange happened - "qmail-ldap/ctrl", and the message was
forwarded to me.
Alexander Kopilovitch aek@vib.usr.pu.ru
Saint-Petersburg
Russia