From: aek@vib.usr.pu.ru (Alexander Kopilovitch)
Subject: Re: Current "Swen" worm attack - the best address
Date: 25 Sep 2003 20:16:08 -0700
Message-ID: <e2e5731a.0309251916.181d1016@posting.google.com>
In-Reply-To: slrnbn6h28.d5.randhol+abuse@kiuk0152.chembio.ntnu.no
Preben Randhol wrote:
> > No, this is highly unlikely in the case - here is the whole headers part of
> > that message:
>
> Why is that highly unlikely?
Well, perhaps "highly" was an overstatement -;) . But I still think that it is
unlikely. My reason is that, although such a forgery is possible, it requires
extra effort (for which I don't see a valid purpose), and adds unnecessary danger
for the worm's creator(s). And an even stronger reason (for me) is that it seems
that in all messages I received within that stream (except 1), addresses at that
place were quite good-looking, and the single exception was simply
rmailroutine@microsoft.com .
> > ----------------------------------------------------------------------------
> > From cesa.air.defense.gouv.fr!informatique Wed Sep 24 13:08:00 2003
> > Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
> > by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
> > for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 13:08:00 GMT
> > Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
> > by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
> > for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
> > (envelope-from informatique@cesa.air.defense.gouv.fr)
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> > Received: from gbyzf ([81.80.25.150])
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
So what? I saw similar names at this place in perfectly valid messages.
>
> > by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
> > Wed, 24 Sep 2003 14:56:43 +0200
> > Date: Wed, 24 Sep 2003 14:56:43 +0200
> > Message-Id: <200309241256.h8OCuhoC011468@smtp6.clb.oleane.net>
> > FROM: "Network Mail Delivery Service" <postautomat@microsoft.net>
> > TO: "Email Recipient" <user@yourserver.com>
> > SUBJECT: Failure Letter
> > Mime-Version: 1.0
> > Content-Type: multipart/alternative;
> > boundary="aywwgbok"
> > ----------------------------------------------------------------------------
Anyway, this is not a private person's address, and not even a company's address,
so there will not be much damage (I hope that the French Air Defense will be able
to fight viruses more successfully than me -;) .

By the way, that stream of viruses still has not stopped, although it has
weakened substantially since yesterday.

Alexander Kopilovitch aek@vib.usr.pu.ru
Saint-Petersburg
Russia
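
The Received chain quoted above mixes two kinds of data: what each receiving server recorded itself (the bracketed client IP and any reverse-DNS name) and what the sending client merely claimed (the HELO name and the envelope-from address). The following is an added example, not part of the original message; `parse_hops` and the note labels are illustrative names, and the header text is copied from the quote above with its folding restored.

```python
import re

# Received headers copied from the quoted message, newest hop first.
RAW_HEADERS = """\
Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
\tby wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
\tfor <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 13:08:00 GMT
Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
\tby becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
\tfor <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
\t(envelope-from informatique@cesa.air.defense.gouv.fr)
Received: from gbyzf ([81.80.25.150])
\tby smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
\tWed, 24 Sep 2003 14:56:43 +0200
"""

# helo and envelope-from are supplied by the sending client;
# rdns and ip are written by the receiving server named in "by".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
)
ENV_RE = re.compile(r"\(envelope-from\s+(?P<env>[^\s)]+)\)")


def parse_hops(raw):
    """Return one dict per Received header, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # undo header folding
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.search(line)
        if m is None:
            continue  # a Received format this example does not cover
        hop = m.groupdict()
        env = ENV_RE.search(line)
        hop["envelope_from"] = env.group("env") if env else None
        hop["notes"] = []  # observations for a reviewer, not verdicts
        if "." not in hop["helo"]:
            hop["notes"].append("helo-not-fqdn")
        if hop["rdns"] is None:
            hop["notes"].append("no-rdns-recorded")
        hops.append(hop)
    return hops


if __name__ == "__main__":
    for hop in parse_hops(RAW_HEADERS):
        print(hop["ip"], "->", hop["by"], hop["helo"], hop["notes"])
```

The last entry returned is the oldest hop, where the first relay recorded the submitting client's IP address.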