From: aek@vib.usr.pu.ru (Alexander Kopilovitch)
Newsgroups: comp.lang.ada
Subject: Re: Current "Swen" worm attack - the best address
Date: 25 Sep 2003 20:16:08 -0700
Organization: http://groups.google.com/

Preben Randhol wrote:

> > No, this is highly unlikely in the case - here is the whole headers part of
> > that message:
>
> Why is that highly unlikely?

Well, perhaps "highly" was an overstatement -;) . But I still think that it is unlikely. My reason is that, although such a forgery is possible, it requires extra effort (for which I don't see a valid purpose) and adds unnecessary danger for the worm's creator(s). And an even stronger reason (for me) is that it seems that in all messages I received within that stream (except 1), the addresses at that place were quite good-looking, and the single exception was simply rmailroutine@microsoft.com .
> > ----------------------------------------------------------------------------
> > From cesa.air.defense.gouv.fr!informatique Wed Sep 24 13:08:00 2003
> > Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
> >         by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
> >         for ; Wed, 24 Sep 2003 13:08:00 GMT
> > Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
> >         by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
> >         for ; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
> >         (envelope-from informatique@cesa.air.defense.gouv.fr)
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> > Received: from gbyzf ([81.80.25.150])
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

So what? I saw similar names at this place in perfectly valid messages.

> > by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
> >         Wed, 24 Sep 2003 14:56:43 +0200
> > Date: Wed, 24 Sep 2003 14:56:43 +0200
> > Message-Id: <200309241256.h8OCuhoC011468@smtp6.clb.oleane.net>
> > FROM: "Network Mail Delivery Service"
> > TO: "Email Recipient"
> > SUBJECT: Failure Letter
> > Mime-Version: 1.0
> > Content-Type: multipart/alternative;
> >         boundary="aywwgbok"
> > ----------------------------------------------------------------------------

Anyway, this is not a private person's address, and not even a company's address, so there will not be much damage (I hope that the French Air Defense will be able to fight viruses more successfully than me -;) .

By the way, that stream of viruses still has not stopped, although it has weakened substantially since yesterday.

Alexander Kopilovitch aek@vib.usr.pu.ru
Saint-Petersburg
Russia
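The argument in the thread turns on reading the Received: chain and the envelope-from separately from the FROM: header inside the message. The following is an added example (not code from the original post or from any of its participants) that parses exactly the header block quoted above, walks the Received: hops in delivery order, and reports the originating host and IP, the first relay, the envelope sender recorded by becha.pu.ru, and the FROM: header. The recipient addresses were already elided in the quoted copy, so the `for ;` clauses are left empty; the `relay_in_envelope_domain` check is a simple heuristic added here, not a test any MTA on the page performs.

```python
"""Walk the Received: chain of a quoted message and separate the
SMTP envelope sender from the message's own FROM: header.

Added example; the header block is the one quoted in the post above,
reproduced as a constructed sample with folded continuation lines.
"""
import re

SAMPLE_HEADERS = """\
Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
        by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
        for ; Wed, 24 Sep 2003 13:08:00 GMT
Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
        by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
        for ; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
        (envelope-from informatique@cesa.air.defense.gouv.fr)
Received: from gbyzf ([81.80.25.150])
        by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
        Wed, 24 Sep 2003 14:56:43 +0200
Date: Wed, 24 Sep 2003 14:56:43 +0200
Message-Id: <200309241256.h8OCuhoC011468@smtp6.clb.oleane.net>
FROM: "Network Mail Delivery Service"
TO: "Email Recipient"
SUBJECT: Failure Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="aywwgbok"
"""


def parse_headers(raw):
    """Unfold RFC 822 header lines into (name, value) pairs, in file order."""
    headers = []
    for line in raw.splitlines():
        if not line:
            continue
        if line[0] in " \t" and headers:
            # Continuation line: append to the previous header's value.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull the handing host, its IP, the receiving MTA and any envelope-from
    out of one Received: value."""
    hop = {"from": None, "from_ip": None, "by": None, "envelope_from": None}
    m = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", value)
    if m:
        hop["from"] = m.group(1)
        if m.group(2):
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2))
            hop["from_ip"] = ip.group(1) if ip else None
    m = re.search(r"\bby\s+(\S+)", value)
    if m:
        hop["by"] = m.group(1)
    m = re.search(r"envelope-from\s+([^\s)]+)", value)
    if m:
        hop["envelope_from"] = m.group(1)
    return hop


def delivery_chain(raw):
    """Received: headers are prepended by each MTA, so the last one in the
    file is the first hop; return hops in the order the mail travelled."""
    received = [parse_received(v) for n, v in parse_headers(raw)
                if n.lower() == "received"]
    return list(reversed(received))


def get_header(raw, name):
    """Case-insensitive lookup of the first header with the given name."""
    for n, v in parse_headers(raw):
        if n.lower() == name.lower():
            return v
    return None


def summarize(raw):
    """Facts a reader would check before trusting the visible FROM: line."""
    chain = delivery_chain(raw)
    env = next((h["envelope_from"] for h in chain if h["envelope_from"]), None)
    env_domain = env.rsplit("@", 1)[-1].lower() if env else None
    first_relay = (chain[0]["by"] or "").lower()
    return {
        "origin_host": chain[0]["from"],
        "origin_ip": chain[0]["from_ip"],
        "first_relay": chain[0]["by"],
        "envelope_from": env,
        "from_header": get_header(raw, "From"),
        # Heuristic only: does the first relay belong to the envelope domain?
        "relay_in_envelope_domain": env_domain is not None and (
            first_relay == env_domain or first_relay.endswith("." + env_domain)),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_HEADERS).items():
        print(f"{key:26} {val}")
```

Run stand-alone it prints that the message entered the chain from host `gbyzf` at 81.80.25.150 via smtp6.clb.oleane.net, that the envelope sender recorded by becha.pu.ru is informatique@cesa.air.defense.gouv.fr, and that the FROM: header carries only a display name. Each field comes from a different party (the HELO name from the sender, the IP from the relay's TCP connection, the envelope-from from the next MTA's SMTP session), which is why they have to be read separately rather than trusting the one that looks most official.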