Re: Current "Swen" worm attack - the best address

[aek@vib.usr.pu.ru (Alexander Kopilovitch)]

Preben Randhol wrote:

> > I still think that
> > it is unlikely. My reason is that, although such a forgery is possible
> > it requires extra effort (for which I don't see valid purpose), and
> > adds unnecessary danger for the worm's creator(s). And even stronger
> > reason (for me) is that it seems that in all messages I received
> > within that stream (except 1), addresses at that place were quite
> > good-looking, and single exception was simply
> > rmailroutine@microsoft.com .
>
> Huh? It is common that viruses take the e-mail addresses and forge mails
> in these names as they get sent.

Forging "From:" field is certainly common, but forging headers require more
effort. Also, it is not a simple thing to get over 1000 different good-looking
addresses this way.

> The source is the machine the virus was
> installed on so there isn't much danger for the worm creators from that.

I meant the danger that comes when one annoys expert postmasters community
too strongly. -;) .

> cesa.air.defense.gouv.fr ? There is no site with that name.

I know that, I tried ping and tracert yesterday. Nevertheless, the headers
contained that address, and I doubt that virus invented it from scratch.
I also tried tracert for addresses in that place in several other messages
from that virus stream, and they responded.



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia