From: aek@vib.usr.pu.ru (Alexander Kopilovitch)
Subject: Re: Current "Swen" worm attack - the best address
Date: 26 Sep 2003 10:20:01 -0700
Date: 2003-09-26T17:20:02+00:00
Message-ID: <e2e5731a.0309260920.451e1323@posting.google.com>
In-Reply-To: slrnbn8014.m8.randhol+abuse@kiuk0152.chembio.ntnu.no

Preben Randhol wrote:

> > I still think that
> > it is unlikely. My reason is that, although such a forgery is possible
> > it requires extra effort (for which I don't see valid purpose), and
> > adds unnecessary danger for the worm's creator(s). And even stronger
> > reason (for me) is that it seems that in all messages I received
> > within that stream (except 1), addresses at that place were quite
> > good-looking, and single exception was simply
> > rmailroutine@microsoft.com .
>
> Huh? It is common that viruses take the e-mail addresses and forge mails
> in these names as they get sent.

Forging the "From:" field is certainly common, but forging headers requires more
effort. Also, it is not a simple thing to get over 1000 different good-looking
addresses this way.

> The source is the machine the virus was
> installed on so there isn't much danger for the worm creators from that.

I meant the danger that comes when one annoys the expert postmasters community
too strongly. -;) .

> cesa.air.defense.gouv.fr ? There is no site with that name.

I know that, I tried ping and tracert yesterday. Nevertheless, the headers
contained that address, and I doubt that the virus invented it from scratch.
I also tried tracert for addresses in that place in several other messages
from that virus stream, and they responded.

Alexander Kopilovitch aek@vib.usr.pu.ru
Saint-Petersburg
Russia