comp.lang.ada
From: aek@vib.usr.pu.ru (Alexander Kopilovitch)
Subject: Re: Current "Swen" worm attack - the best address
Date: 28 Sep 2003 10:52:41 -0700
Date: 2003-09-28T17:52:48+00:00
Message-ID: <e2e5731a.0309280952.2d7d5239@posting.google.com>
In-Reply-To: 7decna18Xfwz2uuiXTWJig@gbronline.com

Wes Groleau wrote:

> >>... most spammer support programs routinely add
> >>one or more fake headers to make it appear that
> >>the origin is one or more hops further than it is.
> >>
> >>The headers posted appear to contain that sort of forgery.
> >
> > Does this mean that probably that time a spammer was infected? -;)
>
> No, unless the virus is also a spam tool.
>
> It means that this spammer technique was included
> in the virus's SMTP engine, probably for the same
> reason spammers do it: to lengthen the time before
> someone goes to the correct source and stops it.

But from where did this virus get that particular, apparently non-existent, but
good-looking and funny address? Note that this is a very rare case in the
whole stream; in fact I encountered only 2 funny addresses, both were in the
gouv.fr domain, but the first included a personal name, therefore it was not so
purely funny; and my collection of those "sender's" addresses from that stream
clearly suggests that the virus does not invent them, but takes them from some
source. So, one may guess that that address was used by the infected user for
his own spam, and just reused by the virus... well, yes, it is just a vague
possibility, no more.



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia


