From: aek@vib.usr.pu.ru (Alexander Kopilovitch)
Newsgroups: comp.lang.ada
Subject: Re: Current "Swen" worm attack - the best address
Date: 28 Sep 2003 10:52:41 -0700
Organization: http://groups.google.com/
Message-ID:
References: <7decna18Xfwz2uuiXTWJig@gbronline.com>
NNTP-Posting-Host: 195.242.17.172
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
NNTP-Posting-Date: 28 Sep 2003 17:52:48 GMT
Date: 2003-09-28T17:52:48+00:00
List-Id:

Wes Groleau wrote:

> >>... most spammer support programs routinely add
> >>one or more fake headers to make it appear that
> >>the origin is one or more hops further than it is.
> >>
> >>The headers posted appear to contain that sort of forgery.
> >
> > Does this mean that probably that time a spammer was infected? -;)
>
> No, unless the virus is also a spam tool.
>
> It means that this spammer technique was included
> in the virus's SMTP engine, probably for the same
> reason spammers do it: to lengthen the time before
> someone goes to the correct source and stops it.

But from where did this virus get that particular, apparently non-existent, but good-looking and funny address?
Note that this is a very rare case in the whole stream; in fact I encountered only 2 funny addresses, both in the gouv.fr domain, but the first included a personal name, therefore it was not so purely funny; and my collection of those "sender's" addresses from that stream clearly suggests that the virus does not invent them, but took them from some source. So, one may guess that that address was used by the infected user for his own spam, and just reused by the virus... well, yes, it is just a vague possibility, no more.

Alexander Kopilovitch
aek@vib.usr.pu.ru
Saint-Petersburg
Russia
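The forgery the thread describes works because a mail server appends its own Received: header above whatever the connecting client already sent, so any header the worm's SMTP engine writes itself sits below the genuine ones and looks like extra hops. The defensive consequence is that an analyst tracing the source should only trust headers added by relays they operate, and stop at the first hop recorded by the outermost of those. The script below is an added example, not part of the original post or of any tool it mentions: it parses a constructed sample message, walks the Received: chain from the top, and reports the connecting IP seen by the edge relay as the origin while counting the hops below it as unverified. The hostnames, addresses and the TRUSTED_RELAYS set are all constructed for the example.

```python
import email
import re

# Hypothetical list of relays we operate; only Received: headers written "by"
# one of these hosts are trustworthy. Everything below them in the chain was
# supplied by the connecting client and may be fabricated.
TRUSTED_RELAYS = {"mail.example.org", "mx1.example.org"}

# Minimal parser for the common "from <helo> (<comment>) by <host>" shape.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[\w.-]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")

# Constructed sample: the top two headers were added by our own relays, the
# bottom two are "hops" the submitting host chose to include itself.
SAMPLE_MESSAGE = """Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Sun, 28 Sep 2003 17:52:48 +0000
Received: from dialup-203-0-113-5.example.net (unknown [203.0.113.5])
\tby mx1.example.org with SMTP; Sun, 28 Sep 2003 17:52:40 +0000
Received: from relay.invalid (relay.invalid [198.51.100.7])
\tby dialup-203-0-113-5.example.net with ESMTP; Sun, 28 Sep 2003 17:50:00 +0000
Received: from workstation.invalid ([198.51.100.8])
\tby relay.invalid; Sun, 28 Sep 2003 17:49:00 +0000
From: someone@sender.invalid
To: recipient@example.org
Subject: constructed sample

body text
"""


def parse_received(value):
    """Return the helo name, bracketed IP and receiving host of one header."""
    value = " ".join(value.split())  # unfold continuation lines
    match = RECEIVED_RE.search(value)
    if not match:
        return None
    ip_match = IP_RE.search(match.group("comment") or "")
    return {
        "helo": match.group("helo"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": match.group("by").lower(),
    }


def find_trust_boundary(raw_message, trusted_relays=TRUSTED_RELAYS):
    """Walk Received: headers top-down and stop at the first untrusted writer.

    The last trusted header was written by the edge relay, so the client it
    records in its "from" clause is the real submitting host. Headers below
    that point are counted but never used as evidence of origin.
    """
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]

    trusted = []
    for hop in hops:
        if hop is None or hop["by"] not in trusted_relays:
            break
        trusted.append(hop)

    if not trusted:
        return {"origin_ip": None, "origin_helo": None,
                "trusted_hops": 0, "unverified_hops": len(hops)}

    edge = trusted[-1]
    return {
        "origin_ip": edge["ip"],
        "origin_helo": edge["helo"],
        "trusted_hops": len(trusted),
        "unverified_hops": len(hops) - len(trusted),
    }


if __name__ == "__main__":
    print(find_trust_boundary(SAMPLE_MESSAGE))
```

Run against the sample, the origin reported is 203.0.113.5, the address the edge relay actually accepted the connection from, and the two gouv-style hops beneath it are counted as unverified rather than followed; in practice the trusted set must come from your own MTA inventory, and a header naming one of your relays in its "by" clause should still be cross-checked against that relay's logs before it is believed.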