Current "Swen" worm attack - the best address

Current "Swen" worm attack - the best address

[Alexander Kopilovitch]

Today I received that infamous virus from this beautiful address:

  informatique@cesa.air.defense.gouv.fr

As that stream of viruses is certainly fading, that address probably will
remain the best in this session.



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Current "Swen" worm attack - the best address

[Preben Randhol]

On 2003-09-24, Alexander Kopilovitch <aek@vib.usr.pu.ru> wrote:
> Today I received that infamous virus from this beautiful address:
>
>   informatique@cesa.air.defense.gouv.fr
>
> As that stream of viruses is certainly fading, that address probably will
> remain the best in this session.

It doesn't have to be from that machine it could just as well be a man
in another country that had this address in the address book or that the
worm found it on the news groups/web and fakes the sender. I have gotten
tons of automatic replys saying I'm trying to send some virus mail
although I don't even use Windows for anything to and from the net :-)

Preben

Re: Current "Swen" worm attack - the best address

[Wes Groleau]

I find it ironic that just when I perfect
the filters to drop 100% of the hundreds of
messages per day from this virus, numerous
ISPs finally get smart [1] and now I have to
tweak the filters to discard hundreds per day
of

   "We just protected you from receiving a virus!
    Aren't we cool?  By the way, the meaningless
    forged From address was not.real@no.such.net
    in case you want to warn that person."

[1] I use the word "smart" VERY facetiously.  :-)

-- 
Wes Groleau
-----------
Daily Hoax: http://www.snopes2.com/cgi-bin/random/random.asp

Re: Current "Swen" worm attack - the best address

[Alexander Kopilovitch]

Preben Randhol wrote:

> > Today I received that infamous virus from this beautiful address:
> >
> >   informatique@cesa.air.defense.gouv.fr
> 
>...
>
> It doesn't have to be from that machine it could just as well be a man
> in another country that had this address in the address book or that the
> worm found it on the news groups/web and fakes the sender.

No, this is highly unlikely in the case - here is the whole headers part of
that message:

----------------------------------------------------------------------------
From cesa.air.defense.gouv.fr!informatique  Wed Sep 24 13:08:00 2003
Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
	by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
	for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 13:08:00 GMT
Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
	by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
	for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
	(envelope-from informatique@cesa.air.defense.gouv.fr)
Received: from gbyzf ([81.80.25.150]) 
	by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
	Wed, 24 Sep 2003 14:56:43 +0200
Date: Wed, 24 Sep 2003 14:56:43 +0200
Message-Id: <200309241256.h8OCuhoC011468@smtp6.clb.oleane.net>
FROM: "Network Mail Delivery Service" <postautomat@microsoft.net>
TO: "Email Recipient" <user@yourserver.com>
SUBJECT: Failure Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="aywwgbok"
----------------------------------------------------------------------------



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Current "Swen" worm attack - the best address

[Preben Randhol]

On 2003-09-25, Alexander Kopilovitch <aek@vib.usr.pu.ru> wrote:
> No, this is highly unlikely in the case - here is the whole headers part of
> that message:

Why is that highly unlikely?

>
> ----------------------------------------------------------------------------
> From cesa.air.defense.gouv.fr!informatique  Wed Sep 24 13:08:00 2003
> Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
> 	by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
> 	for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 13:08:00 GMT
> Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
> 	by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
> 	for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
> 	(envelope-from informatique@cesa.air.defense.gouv.fr)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> Received: from gbyzf ([81.80.25.150]) 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> 	by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
> 	Wed, 24 Sep 2003 14:56:43 +0200
> Date: Wed, 24 Sep 2003 14:56:43 +0200
> Message-Id: <200309241256.h8OCuhoC011468@smtp6.clb.oleane.net>
> FROM: "Network Mail Delivery Service" <postautomat@microsoft.net>
> TO: "Email Recipient" <user@yourserver.com>
> SUBJECT: Failure Letter
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="aywwgbok"
> ----------------------------------------------------------------------------

[OT] Bad addresses (was: Current "Swen" worm attack - the best address)

[Henrik Motakef]

On Thu, 25 Sep 2003 11:48:51 -0500, Wes Groleau wrote:

>     Aren't we cool?  By the way, the meaningless forged From address was
[...]

While we are talking about being smart: I guess that Robust Design, LLC
(Seattle) will be really thrilled by you burning their addresses at
no.such.net (which happens to resolve to 216.57.210.200) by posting them
to arbitrary newsgroups, especially since Swen, a worm known for
harvesting newsgroups for victim email addresses, is still active.

Please, people, if you want to use a domain or email address as an
example, don't just guess one - chances are high that it is a real,
existing domain, even if it sounds stupid. At least use "whois" before.

There is even a formal RFC listing addresses that can be used instead
without harming anyone (RFC 2606,
http://www.rfc-editor.org/rfc/rfc2606.txt), these are "example.org",
"example.net", "example.com" and all of their subdomains as well as any
domain with a top-level domain of "example", "test", "invalid" or
"localhost", like for example "no.such.net.example" or "this.is.a.test".

And yes, I write this because I have been burnt by this before. It is a
hostile world.

Re: [OT] Bad addresses

[Wes Groleau]

Henrik Motakef wrote:
> While we are talking about being smart: I guess that Robust Design, LLC
> (Seattle) will be really thrilled by you burning their addresses at
> no.such.net (which happens to resolve to 216.57.210.200) by posting them

Bummer.  Mea culpa.  And I should have known better, too,
since three years ago I was getting spam forged as nowhere.com
and I looked it up to find that it did exist.

On the other hand, if they actually have a userID of
"not.real" on that host, they must WANT to get stuff.

-- 
Wes Groleau

Is it an on-line compliment to call someone a Net Wit ?

Re: Current "Swen" worm attack - the best address

[Alexander Kopilovitch]

Preben Randhol wrote:

> > No, this is highly unlikely in the case - here is the whole headers part of
> > that message:
> 
> Why is that highly unlikely?

Well, perhaps "highly" was overstatement -;) . But I still think that it is
unlikely. My reason is that, although such a forgery is possible it requires
extra effort (for which I don't see valid purpose), and adds unnecessary danger
for the worm's creator(s). And even stronger reason (for me) is that it seems
that in all messages I received within that stream (except 1), addresses at that
place were quite good-looking, and single exception was simply
rmailroutine@microsoft.com .

> > ----------------------------------------------------------------------------
> > From cesa.air.defense.gouv.fr!informatique  Wed Sep 24 13:08:00 2003
> > Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
> > 	by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id NAA01077
> > 	for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 13:08:00 GMT
> > Received: from smtp6.clb.oleane.net (smtp6.clb.oleane.net [213.56.31.26])
> > 	by becha.pu.ru (8.12.8p1/8.12.8) with ESMTP id h8ODV3bI019490
> > 	for <aek@vib.usr.pu.ru>; Wed, 24 Sep 2003 17:31:03 +0400 (MSD)
> > 	(envelope-from informatique@cesa.air.defense.gouv.fr)
> 
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> > Received: from gbyzf ([81.80.25.150]) 
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

So what? I saw similar names at this place in perfectly valid messages.

> 
> > 	by smtp6.clb.oleane.net with SMTP id h8OCuhoC011468;
> > 	Wed, 24 Sep 2003 14:56:43 +0200
> > Date: Wed, 24 Sep 2003 14:56:43 +0200
> > Message-Id: <200309241256.h8OCuhoC011468@smtp6.clb.oleane.net>
> > FROM: "Network Mail Delivery Service" <postautomat@microsoft.net>
> > TO: "Email Recipient" <user@yourserver.com>
> > SUBJECT: Failure Letter
> > Mime-Version: 1.0
> > Content-Type: multipart/alternative;
> > 	boundary="aywwgbok"
> > ----------------------------------------------------------------------------

Anyway, this is not private person's address, and even not a company's address,
so there will not be much damage (I hope that French Air Defense will be able
to fight viruses more successfully than me -;) .

By the way, that stream of viruses still did not stop, although it substantially
weakened beginning from yesterday.


Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Current "Swen" worm attack - the best address

[Preben Randhol]

On 2003-09-26, Alexander Kopilovitch <aek@vib.usr.pu.ru> wrote:
>
> Well, perhaps "highly" was overstatement -;) . But I still think that
> it is unlikely. My reason is that, although such a forgery is possible
> it requires extra effort (for which I don't see valid purpose), and
> adds unnecessary danger for the worm's creator(s). And even stronger
> reason (for me) is that it seems that in all messages I received
> within that stream (except 1), addresses at that place were quite
> good-looking, and single exception was simply
> rmailroutine@microsoft.com .

Huh? It is common that viruses take the e-mail addresses and forge mails
in these names as they get sent. The source is the machine the virus was
installed on so there isn't much danger for the worm creators from that.

> So what? I saw similar names at this place in perfectly valid
> messages.

Valid as in from cesa.air.defense.gouv.fr ? There is no site with that
name. The point is that 81.80.25.150 is probably the source, but I'm not
an expert on how the mails routes.

nslookup cesa.air.defense.gouv.fr

Non-authoritative answer:
*** Can't find cesa.air.defense.gouv.fr: No answer

> Anyway, this is not private person's address, and even not a company's
> address, so there will not be much damage (I hope that French Air
> Defense will be able to fight viruses more successfully than me -;) .

See above

Preben

Re: Current "Swen" worm attack - the best address

[Alexander Kopilovitch]

Preben Randhol wrote:

> > I still think that
> > it is unlikely. My reason is that, although such a forgery is possible
> > it requires extra effort (for which I don't see valid purpose), and
> > adds unnecessary danger for the worm's creator(s). And even stronger
> > reason (for me) is that it seems that in all messages I received
> > within that stream (except 1), addresses at that place were quite
> > good-looking, and single exception was simply
> > rmailroutine@microsoft.com .
>
> Huh? It is common that viruses take the e-mail addresses and forge mails
> in these names as they get sent.

Forging "From:" field is certainly common, but forging headers require more
effort. Also, it is not a simple thing to get over 1000 different good-looking
addresses this way.

> The source is the machine the virus was
> installed on so there isn't much danger for the worm creators from that.

I meant the danger that comes when one annoys expert postmasters community
too strongly. -;) .

> cesa.air.defense.gouv.fr ? There is no site with that name.

I know that, I tried ping and tracert yesterday. Nevertheless, the headers
contained that address, and I doubt that virus invented it from scratch.
I also tried tracert for addresses in that place in several other messages
from that virus stream, and they responded.



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Current "Swen" worm attack - the best address

[Wes Groleau]

Alexander Kopilovitch wrote:
> Forging "From:" field is certainly common, but forging headers require more
> effort. Also, it is not a simple thing to get over 1000 different good-looking
> addresses this way.

Forging downstream Received headers is impossible,
but most spammer support programs routinely add
one or more fake headers to make it appear that
the origin is one or more hops further than it is.

The headers posted appear to contain that sort of forgery.

-- 
Wes Groleau
Heroes, Heritage, and History
http://freepages.genealogy.rootsweb.com/~wgroleau/

Re: Current "Swen" worm attack - the best address

[Alexander Kopilovitch]

Wes Groleau wrote:

> Forging downstream Received headers is impossible,
> but most spammer support programs routinely add
> one or more fake headers to make it appear that
> the origin is one or more hops further than it is.
>
> The headers posted appear to contain that sort of forgery.

Does this mean that probably that time a spammer was infected? -;)



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Current "Swen" worm attack - the best address

[Wes Groleau]

Alexander Kopilovitch wrote:

> Wes Groleau wrote:
>>Forging downstream Received headers is impossible,
>>but most spammer support programs routinely add
>>one or more fake headers to make it appear that
>>the origin is one or more hops further than it is.
>>
>>The headers posted appear to contain that sort of forgery.
> 
> Does this mean that probably that time a spammer was infected? -;)

No, unless the virus is also a spam tool.

It means that this spammer technique was included
in the virus's SMTP engine, probably for the same
reason spammers do it: to lengthen the time before
someone goes to the correct source and stops it.

-- 
Wes Groleau
-----------
Daily Hoax: http://www.snopes2.com/cgi-bin/random/random.asp

[off-topic] open letter to ISP admins--and virus program vendors

[Wes Groleau]

<RANT>I just HAD to respond to a message that was dropped
into my mailbox twice in one minute, since it is similar
to numerous others I've received.  If your ISP is sending
messages of this sort, perhaps you'd like to help them
get a clue.  And if your virus program sends messages like
this, perhaps you could help the program's vendor get a clue.
</RANT>
----------
 > This e-mail is generated by the [note 1] mail
 > server to warn you that the e-mail  [snip]  is infected
 > with virus: HTML/IFrame_Exploit*.

I had very little difficulty filtering out the hundreds of
messages per day generated by the recent epidemic of this
virus.  I DO NOT APPRECIATE having the attack converted to
hundreds of messages from ISPs bragging about how they
protected me!!!!


 > Please contact the sender: very probably he/she doesn't
 > know he/she has a computer virus.

It was YOUR customer that sent it--YOU contact them.
Few of the recipients are aware that the apparent sender
is most likely forged.  You have just invited hundreds of
virus recipients to drown this innocent bystander with
angry e-mails.

And if by some chance it is not forged, wouldn't a friendly
PHONE CALL from their ISP be more effective than having them
lose mail because hundreds of flames have used up their quota?
----------

note 1: ISP name withheld to protect the guilty

Re: [off-topic] open letter to ISP admins--and virus program vendors

[Wes Groleau]

Wes Groleau (me) wrote:
> And if by some chance it is not forged, wouldn't a friendly
> PHONE CALL from their ISP be more effective than having them
> lose mail because hundreds of flames have used up their quota?

Someone pointed out to me this is stupid
because it's impossible.  True.

OTOH, is recommending that hundreds of victims
contact an innocent bystander less stupid just
because it IS possible?

-- 
Wes Groleau
Genealogical Lookups:  http://groleau.freeshell.org/ref/lookups.html

Re: Current "Swen" worm attack - the best address

[Alexander Kopilovitch]

Wes Groleau wrote:

> >>... most spammer support programs routinely add
> >>one or more fake headers to make it appear that
> >>the origin is one or more hops further than it is.
> >>
> >>The headers posted appear to contain that sort of forgery.
> >
> > Does this mean that probably that time a spammer was infected? -;)
>
> No, unless the virus is also a spam tool.
>
> It means that this spammer technique was included
> in the virus's SMTP engine, probably for the same
> reason spammers do it: to lengthen the time before
> someone goes to the correct source and stops it.

But from where this virus got that particular, apparently non-existed, but
good-looking and funny address? Note, that this is very rarely case in the
whole stream; in fact I encountered only 2 funny addresses both were in
gouv.fr domain, but first included personal name, therefore it was not so
purely funny; and my collection of those "sender's" addresses from that stream
clearly suggests that the virus does not invent them, but took them from some
source. So, one may guess that that address was used by the infected user for
his own spam, and just reused by the virus... well, yes, it is just vague
possibility, no more.



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia