Re: Current "Swen" worm attack - the best address

[Preben Randhol <randhol+abuse@pvv.org>]

On 2003-09-26, Alexander Kopilovitch <aek@vib.usr.pu.ru> wrote:
>
> Well, perhaps "highly" was overstatement -;) . But I still think that
> it is unlikely. My reason is that, although such a forgery is possible
> it requires extra effort (for which I don't see valid purpose), and
> adds unnecessary danger for the worm's creator(s). And even stronger
> reason (for me) is that it seems that in all messages I received
> within that stream (except 1), addresses at that place were quite
> good-looking, and single exception was simply
> rmailroutine@microsoft.com .

Huh? It is common that viruses take the e-mail addresses and forge mails
in these names as they get sent. The source is the machine the virus was
installed on so there isn't much danger for the worm creators from that.

> So what? I saw similar names at this place in perfectly valid
> messages.

Valid as in from cesa.air.defense.gouv.fr ? There is no site with that
name. The point is that 81.80.25.150 is probably the source, but I'm not
an expert on how the mails routes.

nslookup cesa.air.defense.gouv.fr

Non-authoritative answer:
*** Can't find cesa.air.defense.gouv.fr: No answer

> Anyway, this is not private person's address, and even not a company's
> address, so there will not be much damage (I hope that French Air
> Defense will be able to fight viruses more successfully than me -;) .

See above

Preben