From: Preben Randhol
Newsgroups: comp.lang.ada
Subject: Re: Current "Swen" worm attack - the best address
Date: Fri, 26 Sep 2003 09:00:21 +0000 (UTC)
Organization: PVV

On 2003-09-26, Alexander Kopilovitch wrote:
>
> Well, perhaps "highly" was overstatement -;) . But I still think that
> it is unlikely. My reason is that, although such a forgery is possible
> it requires extra effort (for which I don't see valid purpose), and
> adds unnecessary danger for the worm's creator(s). And even stronger
> reason (for me) is that it seems that in all messages I received
> within that stream (except 1), addresses at that place were quite
> good-looking, and single exception was simply
> rmailroutine@microsoft.com .

Huh? It is common that viruses take the e-mail addresses and forge mails
in these names as they get sent. The source is the machine the virus was
installed on so there isn't much danger for the worm creators from that.

> So what? I saw similar names at this place in perfectly valid
> messages.

Valid as in from cesa.air.defense.gouv.fr ? There is no site with that
name. The point is that 81.80.25.150 is probably the source, but I'm not
an expert on how the mails route.

nslookup cesa.air.defense.gouv.fr
Non-authoritative answer:
*** Can't find cesa.air.defense.gouv.fr: No answer

> Anyway, this is not private person's address, and even not a company's
> address, so there will not be much damage (I hope that French Air
> Defense will be able to fight viruses more successfully than me -;) .

See above

Preben
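
Added example, not part of the original post: the manual check described above, in Python, separating the names the sender supplies (From address, HELO host) from the peer IP that the receiving server records in the topmost Received header. The Postfix-style header layout, mx.example.org, reader@example.org and the stub resolver are assumptions constructed for illustration; only the host name, the IP and the From address appear in the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: host name, IP and From address are from the thread;
# the header layout, receiving host and recipient are made up.
SAMPLE = """\
Received: from cesa.air.defense.gouv.fr (unknown [81.80.25.150])
\tby mx.example.org (Postfix) with SMTP id 0000000000
\tfor <reader@example.org>; Fri, 26 Sep 2003 08:00:00 +0000 (UTC)
From: rmailroutine@microsoft.com
To: reader@example.org
Subject: constructed sample

body
"""

# "from <HELO name> (<reverse DNS or unknown> [<peer IP>])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)")

def stub_resolves(hostname):
    # Constructed stand-in for DNS so the example runs offline; it mirrors
    # the "No answer" nslookup result quoted in the post.
    return hostname in {"mx.example.org"}

def assess_origin(raw, resolves):
    """Report the peer IP and sender-supplied names from the top Received header.

    Assumes the topmost Received header was written by your own MTA, so the
    bracketed IP is the observed peer; HELO and From are claims by the sender.
    `resolves` is a callable(hostname) -> bool.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    if not received:
        return {"peer_ip": None, "findings": ["no Received header"]}
    m = RECEIVED_RE.search(" ".join(received[0].split()))  # unfold the header
    if not m:
        return {"peer_ip": None, "findings": ["unparsed Received header"]}
    helo, findings = m.group("helo").lower(), []
    if not resolves(helo):
        findings.append("HELO name does not resolve")
    # Weak hint only: legitimate mail is often relayed by unrelated hosts.
    if not (helo == from_domain or helo.endswith("." + from_domain)):
        findings.append("From domain unrelated to sending host")
    return {"peer_ip": m.group("ip"), "helo": helo,
            "from_domain": from_domain, "findings": findings}
```
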