Re: [Full-Disclosure] viruses being sent to this list

From: Byron Copeland (nodialtone_at_comcast.net)
Date: 03/24/04

  • Next message: Dave Horsfall: "Re: [Full-Disclosure] viruses being sent to this list"
    To: John Sage <jsage@finchhaven.com>
    Date: 23 Mar 2004 23:48:55 -0500
    
    
    

    This message has not been *** Expunged ***

    Reason: Because you're a God!

    But, nonetheless, truthfully, it isn't any fault of any list managers
    here.

    -b

    On Tue, 2004-03-23 at 23:22, John Sage wrote:
    > hmm..
    >
    > On Mon, Mar 22, 2004 at 11:32:53PM -0600, Paul Schmehl wrote:
    > > From: "Paul Schmehl" <pauls@utdallas.edu>
    > > To: <full-disclosure@lists.netsys.com>
    > > Subject: Re: [Full-Disclosure] viruses being sent to this list
    > > Date: Mon, 22 Mar 2004 23:32:53 -0600
    >
    > /* snippage */
    >
    > > Not picking on you, your post is just a convenient point to jump in
    > > to this "conversation", but I really wonder if anyone thinks before
    > > they post any more. I read Gadi's post, and I happen to know him,
    > > so I didn't instantly think he was an idiot or uninformed or naive.
    > > Instead, I downloaded the entire raw archives of the list and
    > > started grepping for patterns. What I've found so far is
    > > suspicious. I won't post any results yet, because they're
    > > incomplete, but suffice it to say that it is at least *possible*
    > > that this list is deliberately being used to spread viruses. It's
    > > equally possible that it's just the random seeding that viruses do
    > > these days. I just don't know for sure yet, one way or the other.
    >
    > mutt is my MUA.
    >
    > Currently I have 4,924 assorted messages in ~/Mail/in-Full-Disclosure.
    >
    > Sorting by size, and picking a familiar size range, we see:
    >
    > 3368 Mar 22 ge@egotistical. ( 421) [Full-Disclosure] Re: Thanks :)
    > 3369 Mar 11 bugzilla@redhat ( 420) [Full-Disclosure] Hi! :-)
    > 3370 Mar 16 nexus@patrol.i- ( 425) [Full-Disclosure] hi
    > 3371 Mar 03 psirt@cisco.com ( 426) [Full-Disclosure] stolen
    > 3372 Mar 01 psirt@cisco.com ( 428) [Full-Disclosure] unknown
    > 3373 Mar 13 nexus@patrol.i- ( 427) [Full-Disclosure] stolen
    > 3374 Jan 26 jyowell@kennedy ( 420) [Full-Disclosure] hello
    > 3375 Feb 05 nakal@web.de ( 420) [Full-Disclosure] Test
    > 3376 Jan 30 brian@pc-radio. ( 420) [Full-Disclosure] Server Report
    > 3377 Jan 26 http-equiv@exci ( 420) [Full-Disclosure] Status
    > 3378 Jan 27 jeff01@email.un ( 420) [Full-Disclosure] Status
    > 3379 Feb 04 jim@wangtrading ( 420) [Full-Disclosure] (no subject)
    > 3380 Feb 12 franjime@cisco. ( 422) [Full-Disclosure] HELLO
    > 3381 Feb 11 psirt@cisco.com ( 422) [Full-Disclosure] Hi
    > 3382 Jan 27 lsawyer@gci.com ( 422) [Full-Disclosure] hello
    > 3383 Jan 27 http-equiv@malw ( 422) [Full-Disclosure] (no subject)
    > 3384 Jan 28 jkarp@visionael ( 422) [Full-Disclosure] STATUS
    > 3385 Feb 07 jim@wangtrading ( 422) [Full-Disclosure] TEST
    > 3386 Mar 03 je@sekure.net ( 424) [Full-Disclosure] TEST
    > 3387 Feb 08 hobbit@avian.or ( 424) [Full-Disclosure] Server Report
    > 3388 Jan 30 psirt@cisco.com ( 424) [Full-Disclosure] (no subject)
    > 3389 Feb 09 psirt@cisco.com ( 441) [Full-Disclosure] hi
    > 3390 Feb 08 joel@helgeson.c ( 465) [Full-Disclosure] Error
    > 3391 Jan 27 lsawyer@gci.com ( 466) [Full-Disclosure] Status
    > 3392 Feb 26 psirt@cisco.com ( 494) [Full-Disclosure] something for you
    > 3393 Feb 26 psirt@cisco.com ( 494) [Full-Disclosure] something for you
    > 3394 Mar 16 phlox@comcast.n ( 496) [Full-Disclosure] greetings
    >
    >
    > Without exception, these are all virii-laden. Whether they got here by
    > malice or by chance, they all contain the following:
    >
    > Received: from NETSYS.COM (localhost [127.0.0.1])
    > by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175;
    > Tue, 16 Mar 2004 20:46:18 -0500 (EST)
    >
    > in the "Received: " sequence immediately following the two examples
    > below, varying only in the date and timestamp, and ESMTP id.
    >
    >
    > Comparing one virus to one known list member (http-equiv -- sorry!) we
    > can see an obvious forgery:
    >
    > Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124])
    > by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817
    > for <full-disclosure@lists.netsys.com>; Mon, 26 Jan 2004 17:44:39 -0500
    >
    > versus a presumable "real" post:
    >
    > Received: from mailrelay.megawebservers.com
    > (mailrelay1-2.megawebservers.com [216.251.35.241])
    > by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220
    > for <full-disclosure@lists.netsys.com>; Mon, 26 Jan 2004 19:01:43 -0500
    >
    >
    > What does this tell us? Virii are getting out via the list; whether
    > they are being transmitted inadvertently or deliberately is still open
    > to question...
    >
    >
    >
    > - John

    -- 
    "Save yourself from the 'Gates' of hell, use Linux." -- The_Kind @
    LinuxNet
    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
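
The header comparison John Sage describes in the quoted text, as an added example that is not part of the original thread: it parses sendmail-style `Received:` values and compares the name the client claimed with the reverse-DNS name the receiving server recorded. The three header values are copied from the message above; the function names, result labels and the two-label domain heuristic are assumptions made for this example.

```python
import ipaddress
import re

# Received: values copied from the message above, unfolded onto one line each.
SAMPLES = {
    "virus": "from excite.com (dt083n7c.san.rr.com [204.210.26.124]) "
             "by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817",
    "real_post": "from mailrelay.megawebservers.com "
                 "(mailrelay1-2.megawebservers.com [216.251.35.241]) "
                 "by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220",
    "list_hop": "from NETSYS.COM (localhost [127.0.0.1]) "
                "by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175",
}

# sendmail layout: from <HELO name> (<reverse-DNS name> [<peer IP>])
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")


def org_domain(host):
    """Naive registrable domain: last two labels (assumption; no Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(received):
    """Compare the name the client claimed with what the receiving MTA recorded."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", received)  # undo header folding
    m = RECEIVED_RE.search(unfolded)
    if m is None:
        return "unparsed"
    try:
        peer = ipaddress.ip_address(m["ip"])
    except ValueError:
        return "unparsed"           # bracketed value was not a valid address
    if peer.is_loopback:
        return "local-hop"          # list server handing the message to itself
    if m["rdns"] is None:
        return "no-rdns"            # peer IP had no PTR record; nothing to compare
    if org_domain(m["helo"]) != org_domain(m["rdns"]):
        return "helo-mismatch"      # claimed name and connecting host disagree
    return "consistent"


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:10} {classify(header)}")
```

A mismatch is a lead, not proof: plenty of legitimate senders greet with a name unrelated to their PTR record, so the result is best used to rank messages for closer inspection.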


