Re: [Full-Disclosure] viruses being sent to this list

From: Byron Copeland (nodialtone_at_comcast.net)
Date: 03/24/04

  • Next message: Dave Horsfall: "Re: [Full-Disclosure] viruses being sent to this list"
    To: John Sage <jsage@finchhaven.com>
    Date: 23 Mar 2004 23:48:55 -0500
    This message has not been *** Expunged ***

    Reason: Because you're a God!

    But, nonetheless, truthfully, it isn't any fault of any list managers
    here.

    -b

    On Tue, 2004-03-23 at 23:22, John Sage wrote:
    > hmm..
    >
    > On Mon, Mar 22, 2004 at 11:32:53PM -0600, Paul Schmehl wrote:
    > > From: "Paul Schmehl" <pauls@utdallas.edu>
    > > To: <full-disclosure@lists.netsys.com>
    > > Subject: Re: [Full-Disclosure] viruses being sent to this list
    > > Date: Mon, 22 Mar 2004 23:32:53 -0600
    >
    > /* snippage */
    >
    > > Not picking on you, your post is just a convenient point to jump in
    > > to this "conversation", but I really wonder if anyone thinks before
    > > they post any more. I read Gadi's post, and I happen to know him,
    > > so I didn't instantly think he was an idiot or uninformed or naive.
    > > Instead, I downloaded the entire raw archives of the list and
    > > started grepping for patterns. What I've found so far is
    > > suspicious. I won't post any results yet, because they're
    > > incomplete, but suffice it to say that it is at least *possible*
    > > that this list is deliberately being used to spread viruses. It's
    > > equally possible that it's just the random seeding that viruses do
    > > these days. I just don't know for sure yet, one way or the other.
    >
    > mutt is my MUA.
    >
    > Currently I have 4,924 assorted messages in ~/Mail/in-Full-Disclosure.
    >
    > Sorting by size, and picking a familiar size range, we see:
    >
    > 3368 Mar 22 ge@egotistical. ( 421) [Full-Disclosure] Re: Thanks :)
    > 3369 Mar 11 bugzilla@redhat ( 420) [Full-Disclosure] Hi! :-)
    > 3370 Mar 16 nexus@patrol.i- ( 425) [Full-Disclosure] hi
    > 3371 Mar 03 psirt@cisco.com ( 426) [Full-Disclosure] stolen
    > 3372 Mar 01 psirt@cisco.com ( 428) [Full-Disclosure] unknown
    > 3373 Mar 13 nexus@patrol.i- ( 427) [Full-Disclosure] stolen
    > 3374 Jan 26 jyowell@kennedy ( 420) [Full-Disclosure] hello
    > 3375 Feb 05 nakal@web.de ( 420) [Full-Disclosure] Test
    > 3376 Jan 30 brian@pc-radio. ( 420) [Full-Disclosure] Server Report
    > 3377 Jan 26 http-equiv@exci ( 420) [Full-Disclosure] Status
    > 3378 Jan 27 jeff01@email.un ( 420) [Full-Disclosure] Status
    > 3379 Feb 04 jim@wangtrading ( 420) [Full-Disclosure] (no subject)
    > 3380 Feb 12 franjime@cisco. ( 422) [Full-Disclosure] HELLO
    > 3381 Feb 11 psirt@cisco.com ( 422) [Full-Disclosure] Hi
    > 3382 Jan 27 lsawyer@gci.com ( 422) [Full-Disclosure] hello
    > 3383 Jan 27 http-equiv@malw ( 422) [Full-Disclosure] (no subject)
    > 3384 Jan 28 jkarp@visionael ( 422) [Full-Disclosure] STATUS
    > 3385 Feb 07 jim@wangtrading ( 422) [Full-Disclosure] TEST
    > 3386 Mar 03 je@sekure.net ( 424) [Full-Disclosure] TEST
    > 3387 Feb 08 hobbit@avian.or ( 424) [Full-Disclosure] Server Report
    > 3388 Jan 30 psirt@cisco.com ( 424) [Full-Disclosure] (no subject)
    > 3389 Feb 09 psirt@cisco.com ( 441) [Full-Disclosure] hi
    > 3390 Feb 08 joel@helgeson.c ( 465) [Full-Disclosure] Error
    > 3391 Jan 27 lsawyer@gci.com ( 466) [Full-Disclosure] Status
    > 3392 Feb 26 psirt@cisco.com ( 494) [Full-Disclosure] something for you
    > 3393 Feb 26 psirt@cisco.com ( 494) [Full-Disclosure] something for you
    > 3394 Mar 16 phlox@comcast.n ( 496) [Full-Disclosure] greetings
    >
    >
    > Without exception, these are all virii-laden. Whether they got here by
    > malice or by chance, they all contain the following:
    >
    > Received: from NETSYS.COM (localhost [127.0.0.1])
    > by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175;
    > Tue, 16 Mar 2004 20:46:18 -0500 (EST)
    >
    > in the "Received: " sequence immediately following the two examples
    > below, varying only in the date and timestamp, and ESMTP id.
    >
    >
    > Comparing one virus to one known list member (http-equiv -- sorry!) we
    > can see an obvious forgery:
    >
    > Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124])
    > by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817
    > for <full-disclosure@lists.netsys.com>; Mon, 26 Jan 2004 17:44:39 -0500
    >
    > versus a presumable "real" post:
    >
    > Received: from mailrelay.megawebservers.com
    > (mailrelay1-2.megawebservers.com [216.251.35.241])
    > by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220
    > for <full-disclosure@lists.netsys.com>; Mon, 26 Jan 2004 19:01:43 -0500
    >
    >
    > What does this tell us? Virii are getting out via the list; whether
    > they are being transmitted inadvertently or deliberately is still open
    > to question...
    >
    >
    >
    > - John

    -- 
    "Save yourself from the 'Gates' of hell, use Linux." -- The_Kind @
    LinuxNet
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
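As an added example (not part of the thread above), the following Python script applies John Sage's comparison mechanically: it parses each "Received:" hop, takes the first (origin) hop, and flags a message when the name the sender announced in HELO does not share a registered domain with the reverse-DNS name the list's MTA recorded for the connecting IP. The two sample messages are constructed from the header shapes quoted in the thread; the From/Subject lines are made up.

```python
import re
from email import message_from_string

# Matches "from <helo> (<rdns> [<ip>])" inside a sendmail-style Received: header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)", re.I)

# Constructed sample: origin hop claims excite.com but connects from a san.rr.com host.
FORGED = """Received: from NETSYS.COM (localhost [127.0.0.1])
    by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175;
    Tue, 16 Mar 2004 20:46:18 -0500 (EST)
Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124])
    by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817
    for <full-disclosure@lists.netsys.com>; Mon, 26 Jan 2004 17:44:39 -0500
From: someone@example.invalid
Subject: [Full-Disclosure] Status

hi
"""

# Constructed sample: origin hop's HELO and reverse DNS agree on megawebservers.com.
GENUINE = """Received: from NETSYS.COM (localhost [127.0.0.1])
    by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01hU17221;
    Mon, 26 Jan 2004 19:01:44 -0500 (EST)
Received: from mailrelay.megawebservers.com
    (mailrelay1-2.megawebservers.com [216.251.35.241])
    by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220
    for <full-disclosure@lists.netsys.com>; Mon, 26 Jan 2004 19:01:43 -0500
From: someone@example.invalid
Subject: [Full-Disclosure] a real post

hello
"""

def hops(raw):
    """Return (helo, rdns, ip) for each parsable Received: header, oldest hop first."""
    msg = message_from_string(raw)
    found = []
    for hdr in reversed(msg.get_all("Received", [])):   # headers are newest-first
        m = RECEIVED_RE.search(hdr.replace("\n", " "))
        if m:
            found.append((m["helo"].lower(), m["rdns"].lower(), m["ip"]))
    return found

def base_domain(host):
    """Crude registered-domain guess: the last two DNS labels."""
    return ".".join(host.split(".")[-2:])

def suspicious_origin(raw):
    """True when the origin hop's HELO name and reverse-DNS name disagree."""
    found = hops(raw)
    if not found:
        return True   # nothing parsable is itself worth a look
    helo, rdns, _ip = found[0]
    return base_domain(helo) != base_domain(rdns)
```

The "localhost [127.0.0.1]" hop is the list's own re-injection and is present on genuine posts too, so the check deliberately looks only at the oldest hop.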
