hmm.. On Mon, Mar 22, 2004 at 11:32:53PM -0600, Paul Schmehl wrote: > From: "Paul Schmehl" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Subject: Re: [Full-Disclosure] viruses being sent to this list > Date: Mon, 22 Mar 2004 23:32:53 -0600
/* snippage */ > Not picking on you, your post is just a convenient point to jump in > to this "conversation", but I really wonder if anyone thinks before > they post any more. I read Gadi's post, and I happen to know him, > so I didn't instantly think he was an idiot or uninformed or naive. > Instead, I downloaded the entire raw archives of the list and > started grepping for patterns. What I've found so far is > suspicious. I won't post any results yet, because they're > incomplete, but suffice it to say that it is at least *possible* > that this list is deliberately being used to spread viruses. It's > equally possible that it's just the random seeding that viruses do > these days. I just don't know for sure yet, one way or the other. mutt is my MUA. Currently I have 4,924 assorted messages in ~/Mail/in-Full-Disclosure. Sorting by size, and picking a familiar size range, we see: 3368 Mar 22 [EMAIL PROTECTED] ( 421) [Full-Disclosure] Re: Thanks :) 3369 Mar 11 [EMAIL PROTECTED] ( 420) [Full-Disclosure] Hi! :-) 3370 Mar 16 [EMAIL PROTECTED] ( 425) [Full-Disclosure] hi 3371 Mar 03 [EMAIL PROTECTED] ( 426) [Full-Disclosure] stolen 3372 Mar 01 [EMAIL PROTECTED] ( 428) [Full-Disclosure] unknown 3373 Mar 13 [EMAIL PROTECTED] ( 427) [Full-Disclosure] stolen 3374 Jan 26 [EMAIL PROTECTED] ( 420) [Full-Disclosure] hello 3375 Feb 05 [EMAIL PROTECTED] ( 420) [Full-Disclosure] Test 3376 Jan 30 [EMAIL PROTECTED] ( 420) [Full-Disclosure] Server Report 3377 Jan 26 [EMAIL PROTECTED] ( 420) [Full-Disclosure] Status 3378 Jan 27 [EMAIL PROTECTED] ( 420) [Full-Disclosure] Status 3379 Feb 04 [EMAIL PROTECTED] ( 420) [Full-Disclosure] (no subject) 3380 Feb 12 [EMAIL PROTECTED] ( 422) [Full-Disclosure] HELLO 3381 Feb 11 [EMAIL PROTECTED] ( 422) [Full-Disclosure] Hi 3382 Jan 27 [EMAIL PROTECTED] ( 422) [Full-Disclosure] hello 3383 Jan 27 [EMAIL PROTECTED] ( 422) [Full-Disclosure] (no subject) 3384 Jan 28 [EMAIL PROTECTED] ( 422) [Full-Disclosure] STATUS 3385 Feb 07 [EMAIL PROTECTED] ( 422) [Full-Disclosure] TEST 3386 Mar 03 [EMAIL PROTECTED] ( 424) [Full-Disclosure] TEST 3387 Feb 08 [EMAIL PROTECTED] ( 424) [Full-Disclosure] Server Report 3388 Jan 30 [EMAIL PROTECTED] ( 424) [Full-Disclosure] (no subject) 3389 Feb 09 [EMAIL PROTECTED] ( 441) [Full-Disclosure] hi 3390 Feb 08 [EMAIL PROTECTED] ( 465) [Full-Disclosure] Error 3391 Jan 27 [EMAIL PROTECTED] ( 466) [Full-Disclosure] Status 3392 Feb 26 [EMAIL PROTECTED] ( 494) [Full-Disclosure] something for you 3393 Feb 26 [EMAIL PROTECTED] ( 494) [Full-Disclosure] something for you 3394 Mar 16 [EMAIL PROTECTED] ( 496) [Full-Disclosure] greetings Without exception, these are all virii-laden. Whether they got here by malice or by chance, they all contain the following: Received: from NETSYS.COM (localhost [127.0.0.1]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175; Tue, 16 Mar 2004 20:46:18 -0500 (EST) in the "Received: " sequence immediately following the two examples below, varying only in the date and timestamp, and ESMPT id. Comparing one virus to one known list member (http-equiv -- sorry!) we can see an obvious forgery: Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817 for <[EMAIL PROTECTED]>; Mon, 26 Jan 2004 17:44:39 -0500 versus a presumable "real" post: Received: from mailrelay.megawebservers.com (mailrelay1-2.megawebservers.com [216.251.35.241]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220 for <[EMAIL PROTECTED]>; Mon, 26 Jan 2004 19:01:43 -0500 What does this tell us? Virii are getting out via the list; whether they are being transmitted inadvertently or deliberately is still open to question... - John -- "Mad cow? You'd be mad too, if someone was trying to eat you." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html