email virus == over the top

2003-08-21 Thread neal rauhauser


  No one loves me and I don't get much email from the folks who tolerate
me. I just got back from having lunch with some guys who tolerate me and
I found scads of messages from all over - the funniest among the bunch
for our Nanog readers:

user@cisco.com
user@tacnet.com
user@wcom.com
user@sprint.com


  Looks like my internetwork equipment vendor and my two favorite peers
have their Windoze stuff in a complete state of 'higgledy piggledy' - a
technical term from Bloom County cartoons, for those not old enough to
remember.


  I hate to rub it in, but I've got fifty days of uptime on everything
I'm responsible for and the only reason it isn't a hundred and fifty is
due to me taking them down for an OS upgrade.
  
root 1  0.0  0.1   5520  ??  ILs   3Jul03   0:01.56
/sbin/init --


  Windows is a question presented to each of us. Some find their answer
here == http://freebsd.org


Re: email virus == over the top

2003-08-21 Thread Mike Tancsa


Probably not. The virus grabs a From address at random from the infected 
person's email inbox.  So it's more likely someone who has got mail FROM 
those people rather than those people. See
http://vil.nai.com/vil/content/v_100561.htm

To quote,
The From: address may be spoofed with an address extracted from the 
victim machine.

---Mike

At 10:10 AM 21/08/2003 -0500, neal rauhauser wrote:

user@cisco.com
user@tacnet.com
user@wcom.com
user@sprint.com
  Looks like my internetwork equipment vendor and my two favorite peers
have their Windoze stuff in a complete state of 'higgledy piggledy' - a





Re: email virus == over the top

2003-08-21 Thread Joel Jaeggli

On Thu, 21 Aug 2003, neal rauhauser wrote:

 
 
   No one loves me and I don't get much email from the folks who tolerate
 me. I just got back from having lunch with some guys who tolerate me and
 I found scads of messages from all over - the funniest among the bunch
 for our Nanog readers:
 
 user@cisco.com
 user@tacnet.com
 user@wcom.com
 user@sprint.com

It (Sobig) forges the source email address using the same set of files
that it looks in to find email addresses to send to... So all you can
insure is that the user sending it to you is on some mailing list you're
on or your email address is in their browser cache someplace... you have 
to look at the source IP address for the first hop to identify the 
culprit...

joelja
 
 
   Looks like my internetwork equipment vendor and my two favorite peers
 have their Windoze stuff in a complete state of 'higgledy piggledy' - a
 technical term from Bloom County cartoons, for those not old enough to
 remember.
 
 
   I hate to rub it in, but I've got fifty days of uptime on everything
 I'm responsible for and the only reason it isn't a hundred and fifty is
 due to me taking them down for an OS upgrade.
   
 root 1  0.0  0.1   5520  ??  ILs   3Jul03   0:01.56
 /sbin/init --
 
 
   Windows is a question presented to each of us. Some find their answer
 here == http://freebsd.org
 

-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




Re: email virus == over the top

2003-08-21 Thread Steve Carter

Even they don't like you dude ... the sources are forged ... :)

-Steve

* neal rauhauser said:
 
 
   No one loves me and I don't get much email from the folks who tolerate
 me. I just got back from having lunch with some guys who tolerate me and
 I found scads of messages from all over - the funniest among the bunch
 for our Nanog readers:
 
 user@cisco.com
 user@tacnet.com
 user@wcom.com
 user@sprint.com
 
 
   Looks like my internetwork equipment vendor and my two favorite peers
 have their Windoze stuff in a complete state of 'higgledy piggledy' - a
 technical term from Bloom County cartoons, for those not old enough to
 remember.
 
 
   I hate to rub it in, but I've got fifty days of uptime on everything
 I'm responsible for and the only reason it isn't a hundred and fifty is
 due to me taking them down for an OS upgrade.
   
 root 1  0.0  0.1   5520  ??  ILs   3Jul03   0:01.56
 /sbin/init --
 
 
   Windows is a question presented to each of us. Some find their answer
 here == http://freebsd.org


Re: email virus == over the top

2003-08-21 Thread JC Dill
At 08:10 AM 8/21/2003, neal rauhauser wrote:

  No one loves me and I don't get much email from the folks who tolerate
me. I just got back from having lunch with some guys who tolerate me and
I found scads of messages from all over - the funniest among the bunch
for our Nanog readers:
user@cisco.com
user@tacnet.com
user@wcom.com
user@sprint.com
  Looks like my internetwork equipment vendor and my two favorite peers
have their Windoze stuff in a complete state of 'higgledy piggledy' - a
technical term from Bloom County cartoons, for those not old enough to
remember.
Today's problem virus forges the From field.  So all those emails 
from user@cisco/tacnet/wcom/sprint were sent from an infected computer 
(or computers) that had those email addresses in it.  Probably from a 
computer on a competitor's network.  You need to look at the Received 
headers to find out where the emails are *really* coming from.

jc
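Joel's and JC's replies above both give the same procedure: ignore the From: line and read the Received: headers back to the first hop. The following is an added worked example of that procedure, written for this page by the editor and not code from any poster; the message it parses, and every host name and address in it (RFC 5737 documentation ranges), are constructed placeholders, and the set of "trusted" relays is an assumption you would replace with your own MTAs.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample, shaped like the Sobig.F mail the thread discusses: the
# From: line is an address lifted from the infected machine, while each
# Received: line was stamped by a relay as the message passed through it
# (newest on top). Hosts and addresses are placeholders from the RFC 5737
# documentation ranges, not real systems.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.7])
    by mail.example.org (Postfix) with ESMTP id 4C2B1F;
    Thu, 21 Aug 2003 10:09:58 -0500
Received: from cisco.com (dsl-45.pool.example-isp.net [192.0.2.45])
    by mx1.example.net (8.12.9/8.12.9) with SMTP id h7LF9qXa012345;
    Thu, 21 Aug 2003 10:09:52 -0500
From: user@cisco.com
To: postmaster@example.org
Subject: Re: Thank you!
Message-Id: <constructed-example@example-isp.net>

See the attached file for details.
"""

# "from <helo-name> (<reverse-dns> [<peer-ip>]) by <receiver>": the helo name
# is whatever the connecting client said; the parenthesised part is what the
# receiving MTA itself observed about the TCP peer.
_FROM_CLAUSE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*\(\s*(?P<rdns>[^\s()\[]+)?\s*"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]",
    re.IGNORECASE,
)
_BY_CLAUSE = re.compile(r"\bby\s+(?P<by>\S+)", re.IGNORECASE)


def parse_received_chain(raw_message):
    """Return the Received: hops as dicts, oldest hop first.

    Relays prepend their Received: line, so the last header in the message
    is the hop closest to the sender. Folded continuation lines are joined.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())
        m = _FROM_CLAUSE.match(text)
        by = _BY_CLAUSE.search(text)
        ip = None
        if m:
            try:
                ip = str(ipaddress.ip_address(m.group("ip")))
            except ValueError:
                ip = None  # malformed literal: keep the hop, drop the address
        hops.append({
            "helo": m.group("helo") if m else None,
            "rdns": m.group("rdns") if m else None,
            "ip": ip,
            "by": by.group("by") if by else None,
        })
    return hops


def originating_hop(hops, trusted_hosts):
    """Pick the oldest hop that was recorded by a relay we trust.

    Walking from the newest hop back, every line written "by" one of our own
    relays is believable; the first line written by an outside host may have
    been invented by the sender. The peer IP recorded by the last trusted hop
    is therefore the best evidence of where the message really entered.
    """
    chosen = None
    for hop in reversed(hops):  # newest first
        if hop["by"] not in trusted_hosts:
            break
        chosen = hop
    return chosen


def assess_sender(raw_message, trusted_hosts):
    """Separate what the headers prove from what the sender merely claimed."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    origin = originating_hop(parse_received_chain(raw_message), trusted_hosts)
    if origin is None:
        return {"from_address": from_addr, "origin_ip": None}
    rdns = (origin["rdns"] or "").lower()
    helo = (origin["helo"] or "").lower()
    return {
        "from_address": from_addr,         # sender-chosen, forgeable
        "helo_claim": origin["helo"],      # sender-chosen, forgeable
        "origin_ip": origin["ip"],         # observed by our own relay
        "origin_rdns": origin["rdns"],     # looked up by our own relay
        "helo_matches_rdns": helo == rdns,
        "origin_matches_from_domain": rdns == from_domain
        or rdns.endswith("." + from_domain),
    }


if __name__ == "__main__":
    # Assumed set of relays whose Received: lines we believe.
    report = assess_sender(SAMPLE_MESSAGE, {"mail.example.org", "mx1.example.net"})
    for key, value in report.items():
        print(f"{key}: {value}")
    # Susan's follow-up step, printed as a command to run by hand.
    print(f"whois -h whois.arin.net {report['origin_ip']}")
```

The two mismatch flags are only hints: plenty of legitimate mail is sent through a relay whose reverse name has nothing to do with the From: domain, so a mismatch justifies looking at the origin IP, not concluding anything about the address in From:. The one field that is not under the sender's control is the peer IP stamped by your own relay, which is why the thread keeps pointing at it.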




Re: email virus == over the top

2003-08-21 Thread Valdis . Kletnieks
On Thu, 21 Aug 2003 10:10:12 CDT, neal rauhauser [EMAIL PROTECTED]  said:

   No one loves me and I don't get much email from the folks who tolerate
 me. I just got back from having lunch with some guys who tolerate me and
 I found scads of messages from all over - the funniest among the bunch
 for our Nanog readers:
 
 user@cisco.com
 user@tacnet.com
 user@wcom.com
 user@sprint.com

   Looks like my internetwork equipment vendor and my two favorite peers
 have their Windoze stuff in a complete state of 'higgledy piggledy' - a

No, it looks like some poor schmuck who happened to have those e-mail
addresses somewhere on the disk has their Windows system in trouble.

W32/SoBig-F is known to forge the From: field.  Which explains why I've gotten
at least 103 "you sent us a virus" postings regarding my Linux laptop.. ;)

Which of course just goes to show that people can be behind the knowledge curve
no matter *what* operating system they happen to be using.




Re: email virus == over the top

2003-08-21 Thread Joseph McDonald

Email for me is becoming more of a pain in the ass than it's worth..



On Thu, Aug 21, 2003 at 10:10:12AM -0500, neal rauhauser wrote:
 
 
   No one loves me and I don't get much email from the folks who tolerate
 me. I just got back from having lunch with some guys who tolerate me and
 I found scads of messages from all over - the funniest among the bunch
 for our Nanog readers:
 
 user@cisco.com
 user@tacnet.com
 user@wcom.com
 user@sprint.com
 
 
   Looks like my internetwork equipment vendor and my two favorite peers
 have their Windoze stuff in a complete state of 'higgledy piggledy' - a
 technical term from Bloom County cartoons, for those not old enough to
 remember.
 
 
   I hate to rub it in, but I've got fifty days of uptime on everything
 I'm responsible for and the only reason it isn't a hundred and fifty is
 due to me taking them down for an OS upgrade.
   
 root 1  0.0  0.1   5520  ??  ILs   3Jul03   0:01.56
 /sbin/init --
 
 
   Windows is a question presented to each of us. Some find their answer
 here == http://freebsd.org


Re: email virus == over the top

2003-08-21 Thread neal rauhauser



  I prefer to think of it as having evolved to a higher plane of
existence :-)



[EMAIL PROTECTED] wrote:
 
 On Thu, 21 Aug 2003 10:10:12 CDT, neal rauhauser [EMAIL PROTECTED]  said:
 
No one loves me and I don't get much email from the folks who tolerate
  me. I just got back from having lunch with some guys who tolerate me and
  I found scads of messages from all over - the funniest among the bunch
  for our Nanog readers:
 
  user@cisco.com
  user@tacnet.com
  user@wcom.com
  user@sprint.com
 
Looks like my internetwork equipment vendor and my two favorite peers
  have their Windoze stuff in a complete state of 'higgledy piggledy' - a
 
 No, it looks like some poor schmuck who happened to have those e-mail
 addresses somewhere on the disk has their Windows system in trouble.
 
 W32/SoBig-F is known to forge the From: field.  Which explains why I've gotten
 at least 103 "you sent us a virus" postings regarding my Linux laptop.. ;)
 
 Which of course just goes to show that people can be behind the knowledge curve
 no matter *what* operating system they happen to be using.
 
   


Re: email virus == over the top

2003-08-21 Thread Susan Zeigler

neal rauhauser wrote:
 
   No one loves me and I don't get much email from the folks who tolerate
 me. I just got back from having lunch with some guys who tolerate me and
 I found scads of messages from all over - the funniest among the bunch
 for our Nanog readers:
 
 user@cisco.com
 user@tacnet.com
 user@wcom.com
 user@sprint.com
 
   Looks like my internetwork equipment vendor and my two favorite peers
 have their Windoze stuff in a complete state of 'higgledy piggledy' - a
 technical term from Bloom County cartoons, for those not old enough to
 remember.
 
--snip--


Aww, Neal, you know that I still love you and send you email from time
to time;)

In some cases you can determine the infected machine from the IP in the
header. Of course, if that IP is dynamically assigned it's a little
harder. If the volume of email from one source IP gets too high, a
friendly call to their company or ISP might get results--a lookup of the
IP at whois.arin.net should give you the contact info you need.

This virus has been a royal pain for me. My personal, work, postmaster
and webmaster accounts have finally dropped off receiving it, but if
anyone wants the more than several thousand I received Tues. and Wed.,
they're welcome to it.

Anyway, just a note on the consequences here. Each time one of these
silly things that forge sender addresses hits, the number of possible
future infectees who have your email address increases. Let's say that
your brother was infected by Klez. His computer sent out a bunch of
emails as other people--some of them as you. One of those folks gets
infected. Their computer sends out a bunch of emails as other
people--some of them as you. Now you've got people that are friends and
co-workers of other friends that were infected. Each time that circle
gets larger and the number of folks who potentially have your email
address somewhere on their system widens. THIS SUCKS!

The postmaster account is by far the worst one as far as receiving. 

If anyone ever finds out where to send the bill and the firing squad,
I'll be at the front of the line;)


--
-Susan
--
Susan Zeigler |  Technical Services
[EMAIL PROTECTED]   |  Spindustry Systems
515.225.0920  |  


You cannot strengthen the weak by weakening the strong. 
-- Abraham Lincoln