Re: Spam (?) with virus (?) attachment from pci-powermacs list?

2003-03-09 Thread Robert Gray
>#2 of the three I received around 12 hours.
>Pci-digest #1013
>Pci-digest #941
>Welcome to collectable..

Those go back to 2001, don't they?

>Oh no! It's not me is it?

Don't get paranoid; get virus protection.  ;-)

-- 
Quadlist is sponsored by  and...

 Small Dog Electronics  http://www.smalldog.com   | Enter To Win A |
 -- Canon PowerShot Digital Cameras start at $299   |  Free iBook!   |

  Support Low End Mac 

Quadlist info:  
The FAQ:
  --> AOL users, remove "mailto:";
Send list messages to:  
To unsubscribe, email:  
For digest mode, email: 
Subscription questions: 
Archive: 

Using a Mac? Free email & more at Applelinks! http://www.applelinks.com



Re: Spam (?) with virus (?) attachment from pci-powermacs list?

2003-03-09 Thread Sque

Jason,
perhaps one of your emails, sent to one of the lists, is the basis of 
half the address. ;)
Two points:
1) the person may no longer be subbed to LEM lists at all.
The account these messages were sent to, I no longer use for LEM lists 
and haven't for a while.
2) the virus makes up a sending address from the infected machine's 
address book and tries to infect other addresses in the same address 
book by posting itself out to them, strange that the subject line 
hasn't varied.

When I'm a pc user I take some responsibility for what comes out of the 
machine, especially if the machine is used in public forums such as this. 
I do not wish to cause embarrassment to the infected machine's owner but 
I do hope all pc users follow some pretty basic security routines to 
help bolt down their OS and prevent it infecting others. More of the 
same goes for those IT types who feel updating the OS with security 
updates is a waste of their time, the patches have been around quite 
some time before W32 hit the web. There is very little excuse for not 
applying them.

A side note, using yahoo for lists seems to prevent viruses from being 
downloaded to my pc. If an infected message is on the server my client 
baulks at downloading messages until I use webmail to delete the 
offending message. Handy so far but not properly tested.

Jason White wrote:

>If it's not me, and if I am the only subscriber with a netnitco.net 
>(netnitco is a small ISP serving NW Indiana; it has about 10 access 
>numbers), then I'm guessing based on what pickle said above, that whoever 
>it is has emailed me in the past, probably more just a reply (if I'm in 
>their address book), and is subscribed to PCI-Powermacs list. 
>
>
>J White
>
>Buy American
>S.O.S. Save Our Steel
>
>
>  
>







Re: Spam (?) with virus (?) attachment from pci-powermacs list?

2003-03-09 Thread the pickle
The following header lines are common to every instance of the virus I've seen
thus far:

Received: from dialup-64.154.186.147.dial1.seattle1.level3.net
([64.154.186.147] helo=stanwoodhardware.)
by barry.mail.mindspring.net with smtp (Exim 3.33 #1)
id 18ro0j-0002Rk-00; Sat, 08 Mar 2003 18:45:50 -0500

It isn't anyone currently subbed to this list.  In the interest of saving the
infected party major embarrassment (he's an innocent bystander, like so many
others who run Windoze and don't run virus protection software) I won't name
names, but rest assured that the listmoms know who is involved and are taking
appropriate steps to rectify the problem.

Meanwhile, there doesn't appear to be much need to discuss this on the list any
further.  Anyone who has questions can contact me or one of the listmoms
off-list.
-- 

the pickle

FAQ 
_




Re: Spam (?) with virus (?) attachment from pci-powermacs list?

2003-03-09 Thread Jason White
>
>What has happened is a digest subscriber to that list has recently become
>infected with a virus.  The virus, being the devious little thing that it is,
>then does the following:
>
>1) picks out a user name from an address book entry (in this case,
>pci-powermacs, originating from [EMAIL PROTECTED])
>2) picks out a domain from an address book entry (in this case, someone whose
>e-mail is @netnitco.net)
>3) combines those to create a return e-mail address (what you see above)
>4) appends the beginning of an e-mail (probably the one used to harvest the
>user name, based on the fact that I have yet to see this with something *other*
>than a PCI-Powermacs digest as its contents) to a new e-mail message
>5) sets the subject of this e-mail message to that of the harvested e-mail (in
>the two cases where I got it, a PCI-Powermacs digest)
>6) sends the e-mail to everyone in that person's address book, using the faked
>from: address.
>
>Having examined the headers on the e-mail, I know - or have a pretty damn good
>idea - of *exactly* who is responsible for this.  I've let the listmom know and
>I've told the guy he needs to run a virus scan on his Windoze box.
>-- 
>
>the pickle

Oh no! It's not me is it? I'm guessing I'm the only person on any of 
these lists with a netnitco.net address. If it is, (off topic now) how 
would I go about finding the virus? I'm using an SE/30 with system 7.1 
and Claris Emailer 1.1.3 to handle the email for these lists (Compact 
Macs, Vintage Macs, QuadList, 1st PPC, PCI PPC, G list and LEM Swaplist) 
Would such a virus exist?

For what it's worth, I've only got the posting addresses for the various 
lists and a few family email addresses in my address book. I don't think 
I've got any list members' addresses in it at all.

If it's not me, and if I am the only subscriber with a netnitco.net 
(netnitco is a small ISP serving NW Indiana; it has about 10 access 
numbers), then I'm guessing based on what pickle said above, that whoever 
it is has emailed me in the past, probably more just a reply (if I'm in 
their address book), and is subscribed to PCI-Powermacs list. 


J White

Buy American
S.O.S. Save Our Steel





Re: Spam (?) with virus (?) attachment from pci-powermacs list?

2003-03-09 Thread Sque


Paul Tansom wrote:

>** Peter Heinemann <[EMAIL PROTECTED]> [2003-03-09 01:51]:
>  
>
>>Today I got mail from:
>>
>>[EMAIL PROTECTED]
>>
>>Never subscribed to pci-powermacs list, so the mail with the 100kb
>>attachment I received today looked very suspicious to me. I opened it as
>>source only and saw advertising from Smalldog and also something from
>>"Lowend Mac". Maybe someone has hijacked the database of a good list and now
>>sends out spam with viruses just to knock out Mac users.
>>
>>Maybe I am wrong, but if you haven't subscribed to pci-powermacs list and
>>get mail with attachments, better be careful and better do not open it...
>>
>>
>>
>** end quote [Peter Heinemann]
>
>Interesting, I've just had a welcome message to the Collectible Macs
>list on Yahoo!  I can't find any such list on Yahoo! and certainly
>haven't joined the list.  Hmmm.
>

.#2 of the three I received around 12 hours.
Pci-digest #1013
Pci-digest #941
Welcome to collectable..

mindspring.net is the common theme, bugbear is the virus.
No biggy for macs or pc's running current virus-defs.


>
>  
>







Re: Spam (?) with virus (?) attachment from pci-powermacs list?

2003-03-09 Thread Paul Tansom
** Peter Heinemann <[EMAIL PROTECTED]> [2003-03-09 01:51]:
> Today I got mail from:
> 
> [EMAIL PROTECTED]
> 
> Never subscribed to pci-powermacs list, so the mail with the 100kb
> attachment I received today looked very suspicious to me. I opened it as
> source only and saw advertising from Smalldog and also something from
> "Lowend Mac". Maybe someone has hijacked the database of a good list and now
> sends out spam with viruses just to knock out Mac users.
> 
> Maybe I am wrong, but if you haven't subscribed to pci-powermacs list and
> get mail with attachments, better be careful and better do not open it...
> 
** end quote [Peter Heinemann]

Interesting, I've just had a welcome message to the Collectible Macs
list on Yahoo!  I can't find any such list on Yahoo! and certainly
haven't joined the list.  Hmmm.

-- 
Paul Tansom:  -  contact [EMAIL PROTECTED] for more information
Internet and Intranet Solutions   --   http://www.aptanet.com/




Re: Spam (?) with virus (?) attachment from pci-powermacs list?

2003-03-08 Thread Sque
3 all told today.
Bugbear, you have to love the way new clients save all the addresses.
I don't think Mac users have anything to worry about.
The address is probably generated by the virus on the infected machine. 
In other words bogus.
mindsprings.com, if you run a pc you have to run a virus checker if you 
don't, don't sub to mailing lists. Simple.
Still looking forward to that bottle, pickle.

Peter Heinemann wrote:

Today I got mail from:

[EMAIL PROTECTED]

Never subscribed to pci-powermacs list, so the mail with the 100kb
attachment I received today looked very suspicious to me. I opened it as
source only and saw advertising from Smalldog and also something from
"Lowend Mac". Maybe someone has hijacked the database of a good list and now
sends out spam with viruses just to knock out Mac users.
Maybe I am wrong, but if you haven't subscribed to pci-powermacs list and
get mail with attachments, better be careful and better do not open it...
-Peter





 








Re: Spam (?) with virus (?) attachment from pci-powermacs list?

2003-03-08 Thread the pickle
At 02:51 +0100 on 09/03/03, Peter Heinemann wrote:

>Today I got mail from:
>
>[EMAIL PROTECTED]

The from address isn't useful as diagnosis here.

What has happened is a digest subscriber to that list has recently become
infected with a virus.  The virus, being the devious little thing that it is,
then does the following:

1) picks out a user name from an address book entry (in this case,
pci-powermacs, originating from [EMAIL PROTECTED])
2) picks out a domain from an address book entry (in this case, someone whose
e-mail is @netnitco.net)
3) combines those to create a return e-mail address (what you see above)
4) appends the beginning of an e-mail (probably the one used to harvest the
user name, based on the fact that I have yet to see this with something *other*
than a PCI-Powermacs digest as its contents) to a new e-mail message
5) sets the subject of this e-mail message to that of the harvested e-mail (in
the two cases where I got it, a PCI-Powermacs digest)
6) sends the e-mail to everyone in that person's address book, using the faked
from: address.

Having examined the headers on the e-mail, I know - or have a pretty damn good
idea - of *exactly* who is responsible for this.  I've let the listmom know and
I've told the guy he needs to run a virus scan on his Windoze box.
-- 

the pickle

FAQ 
_
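
An added example, not part of any poster's message: since the forged From: built by the six steps above is useless for diagnosis, this Python sketch reads the top `Received:` hop instead (the Exim line quoted elsewhere in this thread) and groups messages by the IP that actually connected. The From: addresses, subjects and function names are constructed for illustration, and the top-most `Received:` is assumed to come from the recipient's own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: the Received: line is the one quoted in this thread;
# the From: addresses and subjects are made up to mimic the forging steps.
RECEIVED = (
    "from dialup-64.154.186.147.dial1.seattle1.level3.net\n"
    "\t([64.154.186.147] helo=stanwoodhardware.)\n"
    "\tby barry.mail.mindspring.net with smtp (Exim 3.33 #1)\n"
    "\tid 18ro0j-0002Rk-00; Sat, 08 Mar 2003 18:45:50 -0500"
)
SAMPLES = [
    f"Received: {RECEIVED}\nFrom: pci-powermacs@netnitco.net\n"
    "Subject: Pci-digest #1013\n\nbody\n",
    f"Received: {RECEIVED}\nFrom: collectible@example.org\n"
    "Subject: Welcome\n\nbody\n",
]

# Exim-style hop: from <rdns> ([<ip>] helo=<name>) by <receiving server>
HOP = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\s+helo=(?P<helo>[^)\s]+)\)"
    r"\s+by\s+(?P<by>\S+)"
)

def origin(raw):
    """Parse the top Received: hop and compare it with the claimed From: domain."""
    msg = message_from_string(raw)
    # Assumption: the top-most Received: was added by the recipient's own
    # mail server; anything below it could have been supplied by the sender.
    top = " ".join((msg.get_all("Received") or [""])[0].split())
    m = HOP.search(top)
    if not m:
        return None
    hop = m.groupdict()
    dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = hop["rdns"].lower()
    hop["from_domain"] = dom
    # A forged From: domain has no relation to the connecting host's name.
    hop["from_matches_origin"] = bool(dom) and (rdns == dom or rdns.endswith("." + dom))
    return hop

def cluster_by_ip(raws):
    """Group the claimed From: domains by the IP that actually connected."""
    groups = {}
    for hop in filter(None, map(origin, raws)):
        groups.setdefault(hop["ip"], set()).add(hop["from_domain"])
    return groups

print(cluster_by_ip(SAMPLES))
```

Two different From: domains collapsing onto one connecting IP is the pattern the header comparison in this thread relies on.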
