At 12:13 PM -0400 06/29/2002, Bill Cole wrote: >At 8:34 AM -0700 6/28/02, Warren Michelsen imposed structure on a stream of >electrons, yielding: >>Is this email just a virus at work? > >Yes, I think. There is weirdness here.
No kidding. >> >> >> >>Is the Return-path the likely infected source? > >Not likely. At first glance it looked like something out there is sending a virus >(probably Klez) from some infected machine where the owner has ><[EMAIL PROTECTED]> in a local address book. Klez uses random address book >entries as the Return-path on its mail, so when mail appearing to be from you hit the >MTA with this filter on it, it sent the bounce back to you. > >Then I looked again. This bounce just isn't right. It isn't coming from <> and it >isn't coming from anywhere near mossmotorsdodge.com. The immediate source is a >stupidly misconfigured Solaris machine running sendmail which seems to have no >connection to you, but seems like a possible nearest relay for what appears to be the >true origin, which is trying to claim to be "Lwkuuiokj" > >I think "Lwkuuiokj" is infected, and the bounce message itself is the viral vector, >made to look like a bounce of a viral vector. Thanks for your take on this. Normally I'd trash and ignore it but I've been getting a whole lot of klez-looking stuff and it all references mossmotorsdodge. Just wondering if there was someone I could notify, just in case there is someone there (wherever that is) that cares. -- "Your new computer's not gonna be a Mac? Dude, you're getting a Dull!" ############################################################# This message is sent to you because you are subscribed to the mailing list <[EMAIL PROTECTED]>. To unsubscribe, E-mail to: <[EMAIL PROTECTED]> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> Send administrative queries to <[EMAIL PROTECTED]>
