[H-GEN] Re: [H-ANNOUNCE] Virus spam warning

Tony Bilbrough mtbilbro at bigpond.net.au
Mon Mar 21 18:55:53 EST 2005


G'day All,
I too have been getting them for a wee while
BUT.............
1] they all purported to have come from the exec mail list, so I wrote 
back to the exec mail list for an explanation.
Mark Suter took the trouble to explain how to read the headers. Then it 
became obvious that Caliburn was not compromised. Mark's reply is 
pasted, just below Jason's laughing vivisection, for those that are 
interested.

2] the virus only shows up when a mailer is opened under a Windows 
operating system, and let's face it not too many Humbug members use that 
one, outside work hours!
However from a work place .........
I think that most businesses have suitable protection, by now, if they 
use a Windows OS? If not, the chances of you getting paid as a 
contractor, have suddenly diminished!!!!
- Under Debian & Thunderbird the note just shows as a load of strange 
ASCII symbols, with an .exe attachment, which quite obviously, there is 
not much point in opening. Not sure how it would affect XOver, with any 
MS office in it, but? Anyone know?

Thank you Mathew S. for taking the time to advise us all. Perhaps a 
little more technical explanation to go with it next time?

I guess that having followed the 'reply to ' discussion
with a lot of pleasure, this really underscores what a few of you were 
trying to point out.
...... vis [this case only, this point only]
The Suter Beast replied only to me, and not back to the exec list. So MS 
had no idea about the follow up explanation.
-[that discussion certainly had moved a long way away from the original 
'Software rules the world']

cheers Tony Bilbrough

> On Tue, Mar 22, 2005 at 02:07:37AM +1000, Matthew Sellers wrote:
> 
> 
>>If anyone receives a message similar to the above, they should delete and
>>disregard it. Do not open the attachment, it is malicious.

Jason Parker-Burlingham wrote:
> I have been getting copies of this virus for weeks now.  Why the late
> warning?  In fact, why bother warning at all?  Which virus is contained
> within the attachment?  Which systems are affected?  This warning
> strikes me as being of very questionable utility.
> 
> I'm very surprised to see a (presumably) Windows virus warning sent to a
> HUMBUG mailing list.  This is an event almost entirely without
> precedent; even Robert's announcements of vulnerabilities go to general
> or chat (I can't remember which).
> 
> jason, who dissects VB "viruses" for laughs
> 


Tony Bilbrough wrote and Mark Suter replied in line, thusly:


 >> just wondering if anyone else is getting these warnings?



I've received them, and ignored them.


 >> The header looks genuine [caliburn etc] - but it has the Netsky
 >> virus attached


This email genuinely went through Caliburn; however, it didn't come
from there.  Based on the Received: headers, it looks to have come from
128.61.42.87, gone through Caliburn and ended up in your Bigpond account.

     Received: from caliburn.humbug.org.au ([203.15.51.6])
	by imta02sl.mx.bigpond.com
	with ESMTP id <20050317181903.PZYB343.imta02sl.mx.bigpond.com at caliburn.humbug.org.au>
	for <mtbilbro at bigpond.net.au>; Thu, 17 Mar 2005 18:19:03 +0000
     Received: from r42h87.res.gatech.edu ([128.61.42.87] helo=humbug.org.au)
	by caliburn.humbug.org.au
	with esmtp (Exim 3.35 #1 (Debian)) id 1DBza8-0004dS-00
	for <exec at humbug.org.au>; Fri, 18 Mar 2005 04:18:52 +1000

As a rule, read from the newest down and stop at the last host
you recognise as being legitimate.  Confirm that entry from the
logs and that's where you leave it to "who knows?"

     $ ssh caliburn sudo grep 1DBza8-0004dS-00 /var/log/exim/mainlog
     $ ssh caliburn sudo grep 1DBza8-0004dS-00 /var/log/exim/mainlog.0
     2005-03-18 04:18:54 1DBza8-0004dS-00 <= postmaster at humbug.org.au H=r42h87.res.gatech.edu (humbug.org.au) [128.61.42.87] P=esmtp S=58057
     2005-03-18 04:18:57 1DBza8-0004dS-00 => bc at ripe.net <exec at humbug.org.au> R=lookuphost T=remote_smtp H=postman.ripe.net [193.0.0.199]
     2005-03-18 04:19:03 1DBza8-0004dS-00 ** clinton.roy at gmail.com <c.roy at humbug.org.au> R=lookuphost T=remote_smtp: SMTP error from remote mailer after end of data: host gsmtp171.google.com [64.233.171.27]: 552 5.7.0 Illegal Attachment
     2005-03-18 04:19:04 1DBza8-0004dS-00 => mtbilbro at bigpond.net.au <exec at humbug.org.au> R=lookuphost T=remote_smtp H=extmail.bpbb.bigpond.com [144.140.90.14]
     2005-03-18 04:19:05 1DBza8-0004dS-00 => suter at zwitterion.humbug.org.au <exec at humbug.org.au> R=lookuphost T=remote_smtp H=zwitterion.humbug.org.au [150.101.184.57]
     2005-03-18 04:19:08 1DBza8-0004dS-00 => humbug at hitcho.com.au <exec at humbug.org.au> R=lookuphost T=remote_smtp H=mail.hitcho.com.au [69.59.157.120]
     2005-03-18 04:19:08 1DBza8-0004dS-00 => msellers at bigpond.com <exec at humbug.org.au> R=lookuphost T=remote_smtp H=extmail.bigpond.com [144.140.90.13]
     2005-03-18 04:19:11 1DBza8-0004dS-00 ** bradm at internode.on.net <jiko at humbug.org.au> R=lookuphost T=remote_smtp: SMTP error from remote mailer after end of data: host bep.internode.on.net [203.16.214.250]: 554 Failure Found Worm.Mydoom.M-unp
     2005-03-18 04:19:12 1DBzaR-0004ds-00 <= <> R=1DBza8-0004dS-00 U=mail P=local S=59288
     2005-03-18 04:19:12 1DBza8-0004dS-00 Error message sent to postmaster at humbug.org.au
     2005-03-18 04:19:12 1DBza8-0004dS-00 Completed

Yours sincerely,

Mark Suter
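
The rule in Mark's reply (read the Received: headers from the newest down, stop at the last host you recognise, then confirm that hop in the mail log), as an added Python example that is not part of the original thread. The `TRUSTED` set and the function names are assumptions; the headers and the log line are copied from the message above.

```python
import re

# Received: headers from the message above, newest first, folded lines joined
# (addresses keep the archive's " at " obfuscation).
RECEIVED = [
    "from caliburn.humbug.org.au ([203.15.51.6]) by imta02sl.mx.bigpond.com"
    " with ESMTP id <20050317181903.PZYB343.imta02sl.mx.bigpond.com at"
    " caliburn.humbug.org.au> for <mtbilbro at bigpond.net.au>;"
    " Thu, 17 Mar 2005 18:19:03 +0000",
    "from r42h87.res.gatech.edu ([128.61.42.87] helo=humbug.org.au)"
    " by caliburn.humbug.org.au with esmtp (Exim 3.35 #1 (Debian))"
    " id 1DBza8-0004dS-00 for <exec at humbug.org.au>;"
    " Fri, 18 Mar 2005 04:18:52 +1000",
]
# Arrival ("<=") line from the Exim mainlog quoted above.
MAINLOG = [
    "2005-03-18 04:18:54 1DBza8-0004dS-00 <= postmaster at humbug.org.au"
    " H=r42h87.res.gatech.edu (humbug.org.au) [128.61.42.87] P=esmtp S=58057",
]
# Assumption: the hosts this reader recognises as legitimate.
TRUSTED = {"imta02sl.mx.bigpond.com", "caliburn.humbug.org.au"}

def parse_hop(header):
    """Pull peer name/IP/HELO, stamping host and id from one header (format as shown above)."""
    peer = re.search(r"from\s+(\S+)\s+\(\[([0-9.]+)\](?:\s+helo=([^\s)]+))?", header)
    by = re.search(r"\bby\s+(\S+)", header)
    mid = re.search(r"\bid\s+<?([^\s;>]+)", header)
    if not (peer and by):
        return None
    return {"name": peer.group(1), "ip": peer.group(2), "helo": peer.group(3),
            "by": by.group(1), "id": mid.group(1) if mid else None}

def last_trusted_hop(received, trusted):
    """Walk newest to oldest; stop at the first header not stamped by a trusted host."""
    last = None
    for header in received:
        hop = parse_hop(header)
        if hop is None or hop["by"] not in trusted:
            break  # everything from here down could have been written by the sender
        last = hop
    return last

def confirmed_in_log(hop, mainlog):
    """True if an Exim arrival line carries the same queue id and peer IP."""
    for line in mainlog:
        f = line.split()
        if len(f) > 3 and f[2] == hop["id"] and f[3] == "<=" and f"[{hop['ip']}]" in f:
            return True
    return False

if __name__ == "__main__":
    hop = last_trusted_hop(RECEIVED, TRUSTED)
    print(hop, confirmed_in_log(hop, MAINLOG))
```

The hop it returns is the one Caliburn stamped: the peer address is what Caliburn saw on the connection, while the `helo` value is only what the peer claimed to be.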



