HP3000-L Archives

May 2004, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Roy Brown <[log in to unmask]>
Reply To: Roy Brown <[log in to unmask]>
Date: Mon, 3 May 2004 19:08:40 +0100
In message <4E5A2C0A6997D811B58800A0C9C551501A3109@ashland01msx>,
"Gates, Scott" <[log in to unmask]> writes
>Admit it, you did.  <GRIN>
>
>I've gotten a few spams from list serv members, including one with my name
>as sender.   I think one of us out there has a spamming virus that's walking
>through their inbox and harvesting addresses.
>
>Spambayes caught both of them.   It's a *FREE* spam filter that attaches to
>Micro$oft LOOK-OUT! And works PRETTY well once you get it trained up.
>
>You all can find it at http://spambayes.sourceforge.net/

The same thing that happened to Andreas just happened to me - a posting
here was made with my identity, but forged, and not by me.

Looking at the Andreas forged posting headers, the first (lowest)
Received: header is:

Received: from raven.utc.edu (68.113.140.156) by raven.utc.edu (LSMTP
for Windows NT v1.1b) with SMTP id <[log in to unmask]>; Thu, 29
Apr 2004 21:10:40 -0400

which looks like it came from raven.utc.edu, though that's probably
forged too: the less-easily-forgeable IP address 68.113.140.156 resolves
to:

Charter Communications CHARTER-NET-6BLK (NET-68-112-0-0-1)
                                   68.112.0.0 - 68.119.255.255
Charter Communications CHRLSTN-WV-68-113-128 (NET-68-113-128-0-1)
                                   68.113.128.0 - 68.113.143.255

whereas raven has its own IP space in reality.

We then start to worry though (which is no doubt the intention): was
that *really* Scott Gates who replied here, or the spammer [1] again?

But comparing headers with 'known good' messages from Scott seems to
reveal that it is indeed he :-)

[1] I don't know about 'the spammer'. My forgery came from a UK address
in NTL Blueyonder's address space, AFAICT; quite different from Andreas'
forgery. That smacks of zombified [2] PCs being used to launch these
attacks. But why? I fear we shall soon find out....

[2] Modern-day viruses and Trojans no longer simply destroy their hosts,
like the olden-day ones did. Instead, they infect a range of PCs, all of
which 'phone home' to say they've been zombified, and then await
instructions on what mischief to wreak - a concerted DDOS (Distributed
Denial of Service) attack, perhaps, where thousands of PCs
simultaneously bombard a website with messages. Or maybe just a 'who the
hell said that?' attack on a mailing list, like this.

Seems to be mail, though; an HP3000-L thing, rather than a
comp.sys.hp.mpe thing. And it knows it has to pretend to be a subscriber
to get through, though that's hardly unusual on a mailing list...

Further oddities are awaited with trepidation; is Jeff going to need to
start checking that our fides are really bona before long?

--
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
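
The header check described in the message above, as an added example that is not part of the original post: it takes the lowest Received: header, compares the name the client announced with the address it connected from, and tests that address against the Charter range quoted in the whois output. The upper Received: line and the 192.0.2.0/24 network standing in for the list server's own address space are constructed placeholders, since the post does not give raven's real range.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample. The lower Received: line is the one quoted in the post
# (its id is masked by the archive); every other header is a placeholder.
RAW = """\
Received: from raven.utc.edu (192.0.2.10) by mx.example.org; Thu, 29 Apr 2004 21:10:45 -0400
Received: from raven.utc.edu (68.113.140.156) by raven.utc.edu (LSMTP
 for Windows NT v1.1b) with SMTP id <[log in to unmask]>; Thu, 29
 Apr 2004 21:10:40 -0400
From: placeholder@example.org
Subject: constructed sample

body
"""

HOP_RE = re.compile(r"from\s+([\w.-]+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+([\w.-]+)")

# The Charter allocation quoted in the post, given as start and end addresses.
CHARTER = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("68.113.128.0"), ipaddress.ip_address("68.113.143.255")))
# Placeholder for the list server's real networks, which the post does not give.
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def first_hop(raw):
    """Return (claimed name, connecting IP, receiving host) from the lowest Received: header."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        raise ValueError("no Received: headers")
    m = HOP_RE.search(received[-1])  # headers are prepended, so the last one is the earliest hop
    if not m:
        raise ValueError("unrecognised Received: format")
    return m.group(1), ipaddress.ip_address(m.group(2)), m.group(3)

def assess(raw, own_nets=OWN_NETS):
    """Compare the announced name with the connecting address for the earliest hop."""
    claimed, ip, receiver = first_hop(raw)
    inside = any(ip in net for net in own_nets)
    return {
        "claimed": claimed,
        "ip": str(ip),
        "in_charter_block": any(ip in net for net in CHARTER),
        # The client used the receiving server's own name from outside its networks.
        "name_spoofs_receiver": claimed.lower() == receiver.lower() and not inside,
    }

if __name__ == "__main__":
    print(assess(RAW))
```

Only the Received: line written by a server you control is worth parsing this way; anything below it was supplied by the sender.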
