HP3000-L Archives

September 2003, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Roy Brown <[log in to unmask]>
Reply To: Roy Brown <[log in to unmask]>
Date: Mon, 22 Sep 2003 20:44:10 +0100

In message <[log in to unmask]>, John Lee <[log in to unmask]> writes
>Good (or bad) Morning:
>
>It's Monday and I'm still getting these.  My ISP theorizes that someone (or
>more than one) on the 3000L is infected and their system(s) are
>broadcasting these messages.

It could be, and much more probably is, someone who is on
comp.sys.hp.mpe, where the worm is reading their Usenet traffic, not
their Address Book.

Do you know anyone suffering from this worm who isn't an active and
recent poster to Usenet? (For which purpose, HP3000-L counts).

> My email program is unable to capture the
>full header.  Can anyone else capture a full header and send it to me?

I can get you hundreds :-( But as I'm active in several Usenet
newsgroups, I wouldn't know which ones result just from my HP3000-L
use...

Given the volumes of these things, there can't be just one attacker,
though; there's not enough time in the day to generate them all, even on
broadband. It's an army of zombified PCs, all across the nation. And
probably the world...

>  MY
>ISP is willing to look at it and try to decipher where it's coming from.

Get the kind person at your ISP to post to comp.sys.hp.mpe, using any
name that doesn't have 'delete' or 'spam' in it. Within hours, he should
have more than enough copies of his own to work on.....

>This morning I received over 100 unsolicited emails containing executable
>files.  Obviously, this presents several problems.  Most are from the
>following:
>
>Delivered-To: [log in to unmask]
>From: "Microsoft Corporation Program Security Center"
><[log in to unmask]>
>To: "User" <[log in to unmask]>
>SUBJECT: Current Internet Critical Upgrade
>Date: Fri, 19 Sep 2003 14:40:33 +0800

>Does anyone have ideas about:
>1.  Filtering software to block emails that carry .exe files?

Lots of email software can, lots of spam filters can, lots of specialist
programs can.

More to the point, what's this very limited email software you are using
that can't even show you headers?

>2.  How to trace the perpetrators?

The FBI will be doing that right now. Your stuff, though, is coming from
a few, or a lot, of people who
(a) got fooled by this thing and installed it
(b) read one or more Usenet postings you made.

Do you post to any Usenet groups other than (indirectly via HP3000-L)
comp.sys.hp.mpe, with the address above? Perhaps some other hp ones, or
some microsoft support ones?

Unless the answer is no, you can't even be sure that HP3000-L is what
got you targeted :-(

>I know that there are more informed minds on this list than mine!

(Hey, you ought to meet the guys whose brains I'm picking!!)
--
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
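
The thread asks about filtering mail that carries .exe files. The sketch below is an example added to this archive page, not code from the message or from any list member: it walks a message's MIME parts and flags attachments by extension and by the DOS/PE "MZ" header, so a renamed executable is still caught. The extension list and the example.invalid addresses are assumptions; the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable (an assumption for this example; adjust to local policy).
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def executable_parts(raw: bytes):
    """Return [(filename, reason)] for every leaf MIME part that looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        # decode=True undoes base64 / quoted-printable so the real bytes are inspected
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXT:
            hits.append((name, "extension"))
        elif payload[:2] == b"MZ":
            # DOS/PE executables start with "MZ" whatever the file is called
            hits.append((name, "MZ header"))
    return hits


def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed test message using the Subject and display name quoted in the thread."""
    m = EmailMessage()
    m["From"] = '"Microsoft Corporation Program Security Center" <sender@example.invalid>'
    m["To"] = '"User" <user@example.invalid>'
    m["Subject"] = "Current Internet Critical Upgrade"
    m.set_content("Constructed sample body.")
    m.add_attachment(content, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, data in [("upgrade.exe", b"MZ\x90\x00"),
                        ("readme.txt", b"MZ\x90\x00constructed"),
                        ("notes.txt", b"plain constructed text")]:
        print(fname, executable_parts(build_sample(fname, data)))
```
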
