[rescue] Crazy viruses from the list...

Thomas Gallaway rescue at port11.net
Mon May 24 21:27:38 CDT 2004


D.A. Muran-de Assereto wrote:

>It's one of the harvesters, not necessarily a list member.  I get viruses from
>myself all the time, and I KNOW I'm not infected.
>
>Dave
>
>On Mon, 24 May 2004 13:11:02 -0400, Thomas Gallaway wrote
>
>>Patrick Giagnocavo +1.717.201.3366 wrote:
>>
>>>On Mon, May 24, 2004 at 12:45:40PM -0400, William Enestvedt wrote:
>>>
>>>>Thomas Gallaway wrote:
>>>>
>>>>>I don't know but I have within the last 2 hours received 4 viruses
>>>>>from [an email address that's probably only for this list.]. All
>>>>>of which originated from
>>>>>
>>>>>Received: from 19-02.com (gtw13-2.esc13.net [170.76.20.253])
>>>>>
>>>>  I just got two more virus-laden email messages; their headers include
>>>>"<20040112131716.ga7951 at jdboyd.zill.net>" and "[170.76.20.253]" (which
>>>>is a group named AcNet Gobierno Mexicano who changed their DNS record a
>>>>week ago). The attachment, Your_money.vbs, was dropped by our mail
>>>>system.
>>>>
>>>This is a virus that randomly spoofs From: headers.  It spreads by
>>>reading Outlook's address book then spoofing itself as one of the
>>>addresses listed there.
>>>
>>>I have found it very difficult to trace these back to the infected box.
>>>
>>>The procmail anti-virus script (look on freshmeat.net) I have found to
>>>be helpful.  Along with running Mutt :-)
>>>
>>>Cordially
>>>
>>Yeah but I don't think it can spoof the received from header (IP of the 
>>gateway it originated from).
>>Actually all those are the same in my headers. Received a bunch more..
>>
>>-- Thomas
>>
Funny thing just is I usually NEVER get any spam/viruses on this 
account. Just today my inbox has been flooded with 2 different kinds of 
viruses and the day before I got a bunch of Nigerian spam messages.

Also the fact that the virus is using a From: address that is from the 
list most likely means it is somebody else on the list that received the 
From: email address somehow.

-- Thomas
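
The observation in this thread, that the From: address changes from message to message while the gateway IP in the Received: header stays the same, can be checked mechanically. The following is an added example, not part of the original messages: it groups mail by the relay IP in the topmost Received: header. The sample messages are constructed, and mx.example.org and the From: addresses are assumptions; the 170.76.20.253 Received: format is the one quoted above.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Bracketed client IP as written in a Received: header, e.g.
# "from 19-02.com (gtw13-2.esc13.net [170.76.20.253])".
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ip(raw_message):
    """Return the IP from the topmost Received: header, or None.

    Assumption: the topmost header was prepended by our own MTA. Any
    Received: lines below it came from the sending side and may be forged.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    match = RELAY_IP.search(received[0])
    return match.group(1) if match else None

def group_by_relay(raw_messages):
    """Map relay IP -> set of From: addresses claimed by mail from it."""
    groups = defaultdict(set)
    for raw in raw_messages:
        sender = parseaddr(message_from_string(raw).get("From", ""))[1]
        groups[relay_ip(raw)].add(sender.lower())
    return dict(groups)

def suspicious_relays(groups, min_senders=2):
    """Relays that delivered mail under several different From: addresses."""
    return sorted(ip for ip, senders in groups.items()
                  if ip is not None and len(senders) >= min_senders)

def _msg(sender, top_received, extra=""):
    return (f"Received: {top_received}\n{extra}From: {sender}\n"
            "Subject: test\n\nbody\n")

GATEWAY = "from 19-02.com (gtw13-2.esc13.net [170.76.20.253]) by mx.example.org"
SAMPLES = [  # constructed sample messages
    _msg("alice@list.example", GATEWAY),
    _msg("bob@list.example", GATEWAY,
         extra="Received: from forged.example ([198.51.100.7])\n"),
    _msg("carol@list.example",
         "from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org"),
]

if __name__ == "__main__":
    print(suspicious_relays(group_by_relay(SAMPLES)))
```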


