[extropy-chat] Mail Delivery (failureextropy-chat at lists.extropy.org)

Kevin Freels kevinfreels at hotmail.com
Thu Apr 8 14:41:06 UTC 2004


HAL,
You scared the heck out of me. But I don;t think it is me. But it still
worries me.

I update my virus signatures for my VCOM system suite twice per day. Once in
the morning, and once in the evening.

After reading your amazingly clear message, I thought that it may be missing
something. I went to the trend micro website and did their online virus
scan.

When it didn;t find anything, I went to the Panda website for their online
virus scan.
Still nothing.

I am running Win2k prof with all of the service packs and zone alarm Pro. I
do complete virus scans (all files) each night when I go to bed.

Is there anythign I can be missing? Any suggestions? Nothing is showing up
here, but your message has me all freaked out.  I am on SBC Yahoo and my IP
at this moment is 66.72.x.x but that 67.38.x.x looks familiar.

Thanks!
Kevin Freels




----- Original Message ----- 
From: "Hal Finney" <hal at finney.org>
To: <extropy-chat at lists.extropy.org>
Sent: Tuesday, April 06, 2004 7:32 PM
Subject: RE: [extropy-chat] Mail Delivery
(failureextropy-chat at lists.extropy.org)


> I can provide some information about this.  I read my extropians mail
> in text mode on a Linux box by running "less" over the mailbox file.
> So I see all the information that is available.
>
> I received the virus message, and I assume that all other list subscribers
> did so as well.  Some of you may not have seen it in case some anti-virus
> software or filter deleted it.
>
> The virus was actually included in the message.  The attachment was
> not scrubbed by the list.
>
> The attachment containing the virus looked like:
>
> > ------=_NextPart_000_001B_01C0CA80.6B015D10
> > Content-Type: audio/x-wav;
> >         name="message.scr"
> > Content-Transfer-Encoding: base64
> > Content-ID: <031401Mfdab4$3f3dL780$73387018 at 57W81fa70Re>
> >
> > TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUAAEwBAwAAAAAA
> > AAAAAAAAAADgAA8BCwEAAAAEAAAAcgAAAAAAAAAgAQAAEAAAACAAAAAAQAAAEAAAAAIAAAQA
> > [approximately 600 lines deleted]
> > AzjqrwAAAeAgcEAOS0VSTmBMMzIuZHFs4EbobwZzZUhhbhjtwFpyPml0OkZuFb6/KWELHEEd
> > Vp96R29mUudzUXVyY582Tzqpaw1iYWQWEElpbrZueko9dE2+ZClsXbMiRvFweUlSm+R0RkTA
> > JFfBa293c0TfPuRj+ep5pTmgLRROYW1MhlBy8PJk45xMc2p2H0xpYjtTLz5UUJNDz+5uNA0Y
> > TGG8RXLcXOvFjE11CHjMTgMAAAAAAAAAAAAAAAAA
> >
> > ------=_NextPart_000_001B_01C0CA80.6B015D10--
>
> I'm not sure how most mail clients would display this attachment; as
> Eugen has noted, his PGP signature attachments are generally not handled
> well after passing through the list server, because they get wrapped or
> encapsulated in another MIME layer to allow the list to add its standard
> 3-line trailer that appears at the end of every message.
>
> The part about the attachment being saved at the list is fake:
>
> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> > <HTML><HEAD>
> > <META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
> > <META content="MSHTML 5.00.2920.0" name=GENERATOR>
> > <STYLE></STYLE>
> > </HEAD>
> > <BODY bgColor=#ffffff>If the message will not displayed
automatically,<br>
> > follow the link to read the delivered message.<br><br>
> > Received message is available at:<br>
> > <a href=cid:031401Mfdab4$3f3dL780$73387018 at 57W81fa70Re height=0
width=0>ww
> > w.lists.extropy.org/inbox/extropy-chat/read.php?sessionid-27444</a>
> > <iframe
> > src=cid:031401Mfdab4$3f3dL780$73387018 at 57W81fa70Re height=0
width=0></ifra
> > me>
> > <DIV> </DIV></BODY></HTML>
>
> If you study this closely (sadly, this is how an increasing percentage
> of list mail looks to me), you will see that the "href" field on the 10th
> line is a cid: URL.  This points to the attachment itself (note that the
> string after the cid: matches the Content-ID of the attachment I displayed
> above).  So this is a way of getting you to open the attachment, while
> making it appear that you are opening something at www.lists.extropy.org.
>
> (Not that it would necessarily be safe to open something at the list;
> the archive of the message at
> http://www.lucifer.com/pipermail/extropy-chat/2004-April/005439.html
> includes an actual link to a saved copy of the virus.)
>
> The mail headers give a hint about where it came from:
>
> > Received: from tick.javien.com (javien2-3.spots.ab.ca [209.115.169.3])
> >         by finney.org (8.11.6/8.11.6) with ESMTP id i36DBu632454
> >         for <hal at finney.org>; Tue, 6 Apr 2004 06:11:57 -0700
> > Received: from tick.javien.com (localhost.localdomain [127.0.0.1])
> >         by tick.javien.com (8.11.6/8.11.2) with ESMTP id i36Cipc29866;
> >         Tue, 6 Apr 2004 06:44:51 -0600
> > Received: from lists.extropy.org
(adsl-67-38-1-7.dsl.sfldmi.ameritech.net
> >         [67.38.1.7])
> >         by tick.javien.com (8.11.6/8.11.2) with ESMTP id i36Cibc29830
> >         for <extropy-chat at lists.extropy.org>; Tue, 6 Apr 2004
06:44:38 -0600
>
> The problematic one is the last one, where it came into tick.javien.com,
> which is the actual mail server.  When it says "Received: from" and gives
> a system name, that is the name that the delivering system CLAIMS to be.
> Then in parentheses it puts in the actual IP address the mail came from,
> and the name you get from that IP address via reverse-DNS.  It's not too
> unusual for the claimed and reverse-DNS names to be different; you can see
> on the first line that tick.javien.com is "really" javien2-3.spots.ab.ca.
> My own system finney.org has the same problem.  It's because ISPs tend
> to give a generic name while individuals can pay for and register their
> own chosen name.
>
> In this case the system which connected to tick.javien.com claimed
> to be lists.extropy.org.  But it was not; it was a random DSL address
> belonging to ameritech.net, which is now SBC Yahoo DSL.  In other words,
> this mail came from a Yahoo DSL subscriber's computer, 67.38.1.7,
> and falsely claimed to be from lists.extropy.org.  Undoubtedly, that
> is someone's personal computer, hooked up to the net via Yahoo DSL;
> it is infected with a virus and is sending out bogus email.
>
> Most viruses choose a random "From" address and a random "To" address from
> an address book found on the infected computer.  In this case, the To: was
> extropy-chat at lists.extropy.org, and the From: was eliasen at mindspring.com,
> which is list member Alan Eliasen's email address.  However it is
> important to understand this does not mean that it came from Alan;
> in fact, the headers show very convincingly that it came from the poor
> owner of 67.38.1.7.
>
> The sad thing is, in most cases these people are not even aware that their
> system has been compromised.  It may be running a little more sluggishly
> or showing other problems, but by and large the successful viruses leave
> computers usable.  It's the same process of evolution that has largely
> eliminated biological viruses which kill their hosts too quickly.
>
> Chances are, this person is or has been a list subscriber, since he has
> both the list address and Alan's email address in his address book.
> He has probably communicated with Alan via private email, for the
> same reason.  In fact, there is a good chance that he will receive this
> message.  However he probably won't see this part because this message
> is quite technical and the kind of people who get infected are usually
> non-technical, so they wouldn't read this far.
>
> These kinds of IP addresses are usually given out dynamically and somewhat
> randomly, so the victim wouldn't have the same IP address all the time.
> I did a search of my Extropians email for the past few years, and only
> one poster came from a 67.38.X.X. address; that was Kevin Freels.  But
> it is equally likely to be from a lurker (on most lists, lurkers far
> outnumber posters) who happens to be a Yahoo DSL subscriber.
>
> I get a lot of spam and virus emails, hundreds every day, and I look
> at a few to see where they are coming from.  Most of them these days
> come from systems like this, compromised personal computers.  I wish
> there were some way to get in contact with the owners and warn them
> that their systems are infected, but I don't know how to do it.  I just
> spent about 10 minutes trying to find some place on the SBC DSL site to
> notify the sysadmins about this problem with one of their subscribers,
> without much luck.  I finally found a cramped little form where I pasted
> in the Received header, but I doubt that it will do much good.
>
> Given the increased prevalence of spam and viruses, it would be helpful
> for ISPs to make it easier to report the problems.  Usually a moment's
> inspection of the Received headers makes it pretty clear.  Some viruses
> put in fake headers, but they're always at the end, and it's not that
> hard to see where things first went bad.  It's frustrating that I
> know the exact IP address of the infected system (or at least what
> its address was at a specific time a few hours earlier), but I have
> no way to communicate with them.
>
> Of course, a certain percentage of these systems aren't infected but are
> actually malicious, which makes it even more important for the ISP to be
> notified.  There was a good story on slashdot yesterday about a sysadmin
> at an Internet Cafe who got notified about a Nigerian spam (Hello, I am
> the widow of former prime minister Dr. so-and-so, and I need your help
> getting my money out of the country...) which came from one of his users,
> and he was actually able to track the guy down and have him arrested.
>
> Regardless of whether it's accidental or on purpose, ISPs should have
> a big red REPORT SPAM/VIRUS button on their front page.  It's crazy in
> our information age to make it so hard to close the loop on one of the
> most crucial pieces of information out there, that a system has been
> broken and is causing trouble for others.
>
> Hal
> _______________________________________________
> extropy-chat mailing list
> extropy-chat at lists.extropy.org
> http://lists.extropy.org/mailman/listinfo/extropy-chat
>



More information about the extropy-chat mailing list