[extropy-chat] Mail Delivery (failure extropy-chat at lists.extropy.org)

Hal Finney hal at finney.org
Wed Apr 7 00:32:59 UTC 2004


I can provide some information about this.  I read my extropians mail
in text mode on a Linux box by running "less" over the mailbox file.
So I see all the information that is available.

I received the virus message, and I assume that all other list subscribers
did so as well.  Some of you may not have seen it in case some anti-virus
software or filter deleted it.

The virus was actually included in the message.  The attachment was
not scrubbed by the list.

The attachment containing the virus looked like:

> ------=_NextPart_000_001B_01C0CA80.6B015D10
> Content-Type: audio/x-wav;
>         name="message.scr"
> Content-Transfer-Encoding: base64
> Content-ID: <031401Mfdab4$3f3dL780$73387018 at 57W81fa70Re>
>
> [approximately 600 lines deleted]
>
> ------=_NextPart_000_001B_01C0CA80.6B015D10--

I'm not sure how most mail clients would display this attachment; as
Eugen has noted, his PGP signature attachments are generally not handled
well after passing through the list server, because they get wrapped or
encapsulated in another MIME layer to allow the list to add its standard
3-line trailer that appears at the end of every message.

The part about the attachment being saved at the list is fake:

> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> <META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
> <META content="MSHTML 5.00.2920.0" name=GENERATOR>
> <STYLE></STYLE>
> </HEAD>
> <BODY bgColor=#ffffff>If the message will not displayed automatically,<br>
> follow the link to read the delivered message.<br><br>
> Received message is available at:<br>
> <a href=cid:031401Mfdab4$3f3dL780$73387018 at 57W81fa70Re height=0 width=0>www.lists.extropy.org/inbox/extropy-chat/read.php?sessionid-27444</a>
> <iframe src=cid:031401Mfdab4$3f3dL780$73387018 at 57W81fa70Re height=0 width=0></iframe>
> <DIV> </DIV></BODY></HTML>

If you study this closely (sadly, this is how an increasing percentage
of list mail looks to me), you will see that the "href" field on the 10th
line is a cid: URL.  This points to the attachment itself (note that the
string after the cid: matches the Content-ID of the attachment I displayed
above).  So this is a way of getting you to open the attachment, while
making it appear that you are opening something at www.lists.extropy.org.

(Not that it would necessarily be safe to open something at the list;
the archive of the message at
http://www.lucifer.com/pipermail/extropy-chat/2004-April/005439.html
includes an actual link to a saved copy of the virus.)

The mail headers give a hint about where it came from:

> Received: from tick.javien.com (javien2-3.spots.ab.ca [209.115.169.3])
>         by finney.org (8.11.6/8.11.6) with ESMTP id i36DBu632454
>         for <hal at finney.org>; Tue, 6 Apr 2004 06:11:57 -0700
> Received: from tick.javien.com (localhost.localdomain [127.0.0.1])
>         by tick.javien.com (8.11.6/8.11.2) with ESMTP id i36Cipc29866;
>         Tue, 6 Apr 2004 06:44:51 -0600
> Received: from lists.extropy.org (adsl-67-38-1-7.dsl.sfldmi.ameritech.net
>         [67.38.1.7])
>         by tick.javien.com (8.11.6/8.11.2) with ESMTP id i36Cibc29830
>         for <extropy-chat at lists.extropy.org>; Tue, 6 Apr 2004 06:44:38 -0600

The problematic one is the last one, where it came into tick.javien.com,
which is the actual mail server.  When it says "Received: from" and gives
a system name, that is the name that the delivering system CLAIMS to be.
Then in parentheses it puts in the actual IP address the mail came from,
and the name you get from that IP address via reverse-DNS.  It's not too
unusual for the claimed and reverse-DNS names to be different; you can see
on the first line that tick.javien.com is "really" javien2-3.spots.ab.ca.
My own system finney.org has the same problem.  It's because ISPs tend
to give a generic name while individuals can pay for and register their
own chosen name.

In this case the system which connected to tick.javien.com claimed
to be lists.extropy.org.  But it was not; it was a random DSL address
belonging to ameritech.net, which is now SBC Yahoo DSL.  In other words,
this mail came from a Yahoo DSL subscriber's computer, 67.38.1.7,
and falsely claimed to be from lists.extropy.org.  Undoubtedly, that
is someone's personal computer, hooked up to the net via Yahoo DSL;
it is infected with a virus and is sending out bogus email.

Most viruses choose a random "From" address and a random "To" address from
an address book found on the infected computer.  In this case, the To: was
extropy-chat at lists.extropy.org, and the From: was eliasen at mindspring.com,
which is list member Alan Eliasen's email address.  However, it is
important to understand that this does not mean that it came from Alan;
in fact, the headers show very convincingly that it came from the poor
owner of 67.38.1.7.

The sad thing is, in most cases these people are not even aware that their
system has been compromised.  It may be running a little more sluggishly
or showing other problems, but by and large the successful viruses leave
computers usable.  It's the same process of evolution that has largely
eliminated biological viruses which kill their hosts too quickly.

Chances are, this person is or has been a list subscriber, since he has
both the list address and Alan's email address in his address book.
He has probably communicated with Alan via private email, for the
same reason.  In fact, there is a good chance that he will receive this
message.  However, he probably won't see this part because this message
is quite technical and the kind of people who get infected are usually
non-technical, so they wouldn't read this far.

These kinds of IP addresses are usually given out dynamically and somewhat
randomly, so the victim wouldn't have the same IP address all the time.
I did a search of my Extropians email for the past few years, and only
one poster came from a 67.38.X.X address; that was Kevin Freels.  But
it is equally likely to be from a lurker (on most lists, lurkers far
outnumber posters) who happens to be a Yahoo DSL subscriber.

I get a lot of spam and virus emails, hundreds every day, and I look
at a few to see where they are coming from.  Most of them these days
come from systems like this, compromised personal computers.  I wish
there were some way to get in contact with the owners and warn them
that their systems are infected, but I don't know how to do it.  I just
spent about 10 minutes trying to find some place on the SBC DSL site to
notify the sysadmins about this problem with one of their subscribers,
without much luck.  I finally found a cramped little form where I pasted
in the Received header, but I doubt that it will do much good.

Given the increased prevalence of spam and viruses, it would be helpful
for ISPs to make it easier to report the problems.  Usually a moment's
inspection of the Received headers makes it pretty clear.  Some viruses
put in fake headers, but they're always at the end, and it's not that
hard to see where things first went bad.  It's frustrating that I
know the exact IP address of the infected system (or at least what
its address was at a specific time a few hours earlier), but I have
no way to communicate with them.

Of course, a certain percentage of these systems aren't infected but are
actually malicious, which makes it even more important for the ISP to be
notified.  There was a good story on slashdot yesterday about a sysadmin
at an Internet Cafe who got notified about a Nigerian spam (Hello, I am
the widow of former prime minister Dr. so-and-so, and I need your help
getting my money out of the country...) which came from one of his users,
and he was actually able to track the guy down and have him arrested.

Regardless of whether it's accidental or on purpose, ISPs should have
a big red REPORT SPAM/VIRUS button on their front page.  It's crazy in
our information age to make it so hard to close the loop on one of the
most crucial pieces of information out there, that a system has been
broken and is causing trouble for others.

Hal
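An added example (editor's code, not part of Hal's message) that makes the header reading above mechanical: it unfolds the three Received headers quoted earlier, separates the name the sender claimed from the rDNS name and IP the receiving server recorded, picks out the earliest non-loopback hop (the one whose IP is worth reporting), and lists the cid: targets in the HTML body so links that really open an attachment stand out. The sample input is constructed from the quoted headers and HTML with the archive's "at" restored to "@".

```python
import re

# Constructed sample: the Received headers quoted above, with "at" restored to "@".
RECEIVED = """\
Received: from tick.javien.com (javien2-3.spots.ab.ca [209.115.169.3])
        by finney.org (8.11.6/8.11.6) with ESMTP id i36DBu632454
        for <hal@finney.org>; Tue, 6 Apr 2004 06:11:57 -0700
Received: from tick.javien.com (localhost.localdomain [127.0.0.1])
        by tick.javien.com (8.11.6/8.11.2) with ESMTP id i36Cipc29866;
        Tue, 6 Apr 2004 06:44:51 -0600
Received: from lists.extropy.org (adsl-67-38-1-7.dsl.sfldmi.ameritech.net
        [67.38.1.7])
        by tick.javien.com (8.11.6/8.11.2) with ESMTP id i36Cibc29830
        for <extropy-chat@lists.extropy.org>; Tue, 6 Apr 2004 06:44:38 -0600
"""
# The HTML body's two cid: references, as quoted above (constructed, "at" -> "@").
HTML = ('<a href=cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re height=0 width=0>x</a>'
        '<iframe src=cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re></iframe>')

# claimed = HELO name the sender announced (untrusted); rdns/ip = what the receiving
# server itself observed about the connecting peer (trustworthy for that hop).
HOP_RE = re.compile(r"from\s+(?P<claimed>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
                    r"\s+by\s+(?P<by>\S+)")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) into one line per header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.strip())
    return lines

def parse_hops(raw):
    """Hops in header order (newest first); the last one injected the mail."""
    hops = []
    for m in filter(None, map(HOP_RE.search, unfold(raw))):
        hop = m.groupdict()
        hop["claim_matches_rdns"] = hop["claimed"].lower() == hop["rdns"].lower()
        hops.append(hop)
    return hops

def origin(raw):
    """Earliest non-loopback hop: the IP (and its rDNS name) worth reporting to the ISP."""
    return next((h for h in reversed(parse_hops(raw)) if not h["ip"].startswith("127.")), None)

def cid_targets(html):
    """cid: values referenced by href/src, i.e. links that really open an attachment."""
    return sorted(set(re.findall(r'(?:href|src)=["\']?cid:([^\s"\'>]+)', html, re.I)))
```

Comparing the cid: targets with each attachment's Content-ID (as Hal did by eye) shows which "link" is really the attachment.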
