Re: [Full-Disclosure] viruses being sent to this list
- To: Paul Schmehl <pauls@xxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] viruses being sent to this list
- From: John Sage <jsage@xxxxxxxxxxxxxx>
- Date: Tue, 23 Mar 2004 20:22:55 -0800
hmm..
On Mon, Mar 22, 2004 at 11:32:53PM -0600, Paul Schmehl wrote:
> From: "Paul Schmehl" <pauls@xxxxxxxxxxxx>
> To: <full-disclosure@xxxxxxxxxxxxxxxx>
> Subject: Re: [Full-Disclosure] viruses being sent to this list
> Date: Mon, 22 Mar 2004 23:32:53 -0600
/* snippage */
> Not picking on you, your post is just a convenient point to jump in
> to this "conversation", but I really wonder if anyone thinks before
> they post any more. I read Gadi's post, and I happen to know him,
> so I didn't instantly think he was an idiot or uninformed or naive.
> Instead, I downloaded the entire raw archives of the list and
> started grepping for patterns. What I've found so far is
> suspicious. I won't post any results yet, because they're
> incomplete, but suffice it to say that it is at least *possible*
> that this list is deliberately being used to spread viruses. It's
> equally possible that it's just the random seeding that viruses do
> these days. I just don't know for sure yet, one way or the other.
mutt is my MUA.
Currently I have 4,924 assorted messages in ~/Mail/in-Full-Disclosure.
Sorting by size, and picking a familiar size range, we see:
3368 Mar 22 ge@egotistical. ( 421) [Full-Disclosure] Re: Thanks :)
3369 Mar 11 bugzilla@redhat ( 420) [Full-Disclosure] Hi! :-)
3370 Mar 16 nexus@xxxxxxxxx ( 425) [Full-Disclosure] hi
3371 Mar 03 psirt@xxxxxxxxx ( 426) [Full-Disclosure] stolen
3372 Mar 01 psirt@xxxxxxxxx ( 428) [Full-Disclosure] unknown
3373 Mar 13 nexus@xxxxxxxxx ( 427) [Full-Disclosure] stolen
3374 Jan 26 jyowell@kennedy ( 420) [Full-Disclosure] hello
3375 Feb 05 nakal@xxxxxx ( 420) [Full-Disclosure] Test
3376 Jan 30 brian@pc-radio. ( 420) [Full-Disclosure] Server Report
3377 Jan 26 http-equiv@exci ( 420) [Full-Disclosure] Status
3378 Jan 27 jeff01@xxxxxxxx ( 420) [Full-Disclosure] Status
3379 Feb 04 jim@wangtrading ( 420) [Full-Disclosure] (no subject)
3380 Feb 12 franjime@cisco. ( 422) [Full-Disclosure] HELLO
3381 Feb 11 psirt@xxxxxxxxx ( 422) [Full-Disclosure] Hi
3382 Jan 27 lsawyer@xxxxxxx ( 422) [Full-Disclosure] hello
3383 Jan 27 http-equiv@malw ( 422) [Full-Disclosure] (no subject)
3384 Jan 28 jkarp@visionael ( 422) [Full-Disclosure] STATUS
3385 Feb 07 jim@wangtrading ( 422) [Full-Disclosure] TEST
3386 Mar 03 je@xxxxxxxxxx ( 424) [Full-Disclosure] TEST
3387 Feb 08 hobbit@xxxxxxxx ( 424) [Full-Disclosure] Server Report
3388 Jan 30 psirt@xxxxxxxxx ( 424) [Full-Disclosure] (no subject)
3389 Feb 09 psirt@xxxxxxxxx ( 441) [Full-Disclosure] hi
3390 Feb 08 joel@xxxxxxxxxx ( 465) [Full-Disclosure] Error
3391 Jan 27 lsawyer@xxxxxxx ( 466) [Full-Disclosure] Status
3392 Feb 26 psirt@xxxxxxxxx ( 494) [Full-Disclosure] something for you
3393 Feb 26 psirt@xxxxxxxxx ( 494) [Full-Disclosure] something for you
3394 Mar 16 phlox@xxxxxxxxx ( 496) [Full-Disclosure] greetings
Without exception, these are all virii-laden. Whether they got here by
malice or by chance, they all contain the following:
Received: from NETSYS.COM (localhost [127.0.0.1])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175;
Tue, 16 Mar 2004 20:46:18 -0500 (EST)
in the "Received: " sequence immediately following the two examples
below, varying only in the date and timestamp, and ESMTP id.
Comparing one virus to one known list member (http-equiv -- sorry!) we
can see an obvious forgery:
Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817
for <full-disclosure@xxxxxxxxxxxxxxxx>; Mon, 26 Jan 2004 17:44:39 -0500
versus a presumable "real" post:
Received: from mailrelay.megawebservers.com
(mailrelay1-2.megawebservers.com [216.251.35.241])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220
for <full-disclosure@xxxxxxxxxxxxxxxx>; Mon, 26 Jan 2004 19:01:43 -0500
What does this tell us? Virii are getting out via the list; whether
they are being transmitted inadvertently or deliberately is still open
to question...
- John
--
"Mad cow? You'd be mad too, if someone was trying to eat you."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
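The check John describes by eye above (a HELO name that claims one domain while the connecting host's reverse DNS points somewhere else, versus a legitimate hop where the two agree, plus the list's own localhost relay hop) can be automated over a mail archive. The following is an added example, not code from the poster or from the list software. It reuses the three Received: lines quoted in the message; the message skeleton around them is constructed for the example, and the "last two DNS labels" rule for deciding which domain owns a hostname is a deliberate simplification (a real tool would consult a public-suffix list).

```python
"""Heuristic check of Received: headers for HELO / reverse-DNS mismatches.

Added illustration for the thread above; not the poster's or the list's code.
The three Received: hops are the ones quoted in the message; the surrounding
message skeletons are constructed for the example.
"""
import re
from typing import Dict, List

# One Received: header, possibly folded over several lines. Continuation
# lines begin with whitespace, so a block ends at the next line that does not.
RECEIVED_BLOCK_RE = re.compile(r"^Received:[ \t]*(.*?)(?=^\S|\Z)",
                               re.MULTILINE | re.DOTALL)

# "from <HELO name> (<reverse DNS> [<ip>]) by <relay>", as sendmail writes it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)

# Hops quoted verbatim in the message above.
LOCAL_HOP = (
    "Received: from NETSYS.COM (localhost [127.0.0.1])\n"
    "\tby netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175;\n"
    "\tTue, 16 Mar 2004 20:46:18 -0500 (EST)\n"
)
FORGED_HOP = (
    "Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124])\n"
    "\tby netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817\n"
    "\tfor <full-disclosure@xxxxxxxxxxxxxxxx>; Mon, 26 Jan 2004 17:44:39 -0500\n"
)
LEGIT_HOP = (
    "Received: from mailrelay.megawebservers.com\n"
    "\t(mailrelay1-2.megawebservers.com [216.251.35.241])\n"
    "\tby netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220\n"
    "\tfor <full-disclosure@xxxxxxxxxxxxxxxx>; Mon, 26 Jan 2004 19:01:43 -0500\n"
)

# Constructed message skeletons: the quoted hops stitched together, with the
# remaining headers invented for the example.
VIRUS_SAMPLE = LOCAL_HOP + FORGED_HOP + "From: someone@example.invalid\nSubject: Status\n\n(body omitted)\n"
LEGIT_SAMPLE = LOCAL_HOP + LEGIT_HOP + "From: someone@example.invalid\nSubject: Re: a real thread\n\n(body omitted)\n"


def registrable(host: str) -> str:
    """Crude 'owning domain': the last two DNS labels, lower-cased.
    Assumption for this example only; co.uk-style suffixes need a real list."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify_hop(hop_text: str) -> Dict[str, str]:
    """Label one Received: hop as local-relay, consistent, helo-mismatch or unparsed."""
    m = HOP_RE.search(hop_text)
    if not m:
        return {"verdict": "unparsed", "helo": "", "rdns": "", "ip": ""}
    helo, rdns, ip = m["helo"], m["rdns"] or "", m["ip"]
    if ip.startswith("127.") or rdns.lower() == "localhost":
        verdict = "local-relay"          # the list server re-injecting the mail
    elif registrable(helo) == registrable(rdns):
        verdict = "consistent"           # HELO and reverse DNS agree on the owner
    else:
        verdict = "helo-mismatch"        # HELO claims a domain the host is not in
    return {"verdict": verdict, "helo": helo, "rdns": rdns, "ip": ip}


def received_hops(raw_message: str) -> List[str]:
    """Return each Received: header of a raw message, unfolded onto one line."""
    return [" ".join(block.split()) for block in RECEIVED_BLOCK_RE.findall(raw_message)]


def suspicious_hops(raw_message: str) -> List[Dict[str, str]]:
    """Hops whose HELO name does not belong to the connecting host's domain."""
    return [h for h in map(classify_hop, received_hops(raw_message))
            if h["verdict"] == "helo-mismatch"]


if __name__ == "__main__":
    for name, msg in (("virus sample", VIRUS_SAMPLE), ("legit sample", LEGIT_SAMPLE)):
        print(name)
        for hop in map(classify_hop, received_hops(msg)):
            print("  %-14s helo=%s rdns=%s ip=%s" % (hop["verdict"], hop["helo"], hop["rdns"], hop["ip"]))
```

Run over an mbox, this flags the forged hop (HELO `excite.com` from a `san.rr.com` host) and passes the megawebservers hop, while reporting the localhost re-injection hop separately so it can be counted rather than treated as a forgery. A mismatch is a signal, not proof: relays behind NAT or with stale reverse DNS produce the same pattern, so the verdicts are input for the kind of archive-wide grepping Paul describes, not a filter on their own.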