This message has not been *** Expunged *** Reason: Because your a God! But, non the less, truthfully, it isn't any fault of any list managers here. -b On Tue, 2004-03-23 at 23:22, John Sage wrote: > hmm.. > > On Mon, Mar 22, 2004 at 11:32:53PM -0600, Paul Schmehl wrote: > > From: "Paul Schmehl" <pauls@xxxxxxxxxxxx> > > To: <full-disclosure@xxxxxxxxxxxxxxxx> > > Subject: Re: [Full-Disclosure] viruses being sent to this list > > Date: Mon, 22 Mar 2004 23:32:53 -0600 > > /* snippage */ > > > Not picking on you, your post is just a convenient point to jump in > > to this "conversation", but I really wonder if anyone thinks before > > they post any more. I read Gadi's post, and I happen to know him, > > so I didn't instantly think he was an idiot or uninformed or naive. > > Instead, I downloaded the entire raw archives of the list and > > started grepping for patterns. What I've found so far is > > suspicious. I won't post any results yet, because they're > > incomplete, but suffice it to say that it is at least *possible* > > that this list is deliberately being used to spread viruses. It's > > equally possible that it's just the random seeding that viruses do > > these days. I just don't know for sure yet, one way or the other. > > mutt is my MUA. > > Currently I have 4,924 assorted messages in ~/Mail/in-Full-Disclosure. > > Sorting by size, and picking a familiar size range, we see: > > 3368 Mar 22 ge@egotistical. ( 421) [Full-Disclosure] Re: Thanks :) > 3369 Mar 11 bugzilla@redhat ( 420) [Full-Disclosure] Hi! :-) > 3370 Mar 16 nexus@xxxxxxxxx ( 425) [Full-Disclosure] hi > 3371 Mar 03 psirt@xxxxxxxxx ( 426) [Full-Disclosure] stolen > 3372 Mar 01 psirt@xxxxxxxxx ( 428) [Full-Disclosure] unknown > 3373 Mar 13 nexus@xxxxxxxxx ( 427) [Full-Disclosure] stolen > 3374 Jan 26 jyowell@kennedy ( 420) [Full-Disclosure] hello > 3375 Feb 05 nakal@xxxxxx ( 420) [Full-Disclosure] Test > 3376 Jan 30 brian@pc-radio. ( 420) [Full-Disclosure] Server Report > 3377 Jan 26 http-equiv@exci ( 420) [Full-Disclosure] Status > 3378 Jan 27 jeff01@xxxxxxxx ( 420) [Full-Disclosure] Status > 3379 Feb 04 jim@wangtrading ( 420) [Full-Disclosure] (no subject) > 3380 Feb 12 franjime@cisco. ( 422) [Full-Disclosure] HELLO > 3381 Feb 11 psirt@xxxxxxxxx ( 422) [Full-Disclosure] Hi > 3382 Jan 27 lsawyer@xxxxxxx ( 422) [Full-Disclosure] hello > 3383 Jan 27 http-equiv@malw ( 422) [Full-Disclosure] (no subject) > 3384 Jan 28 jkarp@visionael ( 422) [Full-Disclosure] STATUS > 3385 Feb 07 jim@wangtrading ( 422) [Full-Disclosure] TEST > 3386 Mar 03 je@xxxxxxxxxx ( 424) [Full-Disclosure] TEST > 3387 Feb 08 hobbit@xxxxxxxx ( 424) [Full-Disclosure] Server Report > 3388 Jan 30 psirt@xxxxxxxxx ( 424) [Full-Disclosure] (no subject) > 3389 Feb 09 psirt@xxxxxxxxx ( 441) [Full-Disclosure] hi > 3390 Feb 08 joel@xxxxxxxxxx ( 465) [Full-Disclosure] Error > 3391 Jan 27 lsawyer@xxxxxxx ( 466) [Full-Disclosure] Status > 3392 Feb 26 psirt@xxxxxxxxx ( 494) [Full-Disclosure] something for you > 3393 Feb 26 psirt@xxxxxxxxx ( 494) [Full-Disclosure] something for you > 3394 Mar 16 phlox@xxxxxxxxx ( 496) [Full-Disclosure] greetings > > > Without exception, these are all virii-laden. Whether they got here by > malice or by chance, they all contain the following: > > Received: from NETSYS.COM (localhost [127.0.0.1]) > by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i2H1kI327175; > Tue, 16 Mar 2004 20:46:18 -0500 (EST) > > in the "Received: " sequence immediately following the two examples > below, varying only in the date and timestamp, and ESMPT id. > > > Comparing one virus to one known list member (http-equiv -- sorry!) we > can see an obvious forgery: > > Received: from excite.com (dt083n7c.san.rr.com [204.210.26.124]) > by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0QMicU18817 > for <full-disclosure@xxxxxxxxxxxxxxxx>; Mon, 26 Jan 2004 17:44:39 -0500 > > versus a presumable "real" post: > > Received: from mailrelay.megawebservers.com > (mailrelay1-2.megawebservers.com [216.251.35.241]) > by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i0R01gU17220 > for <full-disclosure@xxxxxxxxxxxxxxxx>; Mon, 26 Jan 2004 19:01:43 -0500 > > > What does this tell us? Virii are getting out via the list; whether > they are being transmitted inadvertently or deliberately is still open > to question... > > > > - John -- "Save yourself from the 'Gates' of hell, use Linux." -- The_Kind @ LinuxNet
Attachment:
signature.asc
Description: This is a digitally signed message part