It appears that someone (maybe on gimp-developer, maybe not) has been 
socked with the W32/Sobig virus/worm. It's similar to the KLEZ worm, but is a 
bit more picky. I've been getting a lot of messages like below, but since my 
main machine is a Linux box, I'm not getting infected. SpamAssassin is helping 
to find it, but thought everyone would want to know. From the NANOG mailing 


>On 03.06 13:44, Dominic J. Eidson wrote:
>> I'm having a feeling that someone harvested a bunch of addresses, possibly
>> from NANOG, and is using them as the sender address in pretend-to-be KLEZ
>> spams.. I have received several bounces lately, several of them appearing
>> to be KLEZ, all with me as the original sender ....
>Just to add another data point:
>The same thing started happening to me a few days ago.  I do not know
>any of the recipients of the bounces but some people I *do* know advised me
>they are getting them.  I cannot say whether this is really KLEZ or not,
>not enough data. (W32/[EMAIL PROTECTED]) which is klez
like in how it picks its targets....  It's been on a rampage since the
Friday night.


        If you're on the list with your MUA being Windows-based, please visit 
the URL above, get info on the worm, and update your virus programs and 
mailfilters. Right now, I have virii and spam going to /dev/null, but brought 
this out to give everyone a heads up.

----- Forwarded message from [EMAIL PROTECTED] -----

Subject: [Gimp-developer] Re: Approved
Date: Wed, 4 Jun 2003 17:02:24 +0200
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=5.5 required=5.0
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.55 (

This mail is probably spam.  The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future.  See for more details.

Content preview:  This is a multipart message in MIME format Please see
  the attached file. MIME-Version: 1.0 Gimp-developer mailing list

Content analysis details:   (5.50 points, 5 required)
NO_REAL_NAME       (1.1 points)  From: does not include a real name
RAZOR2_CF_RANGE_91_100 (1.2 points)  BODY: Razor2 gives a spam confidence level between 91 and 100
                   [cf: 100]
RAZOR2_CHECK       (0.9 points)  Listed in Razor2, see
MISSING_MIMEOLE    (0.1 points)  Message has X-MSMail-Priority, but no X-MimeOLE
FORGED_MUA_OUTLOOK (2.2 points)  Forged mail pretending to be from MS Outlook

The original message did not contain plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Content-Description: original message before SpamAssassin
Date: Wed, 4 Jun 2003 17:02:24 +0200
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
Subject: [Gimp-developer] Re: Approved
X-Mailman-Version: 2.1b4
Precedence: list
List-Id: <>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <>,
        <mailto:[EMAIL PROTECTED]>
List-Unsubscribe: <>,
        <mailto:[EMAIL PROTECTED]>
List-Archive: </lists/gimp-developer>
List-Help: <mailto:[EMAIL PROTECTED]>

Please see the attached file.
Gimp-developer mailing list

----- End forwarded message -----

Brad Littlejohn                         | Email:        [EMAIL PROTECTED]
Unix Systems Administrator,             |           [EMAIL PROTECTED]
Web + NewsMaster, BOFH.. Smeghead! :)   |
  PGP: 1024D/E319F0BF 6980 AAD6 7329 E9E6 D569  F620 C819 199A E319 F0BF
