Heh.

That one sure looks like a Klez worm to me.  A file called "width.exe"
masquerading as a .JPG, the forged HELO with a capitalized fake
hostname, the Klez-y subject.  The probably forged "From:" line swiped
from the address book of the true host of this worm, of whom all we know
is that his mail emerged to the Internet via 203.88.156.147, claiming to
be webloc.portofmundra.com, a claim not supported by the DNS.

Have you folks over there at lprng considered doing a bit of
pre-filtering on the mailing lists?  I don't know what majordomo
provides these days, but it should be pretty easy to add a procmail
filter up-front, maybe one that invokes Vipul's Razor via SpamAssassin
to sideline suspicious posts until a list manager gets a chance
to vet them?

At SSC we use such a setup to front-end a bunch of Mailman lists.
We've had pretty good luck with not broadcasting vermiform things,
even though at least one of our lists is open to public posting.

----- Forwarded message from jarausch <[EMAIL PROTECTED]> -----

Return-Path: <[EMAIL PROTECTED]>
Received: from mail.ssc.com (dilbert.ssc.com [192.168.1.3])
        by chinacat.ssc.com (Postfix) with ESMTP id 240C22F8DA
        for <[EMAIL PROTECTED]>; Fri, 11 Oct 2002 10:33:15 -0700 (PDT)
Received: by mail.ssc.com (Postfix)
        id D3BF8EE81D; Fri, 11 Oct 2002 10:33:14 -0700 (PDT)
Received: from lprng.com (www.lprng.com [216.86.138.141])
        by mail.ssc.com (Postfix) with ESMTP id 10C0EEE7D4
        for <[EMAIL PROTECTED]>; Fri, 11 Oct 2002 10:33:03 -0700 (PDT)
Received: (from majordom@localhost)
        by lprng.com (8.11.6/8.11.6) id g9BFSKk49010;
        Fri, 11 Oct 2002 08:28:20 -0700 (PDT)
        (envelope-from [EMAIL PROTECTED])
Received: from webloc.portofmundra.com (IDENT:qmailr@[203.88.156.147])
        by lprng.com (8.11.6/8.11.6) with SMTP id g9BF5Mx48908
        for <[EMAIL PROTECTED]>; Fri, 11 Oct 2002 08:05:24 -0700 (PDT)
        (envelope-from [EMAIL PROTECTED])
Date: Fri, 11 Oct 2002 08:05:24 -0700 (PDT)
Message-Id: <[EMAIL PROTECTED]>
Received: (qmail 15073 invoked from network); 11 Oct 2002 13:59:28 -0000
Received: from unknown (HELO Cznlsidrv) ([192.168.40.231]) (envelope-sender 
<[EMAIL PROTECTED]?>)
          by 0 (qmail-ldap-1.03) with SMTP
          for <[EMAIL PROTECTED]>; 11 Oct 2002 13:59:28 -0000
From: jarausch <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: LPRng: Eager to see you
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=Q35k00Giz91Vf03hxiO677b75fWBcHo810Bx
Sender: [EMAIL PROTECTED]
Precedence: bulk
Reply-To: [EMAIL PROTECTED]

Content-Type: application/octet-stream;
        name=START.JPG
Content-Transfer-Encoding: base64
Content-ID: <F56z5953YY6>

/9j/4AAQSkZJRgABAgEAYABgAAD/7QqcUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAAYAAA

[ ... Guts of the worm excised ... ]

+mUlsCe2/bKSzCcQ9sqLIJhH0HzyBZhMU6DIJCNTt8sgUquBL//Z
----- End forwarded message -----

-- 
-----------------------------------------------------------------
 Dan Wilder <[EMAIL PROTECTED]>   Technical Manager
 SSC, Inc. P.O. Box 55549   Phone:  206-782-8808
 Seattle, WA  98155-0549    URL http://www.linuxjournal.com/
-----------------------------------------------------------------

-----------------------------------------------------------------------------
YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRNG MAILING LIST
The address you post from MUST be your subscription address

If you need help, send email to [EMAIL PROTECTED] (or lprng-requests
or lprng-digest-requests) with the word 'help' in the body.  For the impatient,
to subscribe to a list with name LIST,  send mail to [EMAIL PROTECTED]
with:                           | example:
subscribe LIST <mailaddr>       |  subscribe lprng-digest [EMAIL PROTECTED]
unsubscribe LIST <mailaddr>     |  unsubscribe lprng [EMAIL PROTECTED]

If you have major problems,  send email to [EMAIL PROTECTED] with the word
LPRNGLIST in the SUBJECT line.
-----------------------------------------------------------------------------
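
The tell-tale signs named in the message above (a bare-word HELO, and an attachment whose name, declared type and content disagree) can be checked mechanically before a post reaches the list. The following is an added example, not part of the original message and not SSC's or LPRng's filter; the function names, the extension lists and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png", ".bmp")
EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
# Matches qmail's "from x (HELO name)" and the sendmail/Postfix "from name (".
HELO_RE = re.compile(r"from (?:\S+ \(HELO ([^)\s]+)\)|(\S+) \()", re.I)

def suspicious_reasons(raw):
    """Return the reasons (possibly none) to hold a post for the list manager."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for hdr in msg.get_all("Received", []):
        m = HELO_RE.match(" ".join(str(hdr).split()))
        helo = (m.group(1) or m.group(2)) if m else None
        # Mail servers normally announce a dotted name; the worm used a bare word.
        if helo and "." not in helo and helo.lower() != "localhost":
            reasons.append("HELO is not a fully qualified name: " + helo)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        # "MZ" opens a DOS/Windows executable, whatever the file is called.
        if name.endswith(EXEC_EXT) or data[:2] == b"MZ":
            reasons.append("executable content or name: " + name)
        if name.endswith(IMAGE_EXT) and part.get_content_maintype() != "image":
            reasons.append("image name with non-image type: " + name)
    return reasons

def constructed_sample():
    """Constructed message shaped like the forwarded one; the payload is inert."""
    m = EmailMessage()
    m["Received"] = ("from unknown (HELO Cznlsidrv) ([192.168.40.231]) "
                     "by 0 with SMTP; 11 Oct 2002 13:59:28 -0000")
    m["From"] = "poster@example.org"
    m["Subject"] = "Eager to see you"
    m.set_content("hello")
    m.add_attachment(b"MZ" + b"\0" * 16, maintype="application",
                     subtype="octet-stream", filename="START.JPG")
    return m.as_bytes()

if __name__ == "__main__":
    for reason in suspicious_reasons(constructed_sample()):
        print("HOLD:", reason)
```

A post that returns any reason would be sidelined for review rather than discarded, since each check is a heuristic and can misfire on legitimate mail.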
