Re: [Flightgear-devel] WARNING: Flightgear spam attack; open relay at baron.me.umn.edu
David Megginson said:

> The worst b*ds in this whole mess are not the virus writers, slimy as they are, or Microsoft, incompetent as they are; rather, it's the enterprise anti-virus software vendors, who sell systems that automatically send useless virus warnings every time a message like this comes. Either
>
> (a) they're complete idiots who couldn't be trusted with the washroom key at a gas station, much less corporate network security; or
>
> (b) they know perfectly well that they're making the problem worse and that their warnings are going to the wrong people, but cannot resist the free advertising (but it's not SPAM, it's a VIRUS WARNING!).

Hehe...sizzle! Of course it has to be (b). This was a concept originally born before SOBIG and actually provided a service as well as advertising.

As I mentioned earlier SpamCop does a good job with these. And it kind of forces the end lusers (who are I think equally culpable) to change the configuration of their mail server AVS software.

Best,

Jim

P.S. In the end I'd put all the blame on Microsoft (or was it Netscape or Apple?)...for promoting the idea of launching executables from an email attachment. It's like being able to turn on the oven in your kitchen with the answering machine on your telephone. Some people will think it is a great way to have dinner ready when you get home. Others will get their house burned down. And then if the answering machine will automatically dial a list of phone numbers in its memory... So that's it...MAPI.

___
Flightgear-devel mailing list
[EMAIL PROTECTED]
http://mail.flightgear.org/mailman/listinfo/flightgear-devel
Re: [Flightgear-devel] WARNING: Flightgear spam attack; open relay at baron.me.umn.edu
David Megginson wrote:

> I'm under a serious spam attack from an infected computer of someone on the list. Here is where the spam is originating:
>
> user-24-214-247-18.knology.net
>
> Many of the spams are arriving with Curt's e-mail address spoofed on them, and unfortunately, baron.me.umn.edu seems happy to relay them for the infected computer. In fact, baron is relaying *all* of the spam, even the stuff with return addresses like [EMAIL PROTECTED]

Going on the defensive here. mail.flightgear.org is *not* an open relay. It only accepts mail for addresses @flightgear.org. It does *not* accept email from an arbitrary location and forward to any other arbitrary location.

The big problem is that these viruses can leverage the user's address book to spoof plausible to/from addresses and they get lucky far too often. The spammers/viruses are nearly making email useless :-( I average receiving a new spam message about every 5 minutes.

Curt.

--
Curtis Olson http://www.flightgear.org/~curt
HumanFIRST Program http://www.humanfirst.umn.edu/
FlightGear Project http://www.flightgear.org
Unique text:2f585eeea02e2c79d7b1d8c4963bae2d
Re: [Flightgear-devel] WARNING: Flightgear spam attack; open relay at baron.me.umn.edu
Curtis L. Olson said:

> David Megginson wrote:
>
> > I'm under a serious spam attack from an infected computer of someone on the list. Here is where the spam is originating:
> >
> > user-24-214-247-18.knology.net
> >
> > Many of the spams are arriving with Curt's e-mail address spoofed on them, and unfortunately, baron.me.umn.edu seems happy to relay them for the infected computer. In fact, baron is relaying *all* of the spam, even the stuff with return addresses like [EMAIL PROTECTED]
>
> Going on the defensive here. mail.flightgear.org is *not* an open relay. It only accepts mail for addresses @flightgear.org. It does *not* accept email from an arbitrary location and forward to any other arbitrary location.
>
> The big problem is that these viruses can leverage the user's address book to spoof plausible to/from addresses and they get lucky far too often. The spammers/viruses are nearly making email useless :-( I average receiving a new spam message about every 5 minutes.

We're getting creamed here but not seeing most of it. SpamCop, which we've been using for a while, does a good job of blocking those idiot virus spams from misconfigured mail servers. Of course this has started producing some (a very small number) complaints as legit servers get listed. It is currently getting 25 per hour (based on prior 5 weeks average) and that is double what it was a month ago.

Also I've added a slew of procmail rules to filter out the stupid subjects they use (e.g. re: Thank You!). After all that I still end up manually clearing about 25 a day.

On the Postgres list someone mentioned that he discovered a signature in the HELO that he was able to use to trap most virus emails.

Best,

Jim
Re: [Flightgear-devel] WARNING: Flightgear spam attack; open relay at baron.me.umn.edu
Jim Wilson wrote:

> Curtis L. Olson said:
>
> > David Megginson wrote:
> >
> > > I'm under a serious spam attack from an infected computer of someone on the list. Here is where the spam is originating:
> > >
> > > user-24-214-247-18.knology.net
> > >
> > > Many of the spams are arriving with Curt's e-mail address spoofed on them, and unfortunately, baron.me.umn.edu seems happy to relay them for the infected computer. In fact, baron is relaying *all* of the spam, even the stuff with return addresses like [EMAIL PROTECTED]
> >
> > Going on the defensive here. mail.flightgear.org is *not* an open relay. It only accepts mail for addresses @flightgear.org. It does *not* accept email from an arbitrary location and forward to any other arbitrary location.
> >
> > The big problem is that these viruses can leverage the user's address book to spoof plausible to/from addresses and they get lucky far too often. The spammers/viruses are nearly making email useless :-( I average receiving a new spam message about every 5 minutes.
>
> We're getting creamed here but not seeing most of it. SpamCop, which we've been using for a while, does a good job of blocking those idiot virus spams from misconfigured mail servers. Of course this has started producing some (a very small number) complaints as legit servers get listed. It is currently getting 25 per hour (based on prior 5 weeks average) and that is double what it was a month ago.
>
> Also I've added a slew of procmail rules to filter out the stupid subjects they use (e.g. re: Thank You!). After all that I still end up manually clearing about 25 a day.
>
> On the Postgres list someone mentioned that he discovered a signature in the HELO that he was able to use to trap most virus emails.

I use popfile under Windows and I must say that it is able to filter nearly 100% of junk mail and viruses. popfile is multi-platform and can be found at SourceForge.

-Fred
Re: [Flightgear-devel] WARNING: Flightgear spam attack; open relay at baron.me.umn.edu
On Thursday 20 May 2004 13:51, David Megginson wrote:

> I'm under a serious spam attack from an infected computer of someone on the list. Here is where the spam is originating:
>
> user-24-214-247-18.knology.net
>
> Many of the spams are arriving with Curt's e-mail address spoofed on them, and unfortunately, baron.me.umn.edu seems happy to relay them for the infected computer. In fact, baron is relaying *all* of the spam, even the stuff with return addresses like [EMAIL PROTECTED]
>
> All the best,
>
> David

These e-mails almost certainly have spoofed 'From' addresses and just about the only thing you can be sure of is that they don't come from where they say they do. The addresses are harvested from websites and publicly viewable mailing list archives.

In addition to the ones from list members here, I also get lots that have been allegedly sent from my domain using unique contact e-mail addresses that I never use for sending e-mail, which are then bounced from the mail servers and 'returned'.

I understand that this could be solved if the ISPs used SMTP authorisation, to confirm the originating address, but they seem reluctant to do so.

In the mean time there's little that can be done about it.

LeeE
Re: [Flightgear-devel] WARNING: Flightgear spam attack; open relay at baron.me.umn.edu
Lee Elliott wrote:

> > I'm under a serious spam attack from an infected computer of someone on the list. Here is where the spam is originating:
> >
> > user-24-214-247-18.knology.net
>
> These e-mails almost certainly have spoofed 'From' addresses and just about the only thing you can be sure of is that they don't come from where they say they do.

That's not the return address -- it's the last Received: header (i.e. the first hop that the e-mail took). The infected user almost certainly had this domain, though his or her ISP might have a different name.

If anyone on the list has the IP address 24.214.247.18 right now and is unfortunate enough to use Windows and Outlook, please disconnect your ethernet cable immediately and then get help disinfecting your system.

> In the mean time there's little that can be done about it.

On a case-by-case basis, you can hunt down the individual infected machines by examining the headers. It gets tiresome after a while, though, especially when I was receiving a couple of thousand of these a day.

The worst b*ds in this whole mess are not the virus writers, slimy as they are, or Microsoft, incompetent as they are; rather, it's the enterprise anti-virus software vendors, who sell systems that automatically send useless virus warnings every time a message like this comes. Either

(a) they're complete idiots who couldn't be trusted with the washroom key at a gas station, much less corporate network security; or

(b) they know perfectly well that they're making the problem worse and that their warnings are going to the wrong people, but cannot resist the free advertising (but it's not SPAM, it's a VIRUS WARNING!).

I'm leaning towards (b), because (a) scares me even more.

All the best,

David
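
The header reading described in the message above (the bottom-most Received: header is the first hop) can be scripted. This is an added example, not part of the original thread; the sample message, its RFC 5737 addresses and example.* host names, and the function names are constructed, and it assumes the common `from HELO (rdns [ip]) by host` header layout.

```python
import re
from email import message_from_string

# Constructed sample message (documentation addresses, not taken from the thread).
SAMPLE = """\
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.com with ESMTP id A1; Thu, 20 May 2004 14:02:11 -0400
Received: from OEMCOMPUTER (dyn-18.isp.example.net [192.0.2.18])
\tby relay.example.org with SMTP id B2; Thu, 20 May 2004 14:02:05 -0400
From: "List Admin" <admin@example.org>
To: someone@example.com
Subject: Re: Thank You!

body
"""

# Assumed layout: "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>".
# The HELO name is whatever the client claimed; the bracketed IP is what the
# receiving server saw on the connection.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def received_hops(raw):
    """Return parsed hops in travel order (headers are stored newest-first)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        m = HOP.search(value)
        if m:
            hops.append(m.groupdict())
    return hops

def origin_report(raw):
    """Describe the first hop and flag a HELO name that disagrees with reverse DNS."""
    hops = received_hops(raw)
    if not hops:
        return None
    first = hops[0]
    # Only trust a hop if the "by" host is a server you control or trust:
    # a sender can prepend forged Received lines below the genuine ones.
    first["helo_mismatch"] = (first["rdns"] or "").lower() != first["helo"].lower()
    return first

if __name__ == "__main__":
    print(origin_report(SAMPLE))
```
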
Re: [Flightgear-devel] WARNING: Flightgear spam attack; open relay at baron.me.umn.edu
On Thu, 20 May 2004 15:34:02 -0400 David Megginson [EMAIL PROTECTED] wrote:

> Lee Elliott wrote:
>
> > > I'm under a serious spam attack from an infected computer of someone on the list. Here is where the spam is originating:
> > >
> > > user-24-214-247-18.knology.net
> >
> > These e-mails almost certainly have spoofed 'From' addresses and just about the only thing you can be sure of is that they don't come from where they say they do.
>
> That's not the return address -- it's the last Received: header (i.e. the first hop that the e-mail took). The infected user almost certainly had this domain, though his or her ISP might have a different name.
>
> If anyone on the list has the IP address 24.214.247.18 right now and is unfortunate enough to use Windows and Outlook, please disconnect your ethernet cable immediately and then get help disinfecting your system.

Right now, that address doesn't respond to pings. A traceroute suggests that it's dynamically assigned to users in Florida, and possibly south Georgia.

-c

--
Chris Metzler [EMAIL PROTECTED] (remove snip-me. to email)

As a child I understood how to give; I have forgotten this grace since I have become civilized. - Chief Luther Standing Bear
Re: [Flightgear-devel] WARNING: Flightgear spam attack; open relay at baron.me.umn.edu
On Thursday 20 May 2004 8:48 pm, Chris Metzler wrote:

> On Thu, 20 May 2004 15:34:02 -0400 David Megginson [EMAIL PROTECTED] wrote:
>
> > snip
> >
> > If anyone on the list has the IP address 24.214.247.18 right now and is unfortunate enough to use Windows and Outlook, please disconnect your ethernet cable immediately and then get help disinfecting your system.
>
> Right now, that address doesn't respond to pings. A traceroute suggests that it's dynamically assigned to users in Florida, and possibly south Georgia.

Geobytes http://www.geobytes.com suggests a 98% probability that this IP address is assigned in Panama City, Florida. This is supported by the last hop I get on a traceroute from here in the UK:

qam1-1-3.Panc.FL.US.Knology.Net (24.214.0.141)

Jonathan
Re: [Flightgear-devel] WARNING: Flightgear spam attack; open relay at baron.me.umn.edu
On Thu, 20 May 2004 21:26:39 +0100 Jonathan Richards [EMAIL PROTECTED] wrote:

> On Thursday 20 May 2004 8:48 pm, Chris Metzler wrote:
>
> > On Thu, 20 May 2004 15:34:02 -0400 David Megginson [EMAIL PROTECTED] wrote:
> >
> > > snip
> > >
> > > If anyone on the list has the IP address 24.214.247.18 right now and is unfortunate enough to use Windows and Outlook, please disconnect your ethernet cable immediately and then get help disinfecting your system.
> >
> > Right now, that address doesn't respond to pings. A traceroute suggests that it's dynamically assigned to users in Florida, and possibly south Georgia.
>
> Geobytes http://www.geobytes.com suggests a 98% probability that this IP address is assigned in Panama City, Florida. This is supported by the last hop I get on a traceroute from here in the UK:
>
> qam1-1-3.Panc.FL.US.Knology.Net (24.214.0.141)

Right. I did the traceroute to the same point, but couldn't guess what town Panc referred to. Panama City makes good sense.

But, as you note, that's where it's being assigned, but not necessarily where it's being assigned *to*. Some customers of my ISP that live in Pennsylvania get their IPs assigned by a POP in Washington, D.C.; hence my comment about south Georgia.

-c

--
Chris Metzler [EMAIL PROTECTED] (remove snip-me. to email)

As a child I understood how to give; I have forgotten this grace since I have become civilized. - Chief Luther Standing Bear