Re: virus-laden emails from someone on the Vim list
George V. Reilly wrote:
> [CCing the Vim and Vim-Dev lists. Not that it did any good the last time I raised this subject.]
>
> It is NOT me, dammit! Someone on the Vim list is infected with a virus that trawls through his address book and forges the From address. I too get dozens of virus-laden emails every week that purport to be from various people on the Vim list. Bram, Henk, Arpaffdy, and my own name are some of the names that I see regularly. This has been going on for at least two years :-(
>
> This laptop has been running a fresh install of Ubuntu 6.06 for the last four weeks, so if you've seen any mails from me in that interval, it definitely wasn't me. And I run antivirus and antispyware software when I'm running Windows, and I keep the signatures up to date.
>
> Vimmers, for the love of God, download antivirus and antispyware software, and run a scan on your machines.
>
> Windows users, start here: http://www.microsoft.com/athome/security/default.mspx
>
> /George

Dear George,

I for one don't believe it's you. Some spammer(s) somehow got your handle and the list added to their reserve of "From" and "To" addresses, possibly distributed them on one or more versions of the infamous "Millions CDs", and started faking messages to the list with your "From:" address on them but sending them from anywhere in the world, especially from places like Korea where ISPs don't nuke spammers very diligently if at all.

I guess that at least some of the above spammers aren't even subscribed to the vim lists; they use your handle (in the From: header) as the key to get their crap into the lists. From then on there's no stopping them.

You can't imagine the lot of spam I get with my own "From:" on them, or spam disguised as bounces purportedly telling "me" that "my own address" was rejected by "my own ISP" as "unknown recipient". Imagine!

If your fromline appears oftener than some others on the list spam, it's just that for some reason the list spammers hide behind it oftener than behind other masquerade names. Maybe they just got you more times than others on their lists of pseudo-customers and pseudo-suppliers.

And I repeat (you, George, probably know the following but maybe other Vimmers don't): it's very easy to fake a From: address. A baby could do it. It's in the menus of every mail client I know, not even hidden in a place difficult to reach. With the list in its To: line and any subscriber's addy on the (possibly faked) From: line, anything (with any actual origin) will be sent to everyone on the list. So there's no telling who actually sent the spam, except by analyzing the Received: lines (which are added to any email after it has left its original sender). But to thwart that mode of attack, many spammers add "fake" received-lines to their spam to make it appear that it came from elsewhere.

The rule I go by is that whoever sent the spam to my ISP's "incoming mail" routers is the culprit. He usually can only be identified as a dotted-quad IP address similar to 123.45.67.89 but at least that tells us where in the world it came from.

Best regards,
Tony.
Re: virus-laden emails from someone on the Vim list
To make this a little more concrete, here's some data from the last few such emails that I've received.

First, typical headers:

    From - Thu Jul 6 18:56:35 2006
    X-Account-Key: account2
    X-UIDL: 1152233907.18606.mta6-4
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 1000
    Return-Path: <[EMAIL PROTECTED]>
    Delivered-To: george:[EMAIL PROTECTED]
    X-OB-Received: from unknown (192.168.9.207) by 192.168.8.190; 7 Jul 2006 00:58:27 -
    Received: from 30013-2004-0009.com (unknown [203.229.175.114])
        by spf6-3.us4.outblaze.com (Postfix) with SMTP id 1D21C10DADB
        for <[EMAIL PROTECTED]>; Fri, 7 Jul 2006 00:58:22 + (GMT)
    Date: Fri, 07 Jul 2006 09:58:30 +0900
    To: "George" <[EMAIL PROTECTED]>
    From: "Agiorgio" <[EMAIL PROTECTED]>
    Subject: Avis
    Message-ID: <[EMAIL PROTECTED]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;

Next, the IP addresses and the purported senders:

    221.163.190.71  - "Tal" <[EMAIL PROTECTED]>
    203.229.175.114 - "Agiorgio" <[EMAIL PROTECTED]>
    218.155.24.56   - "Tal" <[EMAIL PROTECTED]>
    210.222.7.64    - "Slouken" <[EMAIL PROTECTED]>
    211.192.1.102   - "Eljay" <[EMAIL PROTECTED]>
    214.180.5.118   - "Tal" <[EMAIL PROTECTED]>

The last IP address is in Estonia; the rest are in Korea.

Can anyone take this further?

--
/George V. Reilly [EMAIL PROTECTED]
http://www.georgevreilly.com/blog

George V. Reilly wrote:
> [CCing the Vim and Vim-Dev lists. Not that it did any good the last time I raised this subject.]
>
> It is NOT me, dammit! Someone on the Vim list is infected with a virus that trawls through his address book and forges the From address. I too get dozens of virus-laden emails every week that purport to be from various people on the Vim list. Bram, Henk, Arpaffdy, and my own name are some of the names that I see regularly. This has been going on for at least two years :-(
>
> This laptop has been running a fresh install of Ubuntu 6.06 for the last four weeks, so if you've seen any mails from me in that interval, it definitely wasn't me. And I run antivirus and antispyware software when I'm running Windows, and I keep the signatures up to date.
>
> Vimmers, for the love of God, download antivirus and antispyware software, and run a scan on your machines.
>
> Windows users, start here: http://www.microsoft.com/athome/security/default.mspx
>
> /George
>
> @ Rocteur CC wrote:
>> I can't believe it, is this really you.
>>
>> I receive at least 5 spams a week from your email address.
>>
>> I can't believe it, is this a legitimate mail from you ?
>>
>> I'll be damned, the world's biggest spammer is from the VIM list..
>>
>> I didn't realize..
>>
>> Virus, worms, spam, you name it, I get it from your address, I always thought it was a phony email address and now I see it is a real one..
>>
>> Can you not do something about this ?
>>
>> Anyway, I have hundreds of spam mail from you and it was a shock to see one that was not spam..
>>
>> Jerry
>>
>> On 06 Jul 2006, at 21:10, George Reilly wrote: [snip]
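
Added example, not part of either post: a sketch of the rule from the first reply (believe only the Received: line stamped by your own provider's incoming server), run over a constructed message modelled on the headers quoted above. The trusted suffix, the placeholder addresses and the forged lower Received: line are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: mail servers run by the recipient's own provider. Only Received
# lines stamped by these hosts are believed.
TRUSTED_SUFFIXES = (".outblaze.com",)

# Postfix-style hop: "from HELO (rdns [ip]) by HOST ..."
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\([^\[]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
                 r".*?\bby\s+(?P<by>\S+)", re.S)

# Constructed sample modelled on the headers quoted in the thread. Addresses
# are placeholders; the second Received line is a constructed forgery.
RAW = """\
Return-Path: <sender@example.invalid>
Received: from 30013-2004-0009.com (unknown [203.229.175.114])
\tby spf6-3.us4.outblaze.com (Postfix) with SMTP id 1D21C10DADB
\tfor <george@example.invalid>; Fri, 7 Jul 2006 00:58:22 +0000 (GMT)
Received: from list.example.org (list.example.org [192.0.2.10])
\tby relay.example.net with ESMTP; Fri, 7 Jul 2006 00:50:00 +0000
From: "Agiorgio" <agiorgio@example.invalid>
To: "George" <george@example.invalid>
Subject: Avis

body
"""

def handoff(raw, trusted=TRUSTED_SUFFIXES):
    """Return the hop where an outside host handed the mail to a trusted
    server, or None if the trusted chain cannot be followed that far."""
    for value in message_from_string(raw).get_all("Received", []):  # newest first
        m = HOP.search(value)
        if not m or not m["by"].lower().endswith(trusted):
            return None  # unparseable or stamped by a stranger: stop here
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            return None
        if ip.is_private:
            continue  # internal relay inside the provider, keep walking down
        return {"ip": str(ip), "helo": m["helo"], "by": m["by"]}
    return None

if __name__ == "__main__":
    print(handoff(RAW))
```

Everything below the returned hop, including the From: header and any older Received: lines, was supplied by the connecting host and carries no weight.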