
rsgb_lf_group

LF: Re: Please check ....

To: [email protected]
Subject: LF: Re: Please check ....
From: "Stewart Nelson" <[email protected]>
Date: Sun, 13 Oct 2002 02:45:08 +0200
References: <000501c27247$f7d26340$a34f7ad5@main>
Reply-to: [email protected]
Sender: <[email protected]>
Hi Alan and all,

> Hi all, it would seem that though not being sent through the Reflector, some
> reflector member's PC has been infected and is sending out quantities of
> infected mail. The message mentioned by Andre is not from Mike, I believe,
> (someone else received a spoofed message with his name about 10 days ago.)

This is correct.

> but as Andre, Brian, and myself have received the same message today it
> would seem that someone's machine still has an undetected virus which is
> using his address list of Reflector members and / or message Inbox (which
> must be quite big for Mike changed his address some time ago, I only have an
> archive folder back to April 2002 ...not in the Inbox...and it is not in
> there.....I believe that Mike announced the change last year.....so whoever
> is infected has an enormous Inbox folder ) to forge the instantly
> recognisable message with a 69kB attachment (a size that would not pass
> through the reflector)

The bugbear virus fakes a "from" address with a user name (mike.dennison)
from one message on the infected machine and a domain name (compuserve.com)
from another.  So the faked address, in general, does not exist at all!

Bugbear sends itself out to addresses harvested from saved messages (not
just the inbox) and cached web pages on the victim's machine.

There is, however, some info in the headers of a bugbear message which
may help you find and warn the victim.  I did not receive "Mike's" message
myself, but if you still have the message on your system, with all headers,
here's what to look for:

Below are headers from a bugbear message I got "from" another mailing
list.

Return-Path: <[email protected]>
Received: from gadolinium.btinternet.com (194.73.73.111) by mail.mcf.com
with ESMTP (Eudora Internet Mail Server 3.1.3) for <[email protected]>;
Sat, 12 Oct 2002 04:41:06 -0400
Received: from host213-122-88-90.in-addr.btopenworld.com ([213.122.88.90]
helo=msalt2)
by gadolinium.btinternet.com with smtp (Exim 3.22 #8)
id 180HlH-00064c-00; Sat, 12 Oct 2002 09:36:40 +0100
From:  [email protected]
Subject:  Re: Was sumo more popular in the '30s?
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----------AK72WDRHLCHWMV4"
Message-Id: <[email protected]>
Bcc:
Date: Sat, 12 Oct 2002 09:36:40 +0100

The 'Return-Path:' and 'From:' are forged.

The 'Received:' headers are all real.  Bugbear uses the victim's normal
outgoing SMTP server to send mail, so the top header (typically generated
by your ISP) indicates that he probably has a btinternet.com address.
The second header (typically generated by his ISP) will usually give the
real computer name (in this case 'msalt2'), his IP address at the
time (in this case 213.122.88.90), and the sender's time zone (+0100).

People often choose a computer name which matches their first or last
name.  Or, if you can search an archive including full headers, you
may find a post with the same host name.  You can try a tracert
command to the IP involved; the names of the routers in the path may
give a clue to the victim's city.  If the victim has a broadband
connection with a static or rarely changing IP, you might find the
address in a prior post.

If you can't easily identify the victim, send me a copy of the
headers and I'll try to puzzle it out.

73,

Stewart
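As an added illustration (not part of Stewart's post or of any tool he mentions), the Python below walks the Received: headers of a message like the one quoted above and pulls out the bottom hop's HELO name, IP address and time zone, which is the information the post says points at the infected machine. The sample headers are constructed from the quoted ones, with the archive's already-redacted addresses replaced by placeholder addresses.

```python
import re
from email.utils import parsedate_to_datetime
# Constructed sample: the Bugbear headers quoted above, with the archive's
# already-redacted addresses replaced by placeholders.
RAW_HEADERS = """\
Return-Path: <forged.sender@example.invalid>
Received: from gadolinium.btinternet.com (194.73.73.111) by mail.mcf.com
\twith ESMTP (Eudora Internet Mail Server 3.1.3) for <list.member@example.invalid>;
\tSat, 12 Oct 2002 04:41:06 -0400
Received: from host213-122-88-90.in-addr.btopenworld.com ([213.122.88.90]
\thelo=msalt2)
\tby gadolinium.btinternet.com with smtp (Exim 3.22 #8)
\tid 180HlH-00064c-00; Sat, 12 Oct 2002 09:36:40 +0100
From: forged.sender@example.invalid
"""
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)

def unfold(raw):
    """Join continuation lines so every header occupies one string."""
    out = []
    for line in raw.splitlines():
        if line and line[0] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_hops(raw):
    """One dict per Received: header, newest (top) first."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1]
        m = HOP_RE.search(value)
        if not m:
            continue
        claimed, paren, relay = m.groups()
        paren = paren or ""
        helo = re.search(r"helo=(\S+)", paren)           # name the PC announced
        ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", paren)  # address seen by relay
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append({"helo": helo.group(1) if helo else claimed, "relay": relay,
                     "ip": ip.group(0) if ip else None, "tz": when.strftime("%z")})
    return hops

def originator(raw):
    """Bottom hop: the victim's PC handing the mail to its ISP's SMTP server."""
    first = parse_hops(raw)[-1]
    return {k: first[k] for k in ("helo", "ip", "tz", "relay")}
```

The forged From: and Return-Path: lines are deliberately ignored; only the relay chain is trusted, and the "relay" of the bottom hop is the ISP server whose operator can match the IP and timestamp to a customer.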
