
From: Peter Dimov (pdimov_at_[hidden])
Date: 2004-02-12 08:11:14


Jeff Garland wrote:
> On Wed, 11 Feb 2004 23:38:49 -0500, Dan W. wrote
>> Yeah, never mind... 129.79.245.244 below is in the IP range of the
>> University of Indiana; and the fact that it says it received the
>> email from local host (127.0.0.1) either means that IU.edu's SMTP
>> server is hacked, or that there's another machine in their campus
>> that's hacked and pretending to be local host; or else that local
>> host is hacked, or that my ISP is hacked, or that the server here at
>> work is hacked, or...
>>
>> ...or that I'm hacked... :(
>
> Actually I believe one of the boosters at University of Indiana has
> been hacked. I've been receiving MyDoom infected email with sender
> names that correspond to the user names of at least one of the
> boosters there and appear to be from there. And I'm certain that my
> machines haven't been hacked. As for me being hacked, that's less
> clear ;-)

MyDoom is a From: spoofer. The relevant header is:

Received: from curbralan.com ([202.103.247.70])
 by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796
 for <boost_at_[hidden]>; Wed, 11 Feb 2004 19:32:53 -0500

where "curbralan.com" is forged. The IP address is assigned to:

inetnum: 202.103.192.0 - 202.103.255.255
netname: CHINANET-GX
descr: CHINANET Guangxi province network
descr: Data Communication Division
descr: China Telecom
country: CN

Kevlin will now receive tens of "You are infected" autoreplies, I'm sure
he'll be honored.
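As an added example (not code from the list or its members), here is the check Peter's analysis implies, in Python: unfold the Received header quoted above, separate the sender-controlled HELO name from the connecting IP that the receiving MTA itself recorded, and test that IP against the whois inetnum range. The regex is written for the sendmail Received format shown; the function and variable names are my own.

```python
import re
import ipaddress

# The Received header quoted in the message above, folded as in the mail.
RECEIVED = (
    "Received: from curbralan.com ([202.103.247.70])\n"
    " by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796\n"
    " for <boost_at_[hidden]>; Wed, 11 Feb 2004 19:32:53 -0500"
)

# The inetnum line from the whois output quoted in the message.
WHOIS_INETNUM = "inetnum: 202.103.192.0 - 202.103.255.255"

# sendmail style: "from <HELO name> ([<peer IP>]) by <receiving host> ..."
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
)


def parse_received(header: str) -> dict:
    """Join folded continuation lines, then pull out the HELO name the
    sender claimed, the peer IP the MTA saw, and the receiving host.
    Only the HELO name is chosen by the sender; the IP comes from the
    TCP connection and is trustworthy when the 'by' host is your own MTA."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    m = RECEIVED_RE.match(unfolded)
    if not m:
        raise ValueError("unrecognised Received header format")
    return m.groupdict()


def inetnum_to_network(line: str) -> ipaddress.IPv4Network:
    """Turn a whois 'inetnum: a - b' range into a single CIDR block."""
    start, end = (ipaddress.IPv4Address(s.strip())
                  for s in line.split(":", 1)[1].split("-"))
    nets = list(ipaddress.summarize_address_range(start, end))
    if len(nets) != 1:
        raise ValueError("range does not collapse to one CIDR block")
    return nets[0]


def assess(header: str, inetnum: str) -> dict:
    """Parsed header fields plus whether the connecting IP lies inside the
    whois range; a HELO name from an unrelated network is the red flag."""
    fields = parse_received(header)
    ip = ipaddress.IPv4Address(fields["ip"])
    fields["connecting_ip_in_whois_range"] = ip in inetnum_to_network(inetnum)
    return fields
```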


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk