From: Peter Dimov (pdimov_at_[hidden])
Date: 2004-02-12 08:11:14

Jeff Garland wrote:
> On Wed, 11 Feb 2004 23:38:49 -0500, Dan W. wrote
>> Yeah, never mind... below is in the IP range of the
>> University of Indiana; and the fact that it says it received the
>> email from local host ( either means that's SMTP
>> server is hacked, or that there's another machine in their campus
>> that's hacked and pretending to be local host; or else that local
>> host is hacked, or that my ISP is hacked, or that the server here at
>> work is hacked, or...
>> ...or that I'm hacked... :(
> Actually I believe one of the boosters at University of Indiana has
> been hacked. I've been receiving MyDoom infected email with sender
> names that correspond to the user names of at least one of the
> boosters there and appear to be from there. And I'm certain that my
> machines haven't been hacked. As for me being hacked, that's less
> clear ;-)

MyDoom is a From: spoofer. The relevant header is:

Received: from ([])
 by (8.11.6/8.11.6) with ESMTP id i1C0Wq529796
 for <boost_at_[hidden]>; Wed, 11 Feb 2004 19:32:53 -0500

where "" is forged. The IP address is assigned to:

inetnum: -
netname: CHINANET-GX
descr: CHINANET Guangxi province network
descr: Data Communication Division
descr: China Telecom
country: CN

Kevlin will now receive tens of "You are infected" autoreplies; I'm sure
he'll be honored.
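
The header check described in the message above, as an added example that is not part of the original post: it reads the sendmail-style `Received:` fields of a message, picks the oldest hop recorded by a relay you trust, and reports the bracketed IP that relay saw on the wire rather than the `From:` or HELO name. The sample message, hostnames, IDs and addresses are constructed (reserved example domains and RFC 5737 ranges), and the function names and the trusted-relay set are assumptions.

```python
import email
import ipaddress
import re

# Sendmail-style trace field: "from HELO (RDNS [IP]) by MTA ..."; RDNS may be absent.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f:.]+)\]\)\s+by\s+(?P<by>\S+)"
)

# Constructed sample message (not the redacted header from the post).
SAMPLE = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.example.net (8.11.6/8.11.6) with ESMTP id CONSTRUCTED2
\tfor <reader@example.net>; Wed, 11 Feb 2004 19:40:00 -0500
Received: from mail.university.example ([203.0.113.77])
\tby lists.example.org (8.11.6/8.11.6) with ESMTP id CONSTRUCTED1
\tfor <list@lists.example.org>; Wed, 11 Feb 2004 19:32:53 -0500
From: someone@university.example
Subject: hi

body
"""

def parse_hops(raw):
    """Return Received hops, newest first, as dicts with helo/rdns/ip/by."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        hop = m.groupdict()
        try:
            hop["ip"] = str(ipaddress.ip_address(hop["ip"]))
        except ValueError:
            continue  # malformed address literal: ignore this hop
        hops.append(hop)
    return hops

def origin_hop(raw, trusted_mtas):
    """Oldest hop written by a relay we trust; anything older can be forged."""
    trusted = [h for h in parse_hops(raw) if h["by"] in trusted_mtas]
    return trusted[-1] if trusted else None

def helo_unverified(hop):
    """True when the HELO name is not backed by a matching reverse-DNS name."""
    return hop["rdns"] is None or hop["rdns"].lower() != hop["helo"].lower()
```

The IP returned by `origin_hop` is the value to look up in whois; the HELO name beside it is sender-supplied text.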

Boost list run by bdawes at, gregod at, cpdaniel at, john at