From: Dan W. (danw_at_[hidden])
Date: 2004-02-12 10:11:30


Peter Dimov wrote:
> MyDoom is a From: spoofer. The relevant header is:
>
> Received: from curbralan.com ([202.103.247.70])
> by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796
> for <boost_at_[hidden]>; Wed, 11 Feb 2004 19:32:53 -0500
>
> where "curbralan.com" is forged. The IP address is assigned to:
>
> inetnum: 202.103.192.0 - 202.103.255.255
> netname: CHINANET-GX
> descr: CHINANET Guangxi province network
> descr: Data Communication Division
> descr: China Telecom
> country: CN
>
> Kevlin will now receive tens of "You are infected" autoreplies, I'm sure
> he'll be honored.

What I find fascinating is that the infected email I got was not
automatically generated like other similar emails. (Got MyDoom infected
spams several times before.) This one appears hand-crafted. In fact, the
email was the 6th issue for yesterday's boost-request digests, and the
last posting in it, allegedly from kevlin, appears before the notices
and links at the end of such digests. And I did not receive a repeat of
issue # 6. It's as if the email had been grabbed in flight, carefully
altered, then sent along. Unless, that is, it was actually sent to the
mailing list, and the digest producing software itself included it, but
if that's the case, I'm not sure why the bogus message doesn't show in
the news reader as well. And yet, a spade analysis of the header of a
normal boost request digest email reads pretty much the same...

------------------------------------------------------
02/12/04 10:01:20 Spade Log
02/12/04 10:02:05 Input
The Received: headers are the important ones to read
My comments are just hints, and should be considered only
an opinion. I may have guessed wrong, or things may have
changed since I was written
Return-Path: <boost-bounces_at_[hidden]>
Delivered-To:
     raytron-controls.com-danw_at_[hidden]
Received: (qmail 3143 invoked by uid 417); 12 Feb 2004
     01:56:58 -0000
   This received header was added by your mailserver
   Just a qmail status line
Received: from unknown (HELO heart-of-gold.osl.iu.edu)
     (129.79.245.244) by 192.168.0.39 with SMTP; 12 Feb 2004
     01:56:58 -0000
   192.168.0.39 received this from someone claiming
   to be unknown
   (192.168.0.39 doesn't record the senders IP
    address in any way I recognise, so it's impossible to be
    sure. All received headers after this one should be
    treated with suspicion)
Received: from heart-of-gold.osl.iu.edu
     (localhost.localdomain [127.0.0.1]) by
     heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id
     i1C0b0529863; Wed, 11 Feb 2004 19:37:00 -0500
   heart-of-gold.osl.iu.edu received this from someone claiming
   to be heart-of-gold.osl.iu.edu
   but really from 127.0.0.1(No rDNS)
   All headers below may be forged
Date: Wed, 11 Feb 2004 19:37:00 -0500
Message-Id:
     <200402120037.i1C0b0529863_at_[hidden]>
From: boost-request_at_[hidden]
Subject: Boost Digest, Vol 639, Issue 6
To: boost_at_[hidden]
X-BeenThere: boost_at_[hidden]
X-Mailman-Version: 2.1.4
Precedence: list
List-Id: Boost mailing list <boost.lists.boost.org>
   Hmmm list-id: isn't a header I recognise
------------------------------------------------------

It looks as if my normal boost digest emails come through Indiana
University, in fact. So, my first guess was probably right as well, that
the SMTP server for the boost mailing list doesn't scan outgoing emails
for viruses --if it isn't altogether hacked...
And now that I remember, I'd had this email address for a whole year and
hadn't received any spam until I joined the mailing list. About an hour
later I got my first 3 spams, and it's been downhill since.

Cheers!
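The header-chain reading done in the quoted message and in the Spade log above, as an added example that is not part of the original post: a Python script (assumed function names, constructed sample modelled on the digest headers, hidden addresses replaced by example.invalid) that walks the Received: headers newest-first, stops at the hop where the message entered the relays you trust, and reports the connecting IP that relay recorded, treating the claimed HELO name and everything below that hop as unverifiable.

```python
import re
from email import message_from_string

# One regex covers sendmail ("from helo (rdns [ip]) by host") and qmail
# ("from unknown (HELO helo) (ip) by host") Received: lines.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?P<paren>(?:\([^)]*\)\s*)*)by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
QMAIL_HELO_RE = re.compile(r"\(HELO\s+(\S+)\)", re.I)

def parse_hop(value):
    """Return (claimed_helo, connecting_ip, receiving_host) for one Received: header."""
    m = HOP_RE.search(" ".join(value.split()))    # unfold continuation lines first
    if not m:
        return None
    q = QMAIL_HELO_RE.search(m["paren"])          # qmail puts the HELO name in parentheses
    ip = IP_RE.search(m["paren"])
    return (q.group(1) if q else m["helo"]).lower(), ip.group(1) if ip else None, m["by"].lower()

def find_origin(raw_message, trusted):
    """Walk Received: headers newest-first to the hop where mail entered the trusted
    relays from outside. The connecting IP there was recorded by a relay we trust;
    the HELO name and everything below (older hops, From:) came from the sender."""
    hops = [h for h in map(parse_hop, message_from_string(raw_message).get_all("Received", [])) if h]
    for i, (helo, ip, by) in enumerate(hops):
        if by not in trusted:
            return None                            # written by a relay we do not trust
        if ip not in trusted and helo not in trusted:
            return {"origin_ip": ip, "claimed_helo": helo, "unverifiable_hops": len(hops) - i - 1}
    return None                                    # never left the trusted relays

# Constructed sample modelled on the digest headers quoted in the post;
# the hidden addresses are replaced with example.invalid placeholders.
SAMPLE = """\
Received: from unknown (HELO heart-of-gold.osl.iu.edu) (129.79.245.244)
     by 192.168.0.39 with SMTP; 12 Feb 2004 01:56:58 -0000
Received: from heart-of-gold.osl.iu.edu (localhost.localdomain [127.0.0.1]) by
     heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0b0529863;
     Wed, 11 Feb 2004 19:37:00 -0500
Received: from curbralan.com ([202.103.247.70])
     by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796
     for <boost@example.invalid>; Wed, 11 Feb 2004 19:32:53 -0500
From: boost-request@example.invalid
Subject: Boost Digest, Vol 639, Issue 6
"""
TRUSTED = {"192.168.0.39", "129.79.245.244", "heart-of-gold.osl.iu.edu",
           "127.0.0.1", "localhost.localdomain"}

if __name__ == "__main__":
    print(find_origin(SAMPLE, TRUSTED))
```

The reported origin is only as good as the trusted set: a hop written by a relay outside it ends the walk, because nothing below it was recorded by a machine you control.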


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk