From list-managers-owner@greatcircle.com Mon Aug 9 19:06:52 2004
X-Original-To: list-managers@greatcircle.com
Received: from www-s34d2.ununetworks.com (www-s34d2.ununetworks.com [66.36.228.29]) by mycroft.greatcircle.com (Postfix) with ESMTP id B505C32C1B8 for ; Mon, 9 Aug 2004 19:06:51 -0700 (PDT)
Received: from host81-152-223-179.range81-152.btcentralplus.com ([81.152.223.179]) by www-s34d2.ununetworks.com with asmtp (Exim 4.30; FreeBSD) id 1BuM1m-000GN0-BN; Mon, 09 Aug 2004 22:06:14 -0400
Message-ID: <41182D99.2050308@btinternet.com>
Date: Tue, 10 Aug 2004 03:06:17 +0100
From: lee
User-Agent: Mozilla Thunderbird 0.7.2 (Windows/20040707)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Mailgust , list-managers@greatcircle.com
Subject: (off topic) Compressing and Saving to floppy
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - www-s34d2.ununetworks.com
X-AntiAbuse: Original Domain - greatcircle.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6]
X-AntiAbuse: Sender Address Domain - btinternet.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Archive-Number: 200408/1
X-Sequence-Number: 1792

hello everyone,

Can anyone tell me how to compress a folder of files so that I can copy
it onto my pc's A (floppy) drive? I currently have 3.5" discs which can
otherwise not hold a complete folder of files.

I've already tried saving the folder(s) using WinZip or win-gz before
saving to floppy, but the overall kilobytes size seems to still be the same.

Maybe any compression only reduces the folder to say, 1 file, but there
is no way to actually reduce the size?

Any advice appreciated,
lee

--
From lee - Have a PC, broadband connection and Yahoo ID?
Want to hear my FREE selection of five decades of hit music and modern dance?
Then VISIT HERE and click on Lee's station

From list-managers-owner@greatcircle.com Tue Aug 10 05:33:30 2004
X-Original-To: list-managers@greatcircle.com
Received: from slate.unet.maine.edu (slate.unet.maine.edu [130.111.39.209]) by mycroft.greatcircle.com (Postfix) with ESMTP id 3C04232C1D8 for ; Tue, 10 Aug 2004 05:33:29 -0700 (PDT)
Received: from osgood.unet.maine.edu (osgood.unet.maine.edu [130.111.39.64]) by slate.unet.maine.edu (8.12.11/8.12.11) with ESMTP id i7ACXLXJ023224 for ; Tue, 10 Aug 2004 08:33:22 -0400
Received: from polaris.umpi.maine.edu (polaris.umpi.maine.edu [130.111.208.10]) by osgood.unet.maine.edu (8.11.6/8.11.6) with ESMTP id i7ACWWT30130 for ; Tue, 10 Aug 2004 08:32:32 -0400
Received: from POLARIS/SpoolDir by polaris.umpi.maine.edu (Mercury 1.48); 10 Aug 04 08:30:41 -0500
Received: from SpoolDir by POLARIS (Mercury 1.48); 10 Aug 04 08:30:29 -0500
Received: from albert (130.111.210.145) by polaris.umpi.maine.edu (Mercury 1.48) with ESMTP; 10 Aug 04 08:30:27 -0500
From: "Anthony J. Albert"
Organization: University of Maine at PI
To: list-managers@greatcircle.com
Date: Tue, 10 Aug 2004 08:30:27 -0400
MIME-Version: 1.0
Message-ID: <411887A3.24690.39796CB@localhost>
In-reply-to: <20040810020711.BF32B32C40B@mycroft.greatcircle.com>
X-mailer: Pegasus Mail for Windows (v4.12a)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
X-MailScanner: Found to be clean, Not scanned: please contact your Internet E-Mail Service Provider for details
Subject: Re: (off topic) Compressing and Saving to floppy
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-From: albert@polaris.umpi.maine.edu
X-Archive-Number: 200408/2
X-Sequence-Number: 1793

>----------------------------------------------------------------------
>
>Date: Tue, 10 Aug 2004 03:06:17 +0100
>From: lee
>To: Mailgust , list-managers@greatcircle.com
>Subject: (off topic) Compressing and Saving to floppy
>Message-ID: <41182D99.2050308@btinternet.com>
>
>
>hello everyone,
>
>Can anyone tell me how to compress a folder of files so that I can copy
>it onto my pc's A (floppy) drive? I currently have 3.5" discs which can
>otherwise not hold a complete folder of files.
>
>I've already tried saving the folder(s) using WinZip or win-gz before
>saving to floppy, but the overall kilobytes size seems to still be the same.
>
>Maybe any compression only reduces the folder to say, 1 file, but there
>is no way to actually reduce the size?
>
>Any advice appreciated,
>lee

Compression will reduce the size of the aggregate of files - if they are
compressible. "Random" data is likely not to compress much, and there
are several file types that approach this... .jpg .gif .mp3 among them.
Text files can sometimes compress by 50% or more, because they are
"non-random" like data.

What you need is to split or "span" the archive across multiple disks.
WinZip has this option, as does pkzip.
In WinZip, check the Help file, and look in the index for "spanning"
for instructions.

Hope this helps,
Anthony Albert
===========================================================
Anthony J. Albert albert@umpi.maine.edu
Systems and Software Support Specialist Postmaster
Computer Services - University of Maine, Presque Isle
"This is only temporary, unless it works." --- Red Green

From list-managers-owner@greatcircle.com Sun Aug 22 05:11:16 2004
X-Original-To: list-managers@greatcircle.com
Received: from smtp-vbr8.xs4all.nl (smtp-vbr8.xs4all.nl [194.109.24.28]) by mycroft.greatcircle.com (Postfix) with ESMTP id 40EFC32C486 for ; Sun, 22 Aug 2004 05:11:13 -0700 (PDT)
Received: from [62.195.90.214] (xs1.xs4all.nl [194.109.21.2]) (authenticated bits=0) by smtp-vbr8.xs4all.nl (8.12.11/8.12.11) with ESMTP id i7MCBBcZ091289 for ; Sun, 22 Aug 2004 14:11:11 +0200 (CEST) (envelope-from loekjehe@xs4all.nl)
Mime-Version: 1.0
X-Sender: loekjehe@localhost
Message-Id:
Date: Sun, 22 Aug 2004 14:11:08 +0200
To: list-managers@greatcircle.com
From: Loek Jehee
Subject: Automated attack on list managers?
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Virus-Scanned: by XS4ALL Virus Scanner
X-Archive-Number: 200408/3
X-Sequence-Number: 1794

Dear all,

I am the moderator of a Buddhist list of over 1200 subscribers. I
frequently receive warnings that my computer is infected with some
kind of virus or worm etc. You will understand that - as an owner of
a Mac OS X computer - it is highly (!) unlikely that my computer indeed
is infected :-) There is a far bigger chance that one or more of the
computers of the subscribers is infected and generates messages out
of his/her address book that contain virus or spam or worms or
whatever.

This is a very annoying problem and I wonder if you guys also have
troubles with this. Today the problem even got worse: I noticed a
port scan attack on my computer (my SNORT system started to fire)
which persisted for over an hour.
Upon sending a message to the abuse and admin addresses of the server
hosting the malignant attacker, I received the following interesting
(quick and polite) reply from the admin of that host (Yandex.ru):

"Hello, our security policies require any host accessing our public
resources to be portscanned to detect possibly trojaned or otherwise
infected hosts, proxies etc. That is why you're observing those access
attempts (sourced from clearly named hosts proxychecker.yandex.net).
We won't bother you anymore (unless you obtain your IP address
dynamically). Please notice that, if you didn't access any resources
in yandex.ru/yandex.com or ya.ru domain, your computer is probably
already infected by some third party and used to send spam received by
our server, that in turn sourced the portscan in question."

You will understand that I didn't visit any of their sites recently nor
that there was any message sent to them from my computer at all.

So, it seems that they nowadays have automatic scripts (more or
less violently) attacking any IP address mentioned in spam or virus
containing messages that they receive! (I consider port scanning as
an intrusion attempt on my system and as an abusive attack).
This doesn't promise much good for us as mailing list admins....!!

Ciao!
Loek

From list-managers-owner@greatcircle.com Sun Aug 22 06:31:16 2004
X-Original-To: list-managers@greatcircle.com
Received: from grassyhill.org (grassyhill.org [208.231.0.71]) by mycroft.greatcircle.com (Postfix) with ESMTP id 1856232C308 for ; Sun, 22 Aug 2004 06:31:11 -0700 (PDT)
Received: from localhost (lyme_fw [204.60.148.242]) by grassyhill.org (8.11.0/8.11.0) with ESMTP id i7MDV8p10275 for ; Sun, 22 Aug 2004 09:31:08 -0400 (EDT)
X-Envelope-To:
Date: Sun, 22 Aug 2004 09:31:10 -0400
From: Tom Neff
To: list-managers@greatcircle.com
Subject: Re: Automated attack on list managers?
Message-ID: <1B55DD9F7F4F3DD0D7060035@[192.168.0.18]>
In-Reply-To:
References:
X-Mailer: Mulberry/3.1.6 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Archive-Number: 200408/4
X-Sequence-Number: 1795

--On Sunday, August 22, 2004 2:11 PM +0200 Loek Jehee wrote:

> I am the moderator of a Buddhist list of over 1200 subscribers. I
> frequently receive warnings that my computer is infected with some
> kind of virus or worm etc. You will understand that - as an owner of
> a Mac OS X computer - it is highly (!) unlikely that my computer indeed
> is infected :-) There is a far bigger chance that one or more of the
> computers of the subscribers is infected and generates messages out
> of his/her address book that contain virus or spam or worms or
> whatever.

It is even more likely that most of the "warning messages" you are seeing
have nothing to do with your duties as Norbunet moderator, but are simply
worm payloads masquerading as virus warnings. In cases where you can
authenticate the origin of the warning message, it's indeed most likely
that a listmember's computer is infected.

> This is a very annoying problem and I wonder if you guys also have
> troubles with this. Today the problem even got worse: I noticed a
> port scan attack on my computer (my SNORT system started to fire)
> which persisted for over an hour. Upon sending a message to the abuse
> and admin addresses of the server hosting the malignant attacker, I
> received the following interesting (quick and polite) reply from the
> admin of that host (Yandex.ru):
...
> So, it seems that they nowadays have automatic scripts (more or
> less violently) attacking any IP address mentioned in spam or virus
> containing messages that they receive! (I consider port scanning as
> an intrusion attempt on my system and as an abusive attack).
> This doesn't promise much good for us as mailing list admins....!!
The problem with what you are saying is that spoofed virus/worm
envelopes include fake From: addresses, but (in my experience) not
spoofed IP addresses. There is no easy way for the IP address for
webmail.dzogchen.ru (a/k/a mail.dzogchen.ru, a/k/a
byak.sinp.msu.ru) to appear in a Received: header of a message
received at mx1.yandex.ru unless it was actually involved in
transmitting the message.

Other possibilities are that you have recently approved a listmember (on
Norbunet or any of your other lists) who receives mail through yandex.ru
(thus causing their mailservers to see your IP address legitimately); or
that their IP verification methodology is not quite what they describe.

From list-managers-owner@greatcircle.com Sun Aug 22 08:58:45 2004
X-Original-To: list-managers@greatcircle.com
Received: from xuxa.iecc.com (xuxa.iecc.com [208.31.42.42]) by mycroft.greatcircle.com (Postfix) with ESMTP id AA02D32C181 for ; Sun, 22 Aug 2004 08:58:43 -0700 (PDT)
Received: (qmail 26870 invoked by uid 100); 22 Aug 2004 15:58:37 -0000
Date: 22 Aug 2004 15:58:37 -0000
Message-ID: <20040822155837.26869.qmail@xuxa.iecc.com>
From: John Levine
To: list-managers@greatcircle.com
Cc: tneff@grassyhill.net
Subject: Re: Automated attack on list managers?
In-Reply-To: <1B55DD9F7F4F3DD0D7060035@[192.168.0.18]>
Organization: I.E.C.C., Trumansburg NY USA
Cc:
X-Archive-Number: 200408/5
X-Sequence-Number: 1796

>It is even more likely that most of the "warning messages" you are seeing
>have nothing to do with your duties as Norbunet moderator, but are simply
>worm payloads masquerading as virus warnings. In cases where you can
>authenticate the origin of the warning message, it's indeed most likely
>that a listmember's computer is infected.

I get vast number of "you have a virus" reports and they are invariably
sent by a crudware virus filter in response to a virus with a forged
return address.
All viruses now have forged return addresses, and most virus filters
are crud, so that's a lot of bogus warnings. The most you can conclude
is that someone with your list's address in his address book probably
has a virus, since address books on the infected computers are a prime
source of those forged addresses.

Since I am a weenie, I have some mail filters here that catch the most
common warning messages and forward them back to the postmaster on the
system that sent the warning with a note telling them to turn off the
warnings since they go 100% to the wrong place. Unfortunately, most
postmasters are too dim to understand what the problem is and why it is
counterproductive to send virus warnings to people who didn't send them
viruses.

So for most people, the best you can do is to treat them like any other
kind of spam, since that's what they are.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web

From list-managers-owner@greatcircle.com Sun Aug 22 09:25:45 2004
X-Original-To: list-managers@greatcircle.com
Received: from ns.lofcom.com (unknown [69.93.98.146]) by mycroft.greatcircle.com (Postfix) with ESMTP id DED3732C456 for ; Sun, 22 Aug 2004 09:25:44 -0700 (PDT)
Received: from [192.168.123.10] (wbar5.wdc2-4.16.156.115.wdc2.dsl-verizon.net [4.16.156.115]) by ns.lofcom.com (8.12.11/8.12.8) with ESMTP id i7MFSEu0016567 for ; Sun, 22 Aug 2004 11:28:14 -0400
X-Envelope-From: charlie@lofcom.com
X-Envelope-To:
X-Sender: adminmail2@oldradio.net
Message-Id:
In-Reply-To: <20040822155837.26869.qmail@xuxa.iecc.com>
References: <1B55DD9F7F4F3DD0D7060035@[192.168.0.18]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-No-Archive: yes
Date: Sun, 22 Aug 2004 12:18:38 -0400
To: list-managers@greatcircle.com
From: Charlie Summers
Subject: Re: Automated attack on list managers?
X-Archive-Number: 200408/6
X-Sequence-Number: 1797

At 11:58 AM -0400 8/22/04, John Levine is rumored to have typed:

> The most you can conclude is that someone with your list's
> address in his address book probably has a virus

...or on a cached web page, or in an email sent to him from someone
else, or in a TXT file on his computer... The days when viruses depended
on the addressbook are long gone.

Charlie

From list-managers-owner@greatcircle.com Sun Aug 22 09:44:14 2004
X-Original-To: list-managers@greatcircle.com
Received: from mail1.panix.com (mail1.panix.com [166.84.1.72]) by mycroft.greatcircle.com (Postfix) with ESMTP id BA40E32C171 for ; Sun, 22 Aug 2004 09:44:09 -0700 (PDT)
Received: from mailspool3.panix.com (mailspool3.panix.com [166.84.1.78]) by mail1.panix.com (Postfix) with ESMTP id A764948703 for ; Sun, 22 Aug 2004 12:44:08 -0400 (EDT)
Received: from [24.13.13.212] (c-24-13-13-212.client.comcast.net [24.13.13.212]) by mailspool3.panix.com (Postfix) with ESMTP id DF25A195A3 for ; Sun, 22 Aug 2004 12:44:08 -0400 (EDT)
Message-ID: <4128CD5E.50403@panix.com>
Date: Sun, 22 Aug 2004 11:44:14 -0500
From: "David W. Tamkin"
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.2) Gecko/20040803
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: list-managers@greatcircle.com
Subject: Re: Automated attack on list managers?
References: <20040822155837.26869.qmail@xuxa.iecc.com>
In-Reply-To: <20040822155837.26869.qmail@xuxa.iecc.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Archive-Number: 200408/7
X-Sequence-Number: 1798

John Levine wrote:

> I get vast number of "you have a virus" reports and they are
> invariably sent by a crudware virus filter in response to a virus with
> a forged return address.

Some that I get are not responses to viruses from broken filters but
rather are thinly disguised viruses themselves.

From list-managers-owner@greatcircle.com Sun Aug 22 09:51:22 2004
X-Original-To: list-managers@greatcircle.com
Received: from grassyhill.org (grassyhill.org [208.231.0.71]) by mycroft.greatcircle.com (Postfix) with ESMTP id EDEFA32C196 for ; Sun, 22 Aug 2004 09:51:20 -0700 (PDT)
Received: from localhost (lyme_fw [204.60.148.242]) by grassyhill.org (8.11.0/8.11.0) with ESMTP id i7MGpGp15381 for ; Sun, 22 Aug 2004 12:51:16 -0400 (EDT)
X-Envelope-To:
Date: Sun, 22 Aug 2004 12:51:19 -0400
From: Tom Neff
To: list-managers@greatcircle.com
Subject: Re: Automated attack on list managers?
Message-ID:
In-Reply-To: <4128CD5E.50403@panix.com>
References: <20040822155837.26869.qmail@xuxa.iecc.com> <4128CD5E.50403@panix.com>
X-Mailer: Mulberry/3.1.3 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Archive-Number: 200408/8
X-Sequence-Number: 1799

--On Sunday, August 22, 2004 11:44 AM -0500 "David W. Tamkin" wrote:

> John Levine wrote:
>
>> I get vast number of "you have a virus" reports and they are
>> invariably sent by a crudware virus filter in response to a virus with
>> a forged return address.
>
> Some that I get are not responses to viruses from broken filters but
> rather are thinly disguised viruses themselves.

Those are the ones I was talking about. The legitimate filter-stops are
pretty easy to trace to the mail servers of real members. We also get
them for 'content' when someone calls someone else a gol-durned polecat.

From list-managers-owner@greatcircle.com Mon Aug 23 12:16:52 2004
X-Original-To: list-managers@greatcircle.com
Received: from ultra7.eskimo.com (ultra7.eskimo.com [204.122.16.70]) by mycroft.greatcircle.com (Postfix) with ESMTP id C4CBF32C1BD for ; Mon, 23 Aug 2004 12:16:51 -0700 (PDT)
Received: from big-dog.dogswood.com (dialport63.west.eskimo.net [67.136.147.103]) by ultra7.eskimo.com (8.12.10/8.12.10) with ESMTP id i7NJAL3J004249 for ; Mon, 23 Aug 2004 12:10:22 -0700
Received: (from jimo@localhost) by big-dog.dogswood.com (8.11.6/8.11.6/SuSE Linux 0.5) id i7NI97w32401 for list-managers@greatcircle.com; Mon, 23 Aug 2004 11:09:07 -0700
Date: Mon, 23 Aug 2004 11:09:07 -0700
From: Jim Osborn
To: list-managers@greatcircle.com
Subject: Re: Automated attack on list managers?
Message-ID: <20040823180907.GA12545@eskimo.com>
Mail-Followup-To: list-managers@greatcircle.com
References: <1B55DD9F7F4F3DD0D7060035@[192.168.0.18]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1B55DD9F7F4F3DD0D7060035@[192.168.0.18]>
User-Agent: Mutt/1.4i
X-Archive-Number: 200408/9
X-Sequence-Number: 1800

On Sun, Aug 22, 2004 at 9:31:10AM -0400, Tom Neff wrote:

> The problem with what you are saying is that spoofed virus/worm
> envelopes include fake From: addresses, but (in my experience) not
> spoofed IP addresses. There is no easy way for the IP address for
> webmail.dzogchen.ru (a/k/a mail.dzogchen.ru, a/k/a
> byak.sinp.msu.ru) to appear in a Received: header of a message
> received at mx1.yandex.ru unless it was actually involved in
> transmitting the message.

I see a lot of spam with obviously-forged Received: headers. I don't
think you can trust any but the topmost, at least until the mail enters
your domain. I've found many of these forgeries to be useful spam
discriminators, in fact.

So, it wouldn't surprise me if virii were grabbing IP numbers from their
usual sources and stuffing them into forged Received lines.
An iplookup of the numbers in question would likely not match any
verbiage in the header, but the spam robot probably doesn't care about
accuracy. :)

FWIW,
Jim

From list-managers-owner@greatcircle.com Tue Aug 31 07:41:22 2004
X-Original-To: list-managers@greatcircle.com
Received: from www-s34d2.ununetworks.com (www-s34d2.ununetworks.com [66.36.228.29]) by mycroft.greatcircle.com (Postfix) with ESMTP id DBC2C32C15D for ; Tue, 31 Aug 2004 07:41:17 -0700 (PDT)
Received: from tnt-2-172.easynet.co.uk ([195.40.196.172]) by www-s34d2.ununetworks.com with asmtp (Exim 4.30; FreeBSD) id 1C29p0-000PbI-0c for list-managers@greatcircle.com; Tue, 31 Aug 2004 10:41:18 -0400
Message-ID: <41348E19.5060008@btinternet.com>
Date: Tue, 31 Aug 2004 15:41:29 +0100
From: lee
User-Agent: Mozilla Thunderbird 0.7.3 (Windows/20040803)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: list-managers@greatcircle.com
Subject: strange spam ?
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - www-s34d2.ununetworks.com
X-AntiAbuse: Original Domain - greatcircle.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6]
X-AntiAbuse: Sender Address Domain - btinternet.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Archive-Number: 200408/10
X-Sequence-Number: 1801

hello everyone,

Just wondering if anyone is aware of (the cause of) some spam one of my
list zubscribers is reporting; he is often getting spam with a
legitimate list message underneath it, all inline and apparently all
one email. The list messages are not necessarily from him.

A look through the headers he's shown me does not suggest that the
spammer is zubscribed to any of my lists. Maybe a worm or virus is
active in his or another list zubscriber's pc? He is zubscribed to
other independent lists so presumably he could have picked it up
anywhere.

thanks for any thoughts,
lee

--
From lee - Have a PC, broadband connection and Yahoo ID?
Want to hear my FREE selection of five decades of hit music and modern dance?
Then VISIT HERE and click on Lee's station
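
Added example (not part of any message in this thread): the question raised above by Tom Neff and Jim Osborn, which Received: lines can be believed, worked through in Python. The hostnames, addresses and the TRUSTED_BY set are constructed for illustration, and the regular expressions cover only the common "from NAME (rdns [ip]) by HOST" shape; real Received: formats vary.

```python
import email
import re
from email import policy

# Assumption: hosts we operate, whose Received: stamps we believe.
TRUSTED_BY = {"store.example.net", "mx1.example.net"}

# Constructed sample: 192.0.2.10 really connected to our edge MTA; the bottom
# Received: line was written by the sender and names an uninvolved address.
RAW = """\
Received: from mx1.example.net (mx1.example.net [10.0.0.5])
\tby store.example.net (Postfix) with ESMTP id AAA111;
\tSun, 22 Aug 2004 12:00:03 +0000
Received: from bulk.sender.example (unknown [192.0.2.10])
\tby mx1.example.net (Postfix) with ESMTP id BBB222;
\tSun, 22 Aug 2004 12:00:01 +0000
Received: from listhost.example.org ([198.51.100.77])
\tby bulk.sender.example with SMTP; Sun, 22 Aug 2004 11:59:00 +0000
From: someone@example.org
Subject: constructed sample

body
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+\([^)]*?\[([0-9A-Fa-f.:]+)\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_hop(value):
    """Pull the claimed HELO name, the recorded peer IP and the stamping host."""
    text = " ".join(value.split())  # undo header folding
    m_from, m_by = FROM_RE.search(text), BY_RE.search(text)
    return {
        "helo": m_from.group(1) if m_from else None,
        "ip": m_from.group(2) if m_from else None,
        "by": m_by.group(1).lower() if m_by else None,
    }


def classify_hops(raw, trusted_by):
    """Return hops newest-first, each marked verified or not."""
    # A Received: line is only as reliable as the host that wrote it. Reading
    # from the top, lines stay verified while our own hosts stamped them; the
    # first line stamped by anyone else, and all below it, may be sender-made.
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [parse_hop(str(v)) for v in msg.get_all("Received", [])]
    verified = True
    for hop in hops:
        if hop["by"] not in trusted_by:
            verified = False
        hop["verified"] = verified
    return hops


def boundary_peer(hops):
    """IP our edge MTA saw on the wire: the peer in the last verified hop."""
    verified = [h for h in hops if h["verified"]]
    return verified[-1]["ip"] if verified else None


if __name__ == "__main__":
    for h in classify_hops(RAW, TRUSTED_BY):
        print("verified  " if h["verified"] else "UNVERIFIED", h["by"], "<-", h["ip"])
    print("act on:", boundary_peer(classify_hops(RAW, TRUSTED_BY)))
```

On the constructed message this reports 192.0.2.10 as the address to act on; 198.51.100.77 appears only in a line the sender could have written, so it should not drive a scan, block or abuse report.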