Great Circle Associates List-Managers
(June 2004)
 


Subject: Mandrakesoft list....
From: Nick Simicich <njs @ scifi . squawk . com>
Date: Thu, 24 Jun 2004 21:04:29 -0400
To: talk <talk @ flux . org>,List Managers <list-managers @ greatcircle . com>

So, I just got an e-mail from Mandrake - it came from Mandrakesoft, and
it came to my tagged address that is only used for that mailing list. 
The headers seemed to indicate that it really came from there.  I think
that the assertion made in the headers is that it really was from a
poster to the mailing list.

The actual origin was a machine in Italy. I don't have another piece of
mail to see if the origin actually matches the origin of the real mail
in received lines, but the headers sure looked reasonable.

The type is multipart/mixed.  There is a plain text section which is
empty, a details.doc.scr, and a plain text section called
"message.footer" that actually looks like a message footer from the
Mandrakesoft security list.  I have no idea if it was created by the
mailing list software or if it was plugged in by the malware.

The other content was an attachment with the name "details.doc.scr" of a
type application/octet-stream.  Of course, this is a virus.

I doubt that ppp-62-10-51-103.dialup.tiscali.it is making these postings
by hand to get around mailing list origin filters.  I also suspect that
the people at Mandrake are likely not running infected Windows boxes -
they would be running infected Linux boxes, were there viruses handy, I
guess.  What is more likely is that our friends the virus writers are
starting to look at the mail that they send out and maybe they are
duplicating old combinations that they see in the mail files saved on
disk, which will result in more of this - mailing lists which check
origins and which have been virus resistant because of that will be
getting hit. 

Makes me glad that I am running demime on all my mailing lists.

It was amusing that it came on a security mailing list. They should
probably make this a moderated mailing list.

Of course :-), this week, anyway, I am reading this on Linux, so I am
not worried about this worm-thing. But many people like Windows for
console interaction. And they will be infectable.
-- 
Blog: http://majordomo.squawk.com/njs/blog/blogger.html
Atom: http://majordomo.squawk.com/njs/blog/atom.xml
RSS: http://majordomo.squawk.com/njs/blog/atom.rdf
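
The message structure described in the post above, checked the way a list-side filter might check it. This is an added example, not part of the original post and not demime or any list software's own code. The sample message, its addresses, the extension list and the function name `suspicious_parts` are all constructed for illustration.

```python
import email
from email import policy

# Extensions Windows will execute; a constructed, non-exhaustive list.
EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".vbs"}

# Constructed sample shaped like the message described in the post; the
# payload is a harmless placeholder string, not a real binary.
SAMPLE = """\
From: poster@example.org
To: security-list@example.org
Subject: details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain


--b1
Content-Type: application/octet-stream; name="details.doc.scr"
Content-Disposition: attachment; filename="details.doc.scr"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1
Content-Type: text/plain; name="message.footer"

To unsubscribe, send mail to the list server.
--b1--
"""

def suspicious_parts(raw):
    """Return (filename, content_type, reason) for parts a list should hold."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # falls back to Content-Type name=
        if not name:
            continue
        pieces = name.lower().rsplit(".", 2)
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in EXECUTABLE_EXTS:
            reason = "double extension" if len(pieces) == 3 else "executable"
            findings.append((name, part.get_content_type(), reason))
    return findings

if __name__ == "__main__":
    print(suspicious_parts(SAMPLE))
```

The check looks only at the attachment, so it still fires when the sender address passes the list's origin filter, which is the case the post describes.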

