Great Circle Associates List-Managers
(August 2004)
 


Subject: Re: Automated attack on list managers?
From: Tom Neff <tneff @ grassyhill . net>
Date: Sun, 22 Aug 2004 09:31:10 -0400
To: list-managers @ greatcircle . com
In-reply-to: <a06110408bd4e3a918193@[62.195.90.214]>
References: <a06110408bd4e3a918193@[62.195.90.214]>

--On Sunday, August 22, 2004 2:11 PM +0200 Loek Jehee <loekjehe@xs4all.nl> wrote:
> I am the moderator of a Buddhist list of over 1200 subscribers. I
> frequently receive warnings that my computer is infected with some
> kind of virus or worm etc. You will understand that - as an owner of
> a Mac OS X computer - it is highly (!) unlikely that my computer indeed
> is infected :-) There is a far bigger chance that one or more of the
> computers of the subscribers is infected and generates messages out
> of his/her address book that contain virus or spam or worms or
> whatever.

It is even more likely that most of the "warning messages" you are seeing 
have nothing to do with your duties as Norbunet moderator, but are simply 
worm payloads masquerading as virus warnings.  In cases where you can 
authenticate the origin of the warning message, it's indeed most likely 
that a listmember's computer is infected.

> This is a very annoying problem and I wonder if you guys also have
> troubles with this. Today the problem even got worse: I noticed a
> port scan attack on my computer (my SNORT system started to fire)
> which persisted for over an hour. Upon sending a message to the abuse
> and admin addresses of the server hosting the malignant attacker, I
> received the following interesting (quick and polite) reply from the
> admin of that host (Yandex.ru): ...
> So, it seems that they nowadays have automatic scripts (more or
> less violently) attacking any IP address mentioned in spam or virus
> containing messages that they receive! (I consider port scanning as
> an intrusion attempt on my system and as an abusive attack).
> This doesn't promise much good for us as mailing list admins....!!

The problem with what you are saying is that spoofed virus/worm envelopes 
include fake From: addresses, but (in my experience) not spoofed IP 
addresses.  There is no easy way for the IP address for webmail.dzogchen.ru 
(a/k/a mail.dzogchen.ru, a/k/a byak.sinp.msu.ru) to appear in a Received: 
header of a message received at mx1.yandex.ru unless it was actually 
involved in transmitting the message.

Other possibilities are that you have recently approved a listmember (on 
Norbunet or any of your other lists) who receives mail through yandex.ru 
(thus causing their mailservers to see your IP address legitimately); or 
that their IP verification methodology is not quite what they describe.
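As an added illustration (this is not part of Tom's message, nor tooling from the Norbunet list or Great Circle), the point about Received: headers can be made concrete. A list admin who wants to "authenticate the origin" of a virus warning should ignore From: entirely and read only the Received: line written by a mail server they themselves operate, because that line records the TCP peer that actually connected; every header below it, From: included, was handed over by the sender and can be forged. The script below does that for a constructed sample message whose From: claims to be a postmaster but whose top Received: line, written by our own MX, shows who really delivered it. All hostnames are placeholders and all addresses come from the RFC 5737 documentation ranges; `mx1.example.com` is assumed to be the MX we run.

```python
import re
from email import message_from_string
from typing import Optional

# Constructed sample (not from the original thread). From: is forged; the
# Received: chain was written newest-first by each relay. Hostnames are
# placeholders, IPs are RFC 5737 documentation addresses.
SAMPLE = """Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx1.example.com (Postfix) with ESMTP id 4F2A1; Sun, 22 Aug 2004 15:02:11 +0200
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example.net (Postfix) with SMTP id 9C3B7; Sun, 22 Aug 2004 14:59:40 +0200
From: "Mail Administrator" <postmaster@example.org>
To: moderator@example.com
Subject: WARNING: your computer is infected

Body text.
"""

# Matches the common "from HELO (rdns [ip]) by HOST" shape of a Received: line.
# re.S lets \s span the folded (newline + tab) continuation.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.I | re.S,
)


def relay_chain(raw: str) -> list:
    """Return the Received: hops in transit order (oldest first).

    Received: headers are prepended by each relay, so the first header in
    the message is the most recent hop; we reverse to get delivery order.
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]})
    hops.reverse()
    return hops


def authenticated_origin(raw: str, trusted_mx: set) -> Optional[str]:
    """IP of the client that connected to one of our own mail servers.

    Only the Received: line stamped by a host in trusted_mx is evidence of
    where the message came from; it records the actual TCP peer. Lines
    below it, and the From: header, were supplied by the sender and may be
    spoofed, which is why a spoofed From: does not imply a spoofed IP.
    """
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):  # newest first
        m = RECEIVED_RE.search(hdr)
        if m and m["by"].lower() in trusted_mx:
            return m["ip"]
    return None


if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print("Claimed sender (From:, unauthenticated):", msg["From"])
    print("Host that delivered to our MX:",
          authenticated_origin(SAMPLE, {"mx1.example.com"}))
    for hop in relay_chain(SAMPLE):
        print("  hop:", hop["ip"], "->", hop["by"])
```

In the sample, the forged From: names example.org, but the only hop we can vouch for is 192.0.2.10 connecting to mx1.example.com; the earlier hop (198.51.100.77) is plausible but was written by a server we do not control. Applied to the Yandex case in the thread, this is exactly why an IP appearing in the Received: line written by mx1.yandex.ru means that host really did connect to them.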

