on Sat, May 15, 2004 at 12:13:23AM +0100, Pigeon ([EMAIL PROTECTED]) wrote:
> I have received an email from the
> [EMAIL PROTECTED] mailing list, to which I am
> subscribed. The originator of the email has sent it to a large number
> of recipients, as shown in the To: header - legitimately, not as spam,
> but there are two spurious entries in the list:
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> "schnellbox.pigeonloft" is an internal hostname of mine, obviously not
> routable from "the outside". It is the box from which I post to the
> progressivemusicforum list. I don't have users named "Chipster" or
> "Robert". There is nothing in my exim logs relating to "Chipster" or
> "Robert" and chkrootkit says nothing untoward is on any of my machines.
>
> I am guessing that the guy who sent out the email in question may be
> infected with some kind of virus which has found
> "@schnellbox.pigeonloft" in the Message-Id: headers of my posts to
> progressivemusicforum and added spurious user names to them which have
> somehow found their way into the sender's list of recipients for the
> email.

Unqualified senders are often qualified as they go through MTAs. Is
schnellbox your mailserver, by chance? Looks it, per headers.

> Googling for chipster robert virus doesn't throw up anything about a
> virus that uses these fake names; does anyone on here recognise this
> as possible viral behaviour? I've warned the sender just in case. The
> full email is attached.
>
> From [EMAIL PROTECTED] Fri May 14 01:42:39 2004
> Return-path: <[EMAIL PROTECTED]>
> Envelope-to: [EMAIL PROTECTED]
> Received: from pigeon by schnellbox.pigeonloft with local (Exim 3.35 #1 (Debian))
>     id 1BOQmd-0003dB-00
>     for <[EMAIL PROTECTED]>; Fri, 14 May 2004 01:42:39 +0100

Probably rewritten here.

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Kerry '04 http://www.johnkerry.com/