On Wed, Aug 20, 2003 at 06:57:22PM +1200, cr wrote:
> Is there a rash of viruses with spoofed origin lines all of a sudden?   
> I had *120* emails in my other email account today (not the one I use on 
> Debian), many of them were Re: Wicked Screensaver.   I thought they were all 
> spam but I guess they were mostly bounce messages - something's been spoofing 
> my (other) email addy.

I think they're connected with that worm that's been giving me lots of
excuses to tell people that Linux is cool :-) I had 15 of them today;
common characteristics being:

Size: approximately 100kB ( * 15 over dialup, AARGH)
Subject: [Re:[Re:]] {Wicked screensaver|Your details|My details|Your application|Thank you!}
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
From: [EMAIL PROTECTED]|yahoo.com|compuserve.com|netscape.net] |
       [EMAIL PROTECTED] | 
           unsuspecting_schmuck'[EMAIL PROTECTED]'s_domain}
           
and in many but not all of them:

Received: from ua-dip1.nat.okstate.edu ([139.78.10.73] helo=BHIDE)

I guess okstate.edu is infected with this thing (where is that?
Oklahoma State University?)

Nothing in the headers indicates that a bounce has been involved
anywhere along the chain, typical sample:

> From [EMAIL PROTECTED] Wed Aug 20 18:34:11 2003
> Return-path: <[EMAIL PROTECTED]>
> Envelope-to: [EMAIL PROTECTED]
<local Received: headers snipped>
> Received: from mx1.mail.uk.easynet.net ([195.40.1.235])
>       by store2.mail.uk.easynet.net with esmtp (Exim 4.10)
>       id 19pVMh-0006cI-00
>       for [EMAIL PROTECTED]; Wed, 20 Aug 2003 16:59:15 +0100
> Received: from ua-dip1.nat.okstate.edu ([139.78.10.73] helo=BHIDE)
>       by mx1.mail.uk.easynet.net with esmtp (Exim 4.20) id 19pVNh-000E32-HC
>       for [EMAIL PROTECTED]; Wed, 20 Aug 2003 17:00:18 +0100
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: Wicked screensaver
> Date: Wed, 20 Aug 2003 10:58:56 --0500
> X-MailScanner: Found to be clean
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>       boundary="_NextPart_000_0F30A5A7"
> Message-Id: <[EMAIL PROTECTED]>
> X-Spambayes-Classification: spam; 1.00
> Content-Length: 100777
> Lines: 1323
> 

I suspect that it may not be unconnected with this explosion of large
emails that my dialup has been giving me grief (timeouts attempting to
connect, line dropped for no apparent reason, random extreme slowness)
- guess the ISP is having problems with the traffic?

-- 
Pigeon

Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F
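
The header traits listed in the message above, written as a triage check that also separates such mail from a real bounce. This is an added example, not part of the original post. The placeholder addresses, the 90-110 kB size band and the bounce test (null return path or a delivery-status report type) are assumptions, and both sample messages are constructed.

```python
import email
import re

# Traits listed in the post: subject set, mailer string, MIME type, size.
SUBJECTS = {"wicked screensaver", "your details", "my details",
            "your application", "thank you!"}
MAILER = "Microsoft Outlook Express 6.00.2600.0000"
SIZE_BAND = (90_000, 110_000)  # assumption: "approximately 100kB"

def is_bounce(msg):
    # Assumed bounce test: null return path or a delivery-status report.
    null_path = (msg.get("Return-path") or "").strip() == "<>"
    report = (msg.get_param("report-type") or "").lower()
    dsn = msg.get_content_type() == "multipart/report" and report == "delivery-status"
    return null_path or dsn

def matched_traits(raw):
    msg = email.message_from_string(raw)
    traits = []
    # Strip any number of leading "Re:" prefixes before comparing.
    subject = re.sub(r"^(\s*re:\s*)+", "", msg.get("Subject", ""), flags=re.I)
    if subject.strip().lower() in SUBJECTS:
        traits.append("subject")
    if msg.get("X-Mailer", "").strip() == MAILER:
        traits.append("x-mailer")
    if msg.get_content_type() == "multipart/mixed":
        traits.append("multipart/mixed")
    declared = msg.get("Content-Length", "").strip()
    size = int(declared) if declared.isdigit() else len(raw)
    if SIZE_BAND[0] <= size <= SIZE_BAND[1]:
        traits.append("size")
    if not is_bounce(msg):
        traits.append("not-a-bounce")
    return traits

# Constructed samples (placeholder addresses), modelled on the quoted headers.
WORM_LIKE = (
    "Return-path: <sender@example.org>\n"
    "From: <sender@example.org>\n"
    "Subject: Re: Wicked screensaver\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "Content-Type: multipart/mixed;\n\tboundary=\"_NextPart_000_0F30A5A7\"\n"
    "Content-Length: 100777\n\n(body omitted)\n"
)
BOUNCE = (
    "Return-path: <>\n"
    "Subject: Mail delivery failed\n"
    "Content-Type: multipart/report; report-type=delivery-status; boundary=\"b\"\n\n"
)
```

A message that matches every trait and is not a bounce fits the pattern described in the post; the `X-MailScanner: Found to be clean` header is left out of the check because any scanner in the path can add it.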
