Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-Originating-IP: [195.92.67.67]
From: "Elfyn McBratney"
To:
Subject: Fw: Viruses being transported with Cygwin messages
Date: Mon, 14 Oct 2002 00:54:18 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Message-ID:
X-OriginalArrivalTime: 13 Oct 2002 23:55:43.0460 (UTC) FILETIME=[0AA01A40:01C27314]
Note-from-DJ: This may be spam

I didn't mean that. I meant how it came through the system (mailing
list)... :) I was looking at the headers sent by e-mails from me and it's all
plain text, no mime encoded blocks for attached stuff...

Elfyn

> ----- Original Message -----
> From: Randall R Schulz
> To: Elfyn McBratney
> Cc:
> Sent: Monday, October 14, 2002 12:50 AM
> Subject: Re: Viruses being transported with Cygwin messages
>
>
> > Elfyn,
> >
> > Let me be clear that I'm not accusing you (or Gareth or Chris F.) of
> > anything here. As others have pointed out, these worms are clever about
> > coming up with addresses both for the apparent "From:" address and the
> > next ply of intended victim recipients.
> >
> > Here are the routing headers from the message _ostensibly_ from you:
> >
> > Return-Path:
> > Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
> >     by morse.concentric.net [Concentric SMTP MX 1.0]
> >     id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
> >     [1-800-745-2747 The Concentric Network]
> > Errors-To:
> > Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241]
> >     helo=mcb-home)
> >     by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
> >     id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
> > From: "Elfyn McBratney"
> >
> >
> > As you can see, although it claims (suggests? "From:" headers are
> > distinctly non-authoritative) you're at UT Austin, the message itself did
> > not originate or traverse any servers there. Nor does Hotmail appear in
> > the SMTP server-supplied forwarding header. (Concentric is my ISP.)
> >
> > As I understand these worms, they use other users' address books (are they
> > called "Contact Lists" in Outlook and Outlook Express?) to come up with
> > both fraudulent "From:" addresses and recipients. Win32.Bugbear@mm uses
> > registry data to propagate, too.
> >
> > Randall Schulz
> > Mountain View, CA USA
> >
> >
> > Here's the full text of the message I receive (attachment graciously
> > elided--in fact, I delete them as soon as I confirm my hunch that they're
> > worms):
> >
> > -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
> > Return-Path:
> > Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
> >     by morse.concentric.net [Concentric SMTP MX 1.0]
> >     id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
> >     [1-800-745-2747 The Concentric Network]
> > Errors-To:
> > Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241]
> >     helo=mcb-home)
> >     by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
> >     id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
> > From: "Elfyn McBratney"
> > Subject: Re: Need your Mac OS 8 support plan...
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative; boundary="----------ISQROT15KBZQSTO"
> > Message-Id:
> > Bcc:
> > Date: Sun, 13 Oct 2002 19:48:20 +0100
> >
> > Content-Type: text/html;
> >
> > That is really not fare :(
> >
> > Do you know when we'll get a time-indexed beta-sp ???
> >
> > ----- Original Message -----
> > From: Michael Aumeerally
> > To:
> > Sent: Sunday, August 25, 2002 9:52 PM
> > Subject: Re: Need your Mac OS 8 support plan...
> >
> > >
> > > Just wanted to beg you to bring in Mac OS 8 if your on your travels
> > > towards the office :)...
> > >
> > > I may come in Wednesday evening, depending on how the week unfolds...
> > >
> > []
> > connexionscard-pass.txt.scr
> > -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
> >
> >
> > At 16:33 2002-10-13, Elfyn McBratney wrote:
> > >I for one would like to know how that happened. If it's from hotmail then
> > >fair do's, sorry. If it was from elfyn AT exposure DOT org DOT uk that's
> > >impossible because all I can send through my mailgate is .txt or
> > >tars/gz's files...even then all archives are extracted/scanned.
> > >
> > >What month???
> > >
> > >Elfyn
> > >
> > >----- Original Message -----
> > >From: Randall R Schulz
> > >To:
> > >Sent: Sunday, October 13, 2002 11:03 PM
> > >Subject: Re: Viruses being transported with Cygwin messages
> > >
> > >
> > > > Hi,
> > > >
> > > > It might help to know this is the "W32.Bugbear@mm" worm. It has been
> > > > spreading a lot lately. In today's batch I received 3 copies under
> > > > different names (supposedly from Christopher Faylor, Gareth Pearce and
> > > > Elfyn McBratney), each with different contents and different
> > > > attachment names.
> > > >
> > > > Here's what Symantec has to say about this worm:
> > > >
> > > >
> > > > Randall Schulz
> > > > Mountain View, CA USA
> > >

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
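
The header check described in the quoted reply above, as an added example that is not part of the original thread: it walks the `Received:` chain of the routing headers quoted there and tests whether a domain the "From:" line suggests ever appears on the delivery path. The addresses in `RAW` are constructed placeholders (the archive stripped the real ones), and `utexas.edu` and `hotmail.com` are assumed domains for "UT Austin" and "Hotmail".

```python
import re
from email import message_from_string

# Routing headers as quoted in the thread (empty headers omitted).
# The two addresses are constructed placeholders, not values from the page.
RAW = '''\
Return-Path: <placeholder@example.invalid>
Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
    by morse.concentric.net [Concentric SMTP MX 1.0]
    id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
    [1-800-745-2747 The Concentric Network]
Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241]
    helo=mcb-home)
    by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
    id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
From: "Elfyn McBratney" <placeholder@example.invalid>
Subject: Re: Need your Mac OS 8 support plan...

(body elided)
'''

# "from <host> ... [<ip>] ... by <host>" inside one folded Received value.
HOP = re.compile(
    r'from\s+(?P<src>\S+).*?\[(?P<ip>[\d.]+)\].*?\bby\s+(?P<by>\S+)', re.S)

def hops(raw):
    """Return the Received hops oldest-first as (src_host, src_ip, by_host)."""
    # Each relay prepends its line, so the top one was written by the
    # recipient's own MX; lines below it are only as reliable as the relay
    # that handed the message over.
    chain = []
    for value in reversed(message_from_string(raw).get_all('Received', [])):
        m = HOP.search(value)
        if m:
            chain.append((m['src'].lower(), m['ip'], m['by'].lower()))
    return chain

def chain_is_contiguous(chain):
    """True when every hop was received by the host that sent the next one."""
    return all(a[2] == b[0] for a, b in zip(chain, chain[1:]))

def domain_on_path(chain, domain):
    """True when any sending or receiving host on the path is under domain."""
    d = domain.lower()
    return any(h == d or h.endswith('.' + d)
               for hop in chain for h in (hop[0], hop[2]))

if __name__ == '__main__':
    path = hops(RAW)
    print(path, chain_is_contiguous(path))
    for claimed in ('utexas.edu', 'hotmail.com', 'pol.co.uk'):
        print(claimed, domain_on_path(path, claimed))
```
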