
WARNING!!! (from bach.merit.edu)
The following message attachments were flagged by the antivirus scanner:
Attachment [2.2] Message.scr, virus infected: W32/Bagle-CF. Action taken: deleted

VIRUS WARNING Message (from bach.merit.edu)
The virus W32/Bagle-CF was detected in email attachment [2.2] Message.scr. The infected attachment has been deleted.

Once upon a time, Hex Star <hexstar@gmail.com> said:
> Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected... :P

Why would someone assume that the sender in a virus email is valid?

Also, I want to thank all those with auto-responders that respond to list email for letting me know about this message to NANOG.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Hi Guys,

It seems to me a lot of virus scanners picked up this behavior in the days of the "I Love You" and Melissa viruses, when virii tended to infect documents rather than be self-propagating worms. We haven't lived in a world where it's likely a legitimate sender is unwittingly sending infected documents for a while. It'd be nice if the AV/MTA vendors would take this feature out, or AV the message before they accept the DATA section and leave it to the sending mail server to bounce it.

-J

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Chris Adams
Sent: Thursday, August 02, 2007 8:22 PM
To: nanog@merit.edu
Subject: Re: Gwd: crypted document

Once upon a time, Hex Star <hexstar@gmail.com> said:

Why would someone assume that the sender in a virus email is valid?

Also, I want to thank all those with auto-responders that respond to list email for letting me know about this message to NANOG.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

On Thu, 02 Aug 2007 20:51:10 MDT, "Jason J. W. Williams" said:
What? And lose the free opportunity to spam you and tell you how good it is at finding viruses? (Particularly annoying when their products usually don't do anything useful on the platform that I actually send my mail from, but that's another rant)

On Aug 2, 2007, at 7:22 PM, Chris Adams wrote:
A few, it's because the developers really are that stupid.

Mostly, though, it's that they think that if they pretend to be that stupid then they can advertise their product via spam that's sent from a wide variety of places that can't all be easily blocked. (Most of the developers I've talked to say that they know it's stupid, but that's the product requirements they have to work with).

Cheers,
Steve

On Thu, 2 Aug 2007, Hex Star wrote:
> Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected... :P

If you could read the header, the question you would have asked is, "What is Chris Adams doing in Korea sending virus mail to nanog?" :)

It's a shame there's no test before people subscribe.

For the humor impaired, obviously, some PC in Korea is infected with the latest virus and has both Chris's and the nanog list's addresses handy. I wasn't kidding about the test thing though :)

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

Once upon a time, Jon Lewis <jlewis@lewis.org> said:
> If you could read the header, the question you would have asked is, "What is Chris Adams doing in Korea sending virus mail to nanog?" :)

Especially as this particular Chris Adams is not well traveled and has never been west of the Mississippi!

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

On Thu, 2 Aug 2007, Chris Adams wrote:
I think at this point, it's fairly clear what happened (fake sender, reply that went to list etc) so continued discussion is rather fruitless.

Lesson to be learned: You cannot protect from human factors. :(

-alex (mlc chair)

On 8/2/07, Jon Lewis <jlewis@lewis.org> wrote:
Haha, good catch:

Received: from BSLEE.net ([59.16.185.214]) by bach.merit.edu (MOS 3.8.2-GA) with SMTP id AEE75050;

inetnum: 59.0.0.0 - 59.31.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
admin-c: IM76-AP <http://wq.apnic.net/apnic-bin/whois.pl?searchtext=IM76-AP&form_type=advanced>
tech-c: IM76-AP <http://wq.apnic.net/apnic-bin/whois.pl?searchtext=IM76-AP&form_type=advanced>

Thu, 2 Aug 2007 21:34:17 -0400 (EDT)
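The header check the thread walks through, as an added Python example that is not part of any poster's message: it parses the quoted Received line, tests the connecting IP against the quoted whois range, and shows why a scanner has no basis for sending a virus notice to the From address. The function names, the regular expression and the "no tie, no notice" rule are assumptions made for this illustration, and the trailing date is assumed to belong to the Received line.

```python
import ipaddress
import re

# Values quoted in the thread. The Received line is reassembled on the
# assumption that the trailing date in the post is the end of that header.
RECEIVED = ("Received: from BSLEE.net ([59.16.185.214]) by bach.merit.edu "
            "(MOS 3.8.2-GA) with SMTP id AEE75050; "
            "Thu, 2 Aug 2007 21:34:17 -0400 (EDT)")
WHOIS_INETNUM = "59.0.0.0 - 59.31.255.255"   # KORNET range from the whois output
FROM_DOMAIN = "hiwaay.net"                    # domain of the forged sender address

# Matches only the layout shown in the thread: from HELO ([IP]) by HOST
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def parse_received(line):
    """Return (helo_name, connecting_ip, receiving_host) from one header."""
    m = RECEIVED_RE.match(line)
    if not m:
        raise ValueError("unrecognised Received header layout")
    return m.group("helo"), ipaddress.ip_address(m.group("ip")), m.group("by")


def in_inetnum(ip, inetnum):
    """True if ip falls inside a whois 'first - last' inetnum range."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return first <= ip <= last


def helo_matches_from(helo, from_domain):
    """True if the HELO name is the From domain or a host beneath it."""
    helo, from_domain = helo.lower().rstrip("."), from_domain.lower()
    return helo == from_domain or helo.endswith("." + from_domain)


def sender_plausible(received, from_domain):
    """Hypothetical rule: a notice to the From address is only considered
    when the connecting host ties to that domain. HELO is client-supplied,
    so a match proves nothing; a mismatch is enough to stay silent."""
    helo, _ip, _by = parse_received(received)
    return helo_matches_from(helo, from_domain)


if __name__ == "__main__":
    helo, ip, by = parse_received(RECEIVED)
    print(f"{by} accepted mail from {helo} at {ip}")
    print("inside quoted KORNET range:", in_inetnum(ip, WHOIS_INETNUM))
    print("notice to From address justified:", sender_plausible(RECEIVED, FROM_DOMAIN))
```
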
participants (9)
- Alex Pilosov
- Chris Adams
- Cmadams
- Hex Star
- Jason J. W. Williams
- Jim Popovitch
- Jon Lewis
- Steve Atkins
- Valdis.Kletnieks@vt.edu