WARNING!!! (from bach.merit.edu) The following message attachments were flagged by the antivirus scanner: Attachment [2.2] Message.scr, virus infected: W32/Bagle-CF. Action taken: deleted VIRUS WARNING Message (from bach.merit.edu) The virus W32/Bagle-CF was detected in email attachment [2.2] Message.scr. The infected attachment has been deleted.
On 8/2/07, Cmadams <cmadams@hiwaay.net> wrote:
WARNING!!! (from bach.merit.edu)
The following message attachments were flagged by the antivirus scanner:
Attachment [2.2] Message.scr, virus infected: W32/Bagle-CF. Action taken: deleted
Ok. See attach.
VIRUS WARNING Message (from bach.merit.edu)
The virus W32/Bagle-CF was detected in email attachment [2.2] Message.scr. The infected attachment has been deleted.
Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected... :P
Once upon a time, Hex Star <hexstar@gmail.com> said:
Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected... :P
Why would someone assume that the sender in a virus email is valid?

Also, I want to thank all those with auto-responders that respond to list email for letting me know about this message to NANOG.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Hi Guys,

It seems to me a lot of virus scanners picked up this behavior in the days of the "I Love You" and Melissa viruses, when virii tended to infect documents rather than be self-propagating worms. We haven't lived in a world where it's likely a legitimate sender is unwittingly sending infected documents for a while. It'd be nice if the AV/MTA vendors would take this feature out, or AV the message before they accept the DATA section and leave it to the sending mail server to bounce it.

-J

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Chris Adams
Sent: Thursday, August 02, 2007 8:22 PM
To: nanog@merit.edu
Subject: Re: Gwd: crypted document

Once upon a time, Hex Star <hexstar@gmail.com> said:
Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected... :P
Why would someone assume that the sender in a virus email is valid?

Also, I want to thank all those with auto-responders that respond to list email for letting me know about this message to NANOG.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
On Thu, 02 Aug 2007 20:51:10 MDT, "Jason J. W. Williams" said:
It seems to me a lot of virus scanners picked up this behavior in the days of the "I Love You" and Melissa viruses, when virii tended to infect documents rather than be self-propagating worms. We haven't lived in a world where it's likely a legitimate sender is unwittingly sending infected documents for a while. It'd be nice if the AV/MTA vendors would take this feature out, or AV the message before they accept the DATA section and leave it to the sending mail server to bounce it.
What? And lose the free opportunity to spam you and tell you how good it is at finding viruses? (Particularly annoying when their products usually don't do anything useful on the platform that I actually send my mail from, but that's another rant)
On Aug 2, 2007, at 7:22 PM, Chris Adams wrote:
Once upon a time, Hex Star <hexstar@gmail.com> said:
Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected... :P
Why would someone assume that the sender in a virus email is valid?
A few, it's because the developers really are that stupid. Mostly, though, it's that they think that if they pretend to be that stupid then they can advertise their product via spam that's sent from a wide variety of places that can't all be easily blocked. (Most of the developers I've talked to say that they know it's stupid, but that's the product requirements they have to work with). Cheers, Steve
On Thu, 2007-08-02 at 19:16 -0700, Hex Star wrote:
Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected... :P
Look at all the anti-spam software that uses perl.... yet the cpan mirror ops lists is throwing out a dozen or more PDF attachments each day now. -Jim P.
On Thu, 2 Aug 2007, Hex Star wrote:
Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected... :P
If you could read the header, the question you would have asked is, "What is Chris Adams doing in Korea sending virus mail to nanog?" :)

It's a shame there's no test before people subscribe.

For the humor impaired, obviously, some PC in Korea is infected with the latest virus and has both Chris's and the nanog list's addresses handy. I wasn't kidding about the test thing though :)

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Once upon a time, Jon Lewis <jlewis@lewis.org> said:
If you could read the header, the question you would have asked is, "What is Chris Adams doing in Korea sending virus mail to nanog?" :)
Especially as this particular Chris Adams is not well traveled and has never been west of the Mississippi!

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
On Thu, 2 Aug 2007, Chris Adams wrote:
Once upon a time, Jon Lewis <jlewis@lewis.org> said:
If you could read the header, the question you would have asked is, "What is Chris Adams doing in Korea sending virus mail to nanog?" :)
Especially as this particular Chris Adams is not well traveled and has never been west of the Mississippi!
I think at this point, it's fairly clear what happened (fake sender, reply that went to list etc) so continued discussion is rather fruitless.

Lesson to be learned: You cannot protect from human factors. :(

-alex (mlc chair)
On 8/2/07, Jon Lewis <jlewis@lewis.org> wrote:
If you could read the header, the question you would have asked is, "What is Chris Adams doing in Korea sending virus mail to nanog?" :)
It's a shame there's no test before people subscribe.
For the humor impaired, obviously, some PC in Korea is infected with the latest virus and has both Chris's and the nanog list's addresses handy. I wasn't kidding about the test thing though :)
Haha, good catch:

Received: from BSLEE.net ([59.16.185.214]) by bach.merit.edu (MOS 3.8.2-GA) with SMTP id AEE75050;

inetnum: 59.0.0.0 - 59.31.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
admin-c: IM76-AP <http://wq.apnic.net/apnic-bin/whois.pl?searchtext=IM76-AP&form_type=advanced>
tech-c: IM76-AP <http://wq.apnic.net/apnic-bin/whois.pl?searchtext=IM76-AP&form_type=advanced>

Thu, 2 Aug 2007 21:34:17 -0400 (EDT)
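The header check described in the posts above, as an added example that is not part of the thread: it contrasts the freely chosen From: address with the connecting host recorded by the receiving MTA's own Received line. The top Received line is the one quoted above; the second Received line, the other headers, `TRUSTED_MTAS` and `INTERNAL_NETS` are assumptions made for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample. The top Received line is the one quoted in the thread;
# the second Received line and the remaining headers are made up.
RAW = """\
Received: from BSLEE.net ([59.16.185.214]) by bach.merit.edu (MOS 3.8.2-GA)
 with SMTP id AEE75050; Thu, 2 Aug 2007 21:34:17 -0400 (EDT)
Received: from mail.hiwaay.net ([192.0.2.10]) by relay.example.net
 with ESMTP id FAKE0001; Thu, 2 Aug 2007 21:30:00 -0400
From: Cmadams <cmadams@hiwaay.net>
To: nanog@merit.edu
Subject: Gwd: crypted document

Ok. See attach.
"""

TRUSTED_MTAS = {"bach.merit.edu"}  # assumption: hosts whose stamps we wrote
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumption: our relays

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(.*?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.S)

def handoff_hop(raw):
    """Return (helo, ip) of the host that handed the mail to a trusted MTA.

    Received headers are prepended, so the walk starts at the newest. Only
    lines stamped by our own MTAs count; anything below the first line we
    did not write is sender-controlled and is ignored.
    """
    for value in email.message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or m.group("by").lower() not in TRUSTED_MTAS:
            return None
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in INTERNAL_NETS):
            return m.group("helo"), str(ip)
    return None

def claimed_sender(raw):
    """Address from the From: header, which the sending host chooses freely."""
    return parseaddr(email.message_from_string(raw)["From"])[1]

if __name__ == "__main__":
    print("From: header claims:", claimed_sender(RAW))
    print("Trusted hand-off   :", handoff_hop(RAW))
```

A scanner that sends its warning to `claimed_sender()` reaches whoever the infected host chose to impersonate; the address returned by `handoff_hop()` is the only hop the receiving site can vouch for.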
On Thu, 2007-08-02 at 22:53 -0400, Jon Lewis wrote:
On Thu, 2 Aug 2007, Hex Star wrote:
Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected... :P
If you could read the header, the question you would have asked is, "What is Chris Adams doing in Korea sending virus mail to nanog?" :)
It's a shame there's no test before people subscribe.
For the humor impaired, obviously, some PC in Korea is infected with the latest virus and has both Chris's and the nanog list's addresses handy. I wasn't kidding about the test thing though :)
Are we sure it's Chris? I could have very easily sent this email as from Jon Lewis... and mail.merit.edu would accept it and send it on through.

-Jim P.
participants (9): Alex Pilosov, Chris Adams, Cmadams, Hex Star, Jason J. W. Williams, Jim Popovitch, Jon Lewis, Steve Atkins, Valdis.Kletnieks@vt.edu