Shock news - NANOG likely to carry less operational content
I *believe* (really hope) this is SPAM impersonating a NANOG poster replying to a thread (traceroute doesn't go through pacrim.net).

Op content: If so, be prepared for all sorts of being accused of sending all sorts of other exciting messages about lesbians, cookie recipes etc. etc.

Alternative explanation: Kai your machine has a really nasty worm virus

Alex Bligh
GX Networks (formerly Xara Networks)

Delivery-date: Fri Jan 14 07:37:50 2000
Return-path: <kai@pac-rim.net>
Envelope-to: amb@sapphire.noc.gxn.net
Delivery-date: Fri, 14 Jan 2000 07:37:50 +0000
Received: from brimstone.global.net.uk ([194.126.80.70] helo=brimstone.noc.gxn.net) by sapphire.noc.gxn.net with esmtp (Exim 2.05 #2) id 1291Is-0000Fa-00 for amb@sapphire.noc.gxn.net; Fri, 14 Jan 2000 07:37:50 +0000
Received: from [168.212.244.134] (helo=mail.gxn.net) by brimstone.noc.gxn.net with smtp (Exim 3.02 #3) id 1291Gi-0004Sb-00 for amb@gxn.net; Fri, 14 Jan 2000 07:35:36 +0000
Mime-version: 1.0
Content-type: multipart/mixed; boundary="----=_NextPart_000_0007_01AF0E92.A4E9CDO0"
Message-id: <E1291Gi-0004Sb-00@brimstone.noc.gxn.net>
From: Kai Schlichting <kai@pac-rim.net>
To: amb@gxn.net
Subject: Re: Eeek - .NU Domains using Ö, Ä, Å, Ü,
Date: Fri, 14 Jan 2000 07:35:36 +0000

1. There are alternative views of the following: (Invoke menu with right button.) View HTML contents with Mosaic
2. Lesbians.exe

---->8--------->8-------->8--------->8-------->8--------->8-------->8-------
I've received several of these the past month, with valid operational subject lines, and all trying to get me to click and run an .exe. Good thing I read my email on a Mac!

They are using the operational list persons as targets! Shall the operational folks get together and find them?

Alex Bligh wrote:
I *believe* (really hope) this is SPAM impersonating a NANOG poster replying to a thread (traceroute doesn't go through pacrim.net).
Op content:
If so, be prepared for all sorts of being accused of sending all sorts of other exciting messages about lesbians, cookie recipes etc. etc.
...
Received: from [168.212.244.134] (helo=mail.gxn.net) by brimstone.noc.gxn.net with smtp (Exim 3.02 #3) id 1291Gi-0004Sb-00 for amb@gxn.net; Fri, 14 Jan 2000 07:35:36 +0000
...
2. Lesbians.exe
Mine were:

Received: from [209.125.100.122] (HELO mail.greendragon.com) by watervalley.net (Stalker SMTP Server 1.7) with SMTP id S.0003055677 for wsimpson@greendragon.com; Thu, 16 Dec 1999 18:29:22 -0600
From: Nora Lavelle <nora@geocast.com>
To: wsimpson@greendragon.com
Subject: Re: ARIN whois

panther.exe

Received: from [152.160.253.2] (HELO mail.greendragon.com) by watervalley.net (Stalker SMTP Server 1.7) with SMTP id S.0003108551 for wsimpson@greendragon.com; Mon, 20 Dec 1999 01:37:37 -0600
From: Ivars Upatnieks <ivars@ic.net>
To: wsimpson@greendragon.com
Subject: Re: MCI/Worldcom fiber cut in NY?

baby.exe

Received: from [212.7.65.97] (HELO mail.greendragon.com) by watervalley.net (Stalker SMTP Server 1.7) with SMTP id S.0003149731 for wsimpson@greendragon.com; Wed, 22 Dec 1999 07:04:26 -0600
From: CORE <core@denic.de>
To: wsimpson@greendragon.com
Subject: Re: PAB after comments ?

copier.exe

WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
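The Received: lines quoted in the message above share one pattern: each message was handed to the recipient's mail exchanger by an outside IP that announced itself with HELO as a host in the recipient's own domain, and each carried a Windows executable. The script below is an added example (not code from any of the posters) that walks the Received: chain and flags exactly that. The header blocks are copied from the posts in this thread; the domain table, the trusted-relay address and the "clean" control message are assumptions made for the example.

```python
"""Flag the forged-HELO pattern in a message's Received: chain.

Added example, not code from the thread.  The four header blocks in SAMPLES
are copied from the posts above; LOCAL_DOMAINS, TRUSTED_RELAYS and CLEAN are
assumptions for the example.
"""
import ipaddress
import re

# For each receiving MX: the domains it accepts mail for.  Only addresses in
# TRUSTED_RELAYS may HELO under those names.  Assumed values; a real check
# reads these from the MTA configuration.
LOCAL_DOMAINS = {
    "watervalley.net": {"greendragon.com", "watervalley.net"},
    "brimstone.noc.gxn.net": {"gxn.net"},
}
TRUSTED_RELAYS = {ipaddress.ip_address("10.0.0.25")}   # hypothetical inside relay

EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")

# Matches both "(HELO name)" and Exim's "(helo=name)".  "=3D" is the
# quoted-printable escape for "=" that survives in one quoted copy of the headers.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+"
    r"\((?:HELO\s+|helo=(?:3D)?)(?P<helo>[^)\s]+)\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def in_domain(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse(headers, attachment):
    """Return a list of findings for one message; an empty list means nothing odd."""
    findings = []
    for m in RECEIVED_RE.finditer(headers):
        ip = ipaddress.ip_address(m["ip"])
        helo, by = m["helo"].lower(), m["by"].lower()
        local = LOCAL_DOMAINS.get(by)
        if local is None:
            continue                      # hop not received by one of our MXs
        if in_domain(helo, local) and ip not in TRUSTED_RELAYS:
            findings.append(f"helo-impersonation: {ip} claimed to be {helo} at {by}")
    if attachment and attachment.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append(f"executable-attachment: {attachment}")
    return findings


SAMPLES = [
    # William Allen Simpson's three, copied from his post
    ("Received: from [209.125.100.122] (HELO mail.greendragon.com) by watervalley.net "
     "(Stalker SMTP Server 1.7) with SMTP id S.0003055677 for wsimpson@greendragon.com; "
     "Thu, 16 Dec 1999 18:29:22 -0600\nFrom: Nora Lavelle <nora@geocast.com>\n"
     "To: wsimpson@greendragon.com\nSubject: Re: ARIN whois\n", "panther.exe"),
    ("Received: from [152.160.253.2] (HELO mail.greendragon.com) by watervalley.net "
     "(Stalker SMTP Server 1.7) with SMTP id S.0003108551 for wsimpson@greendragon.com; "
     "Mon, 20 Dec 1999 01:37:37 -0600\nFrom: Ivars Upatnieks <ivars@ic.net>\n"
     "To: wsimpson@greendragon.com\nSubject: Re: MCI/Worldcom fiber cut in NY?\n", "baby.exe"),
    ("Received: from [212.7.65.97] (HELO mail.greendragon.com) by watervalley.net "
     "(Stalker SMTP Server 1.7) with SMTP id S.0003149731 for wsimpson@greendragon.com; "
     "Wed, 22 Dec 1999 07:04:26 -0600\nFrom: CORE <core@denic.de>\n"
     "To: wsimpson@greendragon.com\nSubject: Re: PAB after comments ?\n", "copier.exe"),
    # Alex Bligh's, copied from the first post.  The inside hop (named host, not a
    # bare IP) does not match the pattern and is skipped; the outside hop is flagged.
    ("Received: from brimstone.global.net.uk ([194.126.80.70] helo=brimstone.noc.gxn.net) "
     "by sapphire.noc.gxn.net with esmtp (Exim 2.05 #2) id 1291Is-0000Fa-00 "
     "for amb@sapphire.noc.gxn.net; Fri, 14 Jan 2000 07:37:50 +0000\n"
     "Received: from [168.212.244.134] (helo=mail.gxn.net) by brimstone.noc.gxn.net "
     "with smtp (Exim 3.02 #3) id 1291Gi-0004Sb-00 for amb@gxn.net; "
     "Fri, 14 Jan 2000 07:35:36 +0000\nFrom: Kai Schlichting <kai@pac-rim.net>\n"
     "To: amb@gxn.net\n", "Lesbians.exe"),
]

# Constructed control message: the trusted inside relay HELOs under the local
# name, and the attachment is not executable, so nothing should be flagged.
CLEAN = ("Received: from [10.0.0.25] (HELO mail.greendragon.com) by watervalley.net "
         "(Stalker SMTP Server 1.7) with SMTP id S.0000000001 for wsimpson@greendragon.com; "
         "Mon, 3 Jan 2000 09:00:00 -0600\nFrom: staff@greendragon.com\n"
         "To: wsimpson@greendragon.com\nSubject: minutes\n", "minutes.txt")


def scan(samples):
    """Map attachment name -> findings for each (headers, attachment) pair."""
    return {att: analyse(hdr, att) for hdr, att in samples}


if __name__ == "__main__":
    for name, found in scan(SAMPLES + [CLEAN]).items():
        print(name, "->", found or "clean")
```

The check deliberately ignores the From: address: every one of these forged messages carried a plausible NANOG poster there, so only the trace the receiving MX wrote itself (the connecting IP and what it claimed in HELO) can be trusted.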
I never received any of those mailings. Never ever. Are specific people being targeted?

A quick scan of the machine that sent this reveals what appears to be an MS Personal Webserver running on a Winblows machine:

$ telnet 168.212.244.134 80
Trying 168.212.244.134...
Connected to 168.212.244.134.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Server: Microsoft-PWS-95/2.0
Date: Fri, 14 Jan 2000 18:09:01 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Sun, 22 Aug 1999 05:10:40 GMT
Content-Length: 2117
[snip]

Let me take a good guess about the security of this system, given that it seems to run a version of this server from 1997.

Tanks are rolling.

bye,
Kai

At Friday 11:34 AM 1/14/00 , William Allen Simpson wrote:
I've received several of these the past month, with valid operational subject lines, and all trying to get me to click and run an .exe. Good thing I read my email on a Mac!
They are using the operational list persons as targets! Shall the operational folks get together and find them?
Alex Bligh wrote:
I *believe* (really hope) this is SPAM impersonating a NANOG poster replying to a thread (traceroute doesn't go through pacrim.net).
Op content:
If so, be prepared for all sorts of being accused of sending all sorts of other exciting messages about lesbians, cookie recipes etc. etc.
...
Received: from [168.212.244.134] (helo=mail.gxn.net) by brimstone.noc.gxn.net with smtp (Exim 3.02 #3) id 1291Gi-0004Sb-00 for amb@gxn.net; Fri, 14 Jan 2000 07:35:36 +0000
...
2. Lesbians.exe
Mine were:
Received: from [209.125.100.122] (HELO mail.greendragon.com) by watervalley.net (Stalker SMTP Server 1.7) with SMTP id S.0003055677 for wsimpson@greendragon.com; Thu, 16 Dec 1999 18:29:22 -0600
From: Nora Lavelle <nora@geocast.com>
To: wsimpson@greendragon.com
Subject: Re: ARIN whois

panther.exe

Received: from [152.160.253.2] (HELO mail.greendragon.com) by watervalley.net (Stalker SMTP Server 1.7) with SMTP id S.0003108551 for wsimpson@greendragon.com; Mon, 20 Dec 1999 01:37:37 -0600
From: Ivars Upatnieks <ivars@ic.net>
To: wsimpson@greendragon.com
Subject: Re: MCI/Worldcom fiber cut in NY?

baby.exe

Received: from [212.7.65.97] (HELO mail.greendragon.com) by watervalley.net (Stalker SMTP Server 1.7) with SMTP id S.0003149731 for wsimpson@greendragon.com; Wed, 22 Dec 1999 07:04:26 -0600
From: CORE <core@denic.de>
To: wsimpson@greendragon.com
Subject: Re: PAB after comments ?

copier.exe

WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
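The telnet session in the message above is a banner grab done by hand: connect to port 80, send a bare HTTP/1.0 request, read the Server: header. The script below is an added example (not the poster's code) that does the same thing in Python. It runs against a local stand-in server so it works offline; the stand-in, the loopback port and the split_product helper are assumptions for the example, and the banner the stand-in answers with is the one quoted in the post.

```python
"""Banner-grab an HTTP server in code, as the telnet session above does by hand.

Added example, not code from the post.  grab_http_banner() opens a TCP
connection, sends a bare HTTP/1.0 GET and returns the status line and the
Server: header, the one fact the post's guess about patch level rests on.
The stand-in server is hypothetical and exists so the example runs offline;
the banner it sends is copied from the post.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_http_banner(host, port=80, timeout=5.0):
    """Return (status_line, server_header) from a bare HTTP/1.0 GET /."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        # Read up to the end of the header block; cap the buffer so a chatty
        # or hostile server cannot make the client allocate without bound.
        while b"\r\n\r\n" not in data and len(data) < 64 * 1024:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers.get("server")


def split_product(server_header):
    """'Microsoft-PWS-95/2.0' -> ('Microsoft-PWS-95', '2.0'); version None if absent."""
    if not server_header:
        return None, None
    product, sep, version = server_header.split()[0].partition("/")
    return product, (version if sep else None)


class _StandIn(BaseHTTPRequestHandler):
    """Hypothetical local server that answers with the banner quoted in the post."""
    server_version = "Microsoft-PWS-95/2.0"
    sys_version = ""                 # drop the 'Python/x.y' suffix from Server:
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        body = b"<html><body>stand-in</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):    # keep the example quiet
        pass


def demo():
    """Start the stand-in on a free loopback port, grab its banner, shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return grab_http_banner("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    status, server = demo()
    print(status)
    print("Server:", server, "->", split_product(server))
```

Against a real host, call grab_http_banner(host) directly; the Server: value is self-reported and can be changed or removed by the operator, so treat it as a lead for version checks, not proof.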
I never received any of those mailings. Never ever. Are specific people being targeted?
Has anyone virus checked these for worms? I care not, reading email on UNIX, but I suspect that's the cause of it. Possibly some innocent(s) on NANOG has an infected Windows machine that is spewing using an address book built from mails it has received - & you see more than one source as some people have now run the program.

Else I guess someone has decided as NANOG spends a large % of its bandwidth discussing spam, we should have some of the real thing. Ha ha very funny.

--
Alex Bligh
GX Networks (formerly Xara Networks)
On Fri, 14 Jan 2000, Alex Bligh wrote:
I never received any of those mailings. Never ever. Are specific people being targeted?
Has anyone virus checked these for worms? I care not, reading email on UNIX, but I suspect that's the cause of it. Possibly some innocent(s) on NANOG has an infected Windows machine that is spewing using an address book built from mails it has received - & you see more than one source as some people have now run the program.
FWIW, I received an email from a Windowz machine spread from a virus a while back. The behavior of the virus and the headers of the message suggested that for every message in the affected user's inbox, the virus would create a new message with the From: and To: headers transposed, and send it back to the originator. So, only people that posted to Nanog would get this from infected machines.

--
Chris Josephes
MRNet/Onvoy
chrisj@mr.net
www.onvoy.com
participants (5)
- Alex Bligh
- Chris Josephes
- Kai Schlichting
- Randy Bush
- William Allen Simpson