From: Marko Mäkelä (
Date: 2004-10-27 11:16:05

On Tue, Oct 26, 2004 at 06:52:59PM -0500, David Wood wrote:
> It's very important that everyone realizes that Ruud most likely did not
> send this file.  If you receive an attachment, do not open it.

Yep, it's obvious if you look at the Received: headers:

Received: from ([])
 by (SAVSMTP with SMTP id M2004102700202322423 for
 <>; Wed, 27 Oct 2004 00:20:24 +0200

The message was sent from ( posing
as ( using the SMTP HELO or EHLO command.
I don't think that Ruud is behind this message.

My theory is that the message was sent on behalf of some Microsoft Windows
user in Poland who has Ruud's and the list's addresses on the computer.
Most worms and viruses pick both the From: and To: addresses from the local

MagerValp, would it be possible to reject messages sent with a forged HELO
or EHLO address?


       Message was sent through the cbm-hackers mailing list
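
The check discussed in this message, as an added Python example that is not part of the original post: it reads each Received: header and compares the name given in HELO/EHLO with the reverse DNS name of the connecting address. The header layouts it accepts, all host names and addresses, and the PTR table are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed layouts: "from HELO ([IP])" and "from HELO (RDNS [IP])"; MTAs vary.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

# Constructed sample: every host name, address and id below is made up.
SAMPLE = """\
Received: from mail.claimed.example ([192.0.2.45])
 by mx.list.example with SMTP id CONSTRUCTED1 for
 <list@list.example>; Wed, 27 Oct 2004 00:20:24 +0200
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
 by mx.list.example with ESMTP; Wed, 27 Oct 2004 00:19:02 +0200
From: someone@claimed.example
To: list@list.example
Subject: constructed sample

body
"""
# Constructed stand-in for a reverse DNS (PTR) lookup, so this runs offline.
PTR = {"192.0.2.45": "dialup-45.isp.example"}

def norm(name):
    return name.lower().rstrip(".")

def check_received(raw_message, reverse_lookup=None):
    """Compare the HELO name with the peer's reverse DNS for each hop."""
    findings = []
    for value in message_from_string(raw_message).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if not m:
            findings.append({"verdict": "unparsed", "header": value})
            continue
        helo, rdns, ip = m["helo"], m["rdns"], m["ip"]
        if rdns in (None, "unknown") and reverse_lookup:
            rdns = reverse_lookup(ip)  # header carried no usable name
        if rdns in (None, "unknown"):
            verdict = "no-rdns"
        elif norm(rdns) == norm(helo):
            verdict = "match"
        else:
            verdict = "helo-mismatch"
        findings.append({"helo": helo, "rdns": rdns, "ip": ip, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in check_received(SAMPLE, PTR.get):
        print(f)
```

A mismatch is a signal rather than proof of forgery, since many legitimately configured hosts announce a HELO name that differs from their PTR record.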
