From: Patrycjusz R. £ogiewa (silverdr_at_inet.com.pl)
Date: 2004-10-27 16:31:37
On 27 pa¼ 2004, at 11:16, Marko Mäkelä wrote:
> On Tue, Oct 26, 2004 at 06:52:59PM -0500, David Wood wrote:
>>
>> It's very important that everyone realizes that Ruud most likely did
>> not
>> send this file. If you recieve an attachment, do not open it.
>
> Yep, it's obvious if you look at the Received: headers:
>
> Received: from gizmo-inc.org ([213.25.211.60])
> by bouncer.ling.gu.se (SAVSMTP 3.0.0.44) with SMTP id
> M2004102700202322423 for
> <cbm-hackers@cling.gu.se>; Wed, 27 Oct 2004 00:20:24 +0200
>
> The message was sent from pe60.warszawa.sdi.tpnet.pl (213.25.211.60)
> posing
> as gizmo-inc.org (64.202.167.192) using the SMTP HELO or EHLO command.
> I don't think that Ruud is behind this message.
>
> My theory is that the message was sent in behalf of some Microsoft
> Windows
> user in Poland who has the Ruud's and the list's addresses on the
> computer.
> Most worms and viruses pick both the From: and To: addresses from the
> local
> system.
>
Yup. Can be that the worm just grabbed somewhere a message from Ruud to
the list... It is quite common behaviour. I also recall - not so long
ago - people (and antivirus bots) complaining about /me sprading
Windows worms, which was of course pure bullshit since I dropped
Windows years ago... But for Ruud - prepare yourself also for becoming
one of the active spammers in the near future. :-) Not only the
harvested addresses are being used for worm replication but also for
having a good variety of VALID From: addresses for spam activities. I
have that experience too. One reason for that was the fact that one of
our company executive's laptop was running Windows and leaked the
addressbook out... The possibilities are endless :-) I suggest calming
down and not paying much attention to this. It's just everyday's
Windows reality :-)
--
Democracy, n.: The triumph of popularity over principle.
Message was sent through the cbm-hackers mailing list
Archive generated by hypermail pre-2.1.8.