
Jeff Garland wrote:
On Wed, 11 Feb 2004 23:38:49 -0500, Dan W. wrote:
Yeah, never mind... 129.79.245.244 below is in the IP range of the University of Indiana; and the fact that it says it received the email from local host (127.0.0.1) either means that IU.edu's SMTP server is hacked, or that there's another machine in their campus that's hacked and pretending to be local host; or else that local host is hacked, or that my ISP is hacked, or that the server here at work is hacked, or...
...or that I'm hacked... :(
Actually I believe one of the boosters at University of Indiana has been hacked. I've been receiving MyDoom infected email with sender names that correspond to the user names of at least one of the boosters there and appear to be from there. And I'm certain that my machines haven't been hacked. As for me being hacked, that's less clear ;-)
MyDoom is a From: spoofer. The relevant header is:

Received: from curbralan.com ([202.103.247.70])
    by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796
    for <boost@lists.boost.org>; Wed, 11 Feb 2004 19:32:53 -0500

where "curbralan.com" is forged. The IP address is assigned to:

inetnum: 202.103.192.0 - 202.103.255.255
netname: CHINANET-GX
descr: CHINANET Guangxi province network
descr: Data Communication Division
descr: China Telecom
country: CN

Kevlin will now receive tens of "You are infected" autoreplies, I'm sure he'll be honored.
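
Added example (not part of the original thread): a Python sketch of the header reading done above. It walks the Received: chain and returns the connecting IP recorded by a trusted server instead of the forgeable name. The sample message is constructed around the one header quoted in the post; the localhost hop, the bottom Received: line, the From: address and the choice of trusted host are assumptions.

```python
import email
import ipaddress
import re

# "from <claimed name> (<optional rDNS> [<observed IP>]) by <recording host>"
HOP = re.compile(r"from\s+(\S+)\s+\([^\[\]()]*\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def parse_hop(value):
    """Return (claimed_name, observed_ip, recorded_by), or None if unparseable."""
    m = HOP.search(" ".join(value.split()))  # unfold continuation lines first
    return (m.group(1), m.group(2), m.group(3).lower()) if m else None

def true_origin(raw_message, trusted_hosts):
    """Earliest hop written by a trusted server, ignoring loopback handoffs.

    Received headers are read newest-first. The first one not written by a
    trusted host, and everything below it, may have been supplied by the sender.
    """
    origin = None
    for value in email.message_from_string(raw_message).get_all("Received", []):
        hop = parse_hop(value)
        if hop is None or hop[2] not in trusted_hosts:
            break
        try:
            loopback = ipaddress.ip_address(hop[1]).is_loopback
        except ValueError:
            break  # malformed address: stop trusting the chain here
        if not loopback:
            origin = hop  # 127.0.0.1 is only an internal handoff, keep looking
    return origin

# Constructed sample: only the middle Received header comes from the post.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
    by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id CONSTRUCTED1
    for <boost@lists.boost.org>; Wed, 11 Feb 2004 19:32:55 -0500
Received: from curbralan.com ([202.103.247.70])
    by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796
    for <boost@lists.boost.org>; Wed, 11 Feb 2004 19:32:53 -0500
Received: from mail.curbralan.com ([192.0.2.10])
    by smtp.curbralan.com with SMTP; Wed, 11 Feb 2004 19:30:00 -0500
From: user@curbralan.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(true_origin(SAMPLE, {"heart-of-gold.osl.iu.edu"}))
```

The returned address is the one to look up in whois; the name next to it is whatever the sending client chose to announce.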