
Peter Dimov wrote:
MyDoom is a From: spoofer. The relevant header is:
Received: from curbralan.com ([202.103.247.70]) by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796 for <boost@lists.boost.org>; Wed, 11 Feb 2004 19:32:53 -0500
where "curbralan.com" is forged. The IP address is assigned to:
inetnum:      202.103.192.0 - 202.103.255.255
netname:      CHINANET-GX
descr:        CHINANET Guangxi province network
descr:        Data Communication Division
descr:        China Telecom
country:      CN
Kevlin will now receive tens of "You are infected" autoreplies, I'm sure he'll be honored.
What I find fascinating is that the infected email I got was not automatically generated like other similar emails. (Got MyDoom infected spams several times before.) This one appears hand-crafted. In fact, the email was the 6th issue for yesterday's boost-request digests, and the last posting in it, allegedly from kevlin, appears before the notices and links at the end of such digests. And I did not receive a repeat of issue # 6. It's as if the email had been grabbed in flight, carefully altered, then sent along. Unless, that is, it was actually sent to the mailing list, and the digest producing software itself included it, but if that's the case, I'm not sure why the bogus message doesn't show in the news reader as well. And yet, a Spade analysis of the header of a normal boost request digest email reads pretty much the same...

------------------------------------------------------
02/12/04 10:01:20 Spade Log
02/12/04 10:02:05 Input
The Received: headers are the important ones to read
My comments are just hints, and should be considered only an opinion. I may have guessed wrong, or things may have changed since I was written

Return-Path: <boost-bounces@lists.boost.org>
Delivered-To: raytron-controls.com-danw@raytron-controls.com
Received: (qmail 3143 invoked by uid 417); 12 Feb 2004 01:56:58 -0000
    This received header was added by your mailserver
    Just a qmail status line
Received: from unknown (HELO heart-of-gold.osl.iu.edu) (129.79.245.244) by 192.168.0.39 with SMTP; 12 Feb 2004 01:56:58 -0000
    192.168.0.39 received this from someone claiming to be unknown
    (192.168.0.39 doesn't record the senders IP address in any way I recognise, so it's impossible to be sure. All received headers after this one should be treated with suspicion)
Received: from heart-of-gold.osl.iu.edu (localhost.localdomain [127.0.0.1]) by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0b0529863; Wed, 11 Feb 2004 19:37:00 -0500
    heart-of-gold.osl.iu.edu received this from someone claiming to be heart-of-gold.osl.iu.edu but really from 127.0.0.1(No rDNS)
    All headers below may be forged
Date: Wed, 11 Feb 2004 19:37:00 -0500
Message-Id: <200402120037.i1C0b0529863@heart-of-gold.osl.iu.edu>
From: boost-request@lists.boost.org
Subject: Boost Digest, Vol 639, Issue 6
To: boost@lists.boost.org
X-BeenThere: boost@lists.boost.org
X-Mailman-Version: 2.1.4
Precedence: list
List-Id: Boost mailing list <boost.lists.boost.org>
    Hmmm list-id: isn't a header I recognise
------------------------------------------------------

It looks as if my normal boost digest emails come through Indiana University, in fact. So, my first guess was probably right as well, that the SMTP server for the boost mailing list doesn't scan outgoing emails for viruses --if it isn't altogether hacked... And now that I remember, I'd had this email address for a whole year and hadn't received any spam until I joined the mailing list. About an hour later I got my first 3 spams, and it's been downhill since.

Cheers!
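The Received: chain walk that the Spade log does by hand, done programmatically over the header values quoted in this thread; this is an added example, not code from the thread or from Spade. The sample input is constructed from the quoted headers, and the rule it applies is the one the log states: the first hop whose sender name the receiving MTA could not confirm (no reverse DNS for the connecting IP) is where trust ends, and every header below it, From: included, rests on that sender's word.

```python
import ipaddress
import re

# Constructed sample input: the Received: values quoted in this thread (timestamps kept).
DIGEST = [
    "(qmail 3143 invoked by uid 417); 12 Feb 2004 01:56:58 -0000",
    "from unknown (HELO heart-of-gold.osl.iu.edu) (129.79.245.244) by 192.168.0.39 with SMTP; 12 Feb 2004 01:56:58 -0000",
    "from heart-of-gold.osl.iu.edu (localhost.localdomain [127.0.0.1]) by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0b0529863; Wed, 11 Feb 2004 19:37:00 -0500",
]
WORM = ["from curbralan.com ([202.103.247.70]) by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796 for <boost@lists.boost.org>; Wed, 11 Feb 2004 19:32:53 -0500"]

def parse_received(value: str) -> dict:
    """Split one Received: value into helo (sender's claim), rdns/ip (receiver's observation)
    and by (the MTA that wrote it). Handles sendmail 'from HELO (rdns [ip])' and
    qmail 'from rdns (HELO name) (ip)' layouts."""
    clause = value.split(";", 1)[0]                      # drop the timestamp
    m = re.match(r"from\s+(\S+)\s+(.*?)\s+by\s+(\S+)", clause, re.S)
    if not m:                                            # e.g. "(qmail ... invoked by uid ...)"
        return {"helo": None, "rdns": None, "ip": None, "by": None}
    name, middle, by = m.groups()
    ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", middle)
    helo = re.search(r"HELO\s+([^\s)]+)", middle)
    if helo:                                             # qmail: first token is the rDNS result
        helo, rdns = helo.group(1), name
    else:                                                # sendmail: rDNS name sits inside the parens
        r = re.search(r"\(([A-Za-z][\w.-]*)\s+\[", middle)
        helo, rdns = name, (r.group(1) if r else None)
    return {"helo": helo, "rdns": None if rdns == "unknown" else rdns,
            "ip": ip.group(1) if ip else None, "by": by}

def audit(received: list) -> tuple:
    """Walk the chain newest-first. Return findings plus the index of the first hop whose
    sender name the receiving MTA could not confirm; every header below that hop,
    From: included, rests only on that sender's word."""
    hops = [parse_received(v) for v in received]
    findings, first_unverified = [], None
    for i, h in enumerate(hops):
        if h["helo"] is None:
            findings.append(f"hop {i}: local injection, no network peer recorded")
            continue
        prev = hops[i - 1] if i else None
        if prev and prev["helo"] and h["by"] not in (prev["helo"], prev["rdns"]):
            findings.append(f"hop {i}: chain break, written by {h['by']} but hop {i - 1} received from {prev['helo']}")
        ip = ipaddress.ip_address(h["ip"]) if h["ip"] else None
        if ip and (ip.is_loopback or ip.is_private):
            findings.append(f"hop {i}: local hand-off from {h['ip']}; '{h['helo']}' is self-asserted")
        elif h["rdns"] is None:
            findings.append(f"hop {i}: {h['by']} could not confirm '{h['helo']}' for {h['ip']}; name may be forged")
            first_unverified = i if first_unverified is None else first_unverified
    return findings, first_unverified
```

Run `audit(WORM)` and `audit(DIGEST)` to see both chains: the worm's only hop is already unconfirmed, while the digest's trust ends at the qmail hop that recorded the sender as "unknown", exactly the point the Spade log flags.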