Got a boost-request email with MyDoom in it...

My antivirus killed it so fast I can't remember if it was a, b or c variant. It was appended to the last message, which starts like,

------------------------------
Date: Thu, 12 Feb 2004 08:36:48 +0800
From: kevlin@curbralan.com
To: boost@lists.boost.org
Subject: [boost] Mail Transaction Failed
Message-ID: <200402120032.i1C0Wq529796@heart-of-gold.osl.iu.edu>
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0006_642BC3B6.52190D69"
MIME-Version: 1.0
Precedence: list
Message: 10

This is a multi-part message in MIME format.

------=_NextPart_000_0006_642BC3B6.52190D69
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

The message contains Unicode characters and has been sent as a binary attachment.

------=_NextPart_000_0006_642BC3B6.52190D69
Content-Type: application/octet-stream; name="message.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="message.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
........................
------------------------------

I guess the SMTP server doesn't scan what it sends... Not that I have much of an issue with the spirit of it... ;-) The microsoft server is kind of slow tonight, trying to get all those patches between the DOS cracks...

Cheers!

Here's a Sam Spade analysis of the header:

-------------------------------------------
02/11/04 22:30:45 Spade Log
02/11/04 22:31:26 Input
The Received: headers are the important ones to read
My comments are just hints, and should be considered only an opinion. I may have guessed wrong, or things may have changed since I was written

Return-Path: <boost-bounces@lists.boost.org>
Delivered-To: raytron-controls.com-danw@raytron-controls.com
Received: (qmail 3143 invoked by uid 417); 12 Feb 2004 01:56:58 -0000
  This received header was added by your mailserver
  Just a qmail status line
Received: from unknown (HELO heart-of-gold.osl.iu.edu) (129.79.245.244) by 192.168.0.39 with SMTP; 12 Feb 2004 01:56:58 -0000
  192.168.0.39 received this from someone claiming to be unknown
  (192.168.0.39 doesn't record the senders IP address in any way I recognise, so it's impossible to be sure. All received headers after this one should be treated with suspicion)
Received: from heart-of-gold.osl.iu.edu (localhost.localdomain [127.0.0.1]) by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0b0529863; Wed, 11 Feb 2004 19:37:00 -0500
  heart-of-gold.osl.iu.edu received this from someone claiming to be heart-of-gold.osl.iu.edu but really from 127.0.0.1 (No rDNS)
  All headers below may be forged
Date: Wed, 11 Feb 2004 19:37:00 -0500
Message-Id: <200402120037.i1C0b0529863@heart-of-gold.osl.iu.edu>
From: boost-request@lists.boost.org
Subject: Boost Digest, Vol 639, Issue 6
To: boost@lists.boost.org
X-BeenThere: boost@lists.boost.org
X-Mailman-Version: 2.1.4
Precedence: list
List-Id: Boost mailing list <boost.lists.boost.org>
  Hmmm list-id: isn't a header I recognise
List-Help: <mailto:boost-request@lists.boost.org?subject=help>
  Hmmm list-help: isn't a header I recognise
List-Post: <mailto:boost@lists.boost.org>
  Hmmm list-post: isn't a header I recognise
List-Subscribe: <http://lists.boost.org/mailman/listinfo.cgi/boost>, <mailto:boost-request@lists.boost.org?subject=subscribe>
  Hmmm list-subscribe: isn't a header I recognise
List-Archive: <http://lists.boost.org/MailArchives/boost>
  Hmmm list-archive: isn't a header I recognise
List-Unsubscribe: <http://lists.boost.org/mailman/listinfo.cgi/boost>, <mailto:boost-request@lists.boost.org?subject=unsubscribe>
  Hmmm list-unsubscribe: isn't a header I recognise
Sender: boost-bounces@lists.boost.org
Errors-To: boost-bounces@lists.boost.org
-------------------------------------------

Cheers!

Yeah, never mind... 129.79.245.244 below is in the IP range of the University of Indiana; and the fact that it says it received the email from local host (127.0.0.1) either means that IU.edu's SMTP server is hacked, or that there's another machine in their campus that's hacked and pretending to be local host; or else that local host is hacked, or that my ISP is hacked, or that the server here at work is hacked, or... ...or that I'm hacked... :(
Return-Path: <boost-bounces@lists.boost.org>
Delivered-To: raytron-controls.com-danw@raytron-controls.com
Received: (qmail 3143 invoked by uid 417); 12 Feb 2004 01:56:58 -0000
  This received header was added by your mailserver
  Just a qmail status line
Received: from unknown (HELO heart-of-gold.osl.iu.edu) (129.79.245.244) by 192.168.0.39 with SMTP; 12 Feb 2004 01:56:58 -0000
  192.168.0.39 received this from someone claiming to be unknown
  (192.168.0.39 doesn't record the senders IP address in any way I recognise, so it's impossible to be sure. All received headers after this one should be treated with suspicion)
Received: from heart-of-gold.osl.iu.edu (localhost.localdomain [127.0.0.1]) by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0b0529863; Wed, 11 Feb 2004 19:37:00 -0500
  heart-of-gold.osl.iu.edu received this from someone claiming to be heart-of-gold.osl.iu.edu but really from 127.0.0.1 (No rDNS)
  All headers below may be forged
Date: Wed, 11 Feb 2004 19:37:00 -0500
Message-Id: <200402120037.i1C0b0529863@heart-of-gold.osl.iu.edu>
From: boost-request@lists.boost.org
Subject: Boost Digest, Vol 639, Issue 6
To: boost@lists.boost.org
X-BeenThere: boost@lists.boost.org
X-Mailman-Version: 2.1.4
Precedence: list
List-Id: Boost mailing list <boost.lists.boost.org>
  Hmmm list-id: isn't a header I recognise
List-Help: <mailto:boost-request@lists.boost.org?subject=help>
  Hmmm list-help: isn't a header I recognise
List-Post: <mailto:boost@lists.boost.org>
  Hmmm list-post: isn't a header I recognise
List-Subscribe: <http://lists.boost.org/mailman/listinfo.cgi/boost>, <mailto:boost-request@lists.boost.org?subject=subscribe>
  Hmmm list-subscribe: isn't a header I recognise
List-Archive: <http://lists.boost.org/MailArchives/boost>
  Hmmm list-archive: isn't a header I recognise
List-Unsubscribe: <http://lists.boost.org/mailman/listinfo.cgi/boost>, <mailto:boost-request@lists.boost.org?subject=unsubscribe>
  Hmmm list-unsubscribe: isn't a header I recognise
Sender: boost-bounces@lists.boost.org
Errors-To: boost-bounces@lists.boost.org
-------------------------------------------

Cheers!

On Wed, 11 Feb 2004 23:38:49 -0500, Dan W. wrote
Yeah, never mind... 129.79.245.244 below is in the IP range of the University of Indiana; and the fact that it says it received the email from local host (127.0.0.1) either means that IU.edu's SMTP server is hacked, or that there's another machine in their campus that's hacked and pretending to be local host; or else that local host is hacked, or that my ISP is hacked, or that the server here at work is hacked, or...
...or that I'm hacked... :(
Actually I believe one of the boosters at University of Indiana has been hacked. I've been receiving MyDoom infected email with sender names that correspond to the user names of at least one of the boosters there and appear to be from there. And I'm certain that my machines haven't been hacked. As for me being hacked, that's less clear ;-)

Jeff

Jeff Garland wrote:
On Wed, 11 Feb 2004 23:38:49 -0500, Dan W. wrote
Yeah, never mind... 129.79.245.244 below is in the IP range of the University of Indiana; and the fact that it says it received the email from local host (127.0.0.1) either means that IU.edu's SMTP server is hacked, or that there's another machine in their campus that's hacked and pretending to be local host; or else that local host is hacked, or that my ISP is hacked, or that the server here at work is hacked, or...
...or that I'm hacked... :(
Actually I believe one of the boosters at University of Indiana has been hacked. I've been receiving MyDoom infected email with sender names that correspond to the user names of at least one of the boosters there and appear to be from there. And I'm certain that my machines haven't been hacked. As for me being hacked, that's less clear ;-)
MyDoom is a From: spoofer. The relevant header is:

Received: from curbralan.com ([202.103.247.70])
  by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796
  for <boost@lists.boost.org>; Wed, 11 Feb 2004 19:32:53 -0500

where "curbralan.com" is forged. The IP address is assigned to:

inetnum:      202.103.192.0 - 202.103.255.255
netname:      CHINANET-GX
descr:        CHINANET Guangxi province network
descr:        Data Communication Division
descr:        China Telecom
country:      CN

Kevlin will now receive tens of "You are infected" autoreplies, I'm sure he'll be honored.
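An added example (not code from this thread) of reading a Received: chain the way the Spade log above does: walk the hops bottom-up and separate what each relay observed (the bracketed IP and any rDNS name) from what the sender supplied (the HELO name and the From: address). The sample headers are constructed from the lines quoted in this thread; the regexes assume the sendmail and qmail formats seen here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the two Received: lines quoted in this thread for the
# infected post and the From: it spoofs; headers only, body omitted.
SAMPLE = """\
Received: from heart-of-gold.osl.iu.edu (localhost.localdomain [127.0.0.1])
\tby heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0b0529863;
\tWed, 11 Feb 2004 19:37:00 -0500
Received: from curbralan.com ([202.103.247.70])
\tby heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796
\tfor <boost@lists.boost.org>; Wed, 11 Feb 2004 19:32:53 -0500
From: kevlin@curbralan.com
To: boost@lists.boost.org
Subject: [boost] Mail Transaction Failed

"""

# sendmail style: "from HELO (rdns [ip])", or "from HELO ([ip])" when no rDNS
SENDMAIL = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[(\d+(?:\.\d+){3})\]\)")
# qmail style, as in the Spade log above: "from unknown (HELO name) (ip)"
QMAIL = re.compile(r"from\s+unknown\s+\(HELO\s+(\S+)\)\s+\((\d+(?:\.\d+){3})\)")
BY = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Split one Received: header into sender-claimed (helo) and
    relay-observed (rdns, ip) parts; None where the relay recorded nothing."""
    value = " ".join(value.split())  # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None}
    if m := SENDMAIL.search(value):
        hop.update(helo=m.group(1), rdns=m.group(2), ip=m.group(3))
    elif m := QMAIL.search(value):
        hop.update(helo=m.group(1), ip=m.group(2))
    if m := BY.search(value):
        hop["by"] = m.group(1)
    return hop


def trace(raw):
    """Return the hops in transit order (origin first) and a list of findings."""
    msg = message_from_string(raw)
    # Every relay prepends its own Received: line, so the last one is the origin.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for i, h in enumerate(hops):
        if h["ip"] is None:
            findings.append(f"hop {i}: connecting IP not recorded; later hops are unverifiable")
        elif h["ip"] == "127.0.0.1":
            findings.append(f"hop {i}: loopback re-injection on {h['by']} (list software)")
        else:
            if h["rdns"] is None:
                findings.append(f"hop {i}: HELO '{h['helo']}' unverified, no rDNS for {h['ip']}")
            if i == 0 and h["helo"].lower().endswith(from_domain):
                findings.append(f"origin: From: domain '{from_domain}' is sender-supplied; "
                                f"the relay actually saw {h['ip']}")
    return hops, findings


if __name__ == "__main__":
    for line in trace(SAMPLE)[1]:
        print(line)
```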

Peter Dimov wrote:
MyDoom is a From: spoofer. The relevant header is:
Received: from curbralan.com ([202.103.247.70]) by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796 for <boost@lists.boost.org>; Wed, 11 Feb 2004 19:32:53 -0500
where "curbralan.com" is forged. The IP address is assigned to:
inetnum: 202.103.192.0 - 202.103.255.255 netname: CHINANET-GX descr: CHINANET Guangxi province network descr: Data Communication Division descr: China Telecom country: CN
Kevlin will now receive tens of "You are infected" autoreplies, I'm sure he'll be honored.
What I find fascinating is that the infected email I got was not automatically generated like other similar emails. (Got MyDoom infected spams several times before.) This one appears hand-crafted. In fact, the email was the 6th issue for yesterday's boost-request digests, and the last posting in it, allegedly from kevlin, appears before the notices and links at the end of such digests. And I did not receive a repeat of issue # 6. It's as if the email had been grabbed in flight, carefully altered, then sent along. Unless, that is, it was actually sent to the mailing list, and the digest producing software itself included it, but if that's the case, I'm not sure why the bogus message doesn't show in the news reader as well. And yet, a spade analysis of the header of a normal boost request digest email reads pretty much the same...

------------------------------------------------------
02/12/04 10:01:20 Spade Log
02/12/04 10:02:05 Input
The Received: headers are the important ones to read
My comments are just hints, and should be considered only an opinion. I may have guessed wrong, or things may have changed since I was written

Return-Path: <boost-bounces@lists.boost.org>
Delivered-To: raytron-controls.com-danw@raytron-controls.com
Received: (qmail 3143 invoked by uid 417); 12 Feb 2004 01:56:58 -0000
  This received header was added by your mailserver
  Just a qmail status line
Received: from unknown (HELO heart-of-gold.osl.iu.edu) (129.79.245.244) by 192.168.0.39 with SMTP; 12 Feb 2004 01:56:58 -0000
  192.168.0.39 received this from someone claiming to be unknown
  (192.168.0.39 doesn't record the senders IP address in any way I recognise, so it's impossible to be sure. All received headers after this one should be treated with suspicion)
Received: from heart-of-gold.osl.iu.edu (localhost.localdomain [127.0.0.1]) by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0b0529863; Wed, 11 Feb 2004 19:37:00 -0500
  heart-of-gold.osl.iu.edu received this from someone claiming to be heart-of-gold.osl.iu.edu but really from 127.0.0.1 (No rDNS)
  All headers below may be forged
Date: Wed, 11 Feb 2004 19:37:00 -0500
Message-Id: <200402120037.i1C0b0529863@heart-of-gold.osl.iu.edu>
From: boost-request@lists.boost.org
Subject: Boost Digest, Vol 639, Issue 6
To: boost@lists.boost.org
X-BeenThere: boost@lists.boost.org
X-Mailman-Version: 2.1.4
Precedence: list
List-Id: Boost mailing list <boost.lists.boost.org>
  Hmmm list-id: isn't a header I recognise
------------------------------------------------------

It looks as if my normal boost digest emails come through indiana university, in fact. So, my first guess was probably right as well, that the SMTP server for the boost mailing list doesn't scan outgoing emails for viruses --if it isn't altogether hacked...

And now that I remember, I'd had this email address for a whole year and hadn't received any spam until I joined the mailing list. About an hour later I got my first 3 spams, and it's been downhill since.

Cheers!

"Peter Dimov" <pdimov@mmltd.net> wrote...
Kevlin will now receive tens of "You are infected" autoreplies, I'm sure he'll be honored.
I have received several such mails lately, claiming that I have sent infected mails from an Estonian server. :-)

Received: from gmb.dk (arneti-gw.online.ee [213.180.26.238])
  by fermi.nit.gwu.edu (8.12.10/8.12.10) with ESMTP id i1C4vJZv007732
  for <john@gwu.edu>; Wed, 11 Feb 2004 23:57:20 -0500 (EST)

Makes one wonder if the original mails or the replies are the real fakes. Or both?

Bo Persson

"Jeff Garland" <jeff@crystalclearsoftware.com> writes:
On Wed, 11 Feb 2004 23:38:49 -0500, Dan W. wrote
Yeah, never mind... 129.79.245.244 below is in the IP range of the University of Indiana; and the fact that it says it received the email from local host (127.0.0.1) either means that IU.edu's SMTP server is hacked, or that there's another machine in their campus that's hacked and pretending to be local host; or else that local host is hacked, or that my ISP is hacked, or that the server here at work is hacked, or...
...or that I'm hacked... :(
Actually I believe one of the boosters at University of Indiana has been hacked. I've been receiving MyDoom infected email with sender names that correspond to the user names of at least one of the boosters there and appear to be from there. And I'm certain that my machines haven't been hacked. As for me being hacked, that's less clear ;-)
Here's what the IU sysadmin says:

---
We looked into this, and here's a few results:

1. The mail was definitely sent through lists.boost.org (HOG); Larry looked in the logs and found the relevant entries.

2. As a best guess, this is simple forgery. This is fairly common activity for viruses these days; viruses send out to addresses that they find in your inbox and in your addressbook. They also masquerade who they came from, so we don't really know where it came from, other than the IP address (202.103.247.70, which doesn't resolve to a name).
It looks as if my normal boost digest emails come through indiana university, in fact.
Correct.
So, my first guess was probably right as well, that the SMTP server for the boost mailing list doesn't scan outgoing emails for viruses
Correct.
--if it isn't altogether hacked...
Not as far as we know.
And now that I remember, I'd had this email address for a whole year and hadn't received any spam until I joined the mailing list. About an hour later I got my first 3 spams, and it's been downhill since.
Sorry. Not the fault of hosting it at IU, though.

--
Dave Abrahams
Boost Consulting
www.boost-consulting.com

David Abrahams wrote:
Here's what the IU sysadmin says:
We looked into this, and here's a few results:
1. The mail was definitely sent through lists.boost.org (HOG); Larry looked in the logs and found the relevant entries.
2. As a best guess, this is simple forgery. This is fairly common activity for viruses these days; viruses send out to addresses that they find in your inbox and in your addressbook. They also masquerade who they came from, so we don't really know where it came from, other than the IP address (202.103.247.70, which doesn't resolve to a name).
It looks as if my normal boost digest emails come through indiana university, in fact.
Correct.
So, my first guess was probably right as well, that the SMTP server for the boost mailing list doesn't scan outgoing emails for viruses
Correct.
--if it isn't altogether hacked...
Not as far as we know.
And now that I remember, I'd had this email address for a whole year and hadn't received any spam until I joined the mailing list. About an hour later I got my first 3 spams, and it's been downhill since.
Sorry. Not the fault of hosting it at IU, though.
Well, IU's admins could have set up the server to...

A) Record the sender's IP (I appreciate the 202.103.247.70 revelation, now, but I'd appreciate it even more as part of the email header..), and not to do so is to invite spammers and hackers to route through it.

B) Scan for viruses, at least a real-quick and dirty scan for the top hall of infamy top 10: Blaster, MyDoom, and 8 more picks.. ;-)

Anyways, I wasn't intending to file a complaint, rather to help try and catch/punish the perpetrators. The sys admin there should download Spade. It's free, and very useful. (search for Sam Spade.)

202.103.247.70 is served from where bird flu viruses originate:

-----------------------------------------------------------
02/13/04 23:11:39 whois 202.103.247.70@whois.apnic.net
whois -h whois.apnic.net 202.103.247.70 ...
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      202.103.192.0 - 202.103.255.255
netname:      CHINANET-GX
descr:        CHINANET Guangxi province network
descr:        Data Communication Division
descr:        China Telecom
country:      CN
admin-c:      CH93-AP
tech-c:       CR766-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-GX
changed:      hostmaster@ns.chinanet.cn.net 20000101
status:       ALLOCATED NON-PORTABLE
source:       APNIC

role:         CHINANET GUANGXI
address:      No.35,Minzhu Road,Nanning 530015
country:      CN
phone:        +86-771-2815987
fax-no:       +86-771-2839278
e-mail:       hostmaster@gx163.net
trouble:      send spam reports to hostmaster@gx163.net
trouble:      send abuse reports to hostmaster@gx163.net
trouble:      times in GMT+8
admin-c:      CR76-AP
tech-c:       BD37-AP
nic-hdl:      CR766-AP
remarks:      http://www.gx.cninfo.net
notify:       hostmaster@gx163.net
mnt-by:       MAINT-CHINANET-GX
changed:      hostmaster@gx163.net 20021024
source:       APNIC

person:       Chinanet Hostmaster
address:      No.31 ,jingrong street,beijing
address:      100032
country:      CN
phone:        +86-10-66027112
fax-no:       +86-10-58501144
e-mail:       hostmaster@ns.chinanet.cn.net
e-mail:       anti-spam@ns.chinanet.cn.net
nic-hdl:      CH93-AP
mnt-by:       MAINT-CHINANET
changed:      hostmaster@ns.chinanet.cn.net 20021016
remarks:      hostmaster is not for spam complaint,please send spam complaint to anti-spam@ns.chinanet.cn.net
source:       APNIC
-----------------------------------------------------------

Not to be deceived by their anti-spam stance; --China is probably the biggest spam gateway, with India and Pakistan some way behind. The machine doesn't return ping, browsing to it times out, and a traceroute looks like this:

-----------------------------------------------------------
02/13/04 22:03:53 Fast traceroute 202.103.247.70
Trace 202.103.247.70 ...
 1 67.68.200.5 13ms 13ms 12ms TTL: 0 (Toronto-HSE-ppp3774662.sympatico.ca ok)
 2 64.230.254.253 16ms 20ms 19ms TTL: 0 (No rDNS)
 3 64.230.227.213 14ms 14ms 15ms TTL: 0 (dis3-montrealak-Vlan101.in.bellnexxia.net ok)
 4 64.230.240.69 15ms 14ms 14ms TTL: 0 (No rDNS)
 5 64.230.240.9 14ms 13ms 14ms TTL: 0 (No rDNS)
 6 64.230.240.18 24ms 23ms 24ms TTL: 0 (No rDNS)
 7 64.230.242.206 25ms 24ms 23ms TTL: 0 (No rDNS)
 8 64.230.242.201 24ms 22ms 23ms TTL: 0 (No rDNS)
 9 206.108.101.182 80ms 79ms 80ms TTL: 0 (core2-vancouver-pos10-2.in.bellnexxia.net ok)
10 206.108.102.209 84ms 85ms 83ms TTL: 0 (core2-seattle-pos12-0.in.bellnexxia.net ok)
11 206.108.108.150 122ms 120ms 121ms TTL: 0 (core1-paloalto01-pos1-0.in.bellnexxia.net ok)
12 206.108.102.250 122ms 121ms 120ms TTL: 0 (bx1-paloalto01-srp2-0.in.bellnexxia.net ok)
13 206.108.108.174 616ms 597ms 581ms TTL: 0 (No rDNS)
14 202.97.51.193 977ms 907ms 872ms TTL: 0 (No rDNS)
15 202.97.33.149 973ms 908ms 892ms TTL: 0 (p-15-0-r2-c-gdgz-1.cn.net bogus rDNS: host not found [authoritative])
16 202.97.40.198 1095ms 1021ms 1028ms TTL: 0 (No rDNS)
17 202.97.21.158 1112ms 1056ms 1065ms TTL: 0 (No rDNS)
18 218.65.132.59 1110ms 1044ms 1063ms TTL: 0 (No rDNS)
19 No Response * * *
20 No Response * * *
21 No Response * * *
22 No Response * * *
23 No Response * * *
24 No Response * * *
25 No Response * * *
26 No Response * * *
27 No Response * * *
28 No Response * * *
29 No Response * * *
-----------------------------------------------------------

The last IP, before the gas nebula begins, belongs to the same people:

-----------------------------------------------------------
whois -h whois.apnic.net 218.65.132.59 ...
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      218.65.128.0 - 218.65.255.255
netname:      CHINANET-GX
descr:        CHINANET Guangxi province network
descr:        China Telecom
................................
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-GX
changed:      hostmaster@ns.chinanet.cn.net 20010731
................................
role:         CHINANET GUANGXI
address:      No.35,Minzhu Road,Nanning 530015
country:      CN
phone:        +86-771-2815987
fax-no:       +86-771-2839278
e-mail:       hostmaster@gx163.net
................................
-----------------------------------------------------------

And so are all four IPs before it, 202.97.xxx.xxx. Which means that they make their dubious packets run in circles for a while, within the building, to try and look innocent... If I had a full url, I'd probably be able to verify that the machine at our IP address is used for hosting the types of shady biz that advertise via spam in the first place.

206.108.108.174 is in North America, BTW, part of the Bell system.

Cheers!
participants (5)
- Bo Persson
- Dan W.
- David Abrahams
- Jeff Garland
- Peter Dimov