Robert G Kennedy III robot at ultimax.com
Fri Oct 29 20:56:33 EDT 2004

[for those of you who got a blank message from me today, or saw a blank
message on the archive. Funny how this crappy listserver screws up when
it's being complained about. Almost as if the machine were aware ... (cue
theremin music)]

Would whoever is administering this list please change the listserver's
settings to ban attachments? 4 out of 5 attachments in the last month,
IIRC, have been viruses, worms, or other malware. That's 80%, folks, a
figure which satisfies the Zipf-Pareto law of significance. Although my
system is pretty much immune the way I have set it up, it is annoying all
the same to deal with this crap. I am sure that other readers, especially
those using unsecured Windows machines, have actually been harmed by this
incessant malware.

So let's simply ban attachments, OK? That would cut off one major route of
propagation. Crackers and script kiddies love to exploit mailing lists.
Lists amplify their reach and the damage they do. So let's deny them that
opportunity. Virtually everyone has access to the Web now, so there is no
need to directly send attached images, etc.

Analysis of today's posts
One of today's posts forged DDAY's name (I know, because it used an
obsolete address for him, "Wayneday" (wayneday at gwu.edu)). The post from the
other person (jessie at friends-partners.org) I don't know, but it is probably
a forgery as well. Mail viruses tend to simplistically assume that the
characters before the at-sign equal the user's name, which provides another
handy way to spot forgeries. See the quoted header below. My first name is
not "robot" and DDAY's first name is "Dwayne" not "wayne". A third way to
spot forgeries is generic subject lines like Hi!, Hello!, Hey! etc.

Also, offline this morning, I received a message from a server in Finland
which forged Rand Simberg's surname. (I believe Mr. Simberg lurks here @
FPS.) Again the payload was executable code. This is definitely a forgery,
as I confirmed by comparing the first two lines of the header. See quoted
message below. Note that the first two domains I highlighted do not equal
each other. I cannot do as detailed an analysis on the forgeries which came
over the listserver instead of direct to me, because the listserver
application truncates the full message headers.

But I am sure this is all the same event. Since four out of five of the
forged or recipient addresses today involve known space geeks (Mr. Simberg,
Dwayne Day, To: fpspace at friends-partners.org, and To: me) I suspect the
compromised computer from which the addresses were stolen belongs to
someone we all know.

>Return-Path: <simberg at interglobal.org>
>Received: from XP-LVITAUU11.net (pc225.lahivakuutus.fi [])
>	by alpha.esper.com (8.12.11/8.12.11) with SMTP id i9TAmtpT003588
>	for <robot at ultimax.com>; Fri, 29 Oct 2004 06:48:56 -0400
>Date: Fri, 29 Oct 2004 13:48:47 +0200
>To: "Robot" <robot at ultimax.com>
>From: "Simberg" <simberg at interglobal.org>
>Subject: Re: Thank you!
>Message-ID: <zxmllmdenaywggpmncd at ultimax.com>
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
>        boundary="--------fbrvchxeizhlylaammxy"
>X-Spam-Flag: NO
>X-Scanned-By: milter-spamc/0.17.257 (alpha []); Fri, 29 Oct
>2004 06:49:26 -0400
>X-Spam-Status: NO, hits=1.90 required=5.00
>X-Spam-Level: x
>Status: RO
></html>Content-Type: application/octet-stream; name="Price.exe"
>Content-Disposition: attachment; filename="Price.exe"

Robert Kennedy, PE
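The three forgery tells described in the post (display name equal to the local part, relay domain not matching the claimed sender domain, generic greeting subject) plus the executable-attachment signature from the quoted header can be turned into a small triage script. The following is an added example, not part of the original message or of any list software; it reconstructs the quoted header as a constructed sample with the archive's " at " obfuscation reversed and the blanked IP brackets left empty, and it adds one extra check the post does not spell out: the Message-ID claims the recipient's domain (ultimax.com) rather than the sender's. The `registered_domain` helper is a deliberately crude "last two labels" approximation and is an assumption of this example, not a public-suffix lookup.

```python
"""Heuristic checks for a forged-sender mail header (added example, not from the post)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header quoted in the post, " at " restored to "@",
# with the two MIME part header lines from the attachment appended as body text.
SAMPLE_HEADER = """\
Return-Path: <simberg@interglobal.org>
Received: from XP-LVITAUU11.net (pc225.lahivakuutus.fi [])
\tby alpha.esper.com (8.12.11/8.12.11) with SMTP id i9TAmtpT003588
\tfor <robot@ultimax.com>; Fri, 29 Oct 2004 06:48:56 -0400
Date: Fri, 29 Oct 2004 13:48:47 +0200
To: "Robot" <robot@ultimax.com>
From: "Simberg" <simberg@interglobal.org>
Subject: Re: Thank you!
Message-ID: <zxmllmdenaywggpmncd@ultimax.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------fbrvchxeizhlylaammxy"

Content-Type: application/octet-stream; name="Price.exe"
Content-Disposition: attachment; filename="Price.exe"
"""

GENERIC_SUBJECTS = {"hi", "hello", "hey"}          # the post's list of giveaway subjects
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def registered_domain(host):
    """Crude approximation (assumption): keep the last two labels, e.g. pc225.lahivakuutus.fi -> lahivakuutus.fi."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def relay_domains(received):
    """HELO name and reverse-DNS name from the first Received: line ("from HELO (rdns [ip])")."""
    m = re.search(r"from\s+(\S+)(?:\s+\(([^\s()\[\]]*))?", received)
    if not m:
        return []
    return [h for h in m.groups() if h]


def check_display_name_equals_localpart(msg):
    """Post's tell #1: mail worms often set the display name to the local part ("Robot" <robot@...>)."""
    hits = []
    for field in ("From", "To"):
        name, addr = parseaddr(msg.get(field, ""))
        local = addr.split("@", 1)[0]
        if name and local and name.lower() == local.lower():
            hits.append(field)
    return hits


def check_relay_vs_sender(msg):
    """Post's tell #2: the claimed From: domain should match the domain of the machine that handed the mail over."""
    sender = parseaddr(msg.get("From", ""))[1]
    sender_dom = registered_domain(sender.rsplit("@", 1)[-1])
    relays = [registered_domain(h) for h in relay_domains(msg.get("Received", ""))]
    return bool(relays) and sender_dom not in relays


def check_generic_subject(subject):
    """Post's tell #3: a bare greeting subject such as Hi!, Hello!, Hey!, after stripping Re:/Fwd: prefixes."""
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.strip(), flags=re.I)
    s = re.sub(r"[\s!.]+$", "", s).lower()
    return s in GENERIC_SUBJECTS


def executable_attachments(raw):
    """Attachment names declared in name=/filename= MIME parameters that carry an executable extension."""
    names = set(re.findall(r'(?:file)?name="([^"]+)"', raw))
    return sorted(n for n in names if n.lower().endswith(EXEC_EXTENSIONS))


def check_message_id_domain(msg):
    """Extra check, not in the post: Message-ID domain equals the recipient's domain but not the sender's."""
    m = re.search(r"@([^>\s]+)>?$", msg.get("Message-ID", "").strip())
    if not m:
        return False
    mid_dom = registered_domain(m.group(1))
    rcpt_dom = registered_domain(parseaddr(msg.get("To", ""))[1].rsplit("@", 1)[-1])
    sender_dom = registered_domain(parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1])
    return mid_dom == rcpt_dom and mid_dom != sender_dom


def analyse(raw):
    """Run every heuristic over a raw RFC 822 message and return the findings as a dict."""
    msg = message_from_string(raw)
    return {
        "display_name_equals_localpart": check_display_name_equals_localpart(msg),
        "relay_domain_mismatch": check_relay_vs_sender(msg),
        "generic_subject": check_generic_subject(msg.get("Subject", "")),
        "executable_attachments": executable_attachments(raw),
        "message_id_domain_suspicious": check_message_id_domain(msg),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_HEADER).items():
        print(f"{name:32s} {finding}")
```

On the quoted header the relay check fires (interglobal.org vs lahivakuutus.fi), both address fields trip the display-name check, and `Price.exe` is reported; the subject check stays quiet because "Thank you!" is not on the post's list. The relay check is the one with the most false positives in normal traffic, since mail legitimately relayed through a provider or a list server (as the post notes, the listserver rewrites headers) will rarely carry the sender's own domain in the first Received: line, so treat these as scoring signals rather than a verdict.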

