[TheForge] Re: Some infected blacksmith
Mike
[email protected]
Tue Mar 23 00:45:00 2004
Ted Jones wrote:
> I think it is more than that...
> ...
> I think that this is a spoofing virus... spoofing an email virus
> as the source from an address book.
Yes, exactly. $VICTIM has an infected machine. Virus on $VICTIM's
machine looks in the Windows "address book" or practically anywhere
else on $VICTIM's HD and finds addresses. It takes those addresses
two at a time, sends an infected email mssg to one of them, forged to
appear to have come from the other. Neither of those two addresses
was involved in sending the infected email.
What I received was a *bounce*. Mail forged to appear as if it had
come from me was sent to Frosty. Frosty's ISP identified it as an
infected mssg and (rather stupidly) bounced it to me because I was the
apparent sender. Another message was reported to me by the
elderhostel.org mailer daemon as having been sent by me. The report
said I had sent an infected message but didn't say to whom and didn't
copy to me the contents of the message I was supposed (wrongly) to
have sent.
It's a reasonable inference that someone who has my email address and
Frosty's address available on the HD for the virus to exploit is
likely (but not certainly) to be someone on this list.
I did a bit more digital sleuthing and it seems likely that the
infected machine was:
24.156.242.138
(cpe0007e9e0b453-cm014180004981.cpe.net.cable.rogers.com)
Whoever was using that address as of 22 Mar 2004 23:05:16 -0000 is
probably the infected party.
- Mike
--
Michael Spencer Nova Scotia, Canada .~.
/V\
[email protected] /( )\
http://home.tallships.ca/mspencer/ ^^-^^
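The point Mike makes above is that neither address on the forged message was involved in sending it, so the From: line is worthless for finding the infected party; the "digital sleuthing" that turns up a source address has to read the Received: chain instead. The following is an added example, not code from the post or the list. It parses a constructed message (RFC 5737 documentation addresses and made-up hostnames, not the real bounce) and walks the hops oldest-first. The set of relays treated as trustworthy is a hypothetical input: a Received: header is only as reliable as the relay that added it, so the walk stops at the first hop recorded by a relay you do not trust.

```python
"""Trace the injecting host of a forged-sender message from its Received: chain.

Added example (not from the mailing-list post).  SAMPLE is a constructed
message; hostnames and the 192.0.2.x / 198.51.100.x addresses are
documentation ranges, not the real bounce discussed in the thread.
"""
import email
import re

# Constructed sample: the headers of the infected message as a bounce would
# return them.  From: is forged from a harvested address book entry; only the
# bottom-most Received: header names the machine that actually injected it.
SAMPLE = """\
Received: from mx.isp.example (mx.isp.example [198.51.100.7])
\tby mail.frosty.example with ESMTP id abc123;
\tMon, 22 Mar 2004 23:05:20 -0000
Received: from smtp.rogers.example (smtp.rogers.example [198.51.100.3])
\tby mx.isp.example with ESMTP id def456;
\tMon, 22 Mar 2004 23:05:18 -0000
Received: from victim-pc (cpe-placeholder.example [192.0.2.138])
\tby smtp.rogers.example with SMTP id ghi789;
\tMon, 22 Mar 2004 23:05:16 -0000
From: Mike <mike@example.net>
To: frosty@example.org
Subject: hi

(infected attachment omitted)
"""

# "from <helo> (<rdns> [<ip>]) ... by <relay>" -- the common trace clause shape.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def received_hops(raw):
    """Return the hops oldest-first as dicts: helo, rdns, ip, by, date."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        m = HOP_RE.search(hdr)
        if not m:
            continue  # header in a shape this simple parser does not handle
        date = hdr.rsplit(";", 1)[1].strip() if ";" in hdr else None
        hops.append({**m.groupdict(), "date": date})
    # Each relay prepends its header, so the last header is the first hop.
    hops.reverse()
    return hops


def likely_origin(hops, trusted_relays):
    """IP of the earliest hop that a trusted relay vouched for.

    Walks newest-first while the recording relay is trusted; anything
    recorded below the last trusted relay could have been forged by the
    sending machine and is not used.
    """
    origin = None
    for hop in reversed(hops):
        if hop["by"] not in trusted_relays:
            break
        origin = hop["ip"]
    return origin


if __name__ == "__main__":
    hops = received_hops(SAMPLE)
    for hop in hops:
        print(f'{hop["date"]}: {hop["helo"]} [{hop["ip"]}] -> {hop["by"]}')
    # Hypothetical: every relay in the chain is one we trust.
    all_relays = {"mail.frosty.example", "mx.isp.example", "smtp.rogers.example"}
    print("origin (all relays trusted):", likely_origin(hops, all_relays))
    # Hypothetical: we only trust our own MX, so we can vouch for one hop.
    print("origin (only our MX trusted):",
          likely_origin(hops, {"mail.frosty.example"}))
```

With every relay trusted the walk reaches the cable-modem address at the bottom of the chain and its 23:05:16 timestamp, which is the kind of evidence the post rests on; trusting only the receiving MX stops one hop in, which is the honest limit of what a bounce alone can prove.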