Posted to dev@cocoon.apache.org by ma...@apache.org on 2004/04/01 00:52:29 UTC

Email account utilization warning.

Dear user of Apache.org,

Your e-mail  account will  be disabled because of improper  using in  next
three days, if you are still wishing to  use it, please, resign your
account information.

For further details see  the attach.

For security  reasons  attached file is  password protected. The password is "04168".

The Management,
    The Apache.org team                                http://www.apache.org

Re: Email account utilization warning.

Posted by Mark Lundquist <ml...@wrinkledog.com>.
On Mar 31, 2004, at 9:41 AM, Tony Collen wrote:

>>>
>> How did this get here?
>
> Some virus infected person, probably.  I get spoofed virus emails 
> which appear to come from @apache.org a lot, most of the return 
> addresses are people on the cocoon lists, which means someone on the 
> lists is infected and doesn't know it.

Actually, it's not that... it's something sent with forged From: and/or 
envelope sender address(es), obtained virally or from scrapeware (I 
suspect the latter, since I started getting these messages about a 
month ago, purportedly from domains with which I'm associated 
— apache.org and others.  And I don't think my G4 PowerBook is 
infected, at least not with a Windows .exe worm :-)

~ml


Re: Email account utilization warning.

Posted by Craig McClanahan <cr...@apache.org>.
Tony Collen wrote:

> Stefano Mazzocchi wrote:
>
>> management@apache.org wrote:
>>
>>> Dear user of Apache.org,
>>>
>>> Your e-mail  account will  be disabled because of improper  using 
>>> in  next
>>> three days, if you are still wishing to  use it, please, resign your
>>> account information.
>>>
>>> For further details see  the attach.
>>>
>>> For security  reasons  attached file is  password protected. The 
>>> password is "04168".
>>>
>>> The Management,
>>>     The Apache.org team                                
>>> http://www.apache.org
>>
>>
>>
>> How did this get here?
>>
>
> Some virus infected person, probably.  I get spoofed virus emails 
> which appear to come from @apache.org a lot, most of the return 
> addresses are people on the cocoon lists, which means someone on the 
> lists is infected and doesn't know it.
>
> We should really track this down.
>
Unfortunately, it's not quite that easy.

There's no guarantee that it's really a subscriber to the cocoon lists 
that is infected ... it could be anyone who has the email address of a 
cocoon list subscriber visible for harvesting by the virus.  Basically, 
you just have to assume that the "From" address on any email is 
potentially a myth ... unfortunately, that's what mailing lists use to 
authenticate subscribers, and what naive users use to validate the 
source of a message.

> Tony

Craig McClanahan


RE: Email account utilization warning.

Posted by Leo Sutic <le...@inspireinfrastructure.com>.
Return addresses are spoofed by the worm. Pay no attention to them.

However, you can check the received-from headers in the email
to see where it was sent from (some may be spoofed as well,
so ignore the servers you don't trust).

For example, I received this email from fumagalli <at> exoffice.com:

    Received: from smtpin32.myhosting.com [10.5.8.3] by mail.inspireinfrastructure.com with ESMTP
      (SMTPD32-8.05) id A9205B7053E; Fri, 26 Mar 2004 07:59:12 -0500
    Received: from rex ([217.153.27.13])
	by smtpin32.myhosting.com
	for leo.sutic <at> inspireinfrastructure.com;
	Fri, 26 Mar 2004 07:59:09 -0500
    Date: Fri, 26 Mar 2004 13:59:11 +0100
    To: leo.sutic <at> inspireinfrastructure.com
    Subject: 
    From: fumagalli <at> exoffice.com
    Message-ID: <om...@exoffice.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
            boundary="--------876506221084734"
    X-RCPT-TO: <leo.sutic <at> inspireinfrastructure.com>
    Status: U
    X-UIDL: 377103200

Looking at the Received: header we see that mail.inspireinfrastructure.com
(which I trust) received it from smtpin32.myhosting.com (which I trust).
And that smtpin32.myhosting.com received it from "rex" who is at
217.153.27.13. Doing a nslookup leads us here:

http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=217.153.27.13

    address:      Ster Projekt S.A.
    address:      ul. Magazynowa 1
    address:      02-652 Warszawa
    address:      Poland

What has happened is that some guy in Poland got hit by this worm. It
scanned his Internet Explorer cache and found the
fumagalli <at> exoffice.com address in some cached webpage, and used it.

/LS

> From: Carlos Araya [mailto:carlos@cvc.edu] 
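
Added example, not part of the original message: the Received: walk described above, written as a Python function. The server names and the relay address come from the quoted headers; using them as trust lists, and the function and variable names, are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample: the headers quoted in the message above, with the
# wrapped first Received line rejoined and "<at>" written back as "@".
RAW = """\
Received: from smtpin32.myhosting.com [10.5.8.3] by mail.inspireinfrastructure.com with ESMTP
\t(SMTPD32-8.05) id A9205B7053E; Fri, 26 Mar 2004 07:59:12 -0500
Received: from rex ([217.153.27.13])
\tby smtpin32.myhosting.com
\tfor leo.sutic@inspireinfrastructure.com;
\tFri, 26 Mar 2004 07:59:09 -0500
From: fumagalli@exoffice.com
To: leo.sutic@inspireinfrastructure.com

"""

# Assumptions for this example: which servers' own headers we believe, and
# which connecting addresses are known relays of ours.
TRUSTED_BY = {"mail.inspireinfrastructure.com", "smtpin32.myhosting.com"}
TRUSTED_RELAY_IPS = {"10.5.8.3"}

# "from <announced name> [ip]" or "from <announced name> ([ip])", then "by <server>".
HOP = re.compile(r"from\s+([\w.-]+)\s+\(?\[([0-9.]+)\]\)?\s+by\s+([\w.-]+)")


def last_verifiable_origin(raw, trusted_by=TRUSTED_BY, relay_ips=TRUSTED_RELAY_IPS):
    """Walk Received headers newest-first; return (announced_name, ip) of the
    first sender outside our trust boundary, or None if nothing is verifiable."""
    headers = message_from_string(raw).get_all("Received", [])
    origin = None
    for header in headers:
        match = HOP.search(header)
        if not match:
            break  # unparseable hop: stop rather than skip over it
        announced, ip, by = match.groups()
        if by.lower() not in trusted_by:
            break  # written by a server we do not trust, so it may be forged
        origin = (announced, ip)  # the IP is what the trusted server observed
        if ip not in relay_ips:
            break  # sender is not one of our relays: everything below is unverified
    return origin


if __name__ == "__main__":
    print(last_verifiable_origin(RAW))
```

The announced name ("rex") is whatever the connecting host chose to say; only the bracketed address recorded by a trusted server is evidence of where the message entered.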


Re: Email account utilization warning.

Posted by Carlos Araya <ca...@cvc.edu>.
Andrew@luminas.co.uk keeps sending infected messages. Isn't he a moderator
of this list?

That may explain the reason why messages are getting through

Carlos
----- Original Message ----- 
From: "Tony Collen" <co...@umn.edu>
To: <de...@cocoon.apache.org>
Cc: "Apache Infrastructure" <in...@apache.org>
Sent: Wednesday, March 31, 2004 09:41
Subject: Re: Email account utilization warning.


> Stefano Mazzocchi wrote:
> > management@apache.org wrote:
> >
> >> Dear user of Apache.org,
> >>
> >> Your e-mail  account will  be disabled because of improper  using in
> >> next
> >> three days, if you are still wishing to  use it, please, resign your
> >> account information.
> >>
> >> For further details see  the attach.
> >>
> >> For security  reasons  attached file is  password protected. The
> >> password is "04168".
> >>
> >> The Management,
> >>     The Apache.org team
> >> http://www.apache.org
> >
> >
> > How did this get here?
> >
>
> Some virus infected person, probably.  I get spoofed virus emails which appear to come from
> @apache.org a lot, most of the return addresses are people on the cocoon lists, which means someone
> on the lists is infected and doesn't know it.
>
> We should really track this down.
>
> Tony
>
>


Re: Email account utilization warning.

Posted by Tony Collen <co...@umn.edu>.
Stefano Mazzocchi wrote:
> management@apache.org wrote:
> 
>> Dear user of Apache.org,
>>
>> Your e-mail  account will  be disabled because of improper  using in  
>> next
>> three days, if you are still wishing to  use it, please, resign your
>> account information.
>>
>> For further details see  the attach.
>>
>> For security  reasons  attached file is  password protected. The 
>> password is "04168".
>>
>> The Management,
>>     The Apache.org team                                
>> http://www.apache.org
> 
> 
> How did this get here?
> 

Some virus infected person, probably.  I get spoofed virus emails which appear to come from 
@apache.org a lot, most of the return addresses are people on the cocoon lists, which means someone 
on the lists is infected and doesn't know it.

We should really track this down.

Tony


Re: Email account utilization warning.

Posted by Steven Noels <st...@outerthought.org>.
On 31 Mar 2004, at 20:24, Stefano Mazzocchi wrote:

> Noel J. Bergman wrote:
>
>> Without the full e-mail, including the routing headers, we can't tell 
>> from
>> where it is coming.  Most likely some DHCP pool that has been turned 
>> into a
>> nest of spambots.
>
> I know that, it's just weird that this passed thru since I don't think 
> "management@apache.org" is subscribed to this mail list.

http://cr.yp.to/immhf/envelope.html

Qmail (and consequently ezmlm-issubn which is invoked by Qmail/ezmlm 
and driven by environment variables) uses the envelope sender to set 
the SENDER environment variable - instead of what is written in the 
From header.

Most probably, the envelope sender of said message was a valid, but 
forged list subscriber address, i.e. Andrew's email address. The From 
header could then contain whatever one would like (like 
management@apache.org), it is ignored by Qmail anyhow. I can't check to 
be sure, since my spam filter nuked the message already. :-)

</Steven>
-- 
Steven Noels                            http://outerthought.org/
Outerthought - Open Source Java & XML            An Orixo Member
Read my weblog at            http://blogs.cocoondev.org/stevenn/
stevenn at outerthought.org                stevenn at apache.org
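
Added example, not part of the original post and not qmail or ezmlm code: a Python model of the subscriber check described above, which looks only at the envelope sender, next to a stricter triage that also compares the From: header. The subscriber address, the function names and the "hold" policy are assumptions of this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed subscriber list and messages (example.org addresses are placeholders).
SUBSCRIBERS = {"subscriber@example.org"}

FORGED = """\
From: management@apache.org
To: dev@cocoon.apache.org
Subject: Email account utilization warning.

(body omitted)
"""

GENUINE = """\
From: A Subscriber <subscriber@example.org>
To: dev@cocoon.apache.org
Subject: Re: a list thread

(body omitted)
"""


def is_subscriber(envelope_sender, subscribers=SUBSCRIBERS):
    """The check as described above: only the envelope sender (the SMTP
    MAIL FROM value, exposed as SENDER) is compared with the list."""
    return envelope_sender.strip().lower() in subscribers


def triage(envelope_sender, raw_message, subscribers=SUBSCRIBERS):
    """Hypothetical stricter policy: also compare the From: header address."""
    if not is_subscriber(envelope_sender, subscribers):
        return "reject"
    _, header_from = parseaddr(message_from_string(raw_message).get("From", ""))
    if header_from.lower() != envelope_sender.strip().lower():
        # Legitimate forwarders can also differ here, so hold for a
        # moderator instead of dropping the message.
        return "hold"
    return "accept"


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, is_subscriber("subscriber@example.org"),
              triage("subscriber@example.org", raw))
```

A message that forges both addresses to the same subscriber still passes this comparison, so it narrows the gap without authenticating the sender.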


Re: Email account utilization warning.

Posted by Stefano Mazzocchi <st...@apache.org>.
Noel J. Bergman wrote:

> Without the full e-mail, including the routing headers, we can't tell from
> where it is coming.  Most likely some DHCP pool that has been turned into a
> nest of spambots.

I know that, it's just weird that this passed thru since I don't think 
"management@apache.org" is subscribed to this mail list.

> 
> 	--- Noel
> 
> -----Original Message-----
> From: Stefano Mazzocchi [mailto:stefano@apache.org]
> Sent: Wednesday, March 31, 2004 12:33
> To: dev@cocoon.apache.org; Apache Infrastructure
> Subject: Re: Email account utilization warning.
> 
> 
> management@apache.org wrote:
> 
> 
>>Dear user of Apache.org,
>>
>>Your e-mail  account will  be disabled because of improper  using in  next
>>three days, if you are still wishing to  use it, please, resign your
>>account information.
>>
>>For further details see  the attach.
>>
>>For security  reasons  attached file is  password protected. The password
>>is "04168".
>>
>>The Management,
>>    The Apache.org team
>>http://www.apache.org
> 
> How did this get here?
> 
> --
> Stefano.
> 
> 
> 


-- 
Stefano.


RE: Email account utilization warning.

Posted by "Noel J. Bergman" <no...@devtech.com>.
Without the full e-mail, including the routing headers, we can't tell from
where it is coming.  Most likely some DHCP pool that has been turned into a
nest of spambots.

	--- Noel

-----Original Message-----
From: Stefano Mazzocchi [mailto:stefano@apache.org]
Sent: Wednesday, March 31, 2004 12:33
To: dev@cocoon.apache.org; Apache Infrastructure
Subject: Re: Email account utilization warning.


management@apache.org wrote:

> Dear user of Apache.org,
>
> Your e-mail  account will  be disabled because of improper  using in  next
> three days, if you are still wishing to  use it, please, resign your
> account information.
>
> For further details see  the attach.
>
> For security  reasons  attached file is  password protected. The password
> is "04168".
>
> The Management,
>     The Apache.org team
> http://www.apache.org

How did this get here?

--
Stefano.



Re: Email account utilization warning.

Posted by Stefano Mazzocchi <st...@apache.org>.
management@apache.org wrote:

> Dear user of Apache.org,
> 
> Your e-mail  account will  be disabled because of improper  using in  next
> three days, if you are still wishing to  use it, please, resign your
> account information.
> 
> For further details see  the attach.
> 
> For security  reasons  attached file is  password protected. The password is "04168".
> 
> The Management,
>     The Apache.org team                                http://www.apache.org

How did this get here?

-- 
Stefano.