Posted to fop-dev@xmlgraphics.apache.org by Manuel Mall <mm...@arcus.com.au> on 2004/03/04 01:08:22 UTC

fop-dev used to spread virus

The e-mail to fop-dev below which I received last night contained the Beagle
virus and according to the SMTP headers it was distributed via the Apache
mail server. This seems to indicate that

a) The Apache list server has no virus scanner.

b) As the fop-dev list is by subscription only that a fop-dev member (or an
impersonator) has an infected computer.

Manuel

===============================

Received: from mail.apache.org (daedalus.apache.org [208.185.179.12]) by
kant.arcus.com.au with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2650.21)
 id FDYXCPQN; Wed, 3 Mar 2004 23:23:09 +0800
Received: (qmail 74020 invoked by uid 500); 3 Mar 2004 15:23:01 -0000
Received: (qmail 73804 invoked from network); 3 Mar 2004 15:22:59 -0000
Received: from unknown (HELO nagesh) (4.65.248.67)
  by daedalus.apache.org with SMTP; 3 Mar 2004 15:22:59 -0000
Mailing-List: contact fop-dev-help@xml.apache.org; run by ezmlm
Precedence: bulk
list-help: <ma...@xml.apache.org>
list-unsubscribe: <ma...@xml.apache.org>
list-post: <ma...@xml.apache.org>
Reply-To: fop-dev@xml.apache.org
Delivered-To: mailing list fop-dev@xml.apache.org
Date: Wed, 03 Mar 2004 09:28:45 -0600
To: fop-dev@xml.apache.org
Subject: Notify about using the e-mail account.
From: noreply@apache.org
Message-ID: <qk...@xml.apache.org>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------majfmldnfpkyieyerphp"
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

----------majfmldnfpkyieyerphp
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user, the  management  of Apache.org mailing system  wants to  let  you
know  that,

Your  e-mail account  will  be disabled because  of  improper using in  next
three days, if you are still  wishing to use it, please,  resign your
account information.

Please, read the  attach for  further details.

Sincerely,
     The Apache.org team
http://www.apache.org
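
Added example, not part of the original post and not Apache tooling: a Python sketch that reads the Received chain quoted above oldest-first to find where the message entered the list server, and checks that hop against the From line. The header text is copied from this page with redacted fields left out; the function names and the `list_domain` parameter are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message quoted on this page (redacted fields left
# out; continuation lines indented so they parse as folded headers).
RAW = """\
Received: from mail.apache.org (daedalus.apache.org [208.185.179.12]) by
 kant.arcus.com.au with SMTP (Microsoft Exchange Internet Mail Service
 Version 5.5.2650.21)
 id FDYXCPQN; Wed, 3 Mar 2004 23:23:09 +0800
Received: (qmail 74020 invoked by uid 500); 3 Mar 2004 15:23:01 -0000
Received: (qmail 73804 invoked from network); 3 Mar 2004 15:22:59 -0000
Received: from unknown (HELO nagesh) (4.65.248.67)
  by daedalus.apache.org with SMTP; 3 Mar 2004 15:22:59 -0000
To: fop-dev@xml.apache.org
Subject: Notify about using the e-mail account.
From: noreply@apache.org

"""

# Network hop: "from <name> [(HELO <helo>)] ([rdns ][ip]) by <receiver>".
# Local qmail hand-offs ("invoked by uid ...") do not match and are skipped.
HOP = re.compile(r"from (\S+) (?:\(HELO (\S+)\) )?\((?:\S+ )?\[?([\d.]+)\]?\) by (\S+)")

def network_hops(raw):
    """Return (message, hops), hops ordered oldest first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # newest is on top
        m = HOP.search(" ".join(value.split()))          # unfold the header
        if m:
            hops.append({"claimed": m[1], "helo": m[2], "ip": m[3], "by": m[4]})
    return msg, hops

def assess(raw, list_domain="apache.org"):
    """Compare the entry hop with the domain the From header claims."""
    msg, hops = network_hops(raw)
    if not hops:
        return None, ["no network hop recorded"]
    entry = hops[0]  # first server to accept the message from outside
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    findings = []
    if entry["claimed"] == "unknown":
        findings.append("receiving server had no hostname for the client")
    if entry["helo"] and "." not in entry["helo"]:
        findings.append("HELO is a bare machine name, not an FQDN")
    if from_domain.endswith(list_domain) and not entry["claimed"].endswith(list_domain):
        findings.append("From claims %s but the submitter is external" % list_domain)
    return entry, findings
```

Only the Received lines added by servers you trust are evidence; From, Date and Subject are supplied by the sender.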




Re: fop-dev used to spread virus

Posted by "J.Pietschmann" <j3...@yahoo.de>.
Andreas L. Delmelle wrote:
> a) The Apache list server has no virus scanner?

The Apache list server has a virus scanner. It just happened
that there were apparently at least three and more than 7
new variants of Bagle, MyDoom and NetSky released yesterday
within a few hours.

Also, the worms seem to be specifically designed to also get to
subscriber-only lists. This may be a side effect of matching
gathered sender and receiver addresses. Think of the worm
finding saved mails or cached HTML pages of a web archive and
deducing if there's a "To: foo@example.org" and a "From
foo-list@somewhere.com", then foo-list is more likely to open
suspicious attachments if the sender were foo, which unfortunately
also gets mail through to lists.

All lists with some volume I have subscribed to have been
targeted by the worms. This is a novelty. While there had been
worms forwarded to lists by clueless people in the past, this
seems to be the first time a worm managed to get to the
subscription barrier on its own.

J.Pietschmann


RE: fop-dev used to spread virus

Posted by "Andreas L. Delmelle" <a_...@pandora.be>.
> -----Original Message-----
> From: Glen Mazza [mailto:grm7793@yahoo.com]
> 
<snip />
> Please....I'm not implying intent here, or email owner
> capabilities.  

Of course not. Sorry, was just a bit annoyed with the logic in the OP.



Cheers,

Andreas


RE: fop-dev used to spread virus

Posted by Glen Mazza <gr...@yahoo.com>.
--- "Andreas L. Delmelle" <a_...@pandora.be>
wrote:
>
> OTOH I seriously doubt there's enough reason to
> assume that the culprit is
> actually among the subscribers. On the contrary, I
> have every bit of
> confidence that every single one of these 430 is
> smart enough to stop the
> spread in their own mailbox.
> 

Please....I'm not implying intent here, or email owner
capabilities.  If any email address is being spoofed
or otherwise somehow copied, the actual owner of that
email address almost definitely has no knowledge of
what's going on.  These things happen.

Glen

RE: fop-dev used to spread virus

Posted by "Andreas L. Delmelle" <a_...@pandora.be>.
> -----Original Message-----
> From: Glen Mazza [mailto:grm7793@yahoo.com]
>
> Thanks, Manuel.  We have about 430 people on FOP-DEV,
<snip />

> --- Manuel Mall <mm...@arcus.com.au> wrote:
> > The e-mail to fop-dev below which I received last
> > night contained the Beagle
> > virus and according to the SMTP headers it was
> > distributed via the Apache
> > mail server. This seems to indicate that
> >
> > a) The Apache list server has no virus scanner.
> >
If I may:

a) The Apache list server has no virus scanner? That's unlikely to be the case. In
the worst case it was maybe offline for half a minute, just enough to allow
*one* malicious message to pass... On some corporate networks that do have a
scanner, usually one or two per user get through anyway, so I guess only one
message isn't that bad after all.

> > b) As the fop-dev list is by subscription only that
> > a fop-dev member (or an impersonator) has an infected computer.
> >

b) (impersonator) Someone is using info from people subscribed to the list
(or from Apache itself) to send infected mails around to as many people as
possible. The bit of data necessary to engage in such actions was most
likely taken from one of the subscribers' computers, that much is true.

OTOH I seriously doubt there's enough reason to assume that the culprit is
actually among the subscribers. On the contrary, I have every bit of
confidence that every single one of these 430 is smart enough to stop the
spread in their own mailbox.

And you?

Cheers,

Andreas


Re: fop-dev used to spread virus

Posted by Glen Mazza <gr...@yahoo.com>.
Thanks, Manuel.  We have about 430 people on FOP-DEV,
last time we checked, so it would be hard to find the
problem account.  Still, sending to infrastructure...
(well, I believe it's called infrastructure @ apache
dot org, I'll be corrected soon otherwise... )

Glen


--- Manuel Mall <mm...@arcus.com.au> wrote:
> The e-mail to fop-dev below which I received last
> night contained the Beagle
> virus and according to the SMTP headers it was
> distributed via the Apache
> mail server. This seems to indicate that
> 
> a) The Apache list server has no virus scanner.
> 
> b) As the fop-dev list is by subscription only that
> a fop-dev member (or an
> impersonator) has an infected computer.
> 
> Manuel
> 
> ===============================
> 
> Received: from mail.apache.org (daedalus.apache.org
> [208.185.179.12]) by
> kant.arcus.com.au with SMTP (Microsoft Exchange
> Internet Mail Service
> Version 5.5.2650.21)
>  id FDYXCPQN; Wed, 3 Mar 2004 23:23:09 +0800
> Received: (qmail 74020 invoked by uid 500); 3 Mar
> 2004 15:23:01 -0000
> Received: (qmail 73804 invoked from network); 3 Mar
> 2004 15:22:59 -0000
> Received: from unknown (HELO nagesh) (4.65.248.67)
>   by daedalus.apache.org with SMTP; 3 Mar 2004
> 15:22:59 -0000
> Mailing-List: contact fop-dev-help@xml.apache.org;
> run by ezmlm
> Precedence: bulk
> list-help: <ma...@xml.apache.org>
> list-unsubscribe:
> <ma...@xml.apache.org>
> list-post: <ma...@xml.apache.org>
> Reply-To: fop-dev@xml.apache.org
> Delivered-To: mailing list fop-dev@xml.apache.org
> Date: Wed, 03 Mar 2004 09:28:45 -0600
> To: fop-dev@xml.apache.org
> Subject: Notify about using the e-mail account.
> From: noreply@apache.org
> Message-ID: <qk...@xml.apache.org>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>         boundary="--------majfmldnfpkyieyerphp"
> X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
> 
> ----------majfmldnfpkyieyerphp
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> 
> Dear user, the  management  of Apache.org mailing
> system  wants to  let  you
> know  that,
> 
> Your  e-mail account  will  be disabled because  of 
> improper using in  next
> three days, if you are still  wishing to use it,
> please,  resign your
> account information.
> 
> Please, read the  attach for  further details.
> 
> Sincerely,
>      The Apache.org team
> http://www.apache.org
> 
> 
>