on Sat, May 15, 2004 at 12:13:23AM +0100, Pigeon (jah.pigeon@ukonline.co.uk) wrote:
> I have received an email from the
> progressivemusicforum@yahoogroups.com mailing list, to which I am
> subscribed. The originator of the email has sent it to a large number
> of recipients, as shown in the To: header - legitimately, not as spam,
> but there are two spurious entries in the list:
>
> Chipster@schnellbox.pigeonloft
> Robert@schnellbox.pigeonloft
>
> "schnellbox.pigeonloft" is an internal hostname of mine, obviously not
> routable from "the outside". It is the box from which I post to the
> progressivemusicforum list. I don't have users named "Chipster" or
> "Robert". There is nothing in my exim logs relating to "Chipster" or
> "Robert" and chkrootkit says nothing untoward is on any of my machines.
>
> I am guessing that the guy who sent out the email in question may be
> infected with some kind of virus which has found
> "@schnellbox.pigeonloft" in the Message-Id: headers of my posts to
> progressivemusicforum and added spurious user names to them which have
> somehow found their way into the sender's list of recipients for the
> email.

Unqualified senders are often qualified as they go through MTAs. Is
schnellbox your mailserver, by chance? Looks it, per headers.

> Googling for chipster robert virus doesn't throw up anything about a
> virus that uses these fake names; does anyone on here recognise this
> as possible viral behaviour? I've warned the sender just in case. The
> full email is attached.
>
> From sentto-11332485-2524-1084495284-bjh=pigeon.dyndns.org@returns.groups.yahoo.com Fri May 14 01:42:39 2004
> Return-path: <sentto-11332485-2524-1084495284-bjh=pigeon.dyndns.org@returns.groups.yahoo.com>
> Envelope-to: pigeon@schnellbox.pigeonloft
> Received: from pigeon by schnellbox.pigeonloft with local (Exim 3.35 #1 (Debian))
> id 1BOQmd-0003dB-00
> for <pigeon@schnellbox.pigeonloft>; Fri, 14 May 2004 01:42:39 +0100

Probably rewritten here.

Peace.

--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Kerry '04 http://www.johnkerry.com/
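
The rewriting suggested in the reply above can be modelled in a few lines. This is an added example, not part of the original thread: it assumes the receiving MTA appends its own hostname to bare local parts in a header, and the sample `To:` value and the `local_users` set are constructed for illustration.

```python
from email.utils import formataddr, getaddresses

# Hostname taken from the thread; used here as the qualifying domain.
QUALIFY_DOMAIN = "schnellbox.pigeonloft"


def qualify_header(value, qualify_domain=QUALIFY_DOMAIN):
    """Qualify bare local parts in an address header.

    Returns (rewritten_header, local_parts_that_were_qualified).
    """
    out, changed = [], []
    for name, addr in getaddresses([value]):
        if not addr:
            continue
        if "@" not in addr:
            # Unqualified address: the MTA appends its own domain.
            changed.append(addr)
            addr = f"{addr}@{qualify_domain}"
        out.append(formataddr((name, addr)))
    return ", ".join(out), changed


def qualification_artifacts(value, local_users, qualify_domain=QUALIFY_DOMAIN):
    """List header addresses in the local domain that match no local user.

    Such entries are more likely leftovers of header qualification
    than real mailboxes.
    """
    known = {u.lower() for u in local_users}
    hits = []
    for _name, addr in getaddresses([value]):
        local, sep, domain = addr.rpartition("@")
        if sep and domain.lower() == qualify_domain.lower():
            if local.lower() not in known:
                hits.append(addr)
    return hits


if __name__ == "__main__":
    # Constructed sample: what the sender's To: header may have looked like.
    original = "Chipster, Robert, Someone <someone@example.com>"
    rewritten, changed = qualify_header(original)
    print("qualified local parts:", changed)
    print("rewritten header:    ", rewritten)
    print("artifacts:           ",
          qualification_artifacts(rewritten, local_users={"pigeon"}))
```
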