on Sat, May 15, 2004 at 12:13:23AM +0100, Pigeon (jah.pigeon@ukonline.co.uk) wrote: > I have received an email from the > progressivemusicforum@yahoogroups.com mailing list, to which I am > subscribed. The originator of the email has sent it to a large number > of recipients, as shown in the To: header - legitimately, not as spam, > but there are two spurious entries in the list: > > Chipster@schnellbox.pigeonloft > Robert@schnellbox.pigeonloft > > "schnellbox.pigeonloft" is an internal hostname of mine, obviously not > routable from "the outside". It is the box from which I post to the > progressivemusicforum list. I don't have users named "Chipster" or > "Robert". There is nothing in my exim logs relating to "Chipster" or > "Robert" and chkrootkit says nothing untoward is on any of my machines. > > I am guessing that the guy who sent out the email in question may be > infected with some kind of virus which has found > "@schnellbox.pigeonloft" in the Message-Id: headers of my posts to > progressivemusicforum and added spurious user names to them which have > somehow found their way into the sender's list of recipients for the > email. Unqualified senders are often qualified as they go through MTAs. Is schnellbox your mailserver, by chance? Looks it, per headers. > Googling for chipster robert virus doesn't throw up anything about a > virus that uses these fake names; does anyone on here recognise this > as possible viral behaviour? I've warned the sender just in case. The > full email is attached. > > From sentto-11332485-2524-1084495284-bjh=pigeon.dyndns.org@returns.groups.yahoo.com Fri May 14 01:42:39 2004 > Return-path: <sentto-11332485-2524-1084495284-bjh=pigeon.dyndns.org@returns.groups.yahoo.com> > Envelope-to: pigeon@schnellbox.pigeonloft > Received: from pigeon by schnellbox.pigeonloft with local (Exim 3.35 #1 (Debian)) > id 1BOQmd-0003dB-00 > for <pigeon@schnellbox.pigeonloft>; Fri, 14 May 2004 01:42:39 +0100 Probably rewritten here. Peace. -- Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/ What Part of "Gestalt" don't you understand? Kerry '04 http://www.johnkerry.com/
Attachment:
signature.asc
Description: Digital signature