possible spam source clue

Woody Woods woody.woods at umb.edu
Tue Sep 23 12:06:01 EDT 2003


I ran this by Ron before sending to the leps lists. Please excuse the
cross-posting, but I thought it should go to all.

I received two emails that appear at best legitimate and at worst harmless;
they list the other recipients of virus/worm-bearing emails I have received.
Maybe you got 'em too, but I'm writing in case you didn't.

I suggest that you look at the email addresses and see whether ALL of them
in either message are in your address book. If so, possibly your computer
has been infected. So far, mine (a Mac, helpfully) has been clean.

Rather than risk forwarding the messages to you all, just in case, I have
simply copied the text content, including the recipients' addresses
(including mine!) below.

By the way, I have removed the list email addresses from my address book--
heck, if I don't know them by now I never will...

Woody

First message:

Attention: woody.woods at umb.edu

[A message has been sent to the originator, stating there is a virus
in the Email they just sent to you. No further action is required on
your part.]

A virus was found in an Email message sent to you.
This Email scanner intercepted it and stopped the entire message
before it reached you. No further action is required on your part.

The virus was reported to be:

virus WORM_SWEN.A

Please contact your I.T support personnel with any queries regarding this
policy.

The message sent to you had the following envelope:

MAIL FROM: manager at taiwan-peggycompany.com
RCPT TO:   
ctaylor at worldnet.att.net,kline_at_pine at yahoo.com,jbizarro at uol.com.br,kennk at i
x.netcom.com,pinteareed at madbbs.com,aa6g at aa6g.org,patfoley at csus.edu,cwgan at pac
ific.net.sg,woody.woods at umb.edu,marven at shaw.ca,rob at whiterabbits.com

... and with the following headers:

---
MAILFROM: manager at taiwan-peggycompany.com
Received: from unknown (HELO kkwa) ([218.13.213.193]) (envelope-sender
<manager at taiwan-peggycompany.com>)
         by msa.url.com.tw (qmail-ldap-1.03) with SMTP
         for <ctaylor at worldnet.att.net>; 23 Sep 2003 10:38:44 -0000
FROM: "Public Assistance" <kpnsdtbvuw at support.net>
TO: "Microsoft Customer" <sctsnyv at support.net>
SUBJECT: Internet Patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ukhrdqrvtasuje"


--and here's the second message:


Attention: woody.woods at umb.edu

[A message has been sent to the originator, stating there is a virus
in the Email they just sent to you. No further action is required on
your part.]

A virus was found in an Email message sent to you.
This Email scanner intercepted it and stopped the entire message
before it reached you. No further action is required on your part.

The virus was reported to be:

virus WORM_SWEN.A

Please contact your I.T support personnel with any queries regarding this
policy.

The message sent to you had the following envelope:

MAIL FROM: manager at taiwan-peggycompany.com
RCPT TO:   

... and with the following headers:

---
MAILFROM: manager at taiwan-peggycompany.com
Received: from unknown (HELO gtdfd) ([218.13.213.193]) (envelope-sender
<manager at taiwan-peggycompany.com>)
         by msa.url.com.tw (qmail-ldap-1.03) with SMTP
         for <rob at whiterabbits.com>; 23 Sep 2003 10:39:03 -0000
FROM: "internet mail storage service" <mailerroutine at puremail.com>
TO: "Net User" <user at mxserver.com>
SUBJECT: Advice
Mime-Version: 1.0
Content-Type: multipart/alternative;
   boundary="vwzagyipstlx"


---
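The comparison the message invites, as an added example that is not part of the original post: parse two scanner notices, check whether they share an envelope sender and connecting IP even though the From headers differ, and test whether every recipient is in a given address book. The envelope sender, relay IP, HELO names and From lines are copied from the notices above; the recipient addresses, the address book and all function names are constructed for illustration.

```python
import re

# Constructed notices in the shape of the two scanner reports above. Envelope
# sender, relay IP, HELO names and From lines are copied from the page; the
# recipient addresses are constructed placeholders (note the wrapped line).
NOTICE_1 = """MAIL FROM: manager at taiwan-peggycompany.com
RCPT TO:
alice at example.org,bob at example.org,carol at example.org
Received: from unknown (HELO kkwa) ([218.13.213.193]) (envelope-sender
<manager at taiwan-peggycompany.com>)
FROM: "Public Assistance" <kpnsdtbvuw at support.net>
"""
NOTICE_2 = """MAIL FROM: manager at taiwan-peggycompany.com
RCPT TO:
carol at example.org,bob at example.org,alice at example.org,dave at exam
ple.net
Received: from unknown (HELO gtdfd) ([218.13.213.193]) (envelope-sender
<manager at taiwan-peggycompany.com>)
FROM: "internet mail storage service" <mailerroutine at puremail.com>
"""

def norm(addr):
    """Undo the archive's ' at ' obfuscation and lowercase the address."""
    return addr.strip().replace(" at ", "@").lower()

def parse_notice(text):
    """Pull the envelope and the first Received hop out of one notice."""
    rcpt_block = re.search(r"RCPT TO:\s*\n(.*?)\nReceived:", text, re.S).group(1)
    rcpts = rcpt_block.replace("\n", "").split(",")  # rejoin wrapped lines
    return {
        "mail_from": norm(re.search(r"^MAIL FROM:\s*(.+)$", text, re.M).group(1)),
        "helo": re.search(r"\(HELO ([^)]+)\)", text).group(1),
        "relay_ip": re.search(r"\(\[([0-9.]+)\]\)", text).group(1),
        "header_from": norm(re.search(r"^FROM:.*<(.+)>", text, re.M).group(1)),
        "rcpts": {norm(r) for r in rcpts if r.strip()},
    }

def same_source(a, b):
    """Same envelope sender and connecting IP, whatever the From header says."""
    return a["mail_from"] == b["mail_from"] and a["relay_ip"] == b["relay_ip"]

def all_in_address_book(notice, address_book):
    """The check suggested in the message: is every recipient one of my contacts?"""
    return notice["rcpts"] <= {norm(a) for a in address_book}
```
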



