Velocity Reviews


David H. Lipman 08-22-2004 04:47 PM

Re: Giving up
 
What is this crap ?

This post plus the below....

"Behgjet Frisch" <Behgjet57@konnectcorp.com> wrote in message
news:4128bbf8@news01.argolink.net...
| New comer to this newsgroup.
|
| Good luck
| Behgjet Frisch
| Tel. +1 802 560 9860
| Behgjet@shangool.com
| Behgjet@biogenesys.com

From: Bahadir-Cem Bourdo <Bahadir-Cem43@paramail.com>
Newsgroups: comp.protocols.tcp-ip.ibmpc
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: Giving up
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <41270759@news01.argolink.net>
Date: 21 Aug 2004 03:27:05 -0500
X-Trace: news01.argolink.net 1093076825 64.180.111.134 (21 Aug 2004 03:27:05 -0500)
Lines: 7
Path: nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!peer01.cox.net!cox.net!newshosting.com!nx02.iad01.newshosting.com!newsfeeds.sol.net!newspump.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
Xref: cyclone1.gnilink.net comp.protocols.tcp-ip.ibmpc:1603
X-Received-Date: Sat, 21 Aug 2004 04:31:54 EDT (nwrdny03.gnilink.net)

Interesting newsgroup!


Bahadir-Cem Bourdo
Tel. +1 746 933 8112
Bahadir-Cem@zanbegir.com
Bahadir-Cem@konnectcorp.com

~~~~~~~~~~~~~~~~~~~~~~~
From: Badaridasa Mushawick <Badaridasa31@etunnels.net>
Newsgroups: comp.dcom.modems.cable
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: Giving up
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <4127204c@news01.argolink.net>
Date: 21 Aug 2004 05:13:32 -0500
X-Trace: news01.argolink.net 1093083212 64.180.111.134 (21 Aug 2004 05:13:32 -0500)
Lines: 7
Path: nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!bigfeed2.bellsouth.net!news.bellsouth.net!elnk-atl-nf1!newsfeed.earthlink.net!newshosting.com!nx02.iad01.newshosting.com!newsfeeds.sol.net!newspump.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
Xref: cyclone1.gnilink.net comp.dcom.modems.cable:59008
X-Received-Date: Sat, 21 Aug 2004 06:12:58 EDT (nwrdny03.gnilink.net)

Can't help you there?!


Badaridasa Mushawick
Tel. +1 832 730 8195
Badaridasa@biographycentral.com
Badaridasa@biographycentral.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Balakrishanan Truckmann <Balakrishanan34@pinreg.com>
Newsgroups: alt.photography
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: New comer
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <41289e9e@news01.argolink.net>
Date: 22 Aug 2004 08:24:46 -0500
X-Trace: news01.argolink.net 1093181086 64.180.111.134 (22 Aug 2004 08:24:46 -0500)
Lines: 7
Path: nwrdny01.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!in.100proofnews.com!in.100proofnews.com!news-out.visi.com!news-out.octanews.net!petbe.visi.com!newsfeeds.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
Xref: cyclone1.gnilink.net alt.photography:31137
X-Received-Date: Sun, 22 Aug 2004 09:24:08 EDT (nwrdny01.gnilink.net)

Interesting newsgroup!


Balakrishanan Truckmann
Tel. +1 984 958 1390
Balakrishanan@shangool.com
Balakrishanan@saveoncall.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: Babel Sagalov <Babel21@soheilroohani.com>
Newsgroups: alt.comp.virus
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: New comer
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <4128a372$2@news01.argolink.net>
Date: 22 Aug 2004 08:45:22 -0500
X-Trace: news01.argolink.net 1093182322 64.180.111.134 (22 Aug 2004 08:45:22 -0500)
Lines: 7
Path: nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!peer01.cox.net!cox.net!newsfeeds.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
Xref: cyclone1.gnilink.net alt.comp.virus:101814
X-Received-Date: Sun, 22 Aug 2004 09:44:46 EDT (nwrdny03.gnilink.net)

Interesting newsgroup!


Babel Sagalov
Tel. +1 628 274 6662
Babel@saveoncall.net
Babel@norouzbaskets.com




David H. Lipman 08-22-2004 05:20 PM

Re: Giving up
 
Blind Carbon Copy (BCC)

It won't show for privacy issues. That's why it's used. Like when you send a message to a
coworker but also send a BCC to his boss. This way the coworker has no way of knowing his
boss knows.

I may be mistaken but, it may have originated from an AT&T node.

Dave




"Kleeb" <kleeb@kleeb.kleeb> wrote in message
news:lakhi09kvo826ore8vc475gfv4c8qk5ec8@4ax.com...
| On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
| >What is this crap ?
|
| I wonder if you could shed some light on the following headers from a mail
| I've just received. I'm finding it difficult with my current knowledge (not
| much) to understand just exactly how this mail made it to my ISP's mailbox.
|
| Nowhere is there any mention of my email address, or even my router's IP
| address. How is this achievable?
|
| <begin headers>
|
| Return-Path: <bvdiwjboch@dcemail.com>
| Received: from localhost (localhost.localdomain [127.0.0.1])
| by localhost.localdomain (8.12.8/8.12.8) with ESMTP id
| i7MGRYhc010915
| for <me@localhost>; Sun, 22 Aug 2004 17:27:35 +0100
| Received: from pop.ntlworld.com [62.253.162.50]
| by localhost with POP3 (fetchmail-6.2.0)
| for me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100
| (BST)
| Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
| by mta04-svc.ntlworld.com
| (InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
| id
| <20040822162051.JCGX17972.mta04-svc.ntlworld.com@h000c6e55013e.ne.client2.attbi.com>;
| Sun, 22 Aug 2004 17:20:51 +0100
| X-Message-Info: TJHN+ap52+ewf+E+81/433818234603741
| Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
| Date: Sun, 22 Aug 2004 23:22:15 +0600
| Message-Id: <686876125.50504@bvdiwjboch@dcemail.com>
| From: Tanya Klinko <bvdiwjboch@dcemail.com>
| To: "Wt.thomas77" <wt.thomas77@ntlworld.com>
| Subject: New Dating Site
| MIME-Version: 1.0 (produced by ameslandictum 3.7)
| Content-Type: multipart/alternative;
| boundary="--467192766424474342"
| X-Spam-Status: No, hits=4.1 required=5.0
| tests=INVALID_MSGID,PORN_4,RCVD_IN_ORBS,SPAM_PHRASE_00_01,
| TO_LOCALPART_EQ_REAL
| version=2.44
| X-Spam-Level: ****
| Status:
|
| <end headers>
|
| From what I've read on the subject, the 'Received:' that is the lowest down
| the headers is most likely the sender. And any more than 3 or 4 'Received:'
| lines means the mail has definitely been forged. Does this sound right ?
|
| Thanks for any info you might have.
|
| Cordially,
|
| Kleeb.
|



Bit Twister 08-22-2004 05:41 PM

Re: Giving up
 
On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
> What is this crap ?


An infected machine with the Hackarmy Trojan horse controlled
by a zombie master. Now the machine is up for renting ads spammed into
Usenet groups.

Report the abusing IP (s64-180-111-134.bc.hsia.telus.net) to abuse@telus.com
with a brief reason followed by the full headers and at least one full post
of the message.

If everyone does it, the abuse dept will shut them down just to keep
their inbox from filling up.

Kleeb 08-22-2004 06:06 PM

Re: Giving up
 
On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>What is this crap ?


I wonder if you could shed some light on the following headers from a mail
I've just received. I'm finding it difficult with my current knowledge (not
much) to understand just exactly how this mail made it to my ISP's mailbox.

Nowhere is there any mention of my email address, or even my router's IP
address. How is this achievable?

<begin headers>

Return-Path: <bvdiwjboch@dcemail.com>
Received: from localhost (localhost.localdomain [127.0.0.1])
by localhost.localdomain (8.12.8/8.12.8) with ESMTP id
i7MGRYhc010915
for <me@localhost>; Sun, 22 Aug 2004 17:27:35 +0100
Received: from pop.ntlworld.com [62.253.162.50]
by localhost with POP3 (fetchmail-6.2.0)
for me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100
(BST)
Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
by mta04-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
id
<20040822162051.JCGX17972.mta04-svc.ntlworld.com@h000c6e55013e.ne.client2.attbi.com>;
Sun, 22 Aug 2004 17:20:51 +0100
X-Message-Info: TJHN+ap52+ewf+E+81/433818234603741
Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
Date: Sun, 22 Aug 2004 23:22:15 +0600
Message-Id: <686876125.50504@bvdiwjboch@dcemail.com>
From: Tanya Klinko <bvdiwjboch@dcemail.com>
To: "Wt.thomas77" <wt.thomas77@ntlworld.com>
Subject: New Dating Site
MIME-Version: 1.0 (produced by ameslandictum 3.7)
Content-Type: multipart/alternative;
boundary="--467192766424474342"
X-Spam-Status: No, hits=4.1 required=5.0
tests=INVALID_MSGID,PORN_4,RCVD_IN_ORBS,SPAM_PHRASE_00_01,
TO_LOCALPART_EQ_REAL
version=2.44
X-Spam-Level: ****
Status:

<end headers>

From what I've read on the subject, the 'Received:' that is the lowest down
the headers is most likely the sender. And any more than 3 or 4 'Received:'
lines means the mail has definitely been forged. Does this sound right ?

Thanks for any info you might have.

Cordially,

Kleeb.


David H. Lipman 08-22-2004 06:41 PM

Re: Giving up
 
I was beginning to think it was a NNTP spam zombie.

So what do you think the purpose is ?

Are the phone numbers high cost toll numbers ?

Dave



"Bit Twister" <BitTwister@localhost.localdomain> wrote in message
news:slrncihmlf.km7.BitTwister@wb.home.invalid...
| On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
| > What is this crap ?
|
| An infected machine with the Hackarmy Trojan horse controlled
| by a zombie master. Now the machine is up for renting ads spammed into
| Usenet groups.
|
| Report the abusing IP (s64-180-111-134.bc.hsia.telus.net) to abuse@telus.com
| with a brief reason followed by the full headers and at least one full post
| of the message.
|
| If everyone does it, the abuse dept will shut them down just to keep
| their inbox from filling up.



Bit Twister 08-22-2004 07:39 PM

Re: Giving up
 
On Sun, 22 Aug 2004 18:41:16 GMT, David H. Lipman wrote:
> I was beginning to think it was a NNTP spam zombie.
>
> So what do you think the purpose is ?
>
> Are the phone numbers high cost toll numbers ?


No idea. You could try the web page and phone number for us. :-)

Could be a page to exploit your Microsoft Outlook Express
6.00.2800.1437 browser, snarf email addresses from the browser, bump his ad
counter for more money, ...

Does not matter to me, I never visit a spam post, do not use a browser
to read a text news group, have a fake email addy in my browser, and
use a separate login account for browsing and reading mail.

Browser account deletes all files and loads pristine copy on logout.

Kleeb 08-22-2004 07:53 PM

Re: Giving up
 
On Sun, 22 Aug 2004 17:20:10 GMT, David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:
> Blind Carbon Copy (BCC)
>
> It won't show for privacy issues. That's why it's used. Like when you send a message to a
> coworker but also send a BCC to his boss. This way the coworker has no way of knowing his
> boss knows.
>
> I may be mistaken but, it may have originated from an AT&T node.
>
> Dave


Thanks Dave. I was looking for a complicated answer, and didn't think of
that.

Cordially,

Kleeb.

Hairy One Kenobi 08-23-2004 03:55 PM

Re: Giving up
 
"Kleeb" <kleeb@kleeb.kleeb> wrote in message
news:lakhi09kvo826ore8vc475gfv4c8qk5ec8@4ax.com...
> On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
> >What is this crap ?
>
> I wonder if you could shed some light on the following headers from a mail
> I've just received. I'm finding it difficult with my current knowledge (not
> much) to understand just exactly how this mail made it to my ISP's mailbox.

Further to David's answer: in SMTP (the thing that is used to send email),
there is no hard link between the message addressee and the content - SMTP
is a fairly trusting protocol.

(i.e. it doesn't take a Rocket Scientist to tell the server "RCPT TO:
spamvictim@nowhere.invalid", but with a different addressee in the message
headers. Which, incidentally, are fairly easy to read: see
http://www.codecutters.org/spam/smtpheaders.html for details.)

BCC is simply a human-friendly way of doing this automatically.

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
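As an added example (my code, not anything posted in this thread), the point Hairy One Kenobi and Dave make in working form: walk the Received: chain from Kleeb's headers oldest-first, collect the only places a relay ever wrote down the envelope recipient (a "for" clause), and show the Bcc mechanism, where the mail client moves every address into RCPT TO and strips the Bcc: header before the message goes on the wire. The regexes are my own simplification of the Received: grammar, and the coworker/boss addresses are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
# Constructed sample: the Received: chain of the message quoted in the thread,
# trimmed to the hops the walk needs (folded continuation lines start with a tab).
RAW = """\
Received: from pop.ntlworld.com [62.253.162.50]
\tby localhost with POP3 (fetchmail-6.2.0)
\tfor me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100 (BST)
Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
\tby mta04-svc.ntlworld.com (InterMail vM.4.01.03.37) with SMTP
\tid <20040822162051.JCGX17972.mta04-svc.ntlworld.com@h000c6e55013e.ne.client2.attbi.com>;
\tSun, 22 Aug 2004 17:20:51 +0100
Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
From: Tanya Klinko <bvdiwjboch@dcemail.com>
To: "Wt.thomas77" <wt.thomas77@ntlworld.com>

"""
def hop(value):
    """One Received: value -> (claimed sender, its IP, receiving host, RCPT TO from a 'for' clause)."""
    frm = re.search(r"\bfrom\s+(\S+)", value)
    if not frm:  # qmail's 'invoked by uid': injected locally, no SMTP peer to record
        return (None, None, None, None)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    by = re.search(r"\bby\s+(\S+)", value)
    fr = re.search(r"\bfor\s+<?([^\s>;]+)", value)
    return (frm.group(1), ip and ip.group(1), by and by.group(1), fr and fr.group(1))

def received_chain(raw):
    """Hops oldest-first: each relay prepends its line, so the last Received: is the origin."""
    msg = message_from_string(raw)
    return [hop(v) for v in reversed(msg.get_all("Received", []))]

def envelope_recipients_seen(raw):
    """Addresses a relay wrote into a 'for' clause: the only place RCPT TO ever surfaces."""
    return [h[3] for h in received_chain(raw) if h[3]]

def split_envelope(msg):
    """What a mail client does with Bcc: all recipients go into RCPT TO, the Bcc: header is dropped."""
    rcpts = []
    for field in ("To", "Cc", "Bcc"):
        rcpts += [a.strip() for a in (msg.get(field) or "").split(",") if a.strip()]
    del msg["Bcc"]
    return rcpts, msg.as_string()

def demo_bcc():  # the coworker/boss case from the thread, constructed addresses
    m = EmailMessage()
    m["To"] = "coworker@example.invalid"
    m["Bcc"] = "boss@example.invalid"
    return split_envelope(m)
```

On Kleeb's headers the ntlworld MTA recorded no "for" clause, so the address that was actually in RCPT TO never appears; the only "for" is fetchmail's local me@localhost, which is why the header To: can name someone else entirely.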




Kleeb 08-23-2004 10:15 PM

Re: Giving up
 
On 2004-08-23, Hairy One Kenobi <abuse@[> wrote:

> (i.e. it doesn't take a Rocket Scientist to tell the server "RCPT TO:
> spamvictim@nowhere.invalid", but with a different addressee in the message
> headers. (Which, incidentally, are fairly easy to read:
> http://www.codecutters.org/spam/smtpheaders.html for details)
>
> BCC is simply a human-friendly way of doing this automatically.


Thanks for the link. Seems a bit clearer now. I think actually I've read
something like this before, but having had a second look, I understand the
parts about the invalid 'Received:' lines now.

Cordially,

Kleeb.

Karen in MN 08-25-2004 06:24 PM

Re: Giving up
 

"Bit Twister" <BitTwister@localhost.localdomain> wrote in message
news:slrncihmlf.km7.BitTwister@wb.home.invalid...
> On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
> > What is this crap ?
>
> An infected machine with the Hackarmy Trojan horse controlled
> by a zombie master. Now the machine is up for renting ads spammed into
> Usenet groups.
>
> Report the abusing IP (s64-180-111-134.bc.hsia.telus.net) to abuse@telus.com
> with a brief reason followed by the full headers and at least one full post
> of the message.
>
> If everyone does it, the abuse dept will shut them down just to keep
> their inbox from filling up.


Doesn't seem to be working - but then telus doesn't seem to have too good a
reputation when it comes to dealing with spam. All the spams, with all the
different email addresses, all point to the same company / address in
Vancouver, British Columbia. My guess is we'll see a huge spam run from
them soon with the addresses they collect from people complaining.






