Re: Giving up

David H. Lipman
08-22-2004
What is this crap ?

This post plus the below....

"Behgjet Frisch" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
| New comer to this newsgroup.
|
| Good luck
| Behgjet Frisch
| Tel. +1 802 560 9860
| http://www.velocityreviews.com/forums/(E-Mail Removed)
| (E-Mail Removed)

From: Bahadir-Cem Bourdo <(E-Mail Removed)>
Newsgroups: comp.protocols.tcp-ip.ibmpc
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: Giving up
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <(E-Mail Removed)>
Date: 21 Aug 2004 03:27:05 -0500
X-Trace: news01.argolink.net 1093076825 64.180.111.134 (21 Aug 2004 03:27:05 -0500)
Lines: 7
Path: nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!peer01.cox.net!cox.net!newshosting.com!nx02.iad01.newshosting.com!newsfeeds.sol.net!newspump.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
Xref: cyclone1.gnilink.net comp.protocols.tcp-ip.ibmpc:1603
X-Received-Date: Sat, 21 Aug 2004 04:31:54 EDT (nwrdny03.gnilink.net)

Interesting newsgroup!


Bahadir-Cem Bourdo
Tel. +1 746 933 8112
(E-Mail Removed)
(E-Mail Removed)

~~~~~~~~~~~~~~~~~~~~~~~
From: Badaridasa Mushawick <(E-Mail Removed)>
Newsgroups: comp.dcom.modems.cable
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: Giving up
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <(E-Mail Removed)>
Date: 21 Aug 2004 05:13:32 -0500
X-Trace: news01.argolink.net 1093083212 64.180.111.134 (21 Aug 2004 05:13:32 -0500)
Lines: 7
Path: nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!bigfeed2.bellsouth.net!news.bellsouth.net!elnk-atl-nf1!newsfeed.earthlink.net!newshosting.com!nx02.iad01.newshosting.com!newsfeeds.sol.net!newspump.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
Xref: cyclone1.gnilink.net comp.dcom.modems.cable:59008
X-Received-Date: Sat, 21 Aug 2004 06:12:58 EDT (nwrdny03.gnilink.net)

Can't help you there?!


Badaridasa Mushawick
Tel. +1 832 730 8195
(E-Mail Removed)
(E-Mail Removed)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Balakrishanan Truckmann <(E-Mail Removed)>
Newsgroups: alt.photography
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: New comer
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <(E-Mail Removed)>
Date: 22 Aug 2004 08:24:46 -0500
X-Trace: news01.argolink.net 1093181086 64.180.111.134 (22 Aug 2004 08:24:46 -0500)
Lines: 7
Path: nwrdny01.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!in.100proofnews.com!in.100proofnews.com!news-out.visi.com!news-out.octanews.net!petbe.visi.com!newsfeeds.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
Xref: cyclone1.gnilink.net alt.photography:31137
X-Received-Date: Sun, 22 Aug 2004 09:24:08 EDT (nwrdny01.gnilink.net)

Interesting newsgroup!


Balakrishanan Truckmann
Tel. +1 984 958 1390
(E-Mail Removed)
(E-Mail Removed)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: Babel Sagalov <(E-Mail Removed)>
Newsgroups: alt.comp.virus
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: New comer
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <4128a372$(E-Mail Removed)>
Date: 22 Aug 2004 08:45:22 -0500
X-Trace: news01.argolink.net 1093182322 64.180.111.134 (22 Aug 2004 08:45:22 -0500)
Lines: 7
Path: nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!peer01.cox.net!cox.net!newsfeeds.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
Xref: cyclone1.gnilink.net alt.comp.virus:101814
X-Received-Date: Sun, 22 Aug 2004 09:44:46 EDT (nwrdny03.gnilink.net)

Interesting newsgroup!


Babel Sagalov
Tel. +1 628 274 6662
(E-Mail Removed)
(E-Mail Removed)

David H. Lipman
08-22-2004
Blind Carbon Copy (BCC)

It won't show for privacy issues. That's why it's used. Like when you send a message to a
coworker but also send a BCC to his boss. This way the coworker has no way of knowing his
boss knows.

I may be mistaken but, it may have originated from an AT&T node.

Dave




"Kleeb" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
| On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
| >What is this crap ?
|
| I wonder if you could shed some light on the following headers from a mail
| I've just received. I'm finding it difficult with my current knowledge (not
| much) to understand just exactly how this mail made it to my ISP's mailbox.
|
| Nowhere is there any mention of my email address, or even my router's IP
| address. How is this achievable ?
|
| <begin headers>
|
| Return-Path: <(E-Mail Removed)>
| Received: from localhost (localhost.localdomain [127.0.0.1])
| by localhost.localdomain (8.12.8/8.12. with ESMTP id
| i7MGRYhc010915
| for <me@localhost>; Sun, 22 Aug 2004 17:27:35 +0100
| Received: from pop.ntlworld.com [62.253.162.50]
| by localhost with POP3 (fetchmail-6.2.0)
| for me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100
| (BST)
| Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
| by mta04-svc.ntlworld.com
| (InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
| id
| <(E-Mail Removed)2.attbi.com>;
| Sun, 22 Aug 2004 17:20:51 +0100
| X-Message-Info: TJHN+ap52+ewf+E+81/433818234603741
| Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
| Date: Sun, 22 Aug 2004 23:22:15 +0600
| Message-Id: <686876125.50504@(E-Mail Removed)>
| From: Tanya Klinko <(E-Mail Removed)>
| To: "Wt.thomas77" <(E-Mail Removed)>
| Subject: New Dating Site
| MIME-Version: 1.0 (produced by ameslandictum 3.7)
| Content-Type: multipart/alternative;
| boundary="--467192766424474342"
| X-Spam-Status: No, hits=4.1 required=5.0
| tests=INVALID_MSGID,PORN_4,RCVD_IN_ORBS,SPAM_PHRASE_00_01,
| TO_LOCALPART_EQ_REAL
| version=2.44
| X-Spam-Level: ****
| Status:
|
| <end headers>
|
| From what I've read on the subject, the 'Received:' that is the lowest down
| the headers is most likely the sender. And any more than 3 or 4 'Received:'
| lines means the mail has definitely been forged. Does this sound right ?
|
| Thanks for any info you might have.
|
| Cordially,
|
| Kleeb.
|

Bit Twister
08-22-2004
On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
> What is this crap ?


An infected machine with the Hackarmy Trojan horse controlled
by a zombie master. Now the machine is up for renting ads spammed into
Usenet groups.

Report the abusing ip (s64-180-111-134.bc.hsia.telus.net) to (E-Mail Removed)
with a brief reason followed by the full headers and at least one full post
of message.

If everyone does it, the abuse dept will shut them down just to keep
their inbox from filling up.

Kleeb
08-22-2004
On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>What is this crap ?


I wonder if you could shed some light on the following headers from a mail
I've just received. I'm finding it difficult with my current knowledge (not
much) to understand just exactly how this mail made it to my ISP's mailbox.

Nowhere is there any mention of my email address, or even my router's IP
address. How is this achievable ?

<begin headers>

Return-Path: <(E-Mail Removed)>
Received: from localhost (localhost.localdomain [127.0.0.1])
by localhost.localdomain (8.12.8/8.12. with ESMTP id
i7MGRYhc010915
for <me@localhost>; Sun, 22 Aug 2004 17:27:35 +0100
Received: from pop.ntlworld.com [62.253.162.50]
by localhost with POP3 (fetchmail-6.2.0)
for me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100
(BST)
Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
by mta04-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
id
<(E-Mail Removed)2.attbi.com>;
Sun, 22 Aug 2004 17:20:51 +0100
X-Message-Info: TJHN+ap52+ewf+E+81/433818234603741
Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
Date: Sun, 22 Aug 2004 23:22:15 +0600
Message-Id: <686876125.50504@(E-Mail Removed)>
From: Tanya Klinko <(E-Mail Removed)>
To: "Wt.thomas77" <(E-Mail Removed)>
Subject: New Dating Site
MIME-Version: 1.0 (produced by ameslandictum 3.7)
Content-Type: multipart/alternative;
boundary="--467192766424474342"
X-Spam-Status: No, hits=4.1 required=5.0
tests=INVALID_MSGID,PORN_4,RCVD_IN_ORBS,SPAM_PHRASE_00_01,
TO_LOCALPART_EQ_REAL
version=2.44
X-Spam-Level: ****
Status:

<end headers>

From what I've read on the subject, the 'Received:' that is the lowest down
the headers is most likely the sender. And any more than 3 or 4 'Received:'
lines means the mail has definitely been forged. Does this sound right ?

Thanks for any info you might have.

Cordially,

Kleeb.

David H. Lipman
08-22-2004
I was beginning to think it was a NNTP spam zombie.

So what do you think the purpose is ?

Are the phone numbers high cost toll numbers ?

Dave



"Bit Twister" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
| On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
| > What is this crap ?
|
| An infected machine with the Hackarmy Trojan horse controlled
| by a zombie master. Now the machine is up for renting ads spammed into
| Usenet groups.
|
| Report the abusing ip (s64-180-111-134.bc.hsia.telus.net) to (E-Mail Removed)
| with a brief reason followed by the full headers and at least one full post
| of message.
|
| If everyone does it, the abuse dept will shut them down just to keep
| their inbox from filling up.

Bit Twister
08-22-2004
On Sun, 22 Aug 2004 18:41:16 GMT, David H. Lipman wrote:
> I was beginning to think it was a NNTP spam zombie.
>
> So what do you think the purpose is ?
>
> Are the phone numbers high cost toll numbers ?


No idea. You could try the web page and phone number for us.

Could be a page to exploit your Microsoft Outlook Express
6.00.2800.1437 browser, snarf email address from browser, bump his ad
counter for more money, ...

Does not matter to me, I never visit a spam post, do not use a browser
to read a text news group, and have fake email addy in my browser, and
use a separate login account for browsing and reading mail.

Browser account deletes all files and loads pristine copy on logout.

Kleeb
08-22-2004
On Sun, 22 Aug 2004 17:20:10 GMT, David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:
> Blind Carbon Copy (BCC)
>
> It won't show for privacy issues. That's why its sued. Like when you send a message to a
> coworker but also send a BCC to his boss. This way the coworker has no way of knowing his
> boss knows.
>
> I may be mistaken but, it may have originated from a AT&T node.
>
> Dave


Thanks Dave. I was looking for a complicated answer, and didn't think of
that.

Cordially,

Kleeb.

Hairy One Kenobi
08-23-2004
"Kleeb" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
> >What is this crap ?
>
> I wonder if you could shed some light on the following headers from a mail
> I've just received. I'm finding it difficult with my current knowledge (not
> much) to understand just exactly how this mail made it to my ISP's mailbox.

Further to David's answer.. in SMTP (the thing that is used to send email),
there is no hard link between the message addressee and the content - SMTP
is a fairly trusting protocol.

(i.e. it doesn't take a Rocket Scientist to tell the server "RCPT TO:
(E-Mail Removed)lid", but with a different addressee in the message
headers. (Which, incidentally, are fairly easy to read:
http://www.codecutters.org/spam/smtpheaders.html for details)

BCC is simply a human-friendly way of doing this automatically.

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
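
As an added example (not code from the thread), a small Python parser for the headers Kleeb posted above that walks the Received: chain the way Hairy One Kenobi's link describes: only the lines stamped by servers you trust are evidence, and the peer named in the lowest of those is where the message really came in from, whatever the lines beneath it and the To: header claim. The sample headers are transcribed from Kleeb's post with placeholder addresses, and the trusted-host set is an assumption you would fill with your own and your ISP's hostnames.

```python
import re

# Constructed sample: the headers Kleeb quoted above, addresses replaced by
# placeholders and the truncated sendmail version string left out.
SAMPLE = """\
Received: from localhost (localhost.localdomain [127.0.0.1])
 by localhost.localdomain with ESMTP id i7MGRYhc010915
 for <me@localhost>; Sun, 22 Aug 2004 17:27:35 +0100
Received: from pop.ntlworld.com [62.253.162.50]
 by localhost with POP3 (fetchmail-6.2.0)
 for me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100 (BST)
Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
 by mta04-svc.ntlworld.com (InterMail vM.4.01.03.37) with SMTP
 id <id@example.invalid>; Sun, 22 Aug 2004 17:20:51 +0100
Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
To: "Wt.thomas77" <someone-else@example.invalid>
"""
def unfold(raw):
    """Join folded header lines (continuation lines start with whitespace)."""
    out = []
    for line in raw.splitlines():
        if line[:1] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_chain(raw):
    """Received: hops in delivery order, i.e. the lowest header line first."""
    hops = []
    for line in unfold(raw):
        if line.lower().startswith("received:"):
            body = line.split(":", 1)[1]
            frm = re.search(r"\bfrom\s+(\S+)", body)   # None for qmail's "invoked by uid"
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body)
            by = re.search(r"\bby\s+(\S+)", body) if frm else None
            hops.append({"from": frm and frm.group(1), "ip": ip and ip.group(1),
                         "by": by and by.group(1)})
    return hops[::-1]

def last_trusted_hop(hops, trusted_by):
    """Walk down from the top while the 'by' host is ours or our ISP's. The lowest
    such hop names the peer we really talked to; everything below came from it."""
    last = None
    for hop in reversed(hops):
        if hop["by"] not in trusted_by:
            break
        last = hop
    return last
```

With the two localhost names and mta04-svc.ntlworld.com as trusted hosts, this returns the attbi.com hop at 24.91.167.49, the node Dave pointed at; the qmail line and the To: header are just what that peer chose to send.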



 
Kleeb
08-23-2004
On 2004-08-23, Hairy One Kenobi <abuse@[> wrote:

> (i.e. it doesn't take a Rocket Scientist to tell the server "RCPT TO:
> (E-Mail Removed)lid", but with a different addressee in the message
> headers. (Which, incidentally, are fairly easy to read:
> http://www.codecutters.org/spam/smtpheaders.html for details)
>
> BCC is simply a human-friendly way of doing this automatically.


Thanks for the link. Seems a bit clearer now. I think actually I've read
something like this before, but having had a second look, I understand the
parts about the invalid 'Received:' lines now.

Cordially,

Kleeb.

Karen in MN
08-25-2004
"Bit Twister" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
> > What is this crap ?
>
> An infected machine with the Hackarmy Trojan horse controlled
> by a zombie master. Now the machine is up for renting ads spammed into
> Usenet groups.
>
> Report the abusing ip (s64-180-111-134.bc.hsia.telus.net) to (E-Mail Removed)
> with a brief reason followed by the full headers and at least one full post
> of message.
>
> If everyone does it, the abuse dept will shut them down just to keep
> their inbox from filling up.


Doesn't seem to be working - but then telus doesn't seem to have too good a
reputation when it comes to dealing with spam. All the spams, with all the
different email addresses, all point to the same company / address in
Vancouver, British Columbia. My guess is we'll see a huge spam run from
them soon with the addresses they collect from people complaining.