--On Sunday, August 22, 2004 2:11 PM +0200 Loek Jehee <loekjehe @
I am the moderator of a Buddhist list of over 1200 subscribers. I
frequently receive warnings that my computer is infected with some
kind of virus or worm etc. You will understand that - as an owner of
a Mac OS X computer - it is highly (!) unlikely that my computer indeed
is infected :-) There is a far bigger chance that one or more of the
computers of the subscribers is infected and generates messages out
of his/her address book that contain virus or spam or worms or
It is even more likely that most of the "warning messages" you are seeing
have nothing to do with your duties as Norbunet moderator, but are simply
worm payloads masquerading as virus warnings. In cases where you can
authenticate the origin of the warning message, it's indeed most likely
that a listmember's computer is infected.
This is a very annoying problem and I wonder if you guys also have
troubles with this. Today the problem even got worse: I noticed a
port scan attack on my computer (my SNORT system started to fire)
which persisted for over an hour. Upon sending a message to the abuse
and admin addresses of the server hosting the malignant attacker, I
received the following interesting (quick and polite) reply from the
admin of that host (Yandex.ru): ...
So, it seems that they nowadays have automatic scripts (more or
less violently) attacking any IP address mentioned in spam or virus
containing messages that they receive! (I consider port scanning as
an intrusion attempt on my system and as an abusive attack).
This doesn't promise much good for us as mailing list admins....!!
The problem with what you are saying is that spoofed virus/worm envelopes
include fake From: addresses, but (in my experience) not spoofed IP
addresses. There is no easy way for the IP address for webmail.dzogchen.ru
(a/k/a mail.dzogchen.ru, a/k/a byak.sinp.msu.ru) to appear in a Received:
header of a message received at mx1.yandex.ru unless it was actually
involved in transmitting the message.
Other possibilities are that you have recently approved a listmember (on
Norbunet or any of your other lists) who receives mail through yandex.ru
(thus causing their mailservers to see your IP address legitimately); or
that their IP verification methodology is not quite what they describe.
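As an added illustration of the point made above (this is example code, not part of the original thread, and not anything Yandex or the list software does): the From: header is whatever the sender typed, but each MTA in the chain prepends its own Received: line recording the IP address it actually accepted the TCP connection from. Walking those lines from the bottom up recovers the real injection point, and a HELO name that disagrees with the receiving MTA's reverse lookup is the usual sign of a worm on a dial-up or DSL host. The message, host names and addresses below are constructed for the example (documentation-reserved IP ranges).

```python
"""Trace a message's relay chain through its Received: headers.

Added example, not code from the original mailing-list thread. The sample
message, hosts and IPs are constructed (203.0.113.0/24 and 198.51.100.0/24
are reserved for documentation).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed sample: a worm-style message with a forged From: header.
# The first hop is a DSL host that HELOs as list.example.com; each MTA
# that handled the message prepended its own Received: line.
SAMPLE = """Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby mailhost.example.org with ESMTP id abc123
\tfor <moderator@example.org>; Sun, 22 Aug 2004 12:01:00 +0000
Received: from mail.example.com (mail.example.com [203.0.113.25])
\tby mx1.example.net with ESMTP id def456;
\tSun, 22 Aug 2004 12:00:50 +0000
Received: from list.example.com (dsl-198-51-100-77.example.isp [198.51.100.77])
\tby mail.example.com with SMTP id ghi789;
\tSun, 22 Aug 2004 12:00:40 +0000
From: "Friendly Subscriber" <subscriber@list.example.com>
To: moderator@example.org
Subject: Virus warning

Your computer is infected.
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                   # name claimed in HELO/EHLO
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"  # what the MTA saw
    r"\s+by\s+(?P<by>\S+)",                                   # MTA that wrote this line
    re.IGNORECASE,
)


def parse_received(value: str) -> Optional[dict]:
    """Extract HELO name, reverse DNS, connecting IP and receiving host from
    one Received: header value; None if it does not follow the usual shape."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}


def trace_route(raw: str) -> List[dict]:
    """Relay chain oldest-first. MTAs prepend Received: lines, so the last
    one in the message is the first hop."""
    msg = message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    return list(reversed(hops))


def originating_ip(raw: str) -> Optional[str]:
    """IP that injected the message, as recorded by the MTA that accepted the
    connection, not as claimed in HELO or From:."""
    route = trace_route(raw)
    return route[0]["ip"] if route else None


def from_domain(raw: str) -> str:
    """Domain in the (freely forgeable) From: header."""
    addr = parseaddr(message_from_string(raw)["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()


def helo_mismatches(raw: str) -> List[dict]:
    """Hops whose HELO name differs from the receiving MTA's reverse DNS
    for the connecting IP."""
    return [h for h in trace_route(raw) if h["rdns"] and h["helo"] != h["rdns"]]


if __name__ == "__main__":
    for i, hop in enumerate(trace_route(SAMPLE), 1):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']} (rDNS {hop['rdns']})")
    print("From: domain       :", from_domain(SAMPLE))
    print("originating IP     :", originating_ip(SAMPLE))
    print("HELO/rDNS mismatch :", [h["helo"] for h in helo_mismatches(SAMPLE)])
```

One caveat: only the Received: lines written by servers you trust (your own MX and anything upstream of it that you know) are reliable. Everything below your own MX's line was transmitted as ordinary header text by the remote sender and can be fabricated, so an abuse desk that automatically acts on the lowest Received: line can be pointed at an innocent address; the line its own MX wrote, which is what the reply above relies on, cannot be.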