Great Circle Associates List-Managers
(August 2004)

Subject: Re: Automated attack on list managers?
From: Tom Neff <tneff @ grassyhill . net>
Date: Sun, 22 Aug 2004 09:31:10 -0400
To: list-managers @ greatcircle . com
In-reply-to: <a06110408bd4e3a918193 @ [62 . 195 . 90 . 214]>
References: <a06110408bd4e3a918193 @ [62 . 195 . 90 . 214]>

--On Sunday, August 22, 2004 2:11 PM +0200 Loek Jehee <loekjehe @ xs4all . nl> wrote:
I am the moderator of a Buddhist list of over 1200 subscribers. I
frequently receive warnings that my computer is infected with some
kind of virus or worm etc. You will understand that - as an owner of
a Mac OS X computer - it is highly (!) unlikely that my computer indeed
is infected :-) There is a far bigger chance that one or more of the
computers of the subscribers is infected and generates messages out
of his/her address book that contain virus or spam or worms or
whatever.

It is even more likely that most of the "warning messages" you are seeing have nothing to do with your duties as Norbunet moderator, but are simply worm payloads masquerading as virus warnings. In cases where you can authenticate the origin of the warning message, it's indeed most likely that a listmember's computer is infected.

This is a very annoying problem and I wonder if you guys also have
troubles with this. Today the problem even got worse: I noticed a
port scan attack on my computer (my SNORT system started to fire)
which persisted for over an hour. Upon sending a message to the abuse
and admin addresses of the server hosting the malignant attacker, I
received the following interesting (quick and polite) reply from the
admin of that host (Yandex.ru): ...
So, it seems that they nowadays have automatic scripts (more or
less violently) attacking any IP address mentioned in spam or virus
containing messages that they receive! (I consider port scanning as
an intrusion attempt on my system and as an abusive attack).
This doesn't promise much good for us as mailing list admins....!!

The problem with what you are saying is that spoofed virus/worm envelopes include fake From: addresses, but (in my experience) not spoofed IP addresses. There is no easy way for the IP address for webmail.dzogchen.ru (a/k/a mail.dzogchen.ru, a/k/a byak.sinp.msu.ru) to appear in a Received: header of a message received at mx1.yandex.ru unless it was actually involved in transmitting the message.

Other possibilities are that you have recently approved a listmember (on Norbunet or any of your other lists) who receives mail through yandex.ru (thus causing their mailservers to see your IP address legitimately); or that their IP verification methodology is not quite what they describe.
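The distinction drawn above, that a worm can forge the From: line but cannot put an arbitrary IP address into the Received: header that your own MX writes, can be checked mechanically. The script below is an added example, not code from the thread or from any of the hosts it mentions. It parses a constructed sample message (all host names and addresses are documentation placeholders, not real infrastructure) and walks the Received: chain from the top: each header was written by the host named after "by", so only headers written by hosts you operate can be trusted, and the first connecting IP in that trusted run is the one address you can actually vouch for. Everything below it, including the innermost "from" line a remote abuse desk might point at, could have been written by the relay itself.

```python
"""Added example (not part of the archived thread): separate the forgeable
From: address from the connecting IP recorded by a mail server you operate.

The sample message, host names and addresses below are constructed for
illustration (RFC 5737 documentation ranges), not real infrastructure.
"""

import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a worm-style "virus warning" with a forged From:,
# relayed through one outside host before reaching the receiving MX.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123
\tfor <listowner@example.org>; Sun, 22 Aug 2004 09:00:00 -0400
Received: from infected-pc (unknown [198.51.100.7])
\tby relay.example.net with SMTP id xyz789; Sun, 22 Aug 2004 08:59:50 -0400
From: "Virus Warning" <postmaster@victim.example>
To: listowner@example.org
Subject: Your computer is infected

(worm payload would go here)
"""

# Hosts and addresses the receiving site operates (assumed for the example).
OUR_HOSTS = {"mx.example.org"}
OUR_IPS = {"203.0.113.1"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def received_hops(msg):
    """Return (connecting_ip, writing_host) per Received: header, newest first.

    Received: headers are prepended as a message travels, so the first one in
    the message is the one written by the final (receiving) server.
    """
    hops = []
    for value in msg.get_all("Received", []):
        ip = IP_IN_BRACKETS.search(value)
        by = BY_HOST.search(value)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def last_verifiable_ip(hops, our_hosts, our_ips):
    """Walk the chain from the top while the headers were written by our own
    hosts; the first connecting IP that is not also ours is the one address
    we actually observed on a TCP connection. Anything deeper is hearsay."""
    for connecting_ip, writing_host in hops:
        if writing_host not in our_hosts:
            return None  # written by a host we do not control: unverifiable
        if connecting_ip not in our_ips:
            return connecting_ip
    return None


def summarize(raw_message, our_hosts=OUR_HOSTS, our_ips=OUR_IPS):
    """Contrast the forgeable From: address with what the Received: chain
    actually proves about where the message came from."""
    msg = message_from_string(raw_message)
    hops = received_hops(msg)
    _, from_address = parseaddr(msg.get("From", ""))
    return {
        "from_address": from_address,            # trivially forged by worms
        "verifiable_ip": last_verifiable_ip(hops, our_hosts, our_ips),
        # innermost claimed origin: plausible but written by a host we don't run
        "claimed_origin_ip": hops[-1][0] if hops else None,
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MESSAGE).items():
        print(f"{key:>18}: {value}")
```

Run against the sample, the only address the receiving site can stand behind is 192.0.2.10, the relay that connected to mx.example.org; the 198.51.100.7 "origin" and the postmaster@victim.example sender are both claims made by someone else. A complaint, or an automated response of the kind described in the thread, that acts on anything other than the verifiable hop is acting on data the sender controlled.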

