Re: Virus sent last Thursday - Anyone use RoadRunner?

To: pat_thaler@agilent.com
Subject: Re: Virus sent last Thursday - Anyone use RoadRunner?
From: Mark Bakke <mbakke@cisco.com>
Date: Tue, 27 Aug 2002 14:01:22 -0500
CC: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <1BEBA5E8600DD4119A50009027AF54A00DB9FCAB@axcs04.cos.agilent.com>
Sender: owner-ips@ece.cmu.edu

Pat-

Thanks.  Actually, nobody on the list complained about it; the
automated virus-scanners sent the responses.

I took Paul K's advise and forwarded the traceable response to
the service provider, so they can handle it.

Thanks,

--
Mark

pat_thaler@agilent.com wrote:
> 
> Mark,
> 
> This has come up on this list before. There are a group of viruses that
> use addresses that they find on the infected computer as the from
> address on the infected emails they send.
> 
> When people get an infected email, they should check to see where
> it really came from and not assume that it was really send by the
> person in the from line. To do this for outlook, one uses View
> Options which has a box containing the internet headers (not very
> intuitive).
> 
> Regards,
> Pat
> 
> -----Original Message-----
> From: Mark Bakke [mailto:mbakke@cisco.com]
> Sent: Tuesday, August 27, 2002 8:37 AM
> To: IPS
> Subject: Virus sent last Thursday - Anyone use RoadRunner?
> 
> Sorry this is a bit off-topic, but I want to clear this up.
> 
> Last Thursday I had received a lot of email responses from virus
> scanning software from recipients on the ips mailing list mentioning
> a virus that appeared to be sent by me.  Since I don't use Windows
> for email, it seemed odd that I could have sent anything.
> 
> It turns out I didn't send it, but I want to figure out where it
> came from.
> 
> Here's what happened.  The email to the ips list was sent from
> a machine at austin.rr.com (RoadRunner), with the From: line set
> to my address.  SMTP lets you do this; you can send an email that
> appears to be "From:" anyone you want.  Here are the recieve
> headers from the machines that sent to majordomo:
> 
> Received:
> from sm13.texas.rr.com (sm13.texas.rr.com [24.93.35.40]) by ece.cmu.edu (8.11.0/8.10.2)
> with ESMTP id g7N3Koo15994 for <ips@ece.cmu.edu>; Thu, 22 Aug 2002 23:20:51
> -0400 (EDT)
> 
> Received:
> from Cudhz (cs24243252-119.austin.rr.com [24.243.252.119]) by sm13.texas.rr.com
> (8.12.1/8.12.0.Beta16) with SMTP id g7N3OVDg010776 for <ips@ece.cmu.edu>; Thu, 22
> Aug 2002 22:24:32 -0500
> 
> Does anyone recognize the account or host named cs24243252-119?
> 
> Thanks,
> 
> --
> Mark A. Bakke
> Cisco Systems
> mbakke@cisco.com
> 763.398.1054

-- 
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054

References:
- RE: Virus sent last Thursday - Anyone use RoadRunner?
  - From: pat_thaler@agilent.com

Prev by Date: RE: Virus sent last Thursday - Anyone use RoadRunner?
Next by Date: Re: Virus sent last Thursday - Anyone use RoadRunner?
Prev by thread: RE: Virus sent last Thursday - Anyone use RoadRunner?
Next by thread: iscsi: sequence timeout
Index(es):
- Date
- Thread

Home

Last updated: Tue Aug 27 16:18:58 2002
11691 messages in chronological order