Message-ID: <3F5EE57D.8010409@reversedhell.net>
Date: Wed, 10 Sep 2003 11:49:01 +0300
From: Alin-Adrian Anton
To: freebsd-questions@freebsd.org
Subject: global lists virus spammer

This is a cryptographically signed message in MIME format.

There is a lame virus (probably written in VB judging by the size of the file) that keeps hitting the smtp servers, and I noticed it in the freebsd lists. It has attachments like .pif and .scr. I also noticed it filled my e-mail box with 67.5 Mb in just 3-4 days. Now that was nice.

It spreads using impersonated fake e-mail addresses but I noticed it is always being sent by the very same IP:

"The original message was received on Tue, 09 Sep 2003 23:45:15 +0300 from KLAUS (pD9E8A85B.dip.t-dialin.net [217.232.168.91]"

After more than 2 weeks, it still keeps pushing out junk smtp data, so I blocked any SMTP coming from that server (via ipfw hammer tool). I hope this message will be helpful to all of us.

Cheers.
Alin.