I swear, Mr. Net.Officer, it wasn't me

rjray on 2002-06-07T23:33:25

This is bad.

When I dialed in to my ISP this afternoon and ran fetchmail, among the incoming messages were three notices of message delivery failures. One was addressed to my svsm.org address, the other two were addressed to my tsoft.com address. And all three were referencing messages I never sent. Here's why:

  • I never send from svsm.org. That's a domain I use to host a website for my scale modeling club (SVSM stands for Silicon Valley Scale Modelers), and I have the e-mail address as a link at the bottom of each page, for feedback purposes. I get mail at that address, but any and all replies, like all my outgoing mail, come from blackperl.com.
  • Likewise, I no longer send from tsoft.com. Even if I'm reading my mail from a simple shell-login to my ISP, my configuration of my mail-reader (mutt, if you're curious) sets all headers to the blackperl address. TSOFT was the original name of my ISP (they've since changed), and while the address still works, I prefer blackperl because I'll keep that even if I should change providers.
  • The send-dates on all the returned messages fall on or around 1:00 to 1:30 PM, local time, this afternoon. I use dial-up access, and what's more, since I've been laid off and working on my book full-time, I've slipped into a weird work schedule in which I tend to write until 5:30-6:00 AM, then sleep until 2 or 3 in the afternoon. So today, I awoke at 3:00, started up the ISP connection, then hit the shower while fetchmail and spamassassin played their delicate duet over my incoming mail. I wasn't even connected when these messages were sent.

Now, I've been getting tons of these virus mailings, most of which don't match on spamassassin's rulesets because they're all slightly different, depending on which Klez flavor infects which acquaintance of mine. I'm used to deleting them, as well as taking a smug sense of superiority over the fact that my mail-program doesn't do silly things like executing attachments through MS Word if/when I open them.

This means that someone is just using my e-mail addresses to try and start an infection of one of these virii.

And that means it could be any of us whose e-mail addresses are already mined by spammers, who get "used" next.

--rjray

Example is the school of mankind, and they will learn at no other. -- Edmund Burke


Klez

vsergu on 2002-06-08T00:08:13

This has been going on for at least several weeks. Klez (or at least some Klez variants) uses addresses it finds on the infected computer for the "From:" lines on the e-mail it sends out. So your address could have been in someone's address book or even just in the messages or cached Web pages on an infected computer. Here's what Symantec says:

Because this worm uses a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else.

It also may send fake postmaster bounce messages.
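Because the From: line is whatever address the worm picked off the infected machine, a bounce landing in your inbox says nothing about what you sent. What the bounce does carry is the original message's headers, and the topmost Received: hop, the one stamped by the receiving mail server itself, records which host actually handed the message over. The Python below is an added example, not code from this thread or from anyone in it; it parses a constructed bounce (DSN) and labels it "genuine" only when that top hop came from your own outbound relay. MY_ADDRESSES, MY_OUTBOUND_RELAYS and every host, address and message in it are hypothetical placeholders.

```python
"""Classify bounce (DSN) messages as genuine or Klez-style backscatter.

Added example; all addresses, hosts and messages below are constructed.
"""
import email
from email.message import Message
from email.utils import parseaddr

# Addresses that are really ours, and the relay our real outgoing mail passes
# through. Both are hypothetical placeholders; substitute your own.
MY_ADDRESSES = {"me@example.org", "me@example.net"}
MY_OUTBOUND_RELAYS = {"smtp.example-isp.invalid"}


def extract_original(bounce: Message):
    """Return the original message embedded in a DSN, or None if absent."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload()          # list holding one Message
            return inner[0] if isinstance(inner, list) and inner else None
        if ctype == "text/rfc822-headers":
            # Some MTAs return only the headers; parse them as a message.
            return email.message_from_bytes(part.get_payload(decode=True))
    return None


def classify_bounce(raw: str) -> str:
    """Return one of: no-original-found, not-our-address, genuine,
    forged-backscatter."""
    bounce = email.message_from_string(raw)
    orig = extract_original(bounce)
    if orig is None:
        return "no-original-found"
    sender = parseaddr(orig.get("From", ""))[1].lower()
    if sender not in MY_ADDRESSES:
        return "not-our-address"
    received = orig.get_all("Received", [])
    if not received:
        return "forged-backscatter"
    # Only the topmost Received: header, added by the receiving MX itself, is
    # trustworthy; anything below it was supplied by whoever sent the message.
    first_hop = " ".join(received[0].split())
    if any(relay in first_hop for relay in MY_OUTBOUND_RELAYS):
        return "genuine"
    return "forged-backscatter"


# Constructed sample: a bounce wrapping a message the worm sent "from" us
# straight off a dial-up host, with our address forged into From:.
FORGED_BOUNCE = """From: MAILER-DAEMON@mx.example.com
To: me@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.

--b1
Content-Type: message/rfc822

Received: from infected-pc (dsl-203-0-113-7.example.com [203.0.113.7])
    by mx.example.com with SMTP; Fri, 7 Jun 2002 13:12:01 -0700
From: me@example.org
To: someone@example.com
Subject: Hi
Date: Fri, 7 Jun 2002 13:11:58 -0700

(attachment omitted)
--b1--
"""

# Constructed sample: the same bounce, but the top hop came from our relay.
GENUINE_BOUNCE = FORGED_BOUNCE.replace(
    "from infected-pc (dsl-203-0-113-7.example.com [203.0.113.7])",
    "from smtp.example-isp.invalid (smtp.example-isp.invalid [198.51.100.2])",
)

if __name__ == "__main__":
    print("forged sample :", classify_bounce(FORGED_BOUNCE))
    print("genuine sample:", classify_bounce(GENUINE_BOUNCE))
```

The substring match on the relay name is deliberately simple; in practice you would compare the IP literal in the top Received: header against your relay's addresses, since the hostname part is whatever the sending side announced in HELO. Either way, checking anything below the top hop is pointless: the worm controls those lines as completely as it controls From:.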

Re:Klez

pudge on 2002-06-09T02:15:36

Yeah, I have received Klez messages "sent by" Larry Wall, Tom Christiansen, Matthias Neeracher, Mark-Jason Dominus, Lincoln Stein, Michael Schwern, Ilya Zakharevich, and more.