
Re: Hi

2004-01-19 09:49:27
On Mon, 19 Jan 2004 10:53:18 EST, Noel Chiappa said:

This virus/worm is actually mildly interesting in the way it operates. I'm
seeing lots of email from people with whom I would have corresponded long ago

From http://www.viruslist.com/eng/alert.html?id=783050:

The worm searches disk drives for files with the following extensions:

wab, txt, htm, html, r1

and scans them for email-like text strings, then sends infected messages to the
email addresses found. The worm uses its own SMTP engine to send infected
messages.

So it's probably mining web pages for old email, and using the addresses it
finds in the headers as source/dest pairs.

Old notebooks, but you're on the right track.

I wonder how long it will take before the spammers catch onto this trick.

They already have.  Somebody on the NANOG list is infected with something that
takes the RFC822 headers of incoming mail and glues them onto a spam.  I found
this when I got a "sensitive content" warning 8 minutes after I posted to NANOG.
The victim site's filter coughed up the from/to/subject - but by the time it had
gotten there, the body had mutated into an ad for a male enhancement pill.

The clever part here is that since it's using near-in-real-time headers from
actual discussions, there's a very good chance that the spam recipient will
open it, thinking it's the ongoing discussion....
