spf-discuss

Re: unknown

2004-03-28 13:08:16
In 
<20040328194754(_dot_)GA17198(_at_)nsx(_dot_)internal(_dot_)hewgill(_dot_)net> 
Greg Hewgill <greg(_at_)hewgill(_dot_)com> writes:

On Sun, Mar 28, 2004 at 01:32:15PM -0600, wayne wrote:
In <20040328190715(_dot_)41155DEA7(_at_)portent(_dot_)listbox(_dot_)com> 
mengwong(_at_)dumbo(_dot_)pobox(_dot_)com writes:
[attached zip file deleted]

Uh, I'm unable to deal with the data in the zip file because I don't
have any software that deals with .pif files on my linux box.  (What
are .pif files anyway?)

This really is an email worm (probably some variant of mydoom or netsky).
Apparently some infected machine somewhere forged a message from Meng's
address to the list posting address, which dutifully forwarded it on to
all the subscribers.

[explanation about what a .pif file is and related email worm stuff
snipped]

Well, initially, I suspected that it was a worm, but a quick check of
the headers made it look like it came from v2.listbox.com.  Combined
with knowing that Meng is quite involved with that box, along with the
fact that Meng uses postfix, the subject of 'unknown' makes a lot of
sense for this list and the fact that he has been doing a lot of talks
lately caused me to keep looking.  It wasn't until I saw the .pif
extension that I started to think it was a worm again.


Here are the headers of the worm as I received them:

: Received: from portent.listbox.com ([208.58.1.195])
:       by backbone.midwestcs.com with esmtp (Exim 4.30)
:       id 1B7fdV-0005Ta-Hi
:       for wayne(_at_)midwestcs(_dot_)com; Sun, 28 Mar 2004 13:07:57 -0600
: Received: from localhost.localdomain (localhost [127.0.0.1])
:       by portent.listbox.com (Postfix) with ESMTP id DFFD7F194
:       for <wayne(_at_)midwestcs(_dot_)com>; Sun, 28 Mar 2004 14:07:55 -0500 (EST)
: Received: from v2.listbox.com (unknown [213.233.93.173])
:       by portent.listbox.com (Postfix) with SMTP id 41155DEA7
:       for <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>; Sun, 28 Mar 2004 14:07:15 -0500 (EST)


Now, v2.listbox.com has SPF records, but 213.233.93.173 isn't a
permitted sender for that domain.  So, either listbox.com isn't
checking SPF records at all, it isn't checking the HELO domain and
rejecting spoofs there, or didn't reject it because currently
listbox.com uses softfail.


*sigh*


-wayne
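The HELO check wayne describes, as an added example that is not part of the thread: it pulls the HELO name and client IP out of the third Received header above and evaluates them against an SPF record. The record is constructed (the real v2.listbox.com record is not on the page; it ends in ~all because the thread says listbox.com uses softfail, and the ip4 range is made up), and only ip4 and all mechanisms are evaluated, since anything else needs DNS.

```python
import ipaddress
import re

# Received header copied from the message above: the hop where the worm
# claimed to be v2.listbox.com while connecting from 213.233.93.173.
RECEIVED = ("Received: from v2.listbox.com (unknown [213.233.93.173]) "
            "by portent.listbox.com (Postfix) with SMTP id 41155DEA7")

# Constructed stand-in for v2.listbox.com's SPF record (not the real one):
# a made-up ip4 range and a softfail catch-all, as the thread describes.
SPF_RECORD = "v=spf1 ip4:208.58.1.0/24 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_received(header):
    """Return (helo_name, client_ip) from a 'Received: from NAME (... [IP])' line."""
    m = re.search(r"Received:\s+from\s+(\S+)\s+\([^\]]*\[([0-9.]+)\]\)", header)
    if not m:
        raise ValueError("no HELO name / client IP found in header")
    return m.group(1), m.group(2)


def check_spf(record, client_ip):
    """Evaluate ip4 and all mechanisms of an SPF record against client_ip.

    DNS-based mechanisms (a, mx, include, ...) are skipped so this runs offline.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qual = "+"                      # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qual]     # 'all' always matches
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' term


def helo_check(header, record):
    """Return (helo_name, client_ip, spf_result) for one Received header."""
    helo, ip = parse_received(header)
    return helo, ip, check_spf(record, ip)


if __name__ == "__main__":
    print(helo_check(RECEIVED, SPF_RECORD))
```

With a ~all record the forged HELO only yields softfail, which is why a receiver that does not reject on softfail lets the message through; the same IP against a -all record returns fail.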

