Politech mailing list archives

FC: A nasty new trend in spamming: Forged Politech messages


From: Declan McCullagh <declan () well com>
Date: Tue, 22 Jul 2003 17:59:28 -0400

[I do not send HTML mail or attachments to Politech. If you receive such a message that appears to be from me, it is probably a forgery. Apparently this kind of address-scraping is happening to other popular lists like bugtraq as well. --Declan]

---

Date: Tue, 22 Jul 2003 17:12:44 -0400
From: "Christopher A. Petro" <petro () christopherpetro com>
To: declan () well com
Subject: [declan () xs4all nl: FC: Dick Armey, former House Maj. Leader, blasts Poindexter's TIA]

Looks like someone's mined the archives for email addresses and hand-
crafted an email with an attached win32 executable.  I must admit that
I'm curious what someone that would put so much effort into such a
prank would attach.  Anyone bored enough to disassemble it or run it on
a throwaway win32 machine?  I ran strings against it and it didn't
find any human-readable text in it.

Odd that they didn't bother to forge the from and return-path headers
correctly, either.  Relayed through Japan, blah blah blah.  The usual.
Though the last received header is from what looks to be a PPP dialup,
so maybe it's actually the real sender's ip.  Either that or someone
suffered through spamming through a dialed-up open relay.

=====

>From declan () xs4all nl  Tue Jul 22 16:51:45 2003
Return-Path: <declan () xs4all nl>
Delivered-To: petro () boredom org
Received: from mail0-4.kcn.ne.jp (mail0-4.kcn.ne.jp [61.86.6.12])
        by mail.boredom.org (Postfix) with ESMTP id 5E2CB15C0060
        for <petro () christopherpetro com>; Tue, 22 Jul 2003 16:51:42 -0400 (EDT)
Received: from davepike (ppp001-041.kcn.ne.jp [61.86.12.41])
        by mail0-4.kcn.ne.jp (8.11.6p2/3.7W-KCN001115) with SMTP id h6MKmSB10702;
        Wed, 23 Jul 2003 05:48:29 +0900 (JST)
Date: Wed, 23 Jul 2003 05:48:29 +0900 (JST)
Message-Id: <200307222048.h6MKmSB10702 () mail0-4 kcn ne jp>
From: Declan McCullagh <declan () xs4all nl>
Subject:  FC: Dick Armey, former House Maj. Leader, blasts Poindexter's TIA
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------EC1UN6A2RZNYEY"
To: undisclosed-recipients:;

------------EC1UN6A2RZNYEY
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


---

Date: Thu, 26 Jun 2003 15:57:35 -0500
To: declan () well com
Subject: CSE Calls for TIA Program Termination
From: bhapes () cse org

CSE News Alert for Declan McCullagh      June 26, 2003
Dick Armey, co-Chair

-------------------

YOU CAN CHANGE THE N

------------EC1UN6A2RZNYEY
[snipped for length --Declan]

--
Christopher A. Petro .. petro () christopherpetro com .. 917-346-1536

---

Date: Sat, 19 Jul 2003 21:07:57 -0400
To: declan () well com
From: "Lawrence R. Ware" <larry () waywardhome com>
Subject: possible trouble for you

Declan, just a friendly "heads-up" if you have not already
heard: Some maroon in .jp IP space has a virus and it is using
>From: Declan McCullagh <declan () bbs thing net>
as the From and Return-Path fields.

Full headers below, the virus payload has been removed, it was named:
hjsplit.zip.exe

Hope you don't get too many complaints...
-larry

---

>Status:  U
>Return-Path: <declan () bbs thing net>
>Received: from holt.mail.atl.earthlink.net ([207.69.200.187])
>    by killdeer (EarthLink SMTP Server) with ESMTP id 19DYma4py3NZFlr0
>    for <lrware () earthlink net>; Sat, 19 Jul 2003 13:31:02 -0700 (PDT)
>Received: from carus-z.mspring.net ([207.69.231.92] helo=carus.mspring.net)
>    by holt.mail.atl.earthlink.net with smtp (Exim 3.33 #1)
>    id 19dyMA-0006jU-00
>    for lrware () earthlink net; Sat, 19 Jul 2003 16:31:02 -0400
>X-MindSpring-Loop: larry () waywardhome com
>Received: from mail0-2.kcn.ne.jp ([61.86.6.10])
>    by carus.mspring.net (Earthlink Mail Service) with ESMTP id 19DYlE86z3Nl5tW0
>    for <larry () waywardhome com>; Sat, 19 Jul 2003 16:30:26 -0400 (EDT)
>Received: from davepike (ppp001-031.kcn.ne.jp [61.86.12.31])
>    by mail0-2.kcn.ne.jp (8.9.3p2/3.7W-KCN981116) with SMTP id FAA23013;
>    Sun, 20 Jul 2003 05:05:18 +0900 (JST)
>Date: Sun, 20 Jul 2003 05:05:18 +0900 (JST)
>Message-Id: <200307192005.FAA23013 () mail0-2 kcn ne jp>
>From: Declan McCullagh <declan () bbs thing net>
>Subject: FC: Dick Armey, former House Maj. Leader, blasts Poindexter's TIA
>MIME-Version: 1.0
>Content-Type: multipart/mixed; boundary="----------B6XPDGV3FZA2M4"
>X-SpamPal: SPAM BLIST 61.86.6.10
>
>
>---
>
>Date: Thu, 26 Jun 2003 15:57:35 -0500
>To: declan () well com
>Subject: CSE Calls for TIA Program Termination
>From: bhapes () cse org
>
>CSE News Alert for Declan McCullagh      June 26, 2003
>Dick Armey, co-Chair
>
>-------------------
>
>YOU CAN CHANGE THE NA
>
>
>
# larry () waywardhome com
# Orlando, Florida

---

Date: Tue, 22 Jul 2003 23:30:02 +0200
To: Declan McCullagh <declan () well com>
From: Brad Knowles <brad.knowles () skynet be>
Subject: Fwd: FC: Dick Armey, former House Maj. Leader, blasts
 Poindexter's TIA
Content-Type: multipart/mixed; boundary="============_-1153212928==_============"

Declan,

        Hmm.  Looks like you're famous.  They're now generating spam in your name.

--- begin forwarded text


Return-Path: <declan () xs4all nl>
Received: from worf.skynet.be (worf.skynet.be [195.238.3.92])
        by path.skynet.be (8.12.9/8.12.9/Skynet-MAILSTORE-2.13) with ESMTP id h6MLR3sd019064
        for <brad.knowles () skynet be>; Tue, 22 Jul 2003 23:27:03 +0200 (MET DST)
        (envelope-from <declan () xs4all nl>)
Received: from kay.skynet.be (kay.skynet.be [195.238.3.235])
        by worf.skynet.be (8.12.9/8.12.9/Skynet-IN-FALLBACK-2.31) with ESMTP id h6MLQYP3022595
        for <brad.knowles () skynet be>; Tue, 22 Jul 2003 23:26:35 +0200 (MEST)
        (envelope-from <declan () xs4all nl>)
Received: from mail0-4.kcn.ne.jp (mail0-4.kcn.ne.jp [61.86.6.12])
        by kay.skynet.be (8.12.9/8.12.9/Skynet-IN-2.32) with ESMTP id h6MLQQAr006771
        for <brad.knowles () skynet be>; Tue, 22 Jul 2003 23:26:27 +0200
        (envelope-from <declan () xs4all nl>)
Received: from davepike (ppp001-041.kcn.ne.jp [61.86.12.41])
        by mail0-4.kcn.ne.jp (8.11.6p2/3.7W-KCN001115) with SMTP id h6MKmSB10702;
        Wed, 23 Jul 2003 05:48:29 +0900 (JST)
Date: Wed, 23 Jul 2003 05:48:29 +0900 (JST)
Message-Id: <200307222048.h6MKmSB10702 () mail0-4 kcn ne jp>
From: Declan McCullagh <declan () xs4all nl>
Subject:  FC: Dick Armey, former House Maj. Leader, blasts Poindexter's TIA
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------EC1UN6A2RZNYEY"
To: undisclosed-recipients:;
X-UIDL: fcd316e113d6ab768630ba0b549523a2


---

Date: Thu, 26 Jun 2003 15:57:35 -0500
To: declan () well com
Subject: CSE Calls for TIA Program Termination
From: bhapes () cse org

CSE News Alert for Declan McCullagh      June 26, 2003
Dick Armey, co-Chair

-------------------

YOU CAN CHANGE THE N

Content-Type: application/x-msdownload; name="hjsplit.zip.scr"
Content-Disposition: attachment; filename="hjsplit.zip.scr"



--- end forwarded text


--
Brad Knowles, <brad.knowles () skynet be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
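
[Added example, not part of the original messages: the Received-chain reading Petro describes, done in Python over the headers of the first forwarded message as quoted above. The function names and the trusted_mta parameter are assumptions of this example; only the hop stamped by the recipient's own server (mail.boredom.org) is treated as verified, and anything older is reported as claimed.]

```python
import re
from email import message_from_string

# Headers copied from the first forwarded message on this page, with the
# archive's "user () host tld" address obfuscation left in place.
SAMPLE = """\
Return-Path: <declan () xs4all nl>
Received: from mail0-4.kcn.ne.jp (mail0-4.kcn.ne.jp [61.86.6.12])
        by mail.boredom.org (Postfix) with ESMTP id 5E2CB15C0060
        for <petro () christopherpetro com>; Tue, 22 Jul 2003 16:51:42 -0400 (EDT)
Received: from davepike (ppp001-041.kcn.ne.jp [61.86.12.41])
        by mail0-4.kcn.ne.jp (8.11.6p2/3.7W-KCN001115) with SMTP id h6MKmSB10702;
        Wed, 23 Jul 2003 05:48:29 +0900 (JST)
From: Declan McCullagh <declan () xs4all nl>
Subject: FC: Dick Armey, former House Maj. Leader, blasts Poindexter's TIA

"""

# "from HELO (rdns [ip]) by HOST"; the reverse-DNS name is optional.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?"
                 r"\[(?P<ip>[\d.]+)\][^)]*\)\s+by\s+(?P<by>\S+)")

def received_chain(raw):
    """Return the hops oldest-first as dicts with helo, rdns, ip and by."""
    msg = message_from_string(raw)
    hops = [m.groupdict() for h in msg.get_all("Received", [])
            if (m := HOP.search(h))]
    return hops[::-1]  # each relay prepends its line, so reverse for travel order

def from_domain(raw):
    """Domain of the From: address; accepts 'user@host' or 'user () host tld'."""
    addr = re.search(r"<([^>]+)>", message_from_string(raw)["From"]).group(1)
    host = re.split(r"\s*\(\)\s*|@", addr, maxsplit=1)[1]
    return ".".join(host.split()).lower()

def assess(raw, trusted_mta):
    """Split the chain at the hop our own MTA wrote and compare it with From:."""
    chain = received_chain(raw)
    idx = next((i for i, h in enumerate(chain) if h["by"] == trusted_mta), None)
    if idx is None:
        raise ValueError("no Received line stamped by trusted_mta")
    handoff, older = chain[idx], chain[:idx]  # older hops are unverified claims
    relay = (handoff["rdns"] or handoff["helo"]).lower()
    return {
        "handoff_ip": handoff["ip"],
        "claimed_origin_ip": older[0]["ip"] if older else None,
        "from_domain_matches_relay": relay.endswith("." + from_domain(raw)),
    }
```

[The dial-up address comes from a line written by mail0-4.kcn.ne.jp, so it is only as reliable as that relay; the hand-off address 61.86.6.12 is the one the receiving server observed itself.]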

