Re: Fwd: [SLE] Warning about your e-mail account.
from lists.suse.com (lists.suse.com [195.135.221.131])

Except that 195.135.221.131 is lists.suse.com
Hard to be forged.

Dee
-----Original Message-----
From: Steven T. Hatton [mailto:hattons@globalsymmetry.com]
Sent: Monday, March 15, 2004 05:44 AM
To: suse-linux-e@suse.com
Subject: Re: Fwd: [SLE] Warning about your e-mail account.
On Monday 15 March 2004 12:30 am, W.D.McKinney wrote:
Hello ???
Dee
X-MIME-Notice: attachments may have been removed from this message
X-Mailinglist: suse-linux-e
X-Message-Number-for-archive: 183607
Delivered-To: mailing list suse-linux-e@suse.com
Received: (qmail 4289 invoked from network); 15 Mar 2004 04:51:28 -0000
Date: Sun, 14 Mar 2004 22:51:35 -0600
To: suse-linux-e@suse.com
From: administration@suse.com
Message-ID:
It's certainly some kind of trojan horse, but the headers don't tell much.
STH
On Monday 15 March 2004 12:47 am, W.D.McKinney wrote:
from lists.suse.com (lists.suse.com [195.135.221.131])
Except that 195.135.221.131 is lists.suse.com Hard to be forged.
Oh, I agree. This is quite strange. But the message itself is clearly a boiler-plate. I see no indication of anything unusual other than SA adding this: tests=BAYES_20,NO_REAL_NAME
Dee
STH
On Monday 15 March 2004 01:02 am, Anders Johansson wrote:
On Monday 15 March 2004 06.59, Steven T. Hatton wrote:
Oh, I agree. This is quite strange.
All mail sent through suse-linux-e is sent to its final destination from lists.suse.com. What is so strange?
All indications are that it originated there.

STH
On Monday 15 March 2004 07.05, Steven T. Hatton wrote:
On Monday 15 March 2004 01:02 am, Anders Johansson wrote:
On Monday 15 March 2004 06.59, Steven T. Hatton wrote:
Oh, I agree. This is quite strange.
All mail sent through suse-linux-e is sent to its final destination from lists.suse.com. What is so strange?
All indications are that it originated there.
And these indications are? I see no significant difference between that mail and any other list mail
On Monday 15 March 2004 01:08 am, Anders Johansson wrote:
And these indications are? I see no significant difference between that mail and any other list mail
Look at the headers in the message I just received from you:
References: <200403150702.16087.andjoh@rydsbo.net> <200403150105.55362.hattons@globalsymmetry.com>
In-Reply-To: <200403150105.55362.hattons@globalsymmetry.com>

I don't see any similar info in the original message.

STH
On Monday 15 March 2004 07.14, Steven T. Hatton wrote:
On Monday 15 March 2004 01:08 am, Anders Johansson wrote:
And these indications are? I see no significant difference between that mail and any other list mail
Look at the headers in the message I just received from you:
References: <200403150702.16087.andjoh@rydsbo.net> <200403150105.55362.hattons@globalsymmetry.com>
In-Reply-To: <200403150105.55362.hattons@globalsymmetry.com>

I don't see any similar info in the original message.
"References" list the mail IDs of the previous mail in the thread. Was the virus in reply to another mail? Was mine? Compare the virus mail to any other mail on the list that is not in reply to something else. A few "optional" headers, such as X-Mailer and Reply-To are missing, but those are missing from loads of other mail too. As I said, no *significant* difference
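The header comparison discussed in the messages above, as an added example that is not part of the original thread. Both sample mails are constructed; `mx.example.org`, `ExampleMailer`, the message IDs, the `OPTIONAL` set and the `Re:` subject test are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample mails, not the real messages from the thread.
LIST_HOP = (
    "Received: from lists.suse.com (lists.suse.com [195.135.221.131])\n"
    "\tby mx.example.org; Mon, 15 Mar 2004 04:51:40 -0000\n"
    "X-Mailinglist: suse-linux-e\n"
    "Delivered-To: mailing list suse-linux-e@suse.com\n"
    "Received: (qmail 4289 invoked from network); 15 Mar 2004 04:51:28 -0000\n"
    "To: suse-linux-e@suse.com\n")
SUSPECT = LIST_HOP + (
    "From: administration@suse.com\n"
    "Message-ID: <constructed-1@example.invalid>\n"
    "Subject: Warning about your e-mail account.\n\nbody\n")
REPLY = LIST_HOP + (
    "From: user@example.org\n"
    "Reply-To: user@example.org\n"
    "X-Mailer: ExampleMailer 1.0\n"
    "Message-ID: <constructed-3@example.invalid>\n"
    "References: <constructed-2@example.invalid>\n"
    "In-Reply-To: <constructed-2@example.invalid>\n"
    "Subject: Re: [SLE] some question\n\nbody\n")

OPTIONAL = {"x-mailer", "reply-to", "user-agent"}  # assumed: clients may omit
THREADING = {"references", "in-reply-to"}          # only expected on replies

def missing_headers(suspect, baseline):
    """Headers the baseline has and the suspect lacks, split by weight."""
    s, b = message_from_string(suspect), message_from_string(baseline)
    missing = {k.lower() for k in b.keys()} - {k.lower() for k in s.keys()}
    is_reply = (s["Subject"] or "").lower().startswith("re:")
    ignorable = OPTIONAL | (set() if is_reply else THREADING)
    return {"significant": missing - ignorable, "optional": missing & ignorable}

def relay_hops(raw):
    """(helo, rdns, ip) for each Received header that records a network peer."""
    pat = re.compile(r"from (\S+) \((\S+) \[([0-9.]+)\]\)")
    received = message_from_string(raw).get_all("Received", [])
    return [m.groups() for m in map(pat.search, received) if m]

if __name__ == "__main__":
    print(missing_headers(SUSPECT, REPLY))
    # The list hop is present on every list mail, so it says nothing about origin.
    print(relay_hops(SUSPECT), relay_hops(SUSPECT) == relay_hops(REPLY))
```

The `From:` header is set by the sender and is not verified by anything in this comparison; only the `Received:` lines added by servers you control record what those servers actually saw.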
There's a particularly nasty scam going around now that has hit a number of vendor sites, including Citibank and Barclays Bank. This message reminds me of the one I got purportedly from Citibank that was secretly redirected to the site c.best-news.ru, where they attempt to harvest bank information. No harm as far as I can see in visiting that site and attempting to dissect it as long as you don't give them any information.

Paul Abrahams
participants (4)
- Anders Johansson
- Paul W. Abrahams
- Steven T. Hatton
- W.D.McKinney