[Clipart] My sincere apologies

Greg Bulmash oneminuteinspirations at gmail.com
Mon Apr 19 15:49:37 PDT 2010


Remember that to hide their tracks, viruses often send mail to a
victim's address book as someone else from the victim's address book.
If it's not you, it could be anyone on this list, even someone who
just lurks and doesn't participate.

- Greg

On Mon, Apr 19, 2010 at 1:35 PM, chovynz <chovynz at gmail.com> wrote:
> Thanks man! You're a legend.
> I'll look into what I have to see if it really did come from me or if I've
> been spoofed.
>
> Cheers
> Chovynz
>
>
> On 20/04/2010 7:43 a.m., J. Alves wrote:
>
> Sorry I can't help you with the virus situation, since I've been using
> Linux for 10 years and have forgotten how the incantations go for
> these Windows problems... Until (if...) this OS gets more popular, I
> hope to be in blissful forgetfulness of such antics. :-)
>
> Looking at the full headers of the email tells you, hopefully, where
> the email came from -- if it wasn't spoofed in any way. Here's what I
> could get from them (an email that arrived on April 11 and I still had
> in the trash; I deleted permanently the one that arrived today or
> yesterday, so I can't compare):
>
> ============================================
> Delivered-To: alvesjmp at gmail.com
> Received: by 10.204.99.82 with SMTP id t18cs48388bkn;
>         Sun, 11 Apr 2010 15:17:03 -0700 (PDT)
> Received: by 10.141.91.3 with SMTP id t3mr2215769rvl.191.1271024221214;
>         Sun, 11 Apr 2010 15:17:01 -0700 (PDT)
> Return-Path: <clipart-bounces at lists.freedesktop.org>
> Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
>         by mx.google.com with ESMTP id 10si10541498pzk.24.2010.04.11.15.17.00;
>         Sun, 11 Apr 2010 15:17:01 -0700 (PDT)
> Received-SPF: pass (google.com: domain of
> clipart-bounces at lists.freedesktop.org designates 131.252.210.177 as
> permitted sender) client-ip=131.252.210.177;
> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
> clipart-bounces at lists.freedesktop.org designates 131.252.210.177 as
> permitted sender) smtp.mail=clipart-bounces at lists.freedesktop.org
> Received: from gabe.freedesktop.org (localhost [127.0.0.1])
> 	by gabe.freedesktop.org (Postfix) with ESMTP id C4F1C9EB36;
> 	Sun, 11 Apr 2010 15:16:59 -0700 (PDT)
> X-Original-To: clipart at lists.freedesktop.org
> Delivered-To: clipart at lists.freedesktop.org
> X-Greylist: delayed 306 seconds by postgrey-1.31 at gabe;
> 	Sun, 11 Apr 2010 15:16:57 PDT
> Received: from localhost (unknown [113.169.33.57])
> 	by gabe.freedesktop.org (Postfix) with SMTP id 4BDC09EB22
> 	for <clipart at lists.freedesktop.org>;
> 	Sun, 11 Apr 2010 15:16:56 -0700 (PDT)
> From: � Pfizer Inc � 1965-2010 <clipart at lists.freedesktop.org>
> To: clipart at lists.freedesktop.org
> MIME-Version: 1.0
> Message-Id: <20100411221657.4BDC09EB22 at gabe.freedesktop.org>
> Date: Sun, 11 Apr 2010 15:16:56 -0700 (PDT)
> Subject: [Clipart] Dear clipart at lists.freedesktop.org April 66% 0FF
>
> ============================================
>
> The important lines here are the "Received:" ones, and the first one
> should be the originator, if everything is correct. In this case, it
> would be IP number 113.169.33.57, which according to whois locates to
> Vietnam:
>
> inetnum:      113.160.0.0 - 113.191.255.255
> netname:      VNPT-VNNIC-VN
> descr:        VietNam Post and Telecom Corporation
> descr:        23 Phan Chau Trinh, Hoan Kiem Dist, Ha Noi
> country:      VN
> ...
>
> So, the email seems to have done the following path:
> 113.169.33.57 -> gabe.freedesktop.org (131.252.210.177, which GMail
> approves of according to the SPF thing in the headers) ->
> mx.google.com (internal Google server, 10.204.99.82) -> my eyes
>
> I guess. :-)
>
> The email body itself is HTML, and asks for images (which I don't
> allow loading automatically, ever).
> It also points to a page with a Russian address:
> http://www.edgehole.ru (I wouldn't go there if I was you) :-)
>
> Again, these things in the headers can be faked, so don't take this as
> 100% certain. But at least the part after the freedesktop.org seems to
> be good, because of the SPF pass.
>
> Any other ideas?
>
> Cheers
> J
>
> On Mon, Apr 19, 2010 at 1:03 PM, chovynz <chovynz at gmail.com> wrote:
>
>
> Jon
>
> Is there any way that the list owners could find those emails and see where
> they are coming from?
> Are you able to remove that subscriber if it is found to be some company not
> legitimate?
> I recommend looking for any Pfizer subscribers.
>
> Cheers
> Chovynz
>
> _______________________________________________
> clipart mailing list
> clipart at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/clipart
>
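
An added example, not part of the original thread: the header-reading steps described in the quoted message, written as a small Python parser run over the `Received:` lines copied from that message. The function names and the `known_relays` set are assumptions made for this illustration; the list server's IP is treated as a known relay because the quoted headers show an SPF pass for it.

```python
import email
import ipaddress
import re

# Received chain copied from the headers quoted above (newest hop first).
RAW = """\
Received: by 10.204.99.82 with SMTP id t18cs48388bkn;
        Sun, 11 Apr 2010 15:17:03 -0700 (PDT)
Received: by 10.141.91.3 with SMTP id t3mr2215769rvl.191.1271024221214;
        Sun, 11 Apr 2010 15:17:01 -0700 (PDT)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
        by mx.google.com with ESMTP id 10si10541498pzk.24.2010.04.11.15.17.00;
        Sun, 11 Apr 2010 15:17:01 -0700 (PDT)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
        by gabe.freedesktop.org (Postfix) with ESMTP id C4F1C9EB36;
        Sun, 11 Apr 2010 15:16:59 -0700 (PDT)
Received: from localhost (unknown [113.169.33.57])
        by gabe.freedesktop.org (Postfix) with SMTP id 4BDC09EB22
        for <clipart at lists.freedesktop.org>;
        Sun, 11 Apr 2010 15:16:56 -0700 (PDT)
"""

# "from <helo> (<rdns> [<ip>]) by <host>"; the "from" part is optional.
HOP = re.compile(
    r"(?:from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+)?"
    r"by\s+(?P<by>\S+)")

def hops(raw):
    """Return the Received hops oldest-first as dicts (helo, rdns, ip, by)."""
    msg = email.message_from_string(raw)
    out = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            out.append(m.groupdict())
    return out[::-1]  # headers are prepended, so reverse for travel order

def handoff(raw, known_relays):
    """Walk from the receiving end and return (ip, helo) of the first public
    peer that is not a known relay. Lines older than that hop, and the HELO
    name itself, are supplied by the sender and cannot be relied on."""
    for h in reversed(hops(raw)):  # newest first
        ip = h["ip"]
        if ip and ip not in known_relays and ipaddress.ip_address(ip).is_global:
            return ip, h["helo"]
    return None

if __name__ == "__main__":
    for h in hops(RAW):
        print(h["ip"] or "-", "->", h["by"])
    print("handoff:", handoff(RAW, {"131.252.210.177"}))
```

Walking from the newest hop downward matters because only the bracketed peer IP written by a server you trust is reliable, which is the same caveat the quoted message makes about faked headers.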


