Re:

From: Marko Mäkelä (marko.makela_at_hut.fi)
Date: 2004-10-27 11:16:05

On Tue, Oct 26, 2004 at 06:52:59PM -0500, David Wood wrote:
> 
> It's very important that everyone realizes that Ruud most likely did not
> send this file.  If you receive an attachment, do not open it.

Yep, it's obvious if you look at the Received: headers:

Received: from gizmo-inc.org ([213.25.211.60])
 by bouncer.ling.gu.se (SAVSMTP 3.0.0.44) with SMTP id M2004102700202322423 for
 <cbm-hackers@cling.gu.se>; Wed, 27 Oct 2004 00:20:24 +0200

The message was sent from pe60.warszawa.sdi.tpnet.pl (213.25.211.60) posing
as gizmo-inc.org (64.202.167.192) using the SMTP HELO or EHLO command.
I don't think that Ruud is behind this message.

My theory is that the message was sent on behalf of some Microsoft Windows
user in Poland who has Ruud's and the list's addresses on the computer.
Most worms and viruses pick both the From: and To: addresses from the local
system.

MagerValp, would it be possible to reject messages sent with a forged HELO
or EHLO address?

	Marko

       Message was sent through the cbm-hackers mailing list
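
The check described in the message above, as an added example that is not part of the original post: it parses the quoted Received: header and compares the HELO/EHLO name with the connecting IP address. The FORWARD and REVERSE tables are an offline stand-in for DNS holding only the lookups stated in the message; the function names are hypothetical.

```python
import re

# Received: header quoted in the message, folded lines joined with spaces.
RECEIVED = (
    "Received: from gizmo-inc.org ([213.25.211.60]) "
    "by bouncer.ling.gu.se (SAVSMTP 3.0.0.44) with SMTP id M2004102700202322423 "
    "for <cbm-hackers@cling.gu.se>; Wed, 27 Oct 2004 00:20:24 +0200"
)

# Assumption: offline stand-in for DNS A and PTR lookups, filled with the
# name/address pairs given in the message. A live check would query a resolver.
FORWARD = {"gizmo-inc.org": {"64.202.167.192"}}
REVERSE = {"213.25.211.60": "pe60.warszawa.sdi.tpnet.pl"}

# Matches "from HELO ([ip])" as written here, and the common
# "from HELO (rdns-name [ip])" form used by other MTAs. IPv4 only.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9.]+)\]\)"
)

def parse_received(header):
    """Return (helo_name, peer_ip) from one Received: header, or None."""
    m = RECEIVED_RE.search(header)
    if m is None:
        return None
    return m.group("helo").lower().rstrip("."), m.group("ip")

def check_helo(header, forward=FORWARD, reverse=REVERSE):
    """Compare the name given in HELO/EHLO with the address that connected."""
    parsed = parse_received(header)
    if parsed is None:
        return {"verdict": "unparsed"}
    helo, ip = parsed
    helo_ips = forward.get(helo, set())
    if ip in helo_ips:
        verdict = "match"          # HELO name resolves to the peer address
    elif helo_ips:
        verdict = "mismatch"       # HELO name resolves elsewhere
    else:
        verdict = "unresolvable"   # HELO name has no address record
    return {
        "helo": helo,
        "peer_ip": ip,
        "helo_resolves_to": sorted(helo_ips),
        "peer_ptr": reverse.get(ip),
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(check_helo(RECEIVED))
```

RFC 5321 section 4.1.4 permits a server to verify the EHLO name this way but says it must not refuse a message on that basis alone, so the verdict is best used as one input to filtering.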
