2003-09-23 17:21:09

by Justin Piszcz

Subject: Spam/LKML

I noticed last week or so after I sent a message to LKML I got flooded
with Microsoft Spams.

However, I sent another email (ide-scsi) issue and I am being inundated
with Microsoft Spam (that virus).

Anyone else take notice of this?

PINE 4.58 MESSAGE INDEX Folder: INBOX Message 151 of 151 NEW

N 134 Sep 23 Security Departmen (160K) New Microsoft Pack
N 135 Sep 23 Security Assistanc (160K) new internet update
N 136 Microsoft Security (160K)
N 137 Sep 23 Administrator (147K) Undeliverable Mail: Returned To Sender
N 138 Sep 23 Program Security S (159K)
N 139 Sep 23 Microsoft (160K)
N 140 Sep 23 MS Network Message (147K) error message
N 141 Sep 23 Mail Service (147K) Bug Notice
N 142 Postmaster (147K) Advice
N 143 Sep 23 jhsrsydcs@updates. (160K) new microsoft critical update
N 144 Sep 23 net delivery servi (147K) Notice
N 145 MS Corporation Net (160K) Microsoft Critical Upgrade
N 146 [email protected] (147K) message
N 147 Sep 23 zcnxteljbrlib@upda (160K) current net upgrade
N 148 Sep 23 ms net email syste (147K) Message Returned To Sender
N 149 Sep 23 ms net message sys (147K) Abort Announcement
N 150 Sep 23 Microsoft Corporat (14K) Microsoft Critical Update
N 151 Sep 23 Microsoft Corporat (160K) Internet Pack

% ls -lh Mailbox -> 22M Sep 23 13:20 Mailbox

Pure spam.



2003-09-23 17:38:05

by joe briggs

Subject: Re: Spam/LKML

I am getting hammered with them, though I use a sendmail server. Is this a
manifestation or exploit of the buffer-overflow security issue out with
sendmail?

On Tuesday 23 September 2003 01:21 pm, Justin Piszcz wrote:
> with Microsoft Spam (that virus).

--
Joe Briggs
Briggs Media Systems
105 Burnsen Ave.
Manchester NH 01304 USA
TEL 603-232-3115 FAX 603-625-5809 MOBILE 603-493-2386
http://www.briggsmedia.com

2003-09-23 17:43:38

by Justin Piszcz

Subject: Re: Spam/LKML

I use qmail here.

It appears to be a manifestation at least at the surface, 90%+ are
140-160KB emails w/microsoft stuff only, I have not noticed any weird
things in the qmail logs recently.

One has to wonder though why such intense targeting happens, 10-15
e-mails to my address only two hours after I sent an e-mail to LKML.

The previous day, I only had received about 3-4 of them.

It would seem like it would be a lot of work for people to constantly hit
archives of LKML to get e-mail addresses to spam, I wonder if there are
malicious people on the list scurrying e-mail addresses for spam targets.


On Tue, 23 Sep 2003, joe briggs wrote:

> I am getting hammered with them, though I use a sendmail server. Is this a
> manifestation or exploit of the buffer-overflow security issue out with
> sendmail?
>
> On Tuesday 23 September 2003 01:21 pm, Justin Piszcz wrote:
> > with Microsoft Spam (that virus).
>
> --
> Joe Briggs
> Briggs Media Systems
> 105 Burnsen Ave.
> Manchester NH 01304 USA
> TEL 603-232-3115 FAX 603-625-5809 MOBILE 603-493-2386
> http://www.briggsmedia.com
>

2003-09-23 18:04:08

by David Miller

Subject: Re: Spam/LKML

On Tue, 23 Sep 2003 14:37:43 -0400
joe briggs <[email protected]> wrote:

> I am getting hammered with them, though I use a sendmail server. Is this a
> manifestation or exploit of the buffer-overflow security issue out with
> sendmail?

No.

Anyone in the world can receive linux-kernel postings, even if they
are not subscribed they can obtain such postings from various online
web archives.

Therefore someone harvesting emails for which to send spam can simply
take the sender address of linux-kernel postings.

This particular spam is happening to nearly everyone posting to just
about any list in the world the past few days, not just to here at
vger.kernel.org. My wife, for example, does not make postings to the
lists at vger.kernel.org yet she is receiving the same spams everyone
else is.

So please stop these threads about this problem, what can be said
has been said and this issue is totally offtopic.

2003-09-23 18:08:06

by David Miller

Subject: Re: Spam/LKML


Please stop this thread, it is wholly offtopic.

2003-09-23 18:16:15

by Andre Tomt

Subject: Re: Spam/LKML

joe briggs wrote:
> I am getting hammered with them, though I use a sendmail server. Is this a
> manifestation or exploit of the buffer-overflow security issue out with
> sendmail?

It's just a Microsoft virus named Gibe-F/Swen/Automat.AHB that has
started spreading this past week or so. Same old, stupid users execute
an attachment or whatever that scans for email-addresses and spreads
through them.

The antivirus software on a mailserver I run has picked up 39567 of
Gibe-F the past 24 hours.

Quoting Sophos (.com):
"W32/Gibe-F is a worm which spreads by emailing itself via its own SMTP
engine to addresses extracted from various sources on the victim's
drives (e.g. MBX and DBX files). The worm also spreads using the KaZaA
peer-to-peer shared folders, via IRC channels and will copy itself to
the Startup folder of mapped network drives. W32/Gibe-F may also
attempt to spread via usenet
newsgroups (NNTP)."

--
Mvh,
André Tomt
[email protected]

2003-09-23 18:20:19

by Andre Tomt

Subject: Re: Spam/LKML

Justin Piszcz wrote:

> I use qmail here.
>
> It appears to be a manifestation at least at the surface, 90%+ are
> 140-160KB emails w/microsoft stuff only, I have not noticed any weird
> things in the qmail logs recently.
>
> One has to wonder though why such intense targeting happens, 10-15
> e-mails to my address only two hours after I sent an e-mail to LKML.
>
> The previous day, I only had received about 3-4 of them.
>
> It would seem like it would be a lot of work for people to constantly hit
> archives of LKML to get e-mail addresses to spam, I wonder if there are
> malicious people on the list scurrying e-mail addresses for spam targets.

One obvious answer is Microsoft Windows users infected with
Swen/Gibe-F/Automat.AHB subscribed to this list. It's just one of those
mail worms, same old all over again.

--
Mvh,
André Tomt
[email protected]

2003-09-23 18:25:00

by Markus Hästbacka

Subject: Re: Spam/LKML

I've noticed this too. I get around 100 mails/day of the new "security
update". And then I get 50 more which tell me that some message could
not be delivered, which is of course a lie. None of the mails contain
"To: ...snip..." and I think this happens because my mail address is in
LKML.

Regards,
----
Markus Hästbacka <[email protected]>



2003-09-23 22:18:05

by Robert White

Subject: RE: Spam/LKML

It happens because someone on the list has the virus. The virus, among
other things, harvests the email addresses to forge the From: header.

So they (probably multiples of them) run their unpatched and virus-infected
Outlook. Each of them both generates email to all the addresses they see
and each of those emails is "From" one of the other addresses they see.

So it harvests the current inbox, and does a splatter mailing. When the
mail servers see the email and bounce it, it is bounced to your address
instead of the real senders'.

Shame there are people that think they are smart enough to play in this
space (LKML) and dumb enough to open an email attachment that they don't
fully understand/appreciate.

Further stupidity is using the "preview pane". In Outlook, the preview pane
"opens" the email, even if you are doing a left-click delete. Since some of
the viruses (and almost all of the spam) will validate the email account as
interactively in use when you open it, they get hammered extra-hard.

"Friends don't ask friends to open Microsoft Documents"

Rob White

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Markus Hästbacka
Sent: Tuesday, September 23, 2003 11:25 AM
To: Justin Piszcz
Cc: Kernel Mailinglist
Subject: Re: Spam/LKML

I've noticed this too. I get around 100 mails/day of the new "security
update". And then I get 50 more which tell me that some message could
not be delivered, which is of course a lie. None of the mails contain
"To: ...snip..." and I think this happens because my mail address is in
LKML.

Regards,
----
Markus Hästbacka <[email protected]>
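
Added example (not part of any post in this thread): a recipient-side check for the forged-From bounces described in the message above, which compares the Message-ID returned inside a delivery status notification against the IDs the local host really sent. The sample bounce, the addresses and the `SENT_IDS` set are constructed for illustration; in practice the set would come from the MTA's own logs.

```python
import email
from email import policy

# Constructed sample: Message-IDs this host really sent (e.g. pulled from MTA logs).
SENT_IDS = {"<20030923.ide-scsi@example.org>"}

def make_dsn(original_id):
    """Constructed RFC 3464-style bounce that returns the original headers."""
    return (
        "Return-Path: <>\n"
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: user@example.org\n"
        "Subject: Undeliverable Mail: Returned To Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n'
        "\n"
        "--b\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; nobody@example.net\nAction: failed\nStatus: 5.1.1\n"
        "--b\nContent-Type: text/rfc822-headers\n\n"
        f"From: user@example.org\nMessage-ID: {original_id}\n"
        "--b--\n"
    )

def classify(raw, sent_ids):
    """Return 'genuine-bounce', 'backscatter', 'unverifiable' or 'not-a-dsn'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-a-dsn"  # ordinary mail; outside the scope of this check
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":      # bounce returned headers only
            original = email.message_from_string(part.get_content())
        elif ctype == "message/rfc822":         # bounce returned the full message
            original = part.get_payload(0)
        else:
            continue
        mid = (original["Message-ID"] or "").strip()
        # A bounce for a Message-ID we never issued means our address was forged.
        return "genuine-bounce" if mid in sent_ids else "backscatter"
    return "unverifiable"  # DSN carried no original headers to compare

if __name__ == "__main__":
    print(classify(make_dsn("<20030923.ide-scsi@example.org>"), SENT_IDS))
    print(classify(make_dsn("<forged-0001@infected-host.invalid>"), SENT_IDS))
```
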


2003-09-26 01:12:18

by Kurt Wall

Subject: Re: Spam/LKML

Quoth Robert White:

[...]

> So they (probably multiples of them) run their unpatched and virus-infected
> Outlook. Each of them both generates email to all the addresses they see
> and each of those emails is "From" one of the other addresses they see.

[...]

Outlook, n.:
A virus delivery system with added email functionality.

K
--
Deliberation, n.:
The act of examining one's bread to determine which side it is
buttered on.
-- Ambrose Bierce, "The Devil's Dictionary"