Gwd: crypted document

Ok. See attach.

Why would someone in the ISP industry try to spread a virus? Ironically I suppose an ISP admin may have their own computer infected… :stuck_out_tongue:

Once upon a time, Hex Star <hexstar@gmail.com> said:

Why would someone in the ISP industry try to spread a virus? Ironically I
suppose an ISP admin may have their own computer infected... :stuck_out_tongue:

Why would someone assume that the sender in a virus email is valid?

Also, I want to thank all those with auto-responders that respond to
list email for letting me know about this message to NANOG.

Look at all the anti-spam software that uses perl.... yet the cpan
mirror ops lists is throwing out a dozen or more PDF attachments each
day now.

-Jim P.

Hi Guys,

It seems to me a lot of virus scanners picked up this behavior in the
days of the "I Love You" and Melissa viruses, when viruses tended to
infect documents rather than be self-propagating worms. We haven't lived
in a world where it's likely a legitimate sender is unwittingly sending
infected documents for a while. It'd be nice if the AV/MTA vendors would
take this feature out, or AV the message before they accept the DATA
section and leave it to the sending mail server to bounce it.

-J

If you could read the header, the question you would have asked is, "What is Chris Adams doing in Korea sending virus mail to nanog?" :slight_smile:

It's a shame there's no test before people subscribe.

For the humor impaired, obviously, some PC in Korea is infected with the latest virus and has both Chris's and the nanog list's addresses handy. I wasn't kidding about the test thing though :slight_smile:

Once upon a time, Jon Lewis <jlewis@lewis.org> said:

If you could read the header, the question you would have asked is, "What
is Chris Adams doing in Korea sending virus mail to nanog?" :slight_smile:

Especially as this particular Chris Adams is not well traveled and has
never been west of the Mississippi!

What? And lose the free opportunity to spam you and tell you how good it is
at finding viruses?

(Particularly annoying when their products usually don't do anything useful
on the platform that I actually send my mail from, but that's another rant)

Haha, good catch:

Received: from BSLEE.net ([59.16.185.214])
	by bach.merit.edu (MOS 3.8.2-GA)
	with SMTP id AEE75050;
	Thu, 2 Aug 2007 21:34:17 -0400 (EDT)

inetnum:      59.0.0.0 - 59.31.255.255
netname:      KORNET
descr:        KOREA TELECOM
descr:        Network Management Center
country:      KR
admin-c:      IM76-AP
tech-c:       IM76-AP

Are we sure it's Chris? I could have very easily sent this email as
from Jon Lewis... and mail.merit.edu would accept it and send it on
through.

-Jim P.

I think at this point, it's fairly clear what happened (fake sender, reply
that went to list etc) so continued discussion is rather fruitless.

Lesson to be learned: You cannot protect from human factors. :frowning:

-alex (mlc chair)

A few, it's because the developers really are that stupid.

Mostly, though, it's that they think that if they pretend to be that stupid then they
can advertise their product via spam that's sent from a wide variety of places
that can't all be easily blocked. (Most of the developers I've talked to say that they
know it's stupid, but that's the product requirements they have to work with).

Cheers,
   Steve