On Tue, 02 Mar 2004 10:45:02 -0500
Gregory Fraser <Gregory.Fraser@xxxxxxxxxxx> wrote:

> If you read the information at the McAfee site you listed, it states that the worm propagates using email spoofing which means it likely did not come through RIT but used the RIT address as a return address. It came from one of the people on the list that just started using email yesterday and was not aware that they don't have to open each and every email that promises better sex, free crap, foreign money or has 'You gotta see this!' as a subject, that ends up in their inbox.
>

I got a copy from the list: here are the headers

Return-Path: <owner-photoforum@xxxxxxxxxxxxxxxxxxxxxx>
Received: from filer2.rit.edu ([129.21.2.226])
    by mail.yomogi.or.jp (Post.Office MTA v3.8.3 release 20030729 ID# 9-212U6000L200S0V38B)
    with ESMTP id jp for <chandler@xxxxxxxxxxxx>;
    Tue, 2 Mar 2004 03:51:12 +0900
Return-path: <izzet@xxxxxxxx>
Received: from host (filer2.rit.edu [129.21.2.226])
    by osfmail.rit.edu (PMDF V6.1-1X6 #30661)
    id <0HTW00001UZ7ET@xxxxxxxxxxxxxxx>
    (original mail from owner-photoforum@xxxxxxxxxxxxxxxxxxxxxx)
    for chandler@xxxxxxxxxxxx; Mon, 01 Mar 2004 13:49:59 -0500 (EST)
Received: from host (filer2.rit.edu [129.21.2.226])
    by osfmail.rit.edu (PMDF V6.1-1X6 #30661)
    with SMTP id <0HTW00O0LUYUJT@xxxxxxxxxxxxxxx>;
    Mon, 01 Mar 2004 13:49:51 -0500 (EST)
Received: from 7nk6901 (c-24-13-181-34.client.comcast.net [24.13.181.34])
    by osfmail.rit.edu (PMDF V6.1-1X6 #30661)
    with SMTP id <0HTW00189UDQ8F@xxxxxxxxxxxxxxx>
    for photoforum@xxxxxxxxxxxxxxxx (ORCPT photoforum@xxxxxxxxxxxxxxxxxxxxxx);
    Mon, 01 Mar 2004 13:37:06 -0500 (EST)
Date: Mon, 01 Mar 2004 12:37:23 -0600
From: izzet@xxxxxxxx
Subject: Flayers among us
Sender: owner-photoforum@xxxxxxxxxxxxxxxxxxxxxx
To: List for Photo/Imaging Educators - Professionals - Students <photoforum@xxxxxxxxxxxxxxxxxxxxxx>
Reply-to: photoforum@xxxxxxxxxxxxxxxxxxxxxx
Message-id: <dctejottvmnuidcevfn@xxxxxxxx>
MIME-version: 1.0
Content-type: multipart/mixed;
    boundary="Boundary_(ID_WThsgHDniqt0J22opGWCMg)"
X-Listprocessor-Version: 8.2.10/991025/16:55 -- ListProc(tm) by CREN

The attachment was called bbceeb.zip (probably random).

I guess it came from the computer of someone on the list, who we can say with 99.99% certainty is using Mocroi$ft software which picked the "sender" (izzet) and the receiver from the victim's address book. Since the RIT list server doesn't remove attachments, here we are. Well, some of us, anyway.

> Greg

No, no, I'm Brian.

Brian Chandler
----------------
Never flayed a newt in my life...
http://imaginatorium.org/fun/anti.php <- ultimate open source
imaginatorium@xxxxxxxxxxxxx
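
Added example, not part of the original post: a mechanical reading of the Received chain quoted above. It walks the headers newest-first and returns the connection recorded by the oldest trusted server, i.e. the machine that actually handed the message to the list; the function names and the trusted-domain list are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Received chain from the post above, abridged; redactions are the archive's.
RAW = """\
Received: from filer2.rit.edu ([129.21.2.226]) by mail.yomogi.or.jp
 (Post.Office MTA v3.8.3 release 20030729 ID# 9-212U6000L200S0V38B)
 with ESMTP id jp for <chandler@xxxxxxxxxxxx>; Tue, 2 Mar 2004 03:51:12 +0900
Received: from host (filer2.rit.edu [129.21.2.226]) by osfmail.rit.edu
 (PMDF V6.1-1X6 #30661) id <0HTW00001UZ7ET@xxxxxxxxxxxxxxx>
 for chandler@xxxxxxxxxxxx; Mon, 01 Mar 2004 13:49:59 -0500 (EST)
Received: from host (filer2.rit.edu [129.21.2.226]) by osfmail.rit.edu
 (PMDF V6.1-1X6 #30661) with SMTP id <0HTW00O0LUYUJT@xxxxxxxxxxxxxxx>;
 Mon, 01 Mar 2004 13:49:51 -0500 (EST)
Received: from 7nk6901 (c-24-13-181-34.client.comcast.net [24.13.181.34])
 by osfmail.rit.edu (PMDF V6.1-1X6 #30661) with SMTP id
 <0HTW00189UDQ8F@xxxxxxxxxxxxxxx>; Mon, 01 Mar 2004 13:37:06 -0500 (EST)
From: izzet@xxxxxxxx

"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
                 r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")

def hops(raw):
    """Parse Received headers newest-first; None marks an unparseable hop."""
    parsed = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        parsed.append(m.groupdict() if m else None)
    return parsed

def entry_hop(raw, trusted):
    """Walk newest-first and return the oldest hop stamped by a trusted
    server; headers below it arrived with the message and may be forged."""
    entry = None
    for hop in hops(raw):
        by = hop["by"].lower() if hop else ""
        if not any(by == t or by.endswith("." + t) for t in trusted):
            break  # first untrusted or unreadable stamp: stop believing
        entry = hop
    return entry

if __name__ == "__main__":
    # Assumed trust set: the recipient's own MTA and the list's servers.
    print(entry_hop(RAW, ("yomogi.or.jp", "rit.edu")))
```

For the headers above this returns the hop from 24.13.181.34 (HELO `7nk6901`), whatever the From: line claims.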