Marc Manthey
2005-May-14 14:35 UTC
question regarding spam and viruses from wilson@sentrisystems.com
Hello experts,

I have been lurking on the list for a while to learn a bit about iproute2 and stuff. But one thing makes me really mad. I have been getting at least one mail every day with an attachment or virus or trojan or whatever that is, from the mail address wilson@sentrisystems.com, and this for about 3-4 weeks. What the f**** is this. Is there anybody else who got strange mails? What can I do?

Sorry for bothering, nice weekend,
Marc

P.S. I attached the message without the file.

Begin forwarded message:

> From: "Wilson" <wilson@sentrisystems.com>
> Date: May 14, 2005 4:16:33 PM GMT+02:00
> To: "LARTC" <LARTC@mailman.ds9a.nl>
> Subject: [LARTC] Re:
> Return-Path: <lartc-bounces@mailman.ds9a.nl>
> Envelope-To: marc@let.de
> Delivery-Date: Sat, 14 May 2005 16:26:15 +0200
> Received: from outpost.ds9a.nl ([213.244.168.210]) by vm21.bln1.vrmd.de with esmtp (Exim 4.43) id 1DWxap-0007i7-G6 for marc@let.de; Sat, 14 May 2005 16:26:15 +0200
> Received: from outpost.ds9a.nl (outpost [127.0.0.1]) by outpost.ds9a.nl (Postfix) with ESMTP id F277E493B; Sat, 14 May 2005 16:16:16 +0200 (CEST)
> Received: from jai.com (unknown [202.56.213.146]) by outpost.ds9a.nl (Postfix) with SMTP id B9147493B for <LARTC@mailman.ds9a.nl>; Sat, 14 May 2005 16:15:40 +0200 (CEST)
> Delivered-To: lartc@outpost.ds9a.nl
> Message-Id: <fmjycjqrrtikugtcqlv@mailman.ds9a.nl>
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="--------sewqpdovgohbjompjdji"
> X-Beenthere: lartc@mailman.ds9a.nl
> X-Mailman-Version: 2.1.5
> Precedence: list
> List-Id: "Mailinglist of the Linux Advanced Routing & Traffic Control project" <lartc.mailman.ds9a.nl>
> List-Unsubscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
> List-Archive: <http://mailman.ds9a.nl/pipermail/lartc>
> List-Post: <mailto:lartc@mailman.ds9a.nl>
> List-Help: <mailto:lartc-request@mailman.ds9a.nl?subject=help>
> List-Subscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
> Sender: lartc-bounces@mailman.ds9a.nl
> Errors-To: lartc-bounces@mailman.ds9a.nl
>
> Predators
>
> Password:
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

http://www.whois.net/whois.cgi2?d=sentrisystems.com

[whois.domaincontender.com]
Registration and WHOIS Service Provided By: domaincontender.com
Domain Contender, LLC provides the data in the domaincontender.com Registrar WHOIS database for informational purposes only. The information may only be used to assist in obtaining information about a domain name's registration record. Domain Contender makes this information available "as is," and does not guarantee its accuracy.

Registrant:
  NOLDC, Inc
  838 Camp Street Apartment C
  New Orleans, LA 70130 US
  504-523-0360

Domain Name: SENTRISYSTEMS.COM

Administrative Contact:
  Purchase, Domain  noldc_dc@04desember.com
  838 Camp Street Apartment C
  New Orleans, LA 70130 US
  504-523-0360

Technical Contact:
  Purchase, Domain  noldc_dc@04desember.com
  838 Camp Street Apartment C
  New Orleans, LA 70130 US
  504-523-0360

Record last updated 09-30-2004 08:37:34 AM
Record expires on 08-29-2005
Record created on 08-29-2004

Domain servers in listed order:
  NS1.SECUREMARKET.NET  209.16.87.45
  NS2.SECUREMARKET.NET  209.16.87.46

-- 
"In a world without walls or fences, who needs Windows and Gates?"

Marc Manthey
D - 50672 Cologne
West Germany
office: 0049.221.355.80.32
mobile: 0049.177.341.54.81
www.let.de
www.applehelpers.com
aim://macfreak2004
macfreak@jabber.org
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Denys
2005-May-14 14:53 UTC
Re: question regarding spam and viruses from wilson@sentrisystems.com
Hi Marc

Maybe call his ISP. It is also a good idea to send reports to SPAMCOP etc.; maybe the admins of this network will move their ass and kick that user out.

inetnum:      202.56.192.0 - 202.56.255.255
netname:      BHARTI-IN
descr:        Bharti Infotel Ltd.
descr:        234 , Okhla Phase III
descr:        New Delhi 1100017
country:      IN
admin-c:      NA40-AP
tech-c:       NA40-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-IN-BBIL

route:        202.56.192.0/18
descr:        BHARTI-IN
descr:        BHARTI INFOTEL LTD.
descr:        Class A ISP in INDIA .
descr:        234 , OKHLA PHASE III ,
descr:        NEW DELHI
descr:        INDIA
country:      IN
origin:       AS9498
mnt-by:       MAINT-IN-BBIL
changed:      hm-changed@apnic.net 20050201
source:       APNIC

person:       Network Administrator
nic-hdl:      NA40-AP
e-mail:       techsupport@bharti.com
address:      Bharti Infotel Ltd.
address:      ISP Division - Long Distance - Telesonic
address:      234 ,
address:      Okhla Ind. Area,
address:      Phase III
address:      New Delhi,
address:      INDIA-110020
!!!!phone:    +91-11- 5171 0131
!!!!fax-no:   +91-11- 5171 1050
country:      IN
changed:      techsupport@bharti.com 20040911
mnt-by:       MAINT-IN-BBIL
source:       APNIC

> hello experts,
> i am lurking the list for a while to learn a bit
> about iproute2 and stuff.
> But one thing makes me really mad. i got everyday
> at least one mail with an attachment or virus or trojan
> or whatever that is , from the mail adress wilson@sentrisystems.com
> and this for about 3 -4 weeks.
> What the f**** is this. Is there anybody else who got strange
> mails ?
> What can i do?
> sorry for bothering
> nice weekend marc
> P.S. i attached the message without the file.
>
> Begin forwarded message:
>> From: "Wilson" <wilson@sentrisystems.com>
>> Date: May 14, 2005 4:16:33 PM GMT+02:00
>> To: "LARTC" <LARTC@mailman.ds9a.nl>
>> Subject: [LARTC] Re:
>> Return-Path: <lartc-bounces@mailman.ds9a.nl>
>> Envelope-To: marc@let.de
>> Delivery-Date: Sat, 14 May 2005 16:26:15 +0200
>> Received: from outpost.ds9a.nl ([213.244.168.210]) by vm21.bln1.vrmd.de with esmtp (Exim 4.43) id 1DWxap-0007i7-G6 for marc@let.de; Sat, 14 May 2005 16:26:15 +0200
>> Received: from outpost.ds9a.nl (outpost [127.0.0.1]) by outpost.ds9a.nl (Postfix) with ESMTP id F277E493B; Sat, 14 May 2005 16:16:16 +0200 (CEST)
>> Received: from jai.com (unknown [202.56.213.146]) by outpost.ds9a.nl (Postfix) with SMTP id B9147493B for <LARTC@mailman.ds9a.nl>; Sat, 14 May 2005 16:15:40 +0200 (CEST)
>> Delivered-To: lartc@outpost.ds9a.nl
>> Message-Id: <fmjycjqrrtikugtcqlv@mailman.ds9a.nl>
>> Mime-Version: 1.0
>> Content-Type: multipart/mixed; boundary="--------sewqpdovgohbjompjdji"
>> X-Beenthere: lartc@mailman.ds9a.nl
>> X-Mailman-Version: 2.1.5
>> Precedence: list
>> List-Id: "Mailinglist of the Linux Advanced Routing & Traffic Control project" <lartc.mailman.ds9a.nl>
>> List-Unsubscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
>> List-Archive: <http://mailman.ds9a.nl/pipermail/lartc>
>> List-Post: <mailto:lartc@mailman.ds9a.nl>
>> List-Help: <mailto:lartc-request@mailman.ds9a.nl?subject=help>
>> List-Subscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
>> Sender: lartc-bounces@mailman.ds9a.nl
>> Errors-To: lartc-bounces@mailman.ds9a.nl
>>
>> Predators
>>
>> Password:

-- 
Kind regards,
Denys
mailto:nuclearcat@nuclearcat.com
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20050514/9df884df/attachment-0001.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: maxmnznewp.bmp
Type: image/bmp
Size: 2026 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20050514/9df884df/maxmnznewp-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Fish.zip
Type: application/octet-stream
Size: 25773 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20050514/9df884df/Fish-0001.obj
S. Krishnan
2005-May-14 18:11 UTC
Re: question regarding spam and viruses from wilson@sentrisystems.com
On Sat, 2005-05-14 at 17:53 +0300, Denys wrote:
> Hi Marc
>
> Maybe call his ISP.
> Also good idea to send reports to SPAMCOP and etc, maybe admins of
> this network will move ass and kick those user out.
>

OK, this is what is interesting. The domain sentrisystems.com is registered to an organization located in New Orleans in the USA, while the email comes from a dialup host located on the India-based Touchtel ISP network, as pointed out by Denys. A quick port scan of the offending mail relay shows all ports to be filtered, so this seems to rule out the idea that the sender is a compromised host.

Can't the listadmin just block this address?

Cheers,
Krishnan
Michael Renzmann
2005-May-14 20:16 UTC
Re: question regarding spam and viruses from wilson@sentrisystems.com
Hi.

S. Krishnan wrote:
> OK, this is what is interesting. The domain sentrisystems.com is
> registered to an organization located in New Orleans in the USA, while
> the email comes from a dialup host located on the India based Touchtel
> ISP network, as pointed out by Denys.

Wow, you just discovered the fact that e-mail addresses can be faked.

> Can't the listadmin just block this address?

Can't people just look into the archives for past discussions on this topic? Can't people just put that address into their own blacklists?

Threads like this start to cause more traffic than the actual virus mails themselves. And they are at least as annoying as those mails.

Bye, Mike
David Hough
2005-May-14 21:19 UTC
Re: question regarding spam and viruses from wilson@sentrisystems.com
On Sat, 2005-05-14 at 22:16 +0200, Michael Renzmann wrote:
> Hi.
>
> S. Krishnan wrote:
> > OK, this is what is interesting. The domain sentrisystems.com is
> > registered to an organization located in New Orleans in the USA, while
> > the email comes from a dialup host located on the India based Touchtel
> > ISP network, as pointed out by Denys.
>
> Wow, you just discovered the fact that e-mail addresses can be faked.
>
> > Can't the listadmin just block this address?
>
> Can't people just look into the archives for past discussions on this
> topic? Can't people just put that address into their own blacklists?
>
> Threads like this start to cause more traffic than the actual virus
> mails themselves. And they are at least as annoying as those mails.
>

The problem is that many systems are configured to bounce viruses (proper bounces, not annoying messages telling the wrong people that a virus was detected), so enough viruses to the list will cause people to get unsubscribed. It's worse with this list because the probe message checking for failures includes a copy of the message causing the bounce, so it gets rejected as well. I'm sure I'm not the only one who has to re-subscribe every few days because of viruses.

It wouldn't be hard to just remove posting access from that particular email address; I don't think I've ever seen a real post from it anyway. The topic keeps coming up because those with the power to do something useful about it haven't yet done it.

Dave
Taylor, Grant
2005-May-14 22:48 UTC
Re: question regarding spam and viruses from wilson@sentrisystems.com
>> OK, this is what is interesting. The domain sentrisystems.com is
>> registered to an organization located in New Orleans in the USA, while
>> the email comes from a dialup host located on the India based Touchtel
>> ISP network, as pointed out by Denys.
>
> Wow, you just discovered the fact that e-mail addresses can be faked.
>
>> Can't the listadmin just block this address?
>
> Can't people just look into the archives for past discussions on this
> topic? Can't people just put that address into their own blacklists?
>
> Threads like this start to cause more traffic than the actual virus
> mails themselves. And they are at least as annoying as those mails.

This is yet another form of the age-old problem of fixing the bug in the program that causes it to chew up resources or just giving it more resources. If people just ignore, blacklist, or tolerate the problem that exists, the problem is still there. This "solution" (if you will) does nothing to actually resolve the problem. IMHO ignoring these emails is not even really a patch.

I personally sent an email to the WhoIs contact for the IP range that these messages are coming from, asking that they contact their client to request that s/he clean his/her system. After that email the viral traffic from "Wilson" stopped for about a week, but then picked up again. At that point in time there were between 1 and 3 messages from "Wilson" (or whoever) coming to the mail list daily. What would happen, what would people's reaction be, if there were 10 - 20 messages coming from "Wilson" per day? Would your actions be any different? I personally would be getting extremely upset and possibly unsubscribe from the list, as it would not be worth my time to have to wade through all the bogus emails to (try to) help the people that I do. Nor would I recommend this (mostly wonderful) mail list to others to join. IMHO just ignoring such traffic is akin to letting cancer grow in something that is otherwise good.

There is also the idea / fact that those that have an ability to do something also have the responsibility to do something ("National Treasure" anyone?). Some of us on this list are Systems Administrators that have the knowledge and responsibility to take care of (read resolve / stop / prevent) such actions if they were coming from any one of our users / clientele. What makes this any different? Do we not have some sort of moral obligation / responsibility to try to stop the prevention / spread of viruses and the stopping of viral activity if we have the know-how? I personally am appalled at the fact that the list maintainer has not done anything to mitigate this problem as of yet. Do we have a responsibility as Network Administrators to prevent bogus traffic from leaving our networks? Is this not akin to stopping bogus email from entering our mail list by taking action to stop it? IMHO something about this should have been done LONG ago.

From April 16 (2005) to present (May 14 (2005)) I have 64 emails from "Wilson" in my trash folder, making for on average more than 2 emails per day. I personally think that it is high time that we get some action from the list administrator on this matter. If me voicing my opinion on this gets me unsubscribed and banned from this list I will be disappointed, but I think this is an issue that should be addressed.

This is very close to dealing with spam on the net in general. Some of the more recent figures that I have heard are that spam is taking up as much as half of the bandwidth of all email. If this is left unchecked this will ultimately be wasted traffic as people just delete spam.

Here is my email to the abuse contacts in the WhoIs information for the subnet where the viral email is coming from.

http://mailman.ds9a.nl/pipermail/lartc/2005q2/015613.html

Seeing as (ultimately) nothing was done to resolve this issue, it may be time for more to be done, possibly blacklisting that subnet or provider.

Grant . . . .
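The header walk that Marc, Denys and Krishnan did by hand in this thread (reading the Received: chain back to the host that handed the mail to outpost.ds9a.nl, then looking that address and the From: domain up in whois), together with the two blocking options discussed above (a per-address blacklist as Mike suggests, versus blocking the originating netblock as Grant proposes), as an added Python example. This is not code from the original thread or from the LARTC list software. The headers are copied from Marc's forwarded message and re-folded onto single lines; the set of "trusted" MTAs and addresses, the block lists, and the second forged From: address used in the demo are assumptions for the illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the virus mail Marc forwarded on 2005-05-14, copied from the thread
# and re-folded to one line per header so the parser below sees them cleanly.
# The body and the MIME parts are omitted. (Constructed sample input.)
RAW_HEADERS = """\
From: "Wilson" <wilson@sentrisystems.com>
To: "LARTC" <LARTC@mailman.ds9a.nl>
Subject: [LARTC] Re:
Return-Path: <lartc-bounces@mailman.ds9a.nl>
Received: from outpost.ds9a.nl ([213.244.168.210]) by vm21.bln1.vrmd.de with esmtp (Exim 4.43) id 1DWxap-0007i7-G6 for marc@let.de; Sat, 14 May 2005 16:26:15 +0200
Received: from outpost.ds9a.nl (outpost [127.0.0.1]) by outpost.ds9a.nl (Postfix) with ESMTP id F277E493B; Sat, 14 May 2005 16:16:16 +0200 (CEST)
Received: from jai.com (unknown [202.56.213.146]) by outpost.ds9a.nl (Postfix) with SMTP id B9147493B for <LARTC@mailman.ds9a.nl>; Sat, 14 May 2005 16:15:40 +0200 (CEST)
Message-Id: <fmjycjqrrtikugtcqlv@mailman.ds9a.nl>
Sender: lartc-bounces@mailman.ds9a.nl

"""

# Assumption for the example: the MTAs whose Received: stamps we believe (the
# list server and the recipient's MX, named as they appear in the "by" clause)
# and the addresses they connect from when handing mail to each other. A
# Received: line is only evidence if one of these hosts wrote it; anything
# below the first hop from an unknown address could have been typed in by the
# sender, exactly like the From: header.
TRUSTED_MTAS = {"outpost.ds9a.nl", "vm21.bln1.vrmd.de"}
TRUSTED_IPS = {ipaddress.ip_address(a) for a in ("213.244.168.210", "127.0.0.1")}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\)]*?)\s*\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Split one Received: header into helo / rdns / ip / by, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None


def injection_point(raw):
    """Walk the Received: chain newest-first and return (helo, ip) for the first
    host that is not one of our own MTAs: the point where the message entered
    infrastructure we control. The HELO name is whatever the client said; the
    IP is what our MTA saw on the socket, so only the IP is worth acting on."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):      # header order: newest first
        hop = parse_received(value)
        if hop is None:
            continue
        if hop["by"].lower() not in TRUSTED_MTAS:
            break                                    # stamp not written by us: stop
        if ipaddress.ip_address(hop["ip"]) in TRUSTED_IPS:
            continue                                 # internal hand-off, keep walking
        return hop["helo"], hop["ip"]
    return None


def from_domain(raw):
    """Domain of the From: header, i.e. the sender's own claim about itself."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def decide(raw, blocked_senders=(), blocked_nets=()):
    """List-server policy: 'reject:sender' if the (forgeable) From: address is
    on the per-address blacklist, 'reject:network' if the injection IP falls in
    a blocked netblock, otherwise 'accept'."""
    _, sender = parseaddr(message_from_string(raw).get("From", ""))
    if sender.lower() in {s.lower() for s in blocked_senders}:
        return "reject:sender"
    hop = injection_point(raw)
    if hop is not None:
        ip = ipaddress.ip_address(hop[1])
        if any(ip in ipaddress.ip_network(n) for n in blocked_nets):
            return "reject:network"
    return "accept"


if __name__ == "__main__":
    print("From: domain        ", from_domain(RAW_HEADERS))
    print("entered our MTAs at ", injection_point(RAW_HEADERS))
    # Per-address blacklist: catches this exact forged From: address.
    print(decide(RAW_HEADERS, blocked_senders=["wilson@sentrisystems.com"]))
    # Same infected host, different forged From: (assumed): the address list misses it.
    variant = RAW_HEADERS.replace("wilson@sentrisystems.com", "someone@example.net", 1)
    print(decide(variant, blocked_senders=["wilson@sentrisystems.com"]))
    # Blocking the /18 from Denys' whois output catches both, at the cost of
    # rejecting every other host on that ISP's range.
    print(decide(variant, blocked_nets=["202.56.192.0/18"]))
```

The walk stops at the first Received: stamp not written by one of our own MTAs, because the sender controls everything below that point; that is also why the decision is keyed on the IP our MTA recorded and not on the HELO name "jai.com" or the From: domain, both of which the remote side chose freely. The per-address rule only works while the worm keeps putting the same address in From:; the netblock rule follows the machine instead, which is what Grant's suggestion amounts to.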
Taylor, Grant
2005-May-14 22:51 UTC
Re: question regarding spam and viruses from wilson@sentrisystems.com
> The problem is that many systems are configured to bounce viruses
> (proper bounces, not annoying messages telling the wrong people that a
> virus was detected) so enough viruses to the list will cause people to
> get unsubscribed.

I must disagree and state that the real problem in this case is the infected system that is sending the viral email, or possibly the virus authors in the first place, but I digress. Rather than patch around and make the symptoms of a problem less noticeable, let's fix the real problem, in this case the viral emails coming in to the mail list.

Grant. . . .