This morning's crop of spam contained one from


(contents: " Your important document, correction is finished!"
accompanied by the usual zip-file)

Is this the result of harvesting on the wreck or of infection?
PvR

In article , "P van Rijckevorsel" wrote:
This morning's crop of spam contained one from


(contents: " Your important document, correction is finished!"
accompanied by the usual zip-file)

Is this the result of harvesting on the wreck or of infection?

Infection. And probably *not* in Steve's computer, either. The most likely
source is some third person who has both you and Steve in his Outlook address
book, and is infected by a virus that forges From: headers.

--
Regards,
Doug Miller (alphageek-at-milmac-dot-com)

Get a copy of my NEW AND IMPROVED TrollFilter for NewsProxy/Nfilter
by sending email to autoresponder at filterinfo-at-milmac-dot-com
You must use your REAL email address to get a response.

On Sat, 4 Dec 2004 10:20:21 +0100, P van Rijckevorsel wrote:
This morning's crop of spam contained one from


(contents: " Your important document, correction is finished!"
accompanied by the usual zip-file)

Is this the result of harvesting on the wreck or of infection?

First thing to realize, is that it's not from Steve. Every outlook-enabled
virus in the last several years forges the From: on the email to look like
someone else.

So. Someone who reads this group, is running windows, who is probably
running Outlook as an email client, and who has Mr. Rijckevorsel and
Steve Knight in their address book, and who is behind in their virus
updates, needs to go fix that. If you're reading this and have that
uneasy feeling that it might be you, please take care of it.

By the way, there's a free antivirus program which is excellent, at
http://www.grisoft.com/ - it gets the same virus definitions that
the Norton/Macafee folks do, but for personal use it's free. If
you're going to choose to run windows, there's no excuse not to use
a good antivirus program.

Dave Hinz

On Sat, 04 Dec 2004 12:20:07 GMT, Doug Miller wrote:

Infection. And probably *not* in Steve's computer, either. The most likely
source is some third person who has both you and Steve in his Outlook address
book, and is infected by a virus that forges From: headers.

Note to self: before posting responses, check to see if anyone else has
written essentially the same thing. Again.

Dave Hinz wrote:

updates, needs to go fix that. If you're reading this and have that
uneasy feeling that it might be you, please take care of it.

Hrm.

KMail: 1.7
KNode: 0.8.0

I'm clean.

--
Michael McIntyre ---- Silvan
Linux fanatic, and certified Geek; registered Linux user #243621
http://www.geocities.com/Paris/Rue/5407/
http://rosegarden.sourceforge.net/tutorial/

On Sat, 04 Dec 2004 12:20:07 GMT, (Doug Miller)
wrote:

The most likely
source is some third person who has both you and Steve in his Outlook address
book, and is infected by a virus that forges From: headers.

And the second most likely source is something that posts spam with
to-from addresses based on threading from Useent .

"Doug Miller" wrote in message news:XXhsd.1828 Is
this the result of harvesting on the wreck or of infection?

Infection. And probably *not* in Steve's computer, either. The most likely
source is some third person who has both you and Steve in his Outlook
address
book, and is infected by a virus that forges From: headers.

This must be a difficult concept to grasp, as I have to have the above
conversation with certain clients over and over.

todd

On Sat, 04 Dec 2004 08:07:37 -0500, Silvan wrote:
Dave Hinz wrote:

updates, needs to go fix that. If you're reading this and have that
uneasy feeling that it might be you, please take care of it.

Hrm.
KMail: 1.7
KNode: 0.8.0

I knew it wasn't you, Silvan!

I'm clean.

Indeed. I'm more gnomish most weeks, but yeah, it's not either of us,
that much is clear.

Dave

On Sat, 4 Dec 2004 08:01:52 -0600, Todd Fatheree wrote:
"Doug Miller" wrote in message news:XXhsd.1828 Is
this the result of harvesting on the wreck or of infection?

Infection. And probably *not* in Steve's computer, either. The most likely
source is some third person who has both you and Steve in his Outlook
address
book, and is infected by a virus that forges From: headers.

This must be a difficult concept to grasp, as I have to have the above
conversation with certain clients over and over.

It apparently is. Our first-level helldesk people _still_ don't get it,
despite having been told this, over and over and over and over, for years.
"...then we scanned (Joe's) system and it had no virus, so we're confused
and escalating it to the virus team". Again. and again. and again.

The global statement "A virus is never from who it claims to be from"
is true enough that exceptions would be, well, exceptional.

Dave Hinz

Todd Fatheree wrote:

"Doug Miller" wrote in message news:XXhsd.1828 Is
this the result of harvesting on the wreck or of infection?

The most
likely source is some third person who has both you and Steve in his
Outlook address
book, and is infected by a virus that forges From: headers.

This must be a difficult concept to grasp, as I have to have the above
conversation with certain clients over and over.


I've got one I'm having difficulty with :-).

I recently switched ISPs to one where my email address is xxx.intergate.xxx.
I started getting spam almost immediately, most of it addressed to
xxx.qaccess.xxx. Turns out one is an alias of the other.

But the qaccess address has never been used anywhere. I didn't even know it
existed.

How did the spammers get it?

BTW, it's easy for me to filter out anything with qaccess in the headers, so
the problem is more one of curiosity.

--
Homo sapiens is a goal, not a description.

On Sat, 04 Dec 2004 12:20:07 GMT, Doug Miller wrote:
Infection. And probably *not* in Steve's computer, either. The most
likely source is some third person who has both you and Steve in his Outlook
address book, and is infected by a virus that forges From: headers.

Dave Hinz schreef
Note to self: before posting responses, check to see if anyone else has
written essentially the same thing. Again.

***
Thanks. Assuming that the virus makes random combinations it is quite
possible that Steve got one with my address? Just great.
PvR

"Larry Blanchard" wrote in message

I recently switched ISPs to one where my email address is
xxx.intergate.xxx.
I started getting spam almost immediately, most of it addressed to
xxx.qaccess.xxx. Turns out one is an alias of the other.

But the qaccess address has never been used anywhere. I didn't even know
it
existed.

How did the spammers get it?

Might want to go here and do some reading, particularly the section on
"envelope headers":

http://www.stopspam.org/email/headers.html

--
www.e-woodshop.net
Last update: 11/06/04

Infection. And probably *not* in Steve's computer, either. The most likely
source is some third person who has both you and Steve in his Outlook address
book, and is infected by a virus that forges From: headers.

nope not mine. between spamcop and not opening attachments and AVG I am pretty
secure. but since I don't mung my email I am all over (G)

--
Knight-Toolworks & Custom Planes
Custom made wooden planes at reasonable prices
See http://www.knight-toolworks.com For prices and ordering instructions.

Thanks. Assuming that the virus makes random combinations it is quite
possible that Steve got one with my address? Just great.
PvR

not yet anyway (G)

--
Knight-Toolworks & Custom Planes
Custom made wooden planes at reasonable prices
See http://www.knight-toolworks.com For prices and ordering instructions.

On 4 Dec 2004 12:48:54 GMT, Dave Hinz wrote:


By the way, there's a free antivirus program which is excellent, at
http://www.grisoft.com/ - it gets the same virus definitions that
the Norton/Macafee folks do, but for personal use it's free. If
you're going to choose to run windows, there's no excuse not to use
a good antivirus program.

good program I bought it and replaced norton.
hell I have so few addresses in outlook they would have limited ammo (G)

--
Knight-Toolworks & Custom Planes
Custom made wooden planes at reasonable prices
See http://www.knight-toolworks.com For prices and ordering instructions.

"Dave Hinz" wrote in message
...
On Sat, 4 Dec 2004 08:01:52 -0600, Todd Fatheree wrote:
"Doug Miller" wrote in message news:XXhsd.1828
Is
this the result of harvesting on the wreck or of infection?

Infection. And probably *not* in Steve's computer, either. The most
likely
source is some third person who has both you and Steve in his Outlook
address
book, and is infected by a virus that forges From: headers.

This must be a difficult concept to grasp, as I have to have the above
conversation with certain clients over and over.

It apparently is. Our first-level helldesk people _still_ don't get it,
despite having been told this, over and over and over and over, for years.
"...then we scanned (Joe's) system and it had no virus, so we're confused
and escalating it to the virus team". Again. and again. and again.

The global statement "A virus is never from who it claims to be from"
is true enough that exceptions would be, well, exceptional.

Dave Hinz

Add to the the dumba^H^H^H^H^Hfools who still configure their corporate
email virus scanners to send out the "you sent us an infected attachment"
replies. If everyone would just stop that, it would seriously limit the
number of times I have this conversation.

todd

Larry Blanchard wrote:

Todd Fatheree wrote:

"Doug Miller" wrote in message news:XXhsd.1828 Is
this the result of harvesting on the wreck or of infection?

The most
likely source is some third person who has both you and Steve in his
Outlook address
book, and is infected by a virus that forges From: headers.

This must be a difficult concept to grasp, as I have to have the above
conversation with certain clients over and over.


I've got one I'm having difficulty with :-).

I recently switched ISPs to one where my email address is
xxx.intergate.xxx. I started getting spam almost immediately, most of it
addressed to
xxx.qaccess.xxx. Turns out one is an alias of the other.

But the qaccess address has never been used anywhere. I didn't even know
it existed.

How did the spammers get it?

Random generation. Once in a while I get SPAM that is addressed to
, ,
, ,
, ,
. . .

Generally they'll prune the ones that bounce.

BTW, it's easy for me to filter out anything with qaccess in the headers,
so the problem is more one of curiosity.


--
--John
Reply to jclarke at ae tee tee global dot net
(was jclarke at eye bee em dot net)

On Sat, 04 Dec 2004 18:57:04 GMT, Steve Knight
wrote:

On 4 Dec 2004 12:48:54 GMT, Dave Hinz wrote:


By the way, there's a free antivirus program which is excellent, at
http://www.grisoft.com/ - it gets the same virus definitions that
the Norton/Macafee folks do, but for personal use it's free. If
you're going to choose to run windows, there's no excuse not to use
a good antivirus program.

good program I bought it and replaced norton.
hell I have so few addresses in outlook they would have limited ammo (G)


nuking outlook is high on the list of things I do in a windows
installation....

nuking outlook is high on the list of things I do in a windows
installation....

I am stuck with it. I used to use agent for email but I needed more. I had
outlook xp and it did what I needed. but I tried eudora and it never worked
right. though most of the time it could not import email from outlook like I
needed. I have three years worth of emails that would need to move.
outlook xp will not let you open several kinds of attachments. that's good for
virus control but bad of someone emails you a .exe file you need.

--
Knight-Toolworks & Custom Planes
Custom made wooden planes at reasonable prices
See http://www.knight-toolworks.com For prices and ordering instructions.

On Sun, 05 Dec 2004 01:41:00 GMT, Steve Knight
wrote:



nuking outlook is high on the list of things I do in a windows
installation....

I am stuck with it. I used to use agent for email but I needed more. I had
outlook xp and it did what I needed. but I tried eudora and it never worked
right. though most of the time it could not import email from outlook like I
needed. I have three years worth of emails that would need to move.
outlook xp will not let you open several kinds of attachments. that's good for
virus control but bad of someone emails you a .exe file you need.

Take another look at Eudora. I just set someone up on Eudora 6 to get
them away from a marginally functional OE setup. It imported all their
messages, mailboxes and addresses just fine. I won't guarantee it, but
the import function has gotten a lot better in the last release or
two.

Tim Douglass

http://www.DouglassClan.com

On Sat, 04 Dec 2004 21:45:33 -0800, Tim Douglass
wrote:


Take another look at Eudora. I just set someone up on Eudora 6 to get
them away from a marginally functional OE setup. It imported all their
messages, mailboxes and addresses just fine. I won't guarantee it, but
the import function has gotten a lot better in the last release or
two.

Most of my 170 staff were using Eudora but during the past 3-4 months
we have been slowly migrating to Thunderbird: it is a more up-to-date
interface. For example, it provides message threading.

Take another look at Eudora. I just set someone up on Eudora 6 to get
them away from a marginally functional OE setup. It imported all their
messages, mailboxes and addresses just fine. I won't guarantee it, but
the import function has gotten a lot better in the last release or
two.

I think I tried it and found a bug that really caused a hassle. it was one of
the boxes I wanted left blank and it would not let me. no matter what number I
entered it was not right even though I used the rule it said was right. and I
could not get it past that point. it was the same on my wife's computer and
mine.

--
Knight-Toolworks & Custom Planes
Custom made wooden planes at reasonable prices
See http://www.knight-toolworks.com For prices and ordering instructions.

look into thunderbird from Mozilla

Steve Knight wrote:


Take another look at Eudora. I just set someone up on Eudora 6 to get
them away from a marginally functional OE setup. It imported all their
messages, mailboxes and addresses just fine. I won't guarantee it, but
the import function has gotten a lot better in the last release or
two.

I think I tried it and found a bug that really caused a hassle. it was one
of the boxes I wanted left blank and it would not let me. no matter what
number I entered it was not right even though I used the rule it said was
right. and I could not get it past that point. it was the same on my
wife's computer and mine.

Andy Dingley wrote:
And the second most likely source is something that posts spam with
to-from addresses based on threading from Useent .

Wow. Do you know if they do that, yet? That's brilliant, if they do.

In article ,
Brett A. Thomas wrote:
Andy Dingley wrote:
And the second most likely source is something that posts spam with
to-from addresses based on threading from Useent .

Wow. Do you know if they do that, yet? That's brilliant, if they do.

*lots* of virus-type stuff grabs 'random' addresses from anywhere it can find
it on the HD of the local computer -- address-books, saved e-mail messages,
saved USENET articles, 'temporary' (cached) web-page copies, etc., etc.,
ad naseum. Literally -anything- that looks like : {foo}@{domain}.{standard-TLD}
is fair game.

There is a bunch of other stuff that specifically targetts addresses that have
been 'harvested' from USENET newsgroup postings. I see, literally, _doesns_
of attempts per day to the 'from' address on this posting. My psychic mail-
server, however, lets only those messages that are a 'reply' to the article
get through.

I havn't seen anything _to_ that address that had a forged sender that was
a real address, let alone a forged sender that was an 'in use' address for
postings to USENET.

Love the message threading but I'm missing the right click "open in new
tab" from Netscape. Any way to get that operational?

bob g.

GregP wrote:

On Sat, 04 Dec 2004 21:45:33 -0800, Tim Douglass
wrote:


Take another look at Eudora. I just set someone up on Eudora 6 to get
them away from a marginally functional OE setup. It imported all their
messages, mailboxes and addresses just fine. I won't guarantee it, but
the import function has gotten a lot better in the last release or
two.


Most of my 170 staff were using Eudora but during the past 3-4 months
we have been slowly migrating to Thunderbird: it is a more up-to-date
interface. For example, it provides message threading.

On Mon, 06 Dec 2004 10:02:28 -0800, "Brett A. Thomas"
wrote:

Do you know if they do that, yet?

Yes - I only talk about the well-known stuff, not the "exciting new
ideas in spam delivery" (as a recent flier flogging spam services put
it). There are ideas being offered for sale that the spammers aren't
even using yet.

Much of the really annoying spam these days comes from botnets of
0wn3d home-PCs, not from a few huge spamboilers in server bunkers.
Rather than the old way of large traded lists of target emails, many
of these bots are simply told "send some spam" and left to choose
their own targets - this is why you'll often receive many copies of
the same spam. Client-side spam targetting can be from a list the
'bot was given, or snooped from a local addressbook. If the client
runs OE for Usenet too, they're wide open for hosting a "thread
attack" like this.

--
Smert' spamionam