healeys

RE: Notice: **Last Warning** ((POSSOBLE VIRUS))

To: "Rohan Marr" <rohanmarr@mac.com>,
Subject: RE: Notice: **Last Warning** ((POSSOBLE VIRUS))
From: "Joe Farley" <joe@farley.net>
Date: Thu, 9 Jun 2005 15:10:48 -0700
-----Original Message-----
From: owner-healeys@autox.team.net
[mailto:owner-healeys@autox.team.net]On Behalf Of Rohan Marr
Sent: Thursday, June 09, 2005 10:25 AM
To: Austin Healey List List
Subject: Re: Notice: **Last Warning** ((POSSOBLE VIRUS))


> My concern here is that everyone on the list has been sent this,
> which means the list of members has been accessed.

[ The "Entire List" has not received it.  I have two subscriptions
and only one received the email.  Interestingly it is the account
that I use to post to the list.  The other is my google mail account
which I use just to archive list emails and never post from.

This tells me the server has probably not been hacked (at least not
the subscriber list).

OTOH....  It is a fairly trivial task to search thru the archives
for the list and collect email addresses from the archived posts.
And that approach would yield a list of everyone that has ever
"Posted" to the list.

Also the email that was sent with the .zip file attached did not
originate from the list server per se.  The source and reply addresses
in the header have been spoofed (e.g. forged) ]


> What I would like to hear from the admin is if he has been hacked since
> this person clearly has access to the list of email addresses of all
> members. OR more likely, the listserver has been hacked and they have
> bypassed the setting to delete attachments.

[ Not likely ]


This is probably the culprit by looking at the headers:
(c-24-12-147-227.hsd1.il.comcast.net [24.12.147.227])

Received: from autox.team.net
     (c-24-12-147-227.hsd1.il.comcast.net [24.12.147.227])
     by autox.team.net (8.13.3/8.13.3) with ESMTP id j59DFXQL003338
     for <healeys-qwerty@autox.team.net>; Thu, 09 Jun 2005 07:15:33 -0600

So if you wanted to ID the person you need to send a complaint to:
   OrgAbuseName:   Network Abuse and Policy Observance
   OrgAbusePhone:  1-856-317-7272
   OrgAbuseEmail:  abuse@comcast.net

They can match the timestamp with their records - if they can be
bothered. We need to hear from the admin if that IP is a registered
user or has legitimate access to the machine.

[ (c-24-12-147-227.hsd1.il.comcast.net [24.12.147.227]) is just a
mail server for Comcast in Chicago, not the originator of the email.

In fact it may not even be the first email server that was used to
forward the message.

Joe ]



*******************************
Rohan Marr
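
The Received line quoted in this thread, parsed as an added example (not part of the original messages). In a sendmail-style Received line the first name after "from" is whatever the connecting client announced in HELO/EHLO, while the name and IP in parentheses are what the receiving server itself recorded; the function names and finding labels below are hypothetical.

```python
import re

# Received value as quoted in the thread, unfolded onto one line.
SAMPLE = (
    "from autox.team.net (c-24-12-147-227.hsd1.il.comcast.net [24.12.147.227]) "
    "by autox.team.net (8.13.3/8.13.3) with ESMTP id j59DFXQL003338 "
    "for <healeys-qwerty@autox.team.net>; Thu, 09 Jun 2005 07:15:33 -0600"
)

# "from <helo> (<rdns> [<ip>]) by <receiver>"; the rDNS name is optional
# because servers record only "[ip]" when the reverse lookup fails.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return helo/rdns/ip/by from a sendmail-style Received value, or None."""
    unfolded = " ".join(value.split())  # undo header folding
    match = RECEIVED_RE.search(unfolded)
    if match is None:
        return None
    return {k: (v.lower() if v else None) for k, v in match.groupdict().items()}


def helo_findings(hop):
    """Compare the client-supplied HELO name with what the server observed."""
    findings = []
    if hop["helo"] == hop["by"] and hop["rdns"] != hop["by"]:
        # Client announced itself under the receiving server's own name.
        findings.append("helo-impersonates-receiver")
    elif hop["rdns"] is None:
        findings.append("no-reverse-dns")
    elif hop["helo"] != hop["rdns"]:
        findings.append("helo-rdns-mismatch")
    return findings


if __name__ == "__main__":
    hop = parse_received(SAMPLE)
    print(hop, helo_findings(hop))
```

Only the Received line added by a server you control can be relied on this way; lines below it in the header were supplied by the sender and may be forged.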



