[FoRK] Beberg and viruses

Kragen Sitaker kragen at pobox.com
Wed Jul 14 08:37:06 PDT 2004


Rob Harley writes:
> >[FoRK] Fax Message Received
> >[FoRK] Re: Thanks :)
> >[FoRK] Re: Thank you!
> >[FoRK] Re: Yahoo!
> >[FoRK] Re: Incoming Message
> 
> Ueber-geek, cure thyself!

I'm no Beberg fan, but note that the virus mails all say things like
this:

Received: from s29.com (unknown [202.57.86.2])
        by xent.com (Postfix) with SMTP id A5D6215DC4BA
        for <fork at xent.com>; Sun, 11 Jul 2004 00:01:44 -0700 (PDT)

Sometimes they say s29.org or s29.net.

While actual Beberg mails say things like this:

Received: from conn.mc.mpls.visi.com (conn.mc.mpls.visi.com [208.42.156.2])
        by xent.com (Postfix) with ESMTP id 4DBE215DC5B1
        for <fork at xent.com>; Fri,  9 Jul 2004 01:08:24 -0700 (PDT)
Received: from [192.168.0.43] (unknown [208.42.91.51])
        (using TLSv1 with cipher RC4-SHA (128/128 bits))
        (No client certificate requested)
        by conn.mc.mpls.visi.com (Postfix) with ESMTP id 0C05A8BCD
        for <fork at xent.com>; Fri,  9 Jul 2004 03:08:32 -0500 (CDT)

So there is no reason to believe Beberg is infected with the virus
that keeps spamming the list in his name.  It's the fault of the virus
author, the xent-janITors and/or the list recipients that we keep
receiving the mail.

Full-text-mailbox-search-fu tells me that this same IP address has
forged virus mail from JoeBar to me directly.  Sadly I do not have any
legitimate email on hand containing that IP address (I only have mail
back to April 12 with me at the moment --- that's 150MB), so I cannot
identify the actual culprit.  Maybe I should check my caughtspam
folder.

A really clever virus might use existing sender-recipient pairs to
propagate itself, then take note of which particular pairs were most
effective at propagation.  Sadly, it appears that we are now
contending with Really Clever Viruses in the real world.  Witty was
pretty scary, and it's only going to get worse from here.
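
The header comparison made in this message, as an added example that is not part of the original post: it parses the Received headers quoted above and checks the hop stamped by xent.com against the relay seen in the genuine mail. The function names and the KNOWN_RELAYS baseline are assumptions made for illustration.

```python
import re
from email.parser import HeaderParser

# Received headers copied from the message above (addresses obfuscated as on the page).
VIRUS_MAIL = """Received: from s29.com (unknown [202.57.86.2])
        by xent.com (Postfix) with SMTP id A5D6215DC4BA
        for <fork at xent.com>; Sun, 11 Jul 2004 00:01:44 -0700 (PDT)
"""
REAL_MAIL = """Received: from conn.mc.mpls.visi.com (conn.mc.mpls.visi.com [208.42.156.2])
        by xent.com (Postfix) with ESMTP id 4DBE215DC5B1
        for <fork at xent.com>; Fri,  9 Jul 2004 01:08:24 -0700 (PDT)
Received: from [192.168.0.43] (unknown [208.42.91.51])
        (using TLSv1 with cipher RC4-SHA (128/128 bits))
        (No client certificate requested)
        by conn.mc.mpls.visi.com (Postfix) with ESMTP id 0C05A8BCD
        for <fork at xent.com>; Fri,  9 Jul 2004 03:08:32 -0500 (CDT)
"""
# Assumed baseline: relay IPs observed in mail known to be genuine.
KNOWN_RELAYS = {"208.42.156.2"}

# Postfix writes: from <HELO name> (<verified rDNS or "unknown"> [<client IP>]) ... by <server>
HOP = re.compile(r"from (\S+) \((\S+) \[([^\]]+)\]\).*? by (\S+)")

def hops(raw_headers):
    """Return the Received hops, newest first, as dicts."""
    msg = HeaderParser().parsestr(raw_headers)
    found = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            found.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return found

def handoff(raw_headers, our_mta="xent.com"):
    """The hop stamped by our own MTA; earlier hops are sender-supplied text."""
    for hop in hops(raw_headers):
        if hop["by"] == our_mta:
            return hop
    return None

def assess(raw_headers, known_relays=KNOWN_RELAYS):
    hop = handoff(raw_headers)
    if hop is None:
        return "no trusted hop"
    if hop["ip"] in known_relays:
        return "expected relay"
    # HELO is chosen by the client; "unknown" means Postfix verified no hostname for the IP.
    return "unexpected origin %s (HELO %s, rDNS %s)" % (hop["ip"], hop["helo"], hop["rdns"])
```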


