[aclug-L] Re: WeatherLab virus

[David Carmichael <dec2955@xxxxxxxxxx>]

Arnold -

Thanks for the input.. as I did not know that the "Southwind.net" email
address was still a good address.. since most everybody that I use to email
at "Southwind.net" has changed ISP's over the years.

From a follow up email from K. White.. they [WeatherLab] got close to 100
virus emails last night alone.

FYI-1: following [at the end of the reply] is the emails header that had the
virus and maybe with your knowledge you can help track down the infected
machine?!?

FYI-2: If you really use email address of: "abcjr@xxxxxxxxx" you are in my
spamers filter due to the fact that about four weeks ago somebody tried to
send me a virus with your email address as the from!?!  My filter is set to
allow 'TO' or FROM' "@ACLUG.ORG" to pass through and gets storted to its own
email inbox. I thought that it was a MADE UP email address due to what
seemed like random letters.

FYI-3: DEC2955 = December 29th, 1955.. my birthdate..

--David

----- Original Message -----
From: "Arnold Cavazos Jr." <abcjr@xxxxxxxxx>
To: <discussion@xxxxxxxxx>
Sent: Thursday, November 14, 2002 10:18 AM
Subject: [aclug-L] Re: WeatherLab virus


>
> David,
>
> You _are_ wrong,  "southwind.net" is still a valid e-mail domain:
>
> ***
> abcjr@corp:~<--% host -t mx southwind.net
> southwind.net mail is handled by 5 onemain-mx.earthlink.net.
> ***
>
> ELNK is just not creating any more "southwind.net" e-mail accounts.
>
> --
> Arnold B. Cavazos, Jr.                           Voice:  (316)858-3000
> Director of Operations                             Fax:  (316)858-3001
> Hubris Communications                        Toll-Free:  (866)267-INET
> abcjr@xxxxxxxxxx   http://www.iwichita.com    http://www.dslkansas.net
>
>
> On Thu, Nov 14, 2002 at 10:04:25AM -0600, David Carmichael wrote:
> >
> > Kevin -
> >
> > While I did not see the "Southwind" header.. I was mainly trying to let
you
> > know that somebody was sending out / spoofing emails with WeatherLab as
the
> > FROM.
> >
> > This way you are informed and might be able to help track down and or
alert
> > others of the fake emails.
> >
> > What is strange is.. maybe I am wrong here... but I did not even know
that
> > "Southwind" was still a good email address due to the number of mergers
with
> > other companies over the past few years?
> >
> > --David
> >
> > ----- Original Message -----
> > From: "Kevin White" <kevin@xxxxxxx>
> > To: <dec2955@xxxxxxxxxx>
> > Sent: Thursday, November 14, 2002 9:43 AM
> > Subject: WeatherLab virus
> >
> >
> > Hi David,
> >
> > I got your fax about the virus you received from the KSN WeatherLab.  I
see
> > by the headers that you didn't really receive it from the WeatherLab,
> > however.  It came from a Southwind dial-up account in Hutchinson.  You
can
> > tell by looking at the first "Received:" line (they go in order from the
> > "From:" up.  The first received line listed is the last place the email
> > routed through.
> >
> > This is caused by the fact that some user with Southwind received the
virus
> > through their Outlook email software.  This virus then sends the virus
out
> > AS everyone listed in their address book.  Therefore, it claims to come
from
> > the weatherlab, but it's only using an email address it found in the
> > infected users address book.
> >
> > Unfortunately, there is absolutely nothing we can do about it because it
> > doesn't come from or through any of our machines.  It claims that it
does,
> > but it doesn't.  The headers always tell the story.
> >
> > Kevin White
> > KSN New Media Manager
> > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
--
> Arnold B. Cavazos, Jr.                           Voice:  (316)858-3000
> Director of Sales & Marketing                      Fax:  (316)858-3001
> Hubris Communications                        Toll-Free:  (866)267-INET
> abcjr@xxxxxxxxxx   http://www.iwichita.com    http://www.dslkansas.net
>

 Received: from vmj-ext.prodigy.net by vmj with SMTP; Wed, 13 Nov 2002
21:48:52 -0500
X-Originating-IP: [64.113.192.74]
Received: from ewxmail.itworks.com (te-64-113-192-74.transedge.com
[64.113.192.74])
 by vmj-ext.prodigy.net (8.12.3 da nor stuldap/8.12.3) with ESMTP id
gAE2mdud186010;
 Wed, 13 Nov 2002 21:48:40 -0500
Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net
[207.217.120.22]) by ewxmail.itworks.com
 (Rockliffe SMTPRA 4.5.6) with ESMTP id <B0000558786@xxxxxxxxxxxxxxxxxxx>
for <ksnewxmail@xxxxxxxxxxxxxxxx>;
 Wed, 13 Nov 2002 18:15:57 -0800
Received: from dialup-10-hutchinson1.southwind.net ([209.134.89.10]
helo=Qxin)
 by hawk.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
 id 18C9YO-0003sa-00
 for ksnewxmail@xxxxxxxxxxxxxxxx; Wed, 13 Nov 2002 18:16:24 -0800
From: weatherlab <weatherlab@xxxxxxx>
To: ksnewxmail@xxxxxxxxxxxxxxxx
Subject: Japanese lass' sexy pictures
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=H1K34LUTR8zZyF2W64z63T
Message-Id: <E18C9YO-0003sa-00@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 13 Nov 2002 18:16:24 -0800
Sender: ksnewxmail-request@xxxxxxxxxxxxxxxx

--H1K34LUTR8zZyF2W64z63T
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Z99oxu0lK51N6FA height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--H1K34LUTR8zZyF2W64z63T
Content-Type: plain/text;
 name="Norton AntiVirus Deleted1.txt"
Content-Transfer-Encoding: base64
Content-ID: <Z99oxu0lK51N6FA>

Tm9ydG9uIEFudGlWaXJ1cyByZW1


-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi