[aclug-L] Re: WeatherLab virus

["Jonathan Hall" <flimzy@xxxxxxxxxx>]

When you have 22,000+ customers to begin with, "most everyone" leaving still
leaves the possibility for several thousand people to continue using their
southwind.net addresses.

Even so, I'm not sure how accurate it is to say that "most everyone" has
left.  Most geeks probably have... but most SouthWind customers aren't
geeks, and don't really care where their bill comes from.  If they can still
get online and check their mail, most are happy (enough) to stay with
SouthWind/OneMain/Earthlink.

-- Jonathan


----- Original Message -----
From: "David Carmichael" <dec2955@xxxxxxxxxx>
To: <discussion@xxxxxxxxx>
Sent: Thursday, November 14, 2002 10:56 AM
Subject: [aclug-L] Re: WeatherLab virus


>
> Arnold -
>
> Thanks for the input.. as I did not know that the "Southwind.net" email
> address was still a good address.. since most everybody that I use to
email
> at "Southwind.net" has changed ISP's over the years.
>
> From a follow up email from K. White.. they [WeatherLab] got close to 100
> virus emails last night alone.
>
> FYI-1: following [at the end of the reply] is the emails header that had
the
> virus and maybe with your knowledge you can help track down the infected
> machine?!?
>
> FYI-2: If you really use email address of: "abcjr@xxxxxxxxx" you are in my
> spamers filter due to the fact that about four weeks ago somebody tried to
> send me a virus with your email address as the from!?!  My filter is set
to
> allow 'TO' or FROM' "@ACLUG.ORG" to pass through and gets storted to its
own
> email inbox. I thought that it was a MADE UP email address due to what
> seemed like random letters.
>
> FYI-3: DEC2955 = December 29th, 1955.. my birthdate..
>
> --David
>
> ----- Original Message -----
> From: "Arnold Cavazos Jr." <abcjr@xxxxxxxxx>
> To: <discussion@xxxxxxxxx>
> Sent: Thursday, November 14, 2002 10:18 AM
> Subject: [aclug-L] Re: WeatherLab virus
>
>
> >
> > David,
> >
> > You _are_ wrong,  "southwind.net" is still a valid e-mail domain:
> >
> > ***
> > abcjr@corp:~<--% host -t mx southwind.net
> > southwind.net mail is handled by 5 onemain-mx.earthlink.net.
> > ***
> >
> > ELNK is just not creating any more "southwind.net" e-mail accounts.
> >
> > --
> > Arnold B. Cavazos, Jr.                           Voice:  (316)858-3000
> > Director of Operations                             Fax:  (316)858-3001
> > Hubris Communications                        Toll-Free:  (866)267-INET
> > abcjr@xxxxxxxxxx   http://www.iwichita.com    http://www.dslkansas.net
> >
> >
> > On Thu, Nov 14, 2002 at 10:04:25AM -0600, David Carmichael wrote:
> > >
> > > Kevin -
> > >
> > > While I did not see the "Southwind" header.. I was mainly trying to
let
> you
> > > know that somebody was sending out / spoofing emails with WeatherLab
as
> the
> > > FROM.
> > >
> > > This way you are informed and might be able to help track down and or
> alert
> > > others of the fake emails.
> > >
> > > What is strange is.. maybe I am wrong here... but I did not even know
> that
> > > "Southwind" was still a good email address due to the number of
mergers
> with
> > > other companies over the past few years?
> > >
> > > --David
> > >
> > > ----- Original Message -----
> > > From: "Kevin White" <kevin@xxxxxxx>
> > > To: <dec2955@xxxxxxxxxx>
> > > Sent: Thursday, November 14, 2002 9:43 AM
> > > Subject: WeatherLab virus
> > >
> > >
> > > Hi David,
> > >
> > > I got your fax about the virus you received from the KSN WeatherLab.
I
> see
> > > by the headers that you didn't really receive it from the WeatherLab,
> > > however.  It came from a Southwind dial-up account in Hutchinson.  You
> can
> > > tell by looking at the first "Received:" line (they go in order from
the
> > > "From:" up.  The first received line listed is the last place the
email
> > > routed through.
> > >
> > > This is caused by the fact that some user with Southwind received the
> virus
> > > through their Outlook email software.  This virus then sends the virus
> out
> > > AS everyone listed in their address book.  Therefore, it claims to
come
> from
> > > the weatherlab, but it's only using an email address it found in the
> > > infected users address book.
> > >
> > > Unfortunately, there is absolutely nothing we can do about it because
it
> > > doesn't come from or through any of our machines.  It claims that it
> does,
> > > but it doesn't.  The headers always tell the story.
> > >
> > > Kevin White
> > > KSN New Media Manager
> > > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > > visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
> --
> > Arnold B. Cavazos, Jr.                           Voice:  (316)858-3000
> > Director of Sales & Marketing                      Fax:  (316)858-3001
> > Hubris Communications                        Toll-Free:  (866)267-INET
> > abcjr@xxxxxxxxxx   http://www.iwichita.com    http://www.dslkansas.net
> >
>
>  Received: from vmj-ext.prodigy.net by vmj with SMTP; Wed, 13 Nov 2002
> 21:48:52 -0500
> X-Originating-IP: [64.113.192.74]
> Received: from ewxmail.itworks.com (te-64-113-192-74.transedge.com
> [64.113.192.74])
>  by vmj-ext.prodigy.net (8.12.3 da nor stuldap/8.12.3) with ESMTP id
> gAE2mdud186010;
>  Wed, 13 Nov 2002 21:48:40 -0500
> Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net
> [207.217.120.22]) by ewxmail.itworks.com
>  (Rockliffe SMTPRA 4.5.6) with ESMTP id <B0000558786@xxxxxxxxxxxxxxxxxxx>
> for <ksnewxmail@xxxxxxxxxxxxxxxx>;
>  Wed, 13 Nov 2002 18:15:57 -0800
> Received: from dialup-10-hutchinson1.southwind.net ([209.134.89.10]
> helo=Qxin)
>  by hawk.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
>  id 18C9YO-0003sa-00
>  for ksnewxmail@xxxxxxxxxxxxxxxx; Wed, 13 Nov 2002 18:16:24 -0800
> From: weatherlab <weatherlab@xxxxxxx>
> To: ksnewxmail@xxxxxxxxxxxxxxxx
> Subject: Japanese lass' sexy pictures
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary=H1K34LUTR8zZyF2W64z63T
> Message-Id: <E18C9YO-0003sa-00@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Date: Wed, 13 Nov 2002 18:16:24 -0800
> Sender: ksnewxmail-request@xxxxxxxxxxxxxxxx
>
> --H1K34LUTR8zZyF2W64z63T
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD></HEAD><BODY>
> <iframe src=3Dcid:Z99oxu0lK51N6FA height=3D0 width=3D0>
> </iframe>
> <FONT></FONT></BODY></HTML>
>
> --H1K34LUTR8zZyF2W64z63T
> Content-Type: plain/text;
>  name="Norton AntiVirus Deleted1.txt"
> Content-Transfer-Encoding: base64
> Content-ID: <Z99oxu0lK51N6FA>
>
> Tm9ydG9uIEFudGlWaXJ1cyByZW1
>
>
> -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
>
>

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi