[aclug-L] Re: WeatherLab virus

[Clint Brubakken <cabrubak@xxxxxxx>]

You sure? Then how comes your email come showing up as spam :) (It
actually looks like a bad mime implementation from outlook express and
the fact your mail host is in the RBL)



On Thu, 2002-11-14 at 13:07, David Carmichael wrote:
> Jonathan -
> 
> Some where my statement is being taken out of context.
> 
> What I said was ""..... .. since most everybody that I use to
> email  .....""
> 
> I did not say ""..... "most everyone" .....""
> 
> Since "I" personally did not send email to 22,000 of their customers.
> 
> --David
> 
> 
> ----- Original Message -----
> From: "Jonathan Hall" <flimzy@xxxxxxxxxx>
> To: <discussion@xxxxxxxxx>
> Sent: Thursday, November 14, 2002 12:22 PM
> Subject: [aclug-L] Re: WeatherLab virus
> 
> 
> >
> > When you have 22,000+ customers to begin with, "most everyone" leaving
> still
> > leaves the possibility for several thousand people to continue using their
> > southwind.net addresses.
> >
> > Even so, I'm not sure how accurate it is to say that "most everyone" has
> > left.  Most geeks probably have... but most SouthWind customers aren't
> > geeks, and don't really care where their bill comes from.  If they can
> still
> > get online and check their mail, most are happy (enough) to stay with
> > SouthWind/OneMain/Earthlink.
> >
> > -- Jonathan
> >
> >
> > ----- Original Message -----
> > From: "David Carmichael" <dec2955@xxxxxxxxxx>
> > To: <discussion@xxxxxxxxx>
> > Sent: Thursday, November 14, 2002 10:56 AM
> > Subject: [aclug-L] Re: WeatherLab virus
> >
> >
> > >
> > > Arnold -
> > >
> > > Thanks for the input.. as I did not know that the "Southwind.net" email
> > > address was still a good address.. since most everybody that I use to
> > email
> > > at "Southwind.net" has changed ISP's over the years.
> > >
> > > From a follow up email from K. White.. they [WeatherLab] got close to
> 100
> > > virus emails last night alone.
> > >
> > > FYI-1: following [at the end of the reply] is the emails header that had
> > the
> > > virus and maybe with your knowledge you can help track down the infected
> > > machine?!?
> > >
> > > FYI-2: If you really use email address of: "abcjr@xxxxxxxxx" you are in
> my
> > > spamers filter due to the fact that about four weeks ago somebody tried
> to
> > > send me a virus with your email address as the from!?!  My filter is set
> > to
> > > allow 'TO' or FROM' "@ACLUG.ORG" to pass through and gets storted to its
> > own
> > > email inbox. I thought that it was a MADE UP email address due to what
> > > seemed like random letters.
> > >
> > > FYI-3: DEC2955 = December 29th, 1955.. my birthdate..
> > >
> > > --David
> > >
> > > ----- Original Message -----
> > > From: "Arnold Cavazos Jr." <abcjr@xxxxxxxxx>
> > > To: <discussion@xxxxxxxxx>
> > > Sent: Thursday, November 14, 2002 10:18 AM
> > > Subject: [aclug-L] Re: WeatherLab virus
> > >
> > >
> > > >
> > > > David,
> > > >
> > > > You _are_ wrong,  "southwind.net" is still a valid e-mail domain:
> > > >
> > > > ***
> > > > abcjr@corp:~<--% host -t mx southwind.net
> > > > southwind.net mail is handled by 5 onemain-mx.earthlink.net.
> > > > ***
> > > >
> > > > ELNK is just not creating any more "southwind.net" e-mail accounts.
> > > >
> > > > --
> > > > Arnold B. Cavazos, Jr.                           Voice:  (316)858-3000
> > > > Director of Operations                             Fax:  (316)858-3001
> > > > Hubris Communications                        Toll-Free:  (866)267-INET
> > > > abcjr@xxxxxxxxxx   http://www.iwichita.com    http://www.dslkansas.net
> > > >
> > > >
> > > > On Thu, Nov 14, 2002 at 10:04:25AM -0600, David Carmichael wrote:
> > > > >
> > > > > Kevin -
> > > > >
> > > > > While I did not see the "Southwind" header.. I was mainly trying to
> > let
> > > you
> > > > > know that somebody was sending out / spoofing emails with WeatherLab
> > as
> > > the
> > > > > FROM.
> > > > >
> > > > > This way you are informed and might be able to help track down and
> or
> > > alert
> > > > > others of the fake emails.
> > > > >
> > > > > What is strange is.. maybe I am wrong here... but I did not even
> know
> > > that
> > > > > "Southwind" was still a good email address due to the number of
> > mergers
> > > with
> > > > > other companies over the past few years?
> > > > >
> > > > > --David
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Kevin White" <kevin@xxxxxxx>
> > > > > To: <dec2955@xxxxxxxxxx>
> > > > > Sent: Thursday, November 14, 2002 9:43 AM
> > > > > Subject: WeatherLab virus
> > > > >
> > > > >
> > > > > Hi David,
> > > > >
> > > > > I got your fax about the virus you received from the KSN WeatherLab.
> > I
> > > see
> > > > > by the headers that you didn't really receive it from the
> WeatherLab,
> > > > > however.  It came from a Southwind dial-up account in Hutchinson.
> You
> > > can
> > > > > tell by looking at the first "Received:" line (they go in order from
> > the
> > > > > "From:" up.  The first received line listed is the last place the
> > email
> > > > > routed through.
> > > > >
> > > > > This is caused by the fact that some user with Southwind received
> the
> > > virus
> > > > > through their Outlook email software.  This virus then sends the
> virus
> > > out
> > > > > AS everyone listed in their address book.  Therefore, it claims to
> > come
> > > from
> > > > > the weatherlab, but it's only using an email address it found in the
> > > > > infected users address book.
> > > > >
> > > > > Unfortunately, there is absolutely nothing we can do about it
> because
> > it
> > > > > doesn't come from or through any of our machines.  It claims that it
> > > does,
> > > > > but it doesn't.  The headers always tell the story.
> > > > >
> > > > > Kevin White
> > > > > KSN New Media Manager
> > > > > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > > > > visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
> > > --
> > > > Arnold B. Cavazos, Jr.                           Voice:  (316)858-3000
> > > > Director of Sales & Marketing                      Fax:  (316)858-3001
> > > > Hubris Communications                        Toll-Free:  (866)267-INET
> > > > abcjr@xxxxxxxxxx   http://www.iwichita.com    http://www.dslkansas.net
> > > >
> > >
> > >  Received: from vmj-ext.prodigy.net by vmj with SMTP; Wed, 13 Nov 2002
> > > 21:48:52 -0500
> > > X-Originating-IP: [64.113.192.74]
> > > Received: from ewxmail.itworks.com (te-64-113-192-74.transedge.com
> > > [64.113.192.74])
> > >  by vmj-ext.prodigy.net (8.12.3 da nor stuldap/8.12.3) with ESMTP id
> > > gAE2mdud186010;
> > >  Wed, 13 Nov 2002 21:48:40 -0500
> > > Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net
> > > [207.217.120.22]) by ewxmail.itworks.com
> > >  (Rockliffe SMTPRA 4.5.6) with ESMTP id
> <B0000558786@xxxxxxxxxxxxxxxxxxx>
> > > for <ksnewxmail@xxxxxxxxxxxxxxxx>;
> > >  Wed, 13 Nov 2002 18:15:57 -0800
> > > Received: from dialup-10-hutchinson1.southwind.net ([209.134.89.10]
> > > helo=Qxin)
> > >  by hawk.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
> > >  id 18C9YO-0003sa-00
> > >  for ksnewxmail@xxxxxxxxxxxxxxxx; Wed, 13 Nov 2002 18:16:24 -0800
> > > From: weatherlab <weatherlab@xxxxxxx>
> > > To: ksnewxmail@xxxxxxxxxxxxxxxx
> > > Subject: Japanese lass' sexy pictures
> > > MIME-Version: 1.0
> > > Content-Type: multipart/alternative;
> > >  boundary=H1K34LUTR8zZyF2W64z63T
> > > Message-Id: <E18C9YO-0003sa-00@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> > > Date: Wed, 13 Nov 2002 18:16:24 -0800
> > > Sender: ksnewxmail-request@xxxxxxxxxxxxxxxx
> > >
> > > --H1K34LUTR8zZyF2W64z63T
> > > Content-Type: text/html;
> > > Content-Transfer-Encoding: quoted-printable
> > >
> > > <HTML><HEAD></HEAD><BODY>
> > > <iframe src=3Dcid:Z99oxu0lK51N6FA height=3D0 width=3D0>
> > > </iframe>
> > > <FONT></FONT></BODY></HTML>
> > >
> > > --H1K34LUTR8zZyF2W64z63T
> > > Content-Type: plain/text;
> > >  name="Norton AntiVirus Deleted1.txt"
> > > Content-Transfer-Encoding: base64
> > > Content-ID: <Z99oxu0lK51N6FA>
> > >
> > > Tm9ydG9uIEFudGlWaXJ1cyByZW1
> > >
> > >
> > > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > > visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
> > >
> > >
> >
> > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
> >
> >
> 
> 
> -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
-- 
Clint Brubakken <cabrubak@xxxxxxx>

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi