From: Terry Lambert
Date: Wed, 20 Aug 2003 01:56:13 -0700
To: Bill Moran
cc: current@freebsd.org
Subject: Re: Regarding recent spam on the list

Bill Moran wrote:
> Just curious if anyone knows the origin of all these auto-responses, etc.
>
> I'm seeing a lot of these on every list I'm subscribed to (not all of them
> FreeBSD related) so I was wondering if some Windows trojan is running rampant
> and using these list addresses as return addys?
>
> Anyone know?

Yes.
There are a number of machines in the texas.gov domain that are infected with the SoBIG worm because the morons running them are too dumb to install Windows patches from 6 months ago, and to split their inbound and outbound mail servers and filter out outbound mail from forged "from" addresses with an IP address that happens to be in their netblock, but with a source domain that is not one of the domains under their immediate control.

One of these machines is 204.65.42.107, which is in the netblock subdelegated to access.texas.gov. There are about 4 others, but that one in particular has someone who is subscribed to the FreeBSD mailing lists.

Be warned that if you post to these mailing lists at all, the user on that machine subscribed to the list will end up using *your* email address; it will be used to forge outbound email to other people by the worm.

Most people who build out email infrastructure have no idea of what they are doing.

On the plus side, whoever is running that frigging machine is liable under California law for a fine of $10,000 and up to 3 years in jail, since forging a "from" address belonging to someone else is now a felony in California.

-- Terry
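
The outbound filter described in the message above, sketched as an added example that is not part of the original post: mail submitted from an address inside the site's own netblock is relayed only if its envelope sender is in a domain the site controls. The netblock, domain names, verdict strings and sample records are constructed assumptions, as is the choice to treat subdomains of a controlled domain as controlled.

```python
import ipaddress
from typing import Optional

# Constructed policy values (assumptions, not taken from the post).
LOCAL_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]
OWNED_DOMAINS = {"agency.example"}


def sender_domain(mail_from: str) -> Optional[str]:
    """Domain of an SMTP envelope sender: "" for the null sender <>,
    None when the address is not of the form local@domain."""
    addr = mail_from.strip().strip("<>")
    if addr == "":
        return ""
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_owned(domain: str) -> bool:
    # Assumption: subdomains of a controlled domain count as controlled.
    return any(domain == d or domain.endswith("." + d) for d in OWNED_DOMAINS)


def egress_verdict(client_ip: str, mail_from: str) -> str:
    """Decide what the outbound relay does with one MAIL FROM."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in LOCAL_NETBLOCKS):
        return "not-local"  # belongs on the separate inbound servers
    domain = sender_domain(mail_from)
    if domain is None:
        return "reject-malformed"
    if domain == "":
        return "allow-null-sender"  # bounce messages legitimately use <>
    return "allow" if is_owned(domain) else "reject-forged"


# Constructed sample of outbound SMTP transactions: (client IP, MAIL FROM).
SAMPLE = [
    ("192.0.2.17", "<alice@agency.example>"),
    ("192.0.2.107", "<poster@lists.example.org>"),  # infected host, forged sender
    ("192.0.2.107", "<>"),
    ("192.0.2.21", "<x@evil-agency.example>"),  # look-alike, not a subdomain
    ("198.51.100.9", "<bob@elsewhere.example>"),
]


def audit(records):
    """Return the records the egress filter would refuse to relay."""
    return [r for r in records if egress_verdict(*r).startswith("reject")]
```

Repeated `reject-forged` verdicts from one internal address are also a cheap signal that the host is infected and needs cleaning.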