Ping IP number 213.84.28.220 (xs4all.nl)

Gabriele Neukam

To the owner of the broadband-connected computer with said IP number
213.84.28.220:

Obviously, you are reading this newsgroup. Since September 1st, I have
been receiving worm mails and bounces (when your machine has forged my
address into the From: field), by now more than half a hundred infected
mails.

Please clean this NetSky.P off your machine.

I can prove that you are reading this group. One of the mails today
forged the mail address of Art Kopp, who gives others advice about how
to get rid of viruses; he himself never has anything like this. But the
worm put his address into the From: field.


This is the header of the infected mail:

----- Header -----
Return-Path: <[email protected]>
Received: from t-online.de ([213.84.28.220]) by mailin00.sul.t-online.de
    with esmtp id 1C7dpf-1D3Weu0; Wed, 15 Sep 2004 19:44:39 +0200
From: (e-mail address removed)
To: (e-mail address removed)
Subject: Re: Secure delivery
Date: Wed, 15 Sep 2004 19:44:53 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-TOI-SPAM: u;0;2004-09-15T17:44:50Z
X-TOI-MSGID: e1f718f6-9668-4671-9d5d-a119b44d1f70
X-Seen: true
X-Mailer: T-Online eMail 4.111
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
----- End of Header -----

And this is the rest:

This is a multi-part message in MIME format.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit


Partial message is available.



------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
name="msg.txt
..scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="msg.txt
..scr"


And then the worm begins.


DO SOMETHING ABOUT IT!


Gabriele Neukam

(e-mail address removed)
 
Theo

DO SOMETHING ABOUT IT!

The address could have been harvested. Mine was when Swen was released, and
I got emails and bounces both. I have a voodoo doll all ready for its
creator. I just need something personal of his. :p
 
Gabriele Neukam

On that special day, Theo, ([email protected]) said...
The address could have been harvested. Mine was when Swen was released, and
I got emails and bounces both. I have a voodoo doll all ready for its
creator. I just need something personal of his. :p

Believe me, the mails are *coming* from this IP; I *can* read the
headers correctly. It isn't the HELO that I am talking about, but the
thingy in square brackets. Look at the header that I quoted.


Other examples:

Return-Path: <[email protected]>
Received: from t-online.de ([213.84.28.220]) by mailin01.sul.t-online.de
    with esmtp id 1C8EKP-04Ro3M0; Fri, 17 Sep 2004 10:42:49 +0200
From: (e-mail address removed)
To: (e-mail address removed)
Subject: Mail Delivery (failure (e-mail address removed))
Date: Fri, 17 Sep 2004 10:43:13 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-TOI-SPAM: u;0;2004-09-17T08:42:54Z
X-TOI-MSGID: 90785fbb-b64a-4f6b-9f36-723af618fcea
X-Seen: true
X-Mailer: T-Online eMail 4.111
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
-----
Return-Path: <[email protected]>
Received: from t-online.de ([213.84.28.220]) by mailin01.sul.t-online.de
    with esmtp id 1C8EKa-05h4nQ0; Fri, 17 Sep 2004 10:43:00 +0200
From: (e-mail address removed)
To: (e-mail address removed)
Subject: Re: Protected Mail System
Date: Fri, 17 Sep 2004 10:43:24 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-TOI-SPAM: u;0;2004-09-17T08:43:15Z
X-TOI-MSGID: 113e94c3-afb0-4a11-9172-fdaa76597def
X-Seen: true
X-Mailer: T-Online eMail 4.111
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
-----
Return-Path: <[email protected]>
Received: from t-online.de ([213.84.28.220]) by mailin06.sul.t-online.de
    with esmtp id 1C827W-1nMFxw0; Thu, 16 Sep 2004 21:40:42 +0200
From: (e-mail address removed)
To: (e-mail address removed)
Subject: Mail Delivery (failure (e-mail address removed))
Date: Thu, 16 Sep 2004 21:41:04 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-TOI-SPAM: u;0;2004-09-16T19:41:28Z
X-TOI-MSGID: 3f9bfc7c-973f-40e1-b369-2d5e564a14b6
X-Seen: true
X-Mailer: T-Online eMail 4.111
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
-----
Return-Path: <[email protected]>
Received: from t-online.de ([213.84.28.220]) by mailin00.sul.t-online.de
    with esmtp id 1C826N-1BzFs80; Thu, 16 Sep 2004 21:39:31 +0200
From: (e-mail address removed)
To: (e-mail address removed)
Subject: Re: Failure
Date: Thu, 16 Sep 2004 21:39:54 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-TOI-SPAM: u;0;2004-09-16T19:40:11Z
X-TOI-MSGID: 82c0bfa4-fef3-466c-8196-953d82f914d5
X-Seen: true
X-Mailer: T-Online eMail 4.111
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
-----


And this same IP has been sending NetSky.P since September first, which
means the owner of this machine is connected to a broadband service
with a static IP.

As you can see, today I found four more NetSkies in my mailbox, plus one
bounce where my address had been forged into the "From:" line of the
header.

And XS4ALL does NOTHING.


Gabriele Neukam

(e-mail address removed)
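The two things the posts above do by hand, as an added example that is not part of the thread and not the poster's code: take the peer address out of the Received line written by the receiving provider's own MTA (the address in square brackets, which that server records from the TCP connection, as opposed to the HELO name in front of it, which the sender chooses freely), and flag the attachment whose name hides a .scr behind "msg.txt" and a run of padding spaces. The message is reconstructed from the headers quoted in the first post; the sender and recipient addresses, the base64 payload and the exact amount of whitespace inside the attachment name are assumptions (the quoted header only shows the name wrapped over two lines). The trusted-host suffix ".t-online.de" is taken from the quoted "by" hosts.

```python
import os
import re
from email import message_from_string

# Constructed sample, assembled from the headers quoted in the thread. The
# From/To addresses, the base64 payload ("AAAA") and the exact run of spaces
# inside the attachment name are assumptions; this is not the worm.
SAMPLE = """\
Return-Path: <sender@example.invalid>
Received: from t-online.de ([213.84.28.220]) by mailin00.sul.t-online.de
 with esmtp id 1C7dpf-1D3Weu0; Wed, 15 Sep 2004 19:44:39 +0200
From: sender@example.invalid
To: victim@example.invalid
Subject: Re: Secure delivery
Date: Wed, 15 Sep 2004 19:44:53 +0200
MIME-Version: 1.0
X-Mailer: T-Online eMail 4.111
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0016----=_NextPart_000_0016"

This is a multi-part message in MIME format.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
 charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Partial message is available.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
 name="msg.txt                                    .scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="msg.txt                                    .scr"

AAAA
------=_NextPart_000_0016----=_NextPart_000_0016--
"""

# "from <HELO name> (<optional rDNS> [<peer IP>]) by <receiving host>".
# The HELO name is whatever the client announced; the bracketed address is
# what the receiving MTA saw on the socket. IPv4 only ([IPv6:...] not handled).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:[^()\s]+\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd"}


def parse_received(header):
    """Split one Received header into HELO name, peer IP and receiving host."""
    text = " ".join(header.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    return m.groupdict() if m else None


def border_hop(msg, trusted_suffix):
    """Walk the Received chain top-down (newest first) and return the last hop
    written by one of our own MTAs. Every Received line below that came in over
    the wire from the sender and may be forged; lines we cannot parse are
    treated as untrusted too."""
    border = None
    for hdr in msg.get_all("Received", []):
        hop = parse_received(hdr)
        if hop is None or not hop["by"].lower().endswith(trusted_suffix):
            break
        border = hop
    return border


def classify_attachment(filename):
    """'clean', 'executable' or 'disguised-executable': the visible part of the
    name ends in .txt while padding spaces push the real .scr out of sight."""
    name = filename.rstrip()
    if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
        return "clean"
    visible = re.split(r"\s{2,}", name, maxsplit=1)[0]
    hidden = visible != name and os.path.splitext(visible)[1].lower() not in EXECUTABLE_EXTS
    return "disguised-executable" if hidden else "executable"


def attachment_names(msg):
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def triage(raw, trusted_suffix=".t-online.de"):
    """Return the facts a complaint to the sending ISP should cite."""
    msg = message_from_string(raw)
    hop = border_hop(msg, trusted_suffix) or {}
    return {
        "helo": hop.get("helo"),
        "ip": hop.get("ip"),
        "attachments": [(n, classify_attachment(n)) for n in attachment_names(msg)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run as is, it reports the HELO name "t-online.de" (which the worm picked to look like the receiving provider), the connecting address 213.84.28.220, and the attachment as a disguised executable. The trusted-suffix walk matters when a sender prepends its own fake Received lines: they sit below the provider's line and are ignored, so the IP reported is always the one the provider's MTA recorded.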
 
MickityMizack

Gabriele Neukam said:
 
Peter Seiler

MickityMizack - 19.09.2004 04:57:

[120 unnecessary quoting lines snipped!]

Please, what is the meaning/contribution/substance of your posting?
 
Gabriele Neukam

On that special day, Peter Seiler, ([email protected]) said...
MickityMizack - 19.09.2004 04:57:

[120 unnecessary quoting lines snipped!]

Please, what is the meaning/contribution/substance of your posting?

(sigh) He probably wanted to try out his newsreader without knowing how
to handle it. I've seen such things happen more often in the last two
weeks, especially in the Microsoft Windows-related newsgroups.


Gabriele Neukam

(e-mail address removed)
 