[Marxism] Genuine virus situation and a kind of identity theft

Hunter Gray hunterbadbear at earthlink.net
Mon Mar 1 11:03:49 MST 2004


Note by Hunter Bear:

I apologize for taking the time and space of people -- but this may well be
useful to others.

This is a one-time post, going to all lists with which I am affiliated.
Someone, possibly in California, is using my email address to send out a
porno message named "Price List."  Susan Glisson, who very capably manages
our SNCC list, has asked Mr James True for advice.  Attached is his
response -- but before we get there, please be assured that I send no
attachments -- and certainly no viruses.  I open no attachments unless I am
certain of the Sender.  The several lists that I own and manage accept no
attachments:  Redbadbear, Marxist, SocUnity, and Lupus.  I, myself, have top
of the line Norton protection of every kind [including re outgoing e-mail].

This, now, from Mr True:

Susan, and you may post this if you think any others are interested,

A little forensics: Information, though possibly only a red herring, can be
gleaned by looking at the full message header of the "pricelist" message
sent with the attached file to the SNCC listserv. For any received message,
users can view the complete header of a message by using a button within a
received email, possibly labeled "blah, blah, blah" or "full header." Among
other things, this information shows the servers the message passed thru to
get to the recipient.

In the case of the "pricelist" message,  the header was:
______________

Status:  U
Return-Path: <sncc-admin at honors.olemiss.edu>
Received: from armadillo.honors.olemiss.edu ([130.74.178.22])
        by timothy.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP
        id 1aXC6KZq3Nl3pw0
        Sun, 29 Feb 2004 20:20:33 -0500 (EST)
Received: from armadillo.honors.olemiss.edu (IDENT:mailman at localhost [127.0.0.1])
        by armadillo.honors.olemiss.edu (8.9.3/8.9.3) with ESMTP id TAA04682;
        Sun, 29 Feb 2004 19:20:19 -0600
Received: from jordan (rrcs-central-24-123-68-37.biz.rr.com [24.123.68.37])
        by armadillo.honors.olemiss.edu (8.9.3/8.9.3) with SMTP id TAA04631
        for <sncc at honors.olemiss.edu>; Sun, 29 Feb 2004 19:18:47 -0600
From: hunterbadbear at earthlink.net
To: sncc at honors.olemiss.edu
Message-ID: <bgkyvbfymddeexqowjp at earthlink.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------epovvtlteofdsitqpjts"
Subject: [SNCC] Pricelist
...
___________

The first server IP address indicated in the message chain, the bottom one
("jordan"), is for a server at the IP (numerical) address 24.123.68.37.
Searching for information about this address at http://www.arin.net/whois/
will yield the following info (below). This shows only the passing server
the message came thru. However, just as Hunter Gray says, this is not from
him as the servers he typically uses are at addresses like 205.187.219.165,
from ICG NetAhead, Inc. in Colorado. If you had the original message from
whomever which came into the SNCC server, by looking at the full header of
that message it may be possible to track the virus sender back near to its
origin. Probably not worth the effort, as the nature of these viruses is to
spoof an address and send itself out, infect a new machine and repeat. Users
of the infected machine are not generally aware of anything going on--creepo
spammers, virus senders, and others, now regularly take over (unprotected)
machines and use them as servers, for spam, porn, viruses, etc. Firewalls
and antivirus programs are basic necessary protections users must have and
keep up to date; using anti-spyware/adware programs to check for such
"scumware" regularly is also necessary. I am relieved to see that you are
going to inhibit attachments finally. Now if you can only do something about
the senders who send 800KB e-mails to everyone.

Jim

Here is the ARIN info on the server from which the offending message
ostensibly came. As is noted this server covers folks in a lot of states.
Could be anyone. I did not find another message in my SNCC archived email
that used this server, so it may be someone's machine who knows H. Gray from
another of his lists and is exploiting his e-mail identity.


OrgName:    Road Runner-Commercial
OrgID:      RCWE
Address:    13241 Woodland Park Road
City:       Herndon
StateProv:  VA
PostalCode: 20171
Country:    US
Comment:    Allocations for this OrgID serve Road Runner commercial customers out of the Honolulu, HI, Kansas City, KS, Orange, CA and San Diego, CA RDCs.
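
The header reading described in the message above, as an added example that is not part of the original post: it walks the Received lines from the newest down, stops at the first line not written by a server in `TRUSTED` (an assumed list), and reports the peer IP that server recorded. The sample is the header quoted in the post with its folding repaired; the function and key names are this example's own.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines from the post (folding repaired, the archive's " at " kept as-is).
RAW = """\
Received: from armadillo.honors.olemiss.edu ([130.74.178.22])
        by timothy.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP
        id 1aXC6KZq3Nl3pw0 Sun, 29 Feb 2004 20:20:33 -0500 (EST)
Received: from armadillo.honors.olemiss.edu (IDENT:mailman at localhost [127.0.0.1])
        by armadillo.honors.olemiss.edu (8.9.3/8.9.3) with ESMTP id TAA04682;
        Sun, 29 Feb 2004 19:20:19 -0600
Received: from jordan (rrcs-central-24-123-68-37.biz.rr.com [24.123.68.37])
        by armadillo.honors.olemiss.edu (8.9.3/8.9.3) with SMTP id TAA04631
        for <sncc at honors.olemiss.edu>; Sun, 29 Feb 2004 19:18:47 -0600
From: hunterbadbear at earthlink.net
"""
# Assumption: the two servers whose own Received lines we believe.
TRUSTED = {"timothy.mail.atl.earthlink.net", "armadillo.honors.olemiss.edu"}
# "from <announced name> (<what the server saw> [<peer IP>]) by <recording server>"
HOP = re.compile(r"from (\S+) \((.*?)\[([\d.]+)\]\) by (\S+)")

def hops(raw):
    """Parse Received headers, newest first (the order they appear in)."""
    values = message_from_string(raw).get_all("Received", [])
    found = (HOP.search(" ".join(v.split())) for v in values)  # undo folding
    return [dict(zip(("helo", "seen", "ip", "by"), m.groups())) for m in found if m]

def handoff(raw, trusted=TRUSTED):
    """Oldest public-IP hop recorded by a trusted server; older lines can be forged."""
    found = None
    for h in hops(raw):
        if h["by"] not in trusted:
            break
        if ipaddress.ip_address(h["ip"]).is_global:  # skip loopback/private hops
            found = h
    return found

def assess(raw, trusted=TRUSTED):
    """Compare the From domain with the reverse DNS name of the handoff host."""
    sender = parseaddr(message_from_string(raw)["From"].replace(" at ", "@"))[1]
    domain = sender.rpartition("@")[2].lower()
    h = handoff(raw, trusted)
    if h is None:
        return None
    rdns = (h["seen"].split() or [""])[0].lower()
    return dict(h, rdns=rdns, from_domain=domain, mismatch=not rdns.endswith("." + domain))
```

The name after `from` (`jordan`) is whatever the sending machine announced, while the bracketed IP is what the receiving server observed, so the IP is the more reliable of the two. A mismatch between the reverse DNS name and the From domain is only an indicator, since people legitimately send mail from other networks.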










