more worms

[Gregory Nowak]

Hi all,

I just wanted to say that the earlier incident where Kerry's e-mail was faked, and a worm was sent to the list was not the only one. I've just recieved a private e-mail with a faked address from mailman-owner at braille.uwo.ca with a similar worm. I'm including the headers below along with the entry from my qmail messages.
Greg



>From carpy at mail.ru Mon May 13 02:37:54 2002
Return-Path: <carpy at mail.ru>
Delivered-To: greg at romualt.dhs.org
Received: (qmail 25741 invoked from network); 13 May 2002 02:37:50 -0000
Received: from mx9.mail.ru (194.67.57.19)
  by softdnserror with SMTP; 13 May 2002 02:37:50 -0000
Received: from 146-115-123-205.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com ([146.115.123.205] helo=Yshdx)
	by mx9.mail.ru with smtp (Exim SMTP.9)
	id 1775u8-000Erg-00
	for greg at romualt.dhs.org; Mon, 13 May 2002 06:49:40 +0400
From: mailman-owner <mailman-owner at braille.uwo.ca.>
To: greg at romualt.dhs.org
Subject: A special  good tool
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary=AP7383eS3L5oq9gt0
Message-Id: <E1775u8-000Erg-00 at mx9.mail.ru>
Date: Mon, 13 May 2002 06:49:40 +0400
Status: RO
Content-Length: 169918
Lines: 2345



The following is from my /var/adm/messages.


May 12 21:37:54 linserver qmail: 1021257474.823623 new msg 245715
May 12 21:37:54 linserver qmail: 1021257474.824347 info msg 245715: bytes 170583 from <carpy at mail.ru> qp 25741 uid 1005
May 12 21:37:54 linserver qmail: 1021257474.832134 starting delivery 169: msg 245715 to local greg at romualt.dhs.org
May 12 21:37:54 linserver qmail: 1021257474.832687 status: local 1/10 remote 0/20
May 12 21:37:55 linserver qmail: 1021257475.006857 delivery 169: success: did_0+0+1/
May 12 21:37:55 linserver qmail: 1021257475.006965 status: local 0/10 remote 0/20
May 12 21:37:55 linserver qmail: 1021257475.007005 end msg 245715