25 new of 79 responses total.
keesan
response 50 of 79: Apr 28 13:40 UTC 2002

No it does not, but it does make it easy to avoid banner ads.  Sometimes I
view HTML to figure out what is going on at a site that some idiot designed
to work only on a fast link with graphics turned on, with no alternative for
text-only use by people like the blind.
keesan
response 51 of 79: Apr 29 14:18 UTC 2002

I just got a 'returned mail' from some company I never heard of with a
subject line that I am sure I did not write, which appears to have a worm
in it which I strongly doubt that I sent (I use Pine).  So now is Klez
attaching my email address as a return address when other people send out
worms? Should I be writing thompson.com to let them know they may have
Klez?



From mailer-daemon@thompson.com Mon Apr 29 10:04:03 2002
Received: from thompson.com (thompson.com [207.226.10.50]) by
    grex.cyberspace.org (8.6.13/8.6.12) with ESMTP id DAA08432 for
    <keesan@grex.org>; Mon, 29 Apr 2002 03:32:43 -0400
Date: 29 Apr 2002 03:30:24 -0400
From: "MAILER-DAEMON" <mailer-daemon@thompson.com>
To: keesan@grex.org
Subject: Delivery problems: Directory, FPW26
Message-ID: <020429.033024@thompson.com>
X-Mailer: QuickMail Pro Server for Mac 2.0.1
MIME-Version: 1.0
Content-Type: multipart/report;
    report-type="delivery-status";
    boundary=shjdsh1784

The recipient is unknown

Warning, delivery failure! This is a status message indicating that a message
could not be delivered to 1 or more recipients.

Original message subject: Directory, FPW26
Date received: 29-Apr-2002 03:30:03 -0400


Recipients and delivery history

gbasar@thompson.com
    ---- Transcript of session follows ---
29-Apr-2002 03:30:03 -0400 Received via SMTP from DNS.BTTB.NET
29-Apr-2002 03:30:24 -0400 gbasar@thompson.com is unknown


  [ Part 2: "Included Message" ]

Reporting-MTA: dns;thompson.com.

Final-Recipient: rfc822;gbasar@thompson.com
Action: failed
Status: 5.0.0 (permanent failure)



  [ Part 3: "Included Message" ]

Date: Mon, 29 Apr 2002 13:31:37 -0600
From: keesan <keesan@grex.org>
To: gbasar@thompson.com
Subject: Directory, FPW26


  [Part 3.1, Text/HTML  4 lines]
  [Unable to print this part]


  [Part 3.2, Audio/X-MIDI  7.2KB]
  [Unable to print this part]

gull
response 52 of 79: Apr 29 17:32 UTC 2002

I'm sure they'll figure it out eventually, if they do.  The chances of
an email you write getting to a person who actually knows what to do
about it are probably slim.  Or maybe that's just my cynicism talking. 
I know I had a hard time getting sites that had Nimda worm infections to
do anything about it.
keesan
response 53 of 79: Apr 29 19:50 UTC 2002

I wrote postmaster@thompson.com with a copy of my mail (I deleted the xmidi
attachment).
polygon
response 54 of 79: Apr 30 14:28 UTC 2002

Yes, the Klez viruses do use "found" email addresses and put them in the
"From" line of infected messages.
keesan
response 55 of 79: Apr 30 14:53 UTC 2002

So some other company which had thompson.com's email address and my email
address in their computer unwittingly sent me a copy of Klez?  From the
headers is there any way to tell where the worm started?
gelinas
response 56 of 79: May 1 02:22 UTC 2002

No, some poor sucker who sends you e-mail sent out Klez to his (other) friends
and neighbors, saying it was from you instead of him.  That's how Klez works.
keesan
response 57 of 79: May 1 02:26 UTC 2002

But in this case the email with Klez got sent 'from me' to some email address
that no longer existed, so it came 'back' to me?
ea
response 58 of 79: May 1 03:06 UTC 2002

One of the other habits of Klez is to disguise itself as a bounce 
message.
gelinas
response 59 of 79: May 1 03:06 UTC 2002

That happens, yes.  Not every address in our address books is still valid.
Rejections go to the sender of record.  Klez forges that sender.
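
Added example, not part of any participant's post: a Python sketch that reads the bounce quoted in response 51 and compares the host that actually handed the message to thompson.com with the domain in the forged From line, and the message's claimed Date with the time it was received. The sample text is retyped from that bounce; base_domain and analyze_bounce are hypothetical helper names, and a mismatch is a hint rather than proof, since legitimate mail is often relayed through an unrelated ISP host.

```python
import re
from datetime import datetime
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: lines retyped from the bounce quoted in response 51.
BOUNCE = """\
gbasar@thompson.com
    ---- Transcript of session follows ---
29-Apr-2002 03:30:03 -0400 Received via SMTP from DNS.BTTB.NET
29-Apr-2002 03:30:24 -0400 gbasar@thompson.com is unknown

Date: Mon, 29 Apr 2002 13:31:37 -0600
From: keesan <keesan@grex.org>
To: gbasar@thompson.com
Subject: Directory, FPW26
"""

def base_domain(host):
    """Last two labels of a host name (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze_bounce(text):
    """Return what the bounce says about who really submitted the message."""
    relay = re.search(r"^(\S+ \S+ \S+) Received via SMTP from (\S+)", text, re.M)
    sender = re.search(r"^From:\s*(.+)$", text, re.M)
    date = re.search(r"^Date:\s*(.+)$", text, re.M)
    if not (relay and sender and date):
        return None  # not a bounce in the layout shown in the thread
    # Time the receiving server logged the SMTP session.
    received_at = datetime.strptime(relay.group(1), "%d-%b-%Y %H:%M:%S %z")
    # Time the message itself claims to have been written.
    claimed_date = parsedate_to_datetime(date.group(1))
    addr = parseaddr(sender.group(1))[1]
    return {
        "submitting_host": relay.group(2),
        "claimed_from": addr,
        "from_domain_matches_relay":
            base_domain(relay.group(2)) == base_domain(addr.rpartition("@")[2]),
        "dated_after_receipt": claimed_date > received_at,
    }

if __name__ == "__main__":
    for key, value in analyze_bounce(BOUNCE).items():
        print(f"{key}: {value}")
```
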
gelinas
response 60 of 79: May 1 03:07 UTC 2002

Hadn't known that, ea.  Thanks.
keesan
response 61 of 79: May 2 00:11 UTC 2002

Having just received mail via hicksplastics.com which does not exist, and
being informed of this by mindspring.com, I forwarded the spam to
abuse@mindspring.com and got back mail from earthlink suggesting I forward
spam to spamcop.  www.spamcop.com - fill in your email address, back up one
and hit the Enter key on Verification of email address, look in email, hit
T for Take and select the Submit...... email address for the Pine address book
and nickname it spamcop.  Now instead of sending spam reports to everyone in
the headers (half of whom do not exist) I can simply hit H for header and
forward the whole thing (answer N to the question about attachments) to
spamcop and they will look up the IP addresses for me instead.  This seems
too easy.  They want to sell you a paid filtering service but why bother?
mdw
response 62 of 79: May 2 02:45 UTC 2002

Spamcop has also apparently currently listed grex as a spam source...
gull
response 63 of 79: May 2 13:37 UTC 2002

Mostly because someone sent spam from Grex, from the looks of it.
keesan
response 64 of 79: May 2 14:21 UTC 2002

Perhaps we ought to write and explain?  This sounds like another good reason
not to use their paid filter service.
keesan
response 65 of 79: May 2 14:31 UTC 2002

Does grex have some filter on outgoing mail to prevent spamming?  Such as a
limit on how many emails can be sent to a list?  I recall that we were sending
out the Kiwanis news via grex, plain ascii.  Perhaps HTML multiple mailings
could be blocked, at least?
gull
response 66 of 79: May 2 16:09 UTC 2002

If no other complaints are received Grex will automatically be removed from
the blacklist a week after the last spam report.

I think their filtering system is overly sensitive and easy to abuse, but I
can see their perspective on this, too.  I mean, we *did* send out a mass
email from one of our users.  That makes us a "spam source".
goose
response 67 of 79: May 3 00:02 UTC 2002

Here's some nice social engineering courtesy the Klez folks:

>Date: Fri, 3 May 2002 00:00:19 +0300 
>From: analiz <analiz@analiz.net> 
>To: goose@ais.org 
>Subject: Worm Klez.E immunity 

>Klez.E is the most common world-wide spreading worm.It's very dangerous by
>corrupting your files.
>Because of its very smart stealth and anti-anti-virus technic,most common AV
>software can't detect or clean it.
>We developed this free immunity tool to defeat the malicious virus.
>You only need to run this tool once,and then Klez will never come into your
>PC.
>NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV
>monitor maybe cry when you run it.
>If so,Ignore the warning,and select 'continue'.
>If you have any question,please mail to me. 

And of course the virus was attached....
other
response 68 of 79: May 4 02:24 UTC 2002

Brilliant!  I hope lots of people send it to Redmond...
polygon
response 69 of 79: May 21 19:19 UTC 2002

New twist on the Nigerian scam:



Return-Path: <bradon@diplomats.com>
Received: from ws1-9.us4.outblaze.com ([205.158.62.37])
           by mail.Hostworks.com (Post.Office MTA v3.5.3 release 223
           ID# 0-69621U2500L300S0V35) with SMTP id com
           for <rms@privacyfoundation.org>; Sat, 18 May 2002 18:20:09 -0600
Received: (qmail 73112 invoked by uid 1001); 18 May 2002 16:04:36 -0000
Message-ID: <20020518160436.73110.qmail@mail.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [63.100.194.163] by ws1-9.us4.outblaze.com with http for
     bradon@diplomats.com; Sat, 18 May 2002 11:04:36 -0500
From: "bradon curtis" <bradon@diplomats.com>
To: "FILE" <bradon@diplomats.com>
Date: Sat, 18 May 2002 11:04:36 -0500
Subject: A  CRY  FOR  HELP
X-Originating-Ip: 63.100.194.163
X-Originating-Server: ws1-9.us4.outblaze.com

18th MAY 2002.
Kabul, AFGHANISTAN

Dear Sir,

My name is Bradon Curtis, Special Forces Commando
currently on covert search and destroy missions in the mountainous
wastelands of Afghanistan impenetrable domicile of the dreaded Taleban
AlQeada terrorist network. Last week, my group (of 4agents)successfully
overran a hard drug processing enclave and recovered a booty cash sum of
US$36 million, which no doubt are proceeds from the
illegal trade used for funding terrorist activities. We have since
deposited this cash in a security luggage office in Kabul capital city.
We do not intend to surrender this cash booty to
our sector commandant for obvious reasons and we
cannot take out the consignment from Afghanistan
physically by ourselves as it is against military
ethics.

I hereby solicit your assistance to enable me ship
this money to your safe custody pending the expiration of our current
regional anti-terrorist exercise. It may interest you to know that
modalities have been perfected to move this funds to you through a
security courier agency as soon as you respond in the
affirmative,indicating your interest and capability to handle this
transaction.
We will thus send you the shipment waybill, so that you can help claim
this luggage on behalf of me and my colleagues. Needless to say the
trust reposed in you at this junction is enormous, we are willing
to offer you an agreeable percentage of this funds.


Finally, I believe that I have been very concise
sincere in my representation to you and I look forward to consummating
this transaction with you, but most importantly do acknowledge receipt
of this mail using my email for further clarification on the modus
operandi.

I will furnish you a phone number to reach me when I receive your
positive response.

Thanking you in anticipation.

Yours Truly

Bradon  Curtis




-- 
_______________________________________________

Sign-up for your own FREE Personalized E-mail at Mail.com

http://www.mail.com/?sr=signup
keesan
response 70 of 79: May 21 19:21 UTC 2002

Me, me!
gull
response 71 of 79: May 21 19:39 UTC 2002

Not very covert anymore, is he?
mdw
response 72 of 79: May 21 20:52 UTC 2002

Interesting use of ethics - he doesn't want to report it to his "sector
commandant", but refuses to sneak the money out himself?
other
response 73 of 79: May 21 23:05 UTC 2002

Also interesting is the blend of jargobabble and malaprop.
tsty
response 74 of 79: May 22 06:57 UTC 2002

...  not to mention the  malababble and jargoprop as well!