[MV] Final word on the worm

From: Mil-Veh List Admin (postmaster@uller.skylee.com)
Date: Fri Dec 24 1999 - 13:18:09 PST


I believe that this will be the last posting concerning this
worm situation. If you need to discuss it, please e-mail me
directly.

With the kind help of several mil-veh list members, I have
examined the details of the worm message that a few people
have received. I am now completely confident that the worm
did NOT spread via the list, despite the appearance that it
did so. The thing to bear in mind is that it is a relatively
trivial matter to forge message headers (spammers do it all
the time), and the list address is no doubt in quite a few
of your address books.

These items in the worm message show that it was not
generated by and not sent from the list:

First, the "From:" header of the worm message is fake:

   From: mil-veh@skylee.com

List mail is always "From:" the original poster, never
"From:" the list itself. If you get a message "From:"
mil-veh@skylee.com or mil-veh@uller.skylee.com, you most
likely have received a worm or virus. However, the message
is just as likely--or actually more likely--to come from
another address. The only protection for Windows users will
be to use adequate anti-virus software.

Second, the worm has this Return-Path:

   Return-Path: <mil-veh@skylee.com>

But messages that come from the list have one of two
possible return paths, depending on whether it was processed
before or after the cutover to the new server:

Before:
   Return-Path: <owner-Mil-Veh@skylee.com>

After:
   Return-Path: <mil-veh-report@uller.skylee.com>

The worm simply uses the same address as it claims to be
from.

Finally, the worm message has no Sender header, which would
be either one of these:

Before:
   Sender: owner-Mil-Veh@skylee.com

After:
   Sender: <mil-veh@uller.skylee.com> (Military Vehicles
List)

There are a number of other clues that this message didn't
come via the list, but they are a bit too technical to
bother with here.

Considering the headers, the prohibition against messages
containing HTML or attachments being posted to the list, and
the limitation of posted message size all tell me that the
worm did not travel via the list.

However, be aware that there are many worms and viruses out
there, and the precautions I take are not a 100% guarantee
against their propagation. If you use a PC (or even a Mac;
there are Mac viruses out there, too), use anti-virus
software to protect yourself.

I hope that this will be the final posting on this subject.
If you feel that you have received a virus via the list or
from a member, please e-mail me immediately and I will do
what I can to help.

--Arthur Kyle Mil-Veh List Admin
  Please do not quote my whole message when replying

===Mil-Veh is a member-supported mailing list===
To unsubscribe, send e-mail to: <mil-veh-off@uller.skylee.com>
To switch to the DIGEST mode, send e-mail to <mil-veh-digest@uller.skylee.com>
Send administrative queries to <mil-veh-request@uller.skylee.com>



This archive was generated by hypermail 2b29 : Wed Jan 05 2000 - 22:42:35 PST