Re: RARA sending me viruses

More info??

Wayne

got an email

from owner-rarageneral@airrace.org
subject ID npblikiyit... thanks

My system here at work deleted the virus.

watch out.

Steve, have you looked at the full email headers? I get a TON of bounced email that has somethingorother@aafo.com in the "from" field.. it's spoofed.

Some of the email virui that are out there (most from what I can tell) dig into the infected computer's address book, *USUALLY* Microsoft Outlook (for this reason, I call it LOOKOUT) which is frequently the target of the virui...

Anway, getting back on point, the infected computer then sends out tons of messages using the addresses in the book as the "from"....

Just because the "from" field carries an address, does not necessairly mean that it actually came from that box... if you open full email headers, you can track the IP address of the "from/to" trail and see where it actually came from..

Anyway.. that might be it but at the moment, it looks as though their site is inop..

A point to bring up though, even if that message you received was from a valid @airrace.org address, it would not mean that the site was infected, it would indicate that the users computer was.

Wayne

how about this

So does the below info shed any light on this. it does say "(,ay be forged) these machines are a kick but also way above my head.

I really didn't want to freak anybody out but I didn't want it to go unmentioned.
Back to lurking, maybe I'll send another picture of the LandStang just for fun.


Received: from fdns2.rolm.com ([165.218.1.59]) by stca200a.bus.sc.rolm.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2657.72)
id FD0K0QL0; Tue, 17 Feb 2004 10:02:42 -0800
Received: from brmx1.fl.icn.siemens.com (brmx1.boca.ssc.siemens.com [165.218.21.132])
by fdns2.rolm.com (8.12.10/8.12.10) with ESMTP id i1HI2VYn003660
for <steven.b.wilson@icn.siemens.com>; Tue, 17 Feb 2004 10:02:40 -0800 (PST)
Received: from airrace.org (ftp.intsysint.intsysint.com [66.70.221.43] (may be forged))
by brmx1.fl.icn.siemens.com (8.9.3p092403/8.9.3) with ESMTP id NAA08659
for <steven.b.wilson@icn.siemens.com>; Tue, 17 Feb 2004 13:02:29 -0500 (EST)
From: owner-rarageneral@airrace.org
Received: (from airrace@localhost)
by airrace.org (8.11.6/8.11.6) id i1HH6hb11724
for rarageneral-outgoing; Tue, 17 Feb 2004 12:06:43 -0500
X-Authentication-Warning: intsysint.intsysint.com: airrace set sender to owner-rarageneral@airrace.org using -f
Received: from intsysint.intsysint.com (root@localhost)
by airrace.org (8.11.6/8.11.6) with ESMTP id i1HH6gK11719
for <rarageneral@airrace.org>; Tue, 17 Feb 2004 12:06:42 -0500
X-ClientAddr: 129.42.184.35
Received: from terra2 ([129.42.184.35])
by intsysint.intsysint.com (8.11.6/8.11.6) with SMTP id i1HH6gg11715
for <rarageneral@airrace.org>; Tue, 17 Feb 2004 12:06:42 -0500
Date: Tue, 17 Feb 2004 09:06:59 -0800
To: rarageneral@airrace.org
Subject: ID npblikiyit... thanks
Message-ID: <nrrhqjwhbnluuwptajy@airrace.org>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------881408040821076"
Sender: owner-rarageneral@airrace.org
Precedence: bulk

----------881408040821076
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

----------881408040821076
Content-Type: application/x-msdownload; name="cqkh.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="celxtpmc.exe"

----------881408040821076--

Phew.. too many IP's for me to track it... It does appear to my untrained eye that originally, it came from an address *not* within the system that airrace.org is located in... then somehow got returned to them, and bounced to you...

I *COULD* be totally wrong though. I'm ok reading these things until you throw in as many back and forth's that this one has!

Maybe Mark Johnston will pick up on this and be able to decypher this better than I have... I'd not worry about the site though, linux is not normally infected by virui... from what I understand anyway...

I'm guessing that airrace.org is on a linux box..

Wayne

i got the same email and thought it was a special code
to ride in the pace plane with steve hinton.darn it all!!!