[Virtualacorn-list] Unexpected message on this mail list...
Jeremy Nicoll - virtualacorn
jn.ml.vac.83 at wingsandbeaks.org.uk
Tue Nov 3 23:52:19 GMT 2009
Vince M Hudd <vince at softrock.co.uk> wrote:
> Jeremy Nicoll - virtualacorn <jn.ml.vac.83 at wingsandbeaks.org.uk> wrote:
>
> [...]
>
> > This suggests that someone else's machine, perhaps containing an address
> > book that has my address in it, may have been compromised.
>
> Yes, that is the most likely cause - and particularly likely given what
> this list is for (ie, by definition, most if not all of the people on this
> list are here because they're using an emulator on an OS that can be
> compromised).
>
> It's a pity there's no easy way for me to identify which subscriber it is
> from the headers of the spam you've received. /Possibly/ the originating
> IP address from the first (chronologically) of the Received: lines could
> be matched with the IP address of someone posting here, on another list,
> or to comp.sys.acorn on usenet - but there's no guarantee the person with
> the compromised machine is even posting, and it can be a tedious task.
>
> It might be worth you posting whatever information you can identify,
> though - ie "FAO whoever has IP address blahdeblah, on such-and-such
> network; your computer has a virus."

I've now received another one. The relevant headers in the first one are:

Envelope-To: jn.ml.vac.83 at wingsandbeaks.org.uk
Received: from da7.activedomain.nl ([79.170.92.50])
    by B.hopeless.aaisp.net.uk ([81.187.81.12])
    with AAISP icebox mailer (build Jan 29 2008 09:14:02)
    for jn.ml.vac.83 at wingsandbeaks.org.uk;
    Tue, 03 Nov 2009 16:38:14 +0000
Received: from apache by da7.activedomain.nl with local (Exim 4.69)
    (envelope-from <wmc at wmcservice.nl>)
    id 1N5LB3-0006aY-0l
    for jn.ml.vac.83 at wingsandbeaks.org.uk; Tue, 03 Nov 2009 16:20:09 +0100
To: jn.ml.vac.83 at wingsandbeaks.org.uk
Subject: Online Service Message
X-PHP-Script: www.wmcservice.nl/pages//index.php for 91.76.194.172
                                                     ^^^^^^^^^^^^^
From: Lloyds TSB Bank plc <online at lloydstsb.co.uk>

--- a tracert to address: 91.76.194.172 suggests it's in .ru (russia?)
--- AAISP got the mail from: da7.activedomain.nl ([79.170.92.50])
    a tracert to that also goes through a .ru server

And in the second:

Envelope-To: jn.ml.vac.83 at wingsandbeaks.org.uk
Received: from dmp-host.de ([81.169.172.194]
    helo=h4446.serverkompetenz.net)
    by B.hopeless.aaisp.net.uk ([81.187.81.12])
    with AAISP icebox mailer (build Jan 29 2008 09:14:02)
    for jn.ml.vac.83 at wingsandbeaks.org.uk;
    Tue, 03 Nov 2009 22:59:44 +0000
Received: by h4446.serverkompetenz.net (Postfix, from userid 30)
    id 8F0FE387986; Tue, 3 Nov 2009 23:36:28 +0100 (CET)
To: jn.ml.vac.83 at wingsandbeaks.org.uk
Subject: Banking Update
From: Natwest <alerts at online.natwest.co.uk>

--- tracert of 81.169.172.194 (from dmp-host.de ([81.169.172.194] )
    also goes through a .ru server.

I think this doesn't help though.

I'll resubscribe to this list with a new address and unsubscribe the old one
in a few days, and then bin anything coming to the old address.

--
Jeremy C B Nicoll - my opinions are my own.
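
Added example, not part of the original post: a Python reading of the header trail discussed above, run over the first message's headers as quoted (fold indentation restored, which is an assumption). The function names, and the reading of X-PHP-Script as "<script> for <client address>", are assumptions made for this example.

```python
import re
from email import message_from_string

# Headers of the first message as quoted in the post; fold indentation restored (assumed).
SAMPLE = """\
Envelope-To: jn.ml.vac.83 at wingsandbeaks.org.uk
Received: from da7.activedomain.nl ([79.170.92.50])
 by B.hopeless.aaisp.net.uk ([81.187.81.12])
 with AAISP icebox mailer (build Jan 29 2008 09:14:02)
 for jn.ml.vac.83 at wingsandbeaks.org.uk;
 Tue, 03 Nov 2009 16:38:14 +0000
Received: from apache by da7.activedomain.nl with local (Exim 4.69)
 (envelope-from <wmc at wmcservice.nl>)
 id 1N5LB3-0006aY-0l
 for jn.ml.vac.83 at wingsandbeaks.org.uk; Tue, 03 Nov 2009 16:20:09 +0100
To: jn.ml.vac.83 at wingsandbeaks.org.uk
Subject: Online Service Message
X-PHP-Script: www.wmcservice.nl/pages//index.php for 91.76.194.172
From: Lloyds TSB Bank plc <online at lloydstsb.co.uk>
"""

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Received lines oldest-first as (from_name, from_ip, by_host)."""
    hops = []
    # Each server prepends its line, so the last Received header is the oldest.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # undo header folding
        frm = re.match(r"from (\S+)", text)
        by = re.search(r"\bby (\S+)", text)
        # Only a bracketed address before "by" describes the sending side.
        ip = BRACKET_IP.search(text[:by.start()] if by else text)
        hops.append((frm and frm.group(1), ip and ip.group(1), by and by.group(1)))
    return hops

def php_script_origin(raw):
    """(script, client_ip) from X-PHP-Script, read as '<script> for <ip>'."""
    value = message_from_string(raw).get("X-PHP-Script", "")
    m = re.fullmatch(r"(\S+) for (\d{1,3}(?:\.\d{1,3}){3})", value.strip())
    return m.groups() if m else None

def origin_report(raw):
    """Oldest hop, first hop that recorded a sender IP, and the PHP script origin."""
    hops = received_hops(raw)
    with_ip = next((h for h in hops if h[1]), None)
    return {"oldest": hops[0] if hops else None,
            "first_with_ip": with_ip, "php": php_script_origin(raw)}

print(origin_report(SAMPLE))
```

For this message the oldest Received line is a local hand-off from "apache" and records no address, so the X-PHP-Script line is the only header naming the client that called the script. Only the top Received line was written by the recipient's own mail server; everything beneath it was supplied by the sending side and can be forged.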