[Virtualacorn-list] Unexpected message on this mail list...

Jeremy Nicoll - virtualacorn jn.ml.vac.83 at wingsandbeaks.org.uk
Tue Nov 3 23:52:19 GMT 2009


Vince M Hudd <vince at softrock.co.uk> wrote:

> Jeremy Nicoll - virtualacorn <jn.ml.vac.83 at wingsandbeaks.org.uk> wrote:
> 
> [...]
> 
> > This suggests that someone else's machine, perhaps containing an address
> > book that has my address in it, may have been compromised.
> 
> Yes, that is the most likely cause - and particularly likely given what
> this list is for (ie, by definition, most if not all of the people on this
> list are here because they're using an emulator on an OS that can be
> compromised).
>  
> It's a pity there's no easy way for me to identify which subscriber it is
> from the headers of the spam you've received. /Possibly/ the originating
> IP address from the first (chronologically) of the Received: lines could
> be matched with the IP address of someone posting here, on another list,
> or to comp.sys.acorn on usenet - but there's no guarantee the person with
> the compromised machine is even posting, and it can be a tedious task.
> 
> It might be worth you posting whatever information you can identify,
> though - ie "FAO whoever has IP address blahdeblah, on such-and-such
> network; your computer has a virus."

I've now received another one.  The relevant headers in the first one are:

  Envelope-To: jn.ml.vac.83 at wingsandbeaks.org.uk
  Received: from da7.activedomain.nl ([79.170.92.50])
    by B.hopeless.aaisp.net.uk ([81.187.81.12])
    with AAISP icebox mailer (build Jan 29 2008 09:14:02)
    for jn.ml.vac.83 at wingsandbeaks.org.uk;
    Tue, 03 Nov 2009 16:38:14 +0000
  Received: from apache by da7.activedomain.nl with local (Exim 4.69)
    (envelope-from <wmc at wmcservice.nl>)
    id 1N5LB3-0006aY-0l
    for jn.ml.vac.83 at wingsandbeaks.org.uk; Tue, 03 Nov 2009 16:20:09 +0100
  To: jn.ml.vac.83 at wingsandbeaks.org.uk
  Subject: Online Service Message 
  X-PHP-Script: www.wmcservice.nl/pages//index.php for 91.76.194.172
                                                       ^^^^^^^^^^^^^
  From: Lloyds TSB Bank plc <online at lloydstsb.co.uk>

--- a tracert to address: 91.76.194.172  suggests it's in .ru (Russia?) 

--- AAISP got the mail from: da7.activedomain.nl ([79.170.92.50])
    a tracert to that also goes through a .ru server


And in the second:

  Envelope-To: jn.ml.vac.83 at wingsandbeaks.org.uk
  Received: from dmp-host.de ([81.169.172.194]
    helo=h4446.serverkompetenz.net)
    by B.hopeless.aaisp.net.uk ([81.187.81.12])
    with AAISP icebox mailer (build Jan 29 2008 09:14:02)
    for jn.ml.vac.83 at wingsandbeaks.org.uk;
    Tue, 03 Nov 2009 22:59:44 +0000
  Received: by h4446.serverkompetenz.net (Postfix, from userid 30)
    id 8F0FE387986; Tue,  3 Nov 2009 23:36:28 +0100 (CET)
  To: jn.ml.vac.83 at wingsandbeaks.org.uk
  Subject: Banking Update
  From: Natwest <alerts at online.natwest.co.uk>

--- tracert of 81.169.172.194   (from dmp-host.de ([81.169.172.194] )
    also goes through a .ru server.


I think this doesn't help though.

I'll resubscribe to this list with a new address and unsubscribe the old one
in a few days, and then bin anything coming to the old address.



-- 
Jeremy C B Nicoll - my opinions are my own.
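
Added example, not part of the original post: a small Python sketch of the header reading discussed in this thread, listing the Received: hops oldest-first and splitting the X-PHP-Script line into script and requesting client address. The function names are hypothetical, and the `<script> for <IP>` layout is assumed from the one header quoted above.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers of the first message as quoted in the post (addresses as archived).
SAMPLE = """\
Received: from da7.activedomain.nl ([79.170.92.50])
    by B.hopeless.aaisp.net.uk ([81.187.81.12])
    with AAISP icebox mailer (build Jan 29 2008 09:14:02)
    for jn.ml.vac.83 at wingsandbeaks.org.uk;
    Tue, 03 Nov 2009 16:38:14 +0000
Received: from apache by da7.activedomain.nl with local (Exim 4.69)
    (envelope-from <wmc at wmcservice.nl>)
    id 1N5LB3-0006aY-0l
    for jn.ml.vac.83 at wingsandbeaks.org.uk; Tue, 03 Nov 2009 16:20:09 +0100
X-PHP-Script: www.wmcservice.nl/pages//index.php for 91.76.194.172
From: Lloyds TSB Bank plc <online at lloydstsb.co.uk>

"""

FROM_IP = re.compile(r"from\s+\S+\s+\(\[([0-9.]+)\]")

def hops(raw):
    """Received hops, oldest first (each relay prepends its line, so reverse).
    Only the line written by your own provider's server is reliable."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        body, _, date = value.rpartition(";")
        ip = FROM_IP.search(body)
        out.append({
            "when": parsedate_to_datetime(date.strip()),
            "from_ip": ip.group(1) if ip else None,
            # "with local": handed to the MTA on the same host, not over SMTP
            "local": re.search(r"\bwith local\b", body) is not None,
        })
    return out[::-1]

def php_script_origin(raw):
    """Split X-PHP-Script into (script, client IP); None if absent or odd."""
    value = message_from_string(raw).get("X-PHP-Script") or ""
    m = re.fullmatch(r"(\S+)\s+for\s+(\S+)", value.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m.group(2))
    except ValueError:
        return None
    return m.group(1), m.group(2)
```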




