[Virtualacorn-list] Unexpected message on this mail list...

Vince M Hudd vince at softrock.co.uk
Wed Nov 4 10:22:58 GMT 2009


Jeremy Nicoll - virtualacorn <jn.ml.vac.83 at wingsandbeaks.org.uk> wrote:
> Vince M Hudd <vince at softrock.co.uk> wrote:

[...]

> I've now received another one.  The relevant headers in the first one are:
[...]
> --- a tracert to address: 91.76.194.172  suggests it's in .ru (russia?)

Those headers don't have anything in common with the ones I received, but

> And in the second:
[...] 
>   Received: from dmp-host.de ([81.169.172.194]

That does.

> I think this doesn't help though.

No - we don't see the originating IP address, unfortunately, so my theory
about identifying the subscriber in question (which wouldn't have been easy
anyway) is completely shot. However, see my other post in which I think I've
identified him due to the fluke of him being the only other subscriber to a
defunct list. And that one of the spams you've received uses the same server
after it goes through his machine that one of mine does - while this could
be coincidental (those are clearly either spammy servers, or b0rken servers
used by spammers), it's /another/ piece of circumstantial evidence that
points to this subscriber.

I should probably add that I'm on this list and the other one as well,
obviously, so I suppose I'm also a suspect - but I'd be amazed, quite
frankly, if it was my machine. (And I ran an extra full scan last night on
the off chance, which came up with nothing).
  
> I'll resubscribe to this list with a new address and unsubscribe the old
> one in a few days, and then bin anything coming to the old address.

TBH, I'd be inclined to not change just yet - as soon as you post with the
new address you'll be opening it up. It's probably better to wait until the
infected machine is cleared and, unfortunately, we don't know how long that
will be (How often does he check mail? Has he gone away for a few days
leaving his machine running? etc). I'll set a temporary limit of (say) one
week from today, though - ie, if I haven't heard back from him by one week
from now to say it's sorted (or that he's checked and it definitely isn't
his machine), I'll suspend him from the list until I *do* get such a
response.

Or should I suspend him anyway, even though it's only a *suspicion* (albeit
strong) that he has malware on his machine sending out spam?
 
-- 
Vince M Hudd
Soft Rock Software



