Gentoo Archives: gentoo-security

From: Adrian CAPDEFIER <adriancapdefier@×××××××.ro>
To: gentoo-security@l.g.o
Subject: [gentoo-security] .com attachment attack?
Date: Sat, 14 Aug 2004 08:39:31
Message-Id: 411DD185.9030009@digifin.ro
Hi.
I seem to be the victim of an attack to get me off mailing lists.
Here is the message I've been getting with the contents of the
file ______-ed out.
So my server doesn't allow .com attachments and this attacker somehow
manages to make the mailing list manager think messages sent to me are
bouncing.
Am I right?

gentoo-security-help@l.g.o wrote:
> Hi! This is the ezmlm program. I'm managing the
> gentoo-security@g.o mailing list.
>
> I'm working for my owner, who can be reached
> at gentoo-security-owner@g.o.
>
>
> Messages to you from the gentoo-security mailing list seem to
> have been bouncing. I sent you a warning message, but it bounced.
> I've attached a copy of the bounce message.
>
> This is a probe to check whether your address is reachable. If this
> probe bounces, I will remove your address from the
> gentoo-security@g.o mailing list, without further notice.
>
> You can re-subscribe by sending a message to this address:
> <gentoo-security-subscribe@g.o>
>
>
> --- Enclosed is a copy of the bounce message I received.
>
> Return-Path: <>
> Received: (qmail 22187 invoked from network); 2 Aug 2004 00:10:57 +0000
> Received: from horse.hostspectrum.com (209.120.224.103)
> by lists.gentoo.org with AES256-SHA encrypted SMTP; 2 Aug 2004 00:10:57 +0000
> Received: from mailnull by horse.hostspectrum.com with local (Exim 4.34)
> id 1BrQPf-00072M-Nm
> for gentoo-security-return-warn-1091405444.lblaoilajclmcdganoam-adriancapdefier=digifin.ro@l.g.o; Sun, 01 Aug 2004 19:10:47 -0500
> X-Failed-Recipients: adriancapdefier@×××××××.ro
> Auto-Submitted: auto-generated
> From: Mail Delivery System <Mailer-Daemon@××××××××××××××××××.com>
> To: gentoo-security-return-warn-1091405444.lblaoilajclmcdganoam-adriancapdefier=digifin.ro@l.g.o
> Subject: Mail delivery failed: returning message to sender
> Message-Id: <E1BrQPf-00072M-Nm@××××××××××××××××××.com>
> Date: Sun, 01 Aug 2004 19:10:47 -0500
> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
> X-AntiAbuse: Primary Hostname - horse.hostspectrum.com
> X-AntiAbuse: Original Domain - lists.gentoo.org
> X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-AntiAbuse: Sender Address Domain -
> X-Source:
> X-Source-Args:
> X-Source-Dir:
>
> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
> adriancapdefier@×××××××.ro
> This message has been rejected because it has
> a potentially executable attachment "MP3.com"
> This form of attachment has been used by
> recent viruses or other malware.
> If you meant to send this file then please
> package it up as a zip file and resend it.
>
> ------ This is a copy of the message, including all the headers. ------
>
> Return-path: <gentoo-security-return-warn-1091405444.lblaoilajclmcdganoam-adriancapdefier=digifin.ro@l.g.o>
> Received: from [156.56.111.196] (helo=parrot.gentoo.org)
> by horse.hostspectrum.com with esmtp (TLSv1:AES256-SHA:256)
> (Exim 4.34)
> id 1BrQPf-00071b-EC
> for adriancapdefier@×××××××.ro; Sun, 01 Aug 2004 19:10:47 -0500
> Received: (qmail 1401 invoked by uid 89); 2 Aug 2004 00:10:53 +0000
> Mailing-List: contact gentoo-security-help@g.o; run by ezmlm
> Date: 2 Aug 2004 00:10:53 -0000
> Message-ID: <1091405453.10469.ezmlm-warn@l.g.o>
> From: gentoo-security-help@l.g.o
> To: adriancapdefier@×××××××.ro
> Content-type: text/plain; charset=us-ascii
> Subject: ezmlm warning
>
> Hi! This is the ezmlm program. I'm managing the
> gentoo-security@g.o mailing list.
>
> I'm working for my owner, who can be reached
> at gentoo-security-owner@g.o.
>
>
> Messages to you from the gentoo-security mailing list seem to
> have been bouncing. I've attached a copy of the first bounce
> message I received.
>
> If this message bounces too, I will send you a probe. If the probe bounces,
> I will remove your address from the gentoo-security mailing list,
> without further notice.
>
>
> I've kept a list of which messages from the gentoo-security mailing list have
> bounced from your address.
>
> Copies of these messages may be in the archive.
>
> To retrieve a set of messages 123-145 (a maximum of 100 per request),
> send an empty message to:
> <gentoo-security-get.123_145@g.o>
>
> To receive a subject and author list for the last 100 or so messages,
> send an empty message to:
> <gentoo-security-index@g.o>
>
> Here are the message numbers:
>
> 1221
> 1224
>
> --- Enclosed is a copy of the bounce message I received.
>
> Return-Path: <>
> Received: (qmail 14884 invoked from network); 21 Jul 2004 07:44:37 +0000
> Received: from horse.hostspectrum.com (209.120.224.103)
> by lists.gentoo.org with AES256-SHA encrypted SMTP; 21 Jul 2004 07:44:37 +0000
> Received: from mailnull by horse.hostspectrum.com with local (Exim 4.34)
> id 1BnBm3-0004IT-0b
> for gentoo-security-return-1221-adriancapdefier=digifin.ro@l.g.o; Wed, 21 Jul 2004 02:44:23 -0500
> X-Failed-Recipients: adriancapdefier@×××××××.ro
> Auto-Submitted: auto-generated
> From: Mail Delivery System <Mailer-Daemon@××××××××××××××××××.com>
> To: gentoo-security-return-1221-adriancapdefier=digifin.ro@l.g.o
> Subject: Mail delivery failed: returning message to sender
> Message-Id: <E1BnBm3-0004IT-0b@××××××××××××××××××.com>
> Date: Wed, 21 Jul 2004 02:44:23 -0500
> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
> X-AntiAbuse: Primary Hostname - horse.hostspectrum.com
> X-AntiAbuse: Original Domain - lists.gentoo.org
> X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-AntiAbuse: Sender Address Domain -
> X-Source:
> X-Source-Args:
> X-Source-Dir:
>
> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
> adriancapdefier@×××××××.ro
> This message has been rejected because it has
> a potentially executable attachment "MP3.com"
> This form of attachment has been used by
> recent viruses or other malware.
> If you meant to send this file then please
> package it up as a zip file and resend it.
>
> ------ This is a copy of the message, including all the headers. ------
>
> Return-path: <gentoo-security-return-1221-adriancapdefier=digifin.ro@l.g.o>
> Received: from [156.56.111.196] (helo=parrot.gentoo.org)
> by horse.hostspectrum.com with esmtp (TLSv1:AES256-SHA:256)
> (Exim 4.34)
> id 1BnBm2-0004IJ-JR
> for adriancapdefier@×××××××.ro; Wed, 21 Jul 2004 02:44:22 -0500
> Received: (qmail 3276 invoked by uid 89); 21 Jul 2004 07:43:50 +0000
> Mailing-List: contact gentoo-security-help@g.o; run by ezmlm
> Precedence: bulk
> List-Post: <mailto:gentoo-security@g.o>
> List-Help: <mailto:gentoo-security-help@g.o>
> List-Unsubscribe: <mailto:gentoo-security-unsubscribe@g.o>
> List-Subscribe: <mailto:gentoo-security-subscribe@g.o>
> List-Id: Gentoo Linux mail <gentoo-security.gentoo.org>
> X-BeenThere: gentoo-security@g.o
> Delivered-To: mailing list gentoo-security@l.g.o
> Received: (qmail 13423 invoked from network); 21 Jul 2004 07:43:43 +0000
> Date: Wed, 21 Jul 2004 09:40:45 +0100
> To: "Gentoo-security" <gentoo-security@l.g.o>
> From: "Gentoo" <gentoo@×××××××××××.org>
> Message-ID: <tnsnraezeeqrruituys@l.g.o>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="--------kkwrockmnbyvvzoqzwtn"
> Subject: [gentoo-security] Re:
>
> ----------kkwrockmnbyvvzoqzwtn
> Content-Type: text/html; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
>
> <html><body>
>
>>Predators<br><br>
>
>
> <br>
> </body></html>
>
> ----------kkwrockmnbyvvzoqzwtn
> Content-Type: application/octet-stream; name="MP3._c_o_m_"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="MP3._c_o_m_"
>
> TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAAAAC0TM0hAAAAAAAAAAAAAAAAAAAAAAAA
__________________________________________________________________________
> IrskcHZRkMCJnKCDZQEvHlKDnCwSTzI/KiFjw6SBbUIvg4LGDA==
>
>
> ----------kkwrockmnbyvvzoqzwtn
> Content-Type: text/plain; charset=us-ascii
>
> --
> gentoo-security@g.o mailing list
> ----------kkwrockmnbyvvzoqzwtn--
>
>
>
>


--

Adi

--
gentoo-security@g.o mailing list
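The pattern Adi describes works because the list's bounce handler only learns that mail to the VERP return address bounced, not why. Added example (not ezmlm's code and not from the original post): a bounce classifier that parses the ezmlm-style VERP addresses quoted above into list, message number and recipient, and refuses to count an Exim content-filter rejection as evidence of a dead address. The VERP layout is inferred from the addresses on this page, the lowercase "warn" kind and the Exim phrase are taken from the quoted DSN, and the sample bounce is constructed.

```python
import re
from email import message_from_string

# ezmlm-style VERP return address as seen in the quoted bounce:
#   <list>-return-[<kind>-]<tag>-<local>=<domain>@<listhost>
# <tag> is the list message number (1221) or a warning cookie; <kind> ("warn") assumed lowercase.
VERP_RE = re.compile(
    r"^(?P<list>.+?)-return-(?:(?P<kind>[a-z]+)-)?(?P<tag>[^-@]+)-"
    r"(?P<local>[^@=]+)=(?P<domain>[^@]+)@(?P<host>[^@]+)$"
)
# Exim's wording from the quoted DSN: the MTA refused one message's content, not the mailbox.
CONTENT_FILTER_RE = re.compile(r"potentially executable attachment", re.I)

def parse_verp(address):
    """Split a VERP address into list, kind, tag, recipient, host; None if not VERP."""
    m = VERP_RE.match(address.strip().strip("<>"))
    if not m:
        return None
    f = m.groupdict()
    f["recipient"] = f.pop("local") + "@" + f.pop("domain")
    return f

def classify_bounce(raw):
    """Tell a content-filter rejection apart from a genuinely failing address."""
    msg = message_from_string(raw)
    verp = parse_verp(msg.get("To", "")) or {}
    text = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    filtered = CONTENT_FILTER_RE.search(text) is not None
    failed = (msg.get("X-Failed-Recipients") or "").strip()
    return {
        "list": verp.get("list"),
        "kind": verp.get("kind") or "message",  # plain list message vs warn/probe
        "tag": verp.get("tag"),
        "recipient": verp.get("recipient"),
        "dsn_names_same_recipient": failed == verp.get("recipient"),  # mismatch is suspicious
        "reason": "content_filter" if filtered else "address_failure",
        "count_toward_removal": not filtered,  # only dead-address bounces should count
    }

# Constructed sample modelled on the Exim DSN quoted above (addresses made up).
SAMPLE_BOUNCE = """\
From: Mail Delivery System <Mailer-Daemon@mx.example.net>
To: gentoo-security-return-1221-alice=example.org@lists.example.org
X-Failed-Recipients: alice@example.org

  alice@example.org
    This message has been rejected because it has
    a potentially executable attachment "MP3.com"
"""
```

A list operator could feed each incoming bounce through classify_bounce and only let those with count_toward_removal set advance a subscriber toward the warn/probe/remove sequence.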