OT-Virus that LOOKS like it is from Sybrand (but not)

From: Jim Kennedy <kennedy-family_at_attbi.com>
Date: Mon, 14 Oct 2002 14:45:26 GMT
Message-ID: <aMAq9.37705$rz6.5575_at_sccrnsc02>


I got 2 email messages today that looked like they were from Sybrand and they contained the Klez virus. My anti-virus software stopped them. The email headers are forged and they were NOT from Sybrand. Here is a copy of the email header:




Return-Path: <julia_at_powerleader.com.cn>
Received: from powerleader.com.cn ([211.154.134.140])
          by sccrgwc01.attbi.com
          (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
          id <20021014091044.TCDU15415.sccrgwc01.attbi.com_at_powerleader.com.cn>
          for <kennedy-family_at_attbi.com>; Mon, 14 Oct 2002 09:10:44 +0000
Received: from Pvctnv [61.175.132.130] by powerleader.com.cn
          (SMTPD32-6.00) id AA41B9014C; Mon, 14 Oct 2002 17:11:29 +0800
From: postbus <postbus_at_sybrandb.demon.nl>
To: kennedy-family_at_attbi.com
Subject: Re:welcome to my hometown
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=Dt906Xlb94z
Message-Id: <200210141711937.SM01100_at_Pvctnv>
Date: Mon, 14 Oct 2002 17:11:32 +0800
X-NortonAV-TimeoutProtection: 0
X-NortonAV-TimeoutProtection: 1

....


You can see it came from 211.154.134.140 which is some jerk in China who is either the spammer or has an open relay email. Do NOT open any email that looks to be from Sybrand that has a subject of re:welcome to my hometown. Below is the whois on the China IP address.

Jim

10/14/02 07:35:08 whois 211.154.134.140_at_whois.geektools.com

whois -h whois.geektools.com 211.154.134.140 ...
Query: 211.154.134.140
Registry: whois.apnic.net
Results:
% [whois.apnic.net node-1]
% How to use this server http://www.apnic.net/db/
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      211.154.128.0 - 211.154.159.255
netname:      CMNET
descr:        China Motion Network Communication
country:      CN
admin-c:      WF58-AP
tech-c:       WF58-AP
mnt-by:       MAINT-CNNIC-AP
changed:      luoyan_at_cnnic.net.cn 20011024
status:       ALLOCATED PORTABLE
source:       APNIC

person:       wang fajun
address:      2/F,Yuhua Industrial&Trading Bldg,
address:      Baogang Road,ShenZhen,GD
country:      CN
phone:        +86-755-2189544
fax-no:       +86-755-2189555
e-mail:       idcservice_at_china-motion.com
nic-hdl:      WF58-AP
mnt-by:       MAINT-CNNIC-AP
changed:      IPAS_at_cnnic.net.cn 20011024
source:       APNIC



Results brought to you by the GeekTools WHOIS Proxy Server
results may be copyrighted and are used with permission.
Your host (12.241.212.232) has visited 1 times today.

--
Received on Mon Oct 14 2002 - 16:45:26 CEST
