From: Peter Dimov (pdimov_at_[hidden])
Date: 2004-02-12 08:11:14
Jeff Garland wrote:
> On Wed, 11 Feb 2004 23:38:49 -0500, Dan W. wrote
>> Yeah, never mind... 129.79.245.244 below is in the IP range of the
>> University of Indiana; and the fact that it says it received the
>> email from local host (127.0.0.1) either means that IU.edu's SMTP
>> server is hacked, or that there's another machine in their campus
>> that's hacked and pretending to be local host; or else that local
>> host is hacked, or that my ISP is hacked, or that the server here at
>> work is hacked, or...
>>
>> ...or that I'm hacked... :(
>
> Actually I believe one of the boosters at University of Indiana has
> been hacked. I've been receiving MyDoom infected email with sender
> names that correspond to the user names of at least one of the
> boosters there and appear to be from there. And I'm certain that my
> machines haven't been hacked. As for me being hacked, that's less
> clear ;-)

MyDoom is a From: spoofer. The relevant header is:

    Received: from curbralan.com ([202.103.247.70])
        by heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796
        for <boost_at_[hidden]>; Wed, 11 Feb 2004 19:32:53 -0500

where "curbralan.com" is forged. The IP address is assigned to:

    inetnum: 202.103.192.0 - 202.103.255.255
    netname: CHINANET-GX
    descr: CHINANET Guangxi province network
    descr: Data Communication Division
    descr: China Telecom
    country: CN

Kevlin will now receive tens of "You are infected" autoreplies; I'm sure
he'll be honored.
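
Added example, not part of the original message: Python code for the header reading described above, separating the name the client claimed in a Received: line from the peer IP the receiving server recorded, then checking that IP against the whois inetnum range quoted above. The function names and the From:/Subject: lines of the sample are constructed; the regex assumes the sendmail-style `from NAME ([IP])` layout of the quoted header.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received header is the one quoted above (recipient
# as redacted by the archive); From and Subject are placeholders.
RAW = (
    "Received: from curbralan.com ([202.103.247.70])\n"
    "\tby heart-of-gold.osl.iu.edu (8.11.6/8.11.6) with ESMTP id i1C0Wq529796\n"
    "\tfor <boost_at_[hidden]>; Wed, 11 Feb 2004 19:32:53 -0500\n"
    "From: someone@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# from <claimed name> ([rdns ]<[peer ip]>) by <recording server>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_received(value):
    """Split a Received: value into what the client claimed and what the
    receiving server observed. Returns None if the layout is not recognised."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {
        "claimed_helo": m.group("helo"),   # chosen by the sender, forgeable
        "rdns": m.group("rdns"),           # reverse DNS, if the server logged one
        "peer_ip": ipaddress.ip_address(m.group("ip")),  # observed TCP peer
        "recorded_by": m.group("by"),
    }

def in_inetnum(ip, inetnum):
    """True if ip lies inside a whois 'first - last' inetnum range."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    nets = ipaddress.summarize_address_range(first, last)
    return any(ipaddress.ip_address(str(ip)) in net for net in nets)

def topmost_hop(raw):
    """Parse the newest Received header, the one added by the final server."""
    msg = message_from_string(raw)
    return parse_received(msg.get_all("Received")[0])
```

Only the topmost Received header, written by a server you trust, is reliable; older ones below it can be inserted by the sender.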