* [LARTC] question regarding spam and viruses from
@ 2005-05-14 14:35 Marc Manthey
  2005-05-14 14:53 ` Denys
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Marc Manthey @ 2005-05-14 14:35 UTC (permalink / raw)
  To: lartc


[-- Attachment #1.1.1: Type: text/plain, Size: 2242 bytes --]

Hello experts,

I have been lurking on the list for a while to learn a bit
about iproute2 and stuff.

But one thing makes me really mad. I got every day
at least one mail with an attachment or virus or trojan
or whatever that is, from the mail address wilson@sentrisystems.com
and this for about 3-4 weeks.

What the f**** is this. Is there anybody else who got strange
mails?

What can I do?

Sorry for bothering

Nice weekend, marc


P.S. I attached the message without the file.
Begin forwarded message:

> From: "Wilson" <wilson@sentrisystems.com>
> Date: May 14, 2005 4:16:33 PM GMT+02:00
> To: "LARTC" <LARTC@mailman.ds9a.nl>
> Subject: [LARTC] Re:
> Return-Path: <lartc-bounces@mailman.ds9a.nl>
> Envelope-To: marc@let.de
> Delivery-Date: Sat, 14 May 2005 16:26:15 +0200
> Received: from outpost.ds9a.nl ([213.244.168.210]) by  
> vm21.bln1.vrmd.de with esmtp (Exim 4.43) id 1DWxap-0007i7-G6 for  
> marc@let.de; Sat, 14 May 2005 16:26:15 +0200
> Received: from outpost.ds9a.nl (outpost [127.0.0.1]) by  
> outpost.ds9a.nl (Postfix) with ESMTP id F277E493B; Sat, 14 May 2005  
> 16:16:16 +0200 (CEST)
> Received: from jai.com (unknown [202.56.213.146]) by  
> outpost.ds9a.nl (Postfix) with SMTP id B9147493B for  
> <LARTC@mailman.ds9a.nl>; Sat, 14 May 2005 16:15:40 +0200 (CEST)
> Delivered-To: lartc@outpost.ds9a.nl
> Message-Id: <fmjycjqrrtikugtcqlv@mailman.ds9a.nl>
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="--------sewqpdovgohbjompjdji"
> X-Beenthere: lartc@mailman.ds9a.nl
> X-Mailman-Version: 2.1.5
> Precedence: list
> List-Id: "Mailinglist of the Linux Advanced Routing & Traffic  
> Control project" <lartc.mailman.ds9a.nl>
> List-Unsubscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/ 
> lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
> List-Archive: <http://mailman.ds9a.nl/pipermail/lartc>
> List-Post: <mailto:lartc@mailman.ds9a.nl>
> List-Help: <mailto:lartc-request@mailman.ds9a.nl?subject=help>
> List-Subscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/ 
> lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
> Sender: lartc-bounces@mailman.ds9a.nl
> Errors-To: lartc-bounces@mailman.ds9a.nl
>
>
> >Predators
>
>
> Password: 

[-- Attachment #1.1.2: maxmnznewp.bmp --]
[-- Type: image/bmp, Size: 2026 bytes --]

[-- Attachment #1.1.3: Type: text/plain, Size: 4 bytes --]

>
>

[-- Attachment #1.1.4: maxmnznewp.bmp --]
[-- Type: image/bmp, Size: 2026 bytes --]

[-- Attachment #1.1.5: Type: text/plain, Size: 1531 bytes --]

> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

http://www.whois.net/whois.cgi2?d=sentrisystems.com

[whois.domaincontender.com]
Registration and WHOIS Service Provided By: domaincontender.com

Domain Contender, LLC provides the data in the domaincontender.com
Registrar WHOIS database for informational purposes only. The  
information
may only be used to assist in obtaining information about a domain  
name's
registration record.

Domain Contender makes this information available "as is,"
and does not guarantee its accuracy.

Registrant:
  NOLDC, Inc
  838 Camp Street
  Apartment C
  New Orleans, LA 70130
  US
  504-523-0360


Domain Name: SENTRISYSTEMS.COM

Administrative Contact:
  Purchase, Domain noldc_dc@04desember.com
  838 Camp Street
  Apartment C
  New Orleans, LA 70130
  US
  504-523-0360


Technical Contact:
  Purchase, Domain noldc_dc@04desember.com
  838 Camp Street
  Apartment C
  New Orleans, LA 70130
  US
  504-523-0360


Record last updated 09-30-2004 08:37:34 AM
Record expires on 08-29-2005
Record created on 08-29-2004

Domain servers in listed order:
         NS1.SECUREMARKET.NET    209.16.87.45
         NS2.SECUREMARKET.NET    209.16.87.46

>

-- 
"In a world without walls or fences, who needs Windows and Gates?"

Marc Manthey
D - 50672 Cologne
West Germany
office: 0049.221.355.80.32
mobile: 0049.177.341.54.81
www.let.de
www.applehelpers.com
aim://macfreak2004
macfreak@jabber.org





[-- Attachment #1.2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 2814 bytes --]

[-- Attachment #2: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] question regarding spam and viruses from
  2005-05-14 14:35 [LARTC] question regarding spam and viruses from Marc Manthey
@ 2005-05-14 14:53 ` Denys
  2005-05-14 18:11 ` S. Krishnan
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Denys @ 2005-05-14 14:53 UTC (permalink / raw)
  To: lartc

Hi Marc

Maybe call his ISP.
Also a good idea to send reports to SPAMCOP etc.; maybe the admins of
this network will move ass and kick those users out.

inetnum:      202.56.192.0 - 202.56.255.255
netname:      BHARTI-IN
descr:        Bharti Infotel Ltd.
descr:        234 , Okhla Phase III
descr:        New Delhi 1100017
country:      IN
admin-c:      NA40-AP
tech-c:       NA40-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-IN-BBIL

route:        202.56.192.0/18
descr:        BHARTI-IN
descr:        BHARTI INFOTEL LTD.
descr:        Class A ISP in INDIA .
descr:        234 , OKHLA PHASE III ,
descr:        NEW DELHI
descr:        INDIA
country:      IN
origin:       AS9498
mnt-by:       MAINT-IN-BBIL
changed:      hm-changed@apnic.net 20050201
source:       APNIC

person:       Network Administrator
nic-hdl:      NA40-AP
e-mail:       techsupport@bharti.com
address:      Bharti Infotel Ltd.
address:      ISP Division - Long Distance - Telesonic
address:      234 ,
address:      Okhla Ind. Area,
address:      Phase III
address:      New Delhi,
address:      INDIA-110020
!!!!phone:        +91-11- 5171 0131
!!!!fax-no:       +91-11- 5171 1050
country:      IN
changed:      techsupport@bharti.com 20040911
mnt-by:       MAINT-IN-BBIL
source:       APNIC



-- 
Best regards,
 Denys                          mailto:nuclearcat@nuclearcat.com


* Re: [LARTC] question regarding spam and viruses from
  2005-05-14 14:35 [LARTC] question regarding spam and viruses from Marc Manthey
  2005-05-14 14:53 ` Denys
@ 2005-05-14 18:11 ` S. Krishnan
  2005-05-14 20:16 ` [LARTC] question regarding spam and viruses Michael Renzmann
  2005-05-14 21:19 ` David Hough
  3 siblings, 0 replies; 5+ messages in thread
From: S. Krishnan @ 2005-05-14 18:11 UTC (permalink / raw)
  To: lartc

On Sat, 2005-05-14 at 17:53 +0300, Denys wrote:
> Hi Marc
> 
> Maybe call his ISP.
> Also a good idea to send reports to SPAMCOP etc.; maybe the admins of
> this network will move ass and kick those users out.
> 

OK, this is what is interesting.  The domain sentrisystems.com is
registered to an organization located in New Orleans in the USA, while
the email comes from a dialup host located on the India based Touchtel
ISP network, as pointed out by Denys.  A quick port scan of the
offending mail relay shows all ports to be filtered, so this seems to
rule out the idea that the sender is a compromised host.

Can't the listadmin just block this address?

Cheers,

Krishnan



* Re: [LARTC] question regarding spam and viruses
  2005-05-14 14:35 [LARTC] question regarding spam and viruses from Marc Manthey
  2005-05-14 14:53 ` Denys
  2005-05-14 18:11 ` S. Krishnan
@ 2005-05-14 20:16 ` Michael Renzmann
  2005-05-14 21:19 ` David Hough
  3 siblings, 0 replies; 5+ messages in thread
From: Michael Renzmann @ 2005-05-14 20:16 UTC (permalink / raw)
  To: lartc

Hi.

S. Krishnan wrote:
> OK, this is what is interesting.  The domain sentrisystems.com is
> registered to an organization located in New Orleans in the USA, while
> the email comes from a dialup host located on the India based Touchtel
> ISP network, as pointed out by Denys.

Wow, you just discovered the fact that e-mail addresses can be faked.

> Can't the listadmin just block this address?

Can't people just look into the archives for past discussions on this
topic? Can't people just put that address into their own blacklists?

Threads like this start to cause more traffic than the actual virus
mails themselves. And they are at least as annoying as those mails.

Bye, Mike
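
The header reading discussed in the replies above, as an added example that is not part of the thread: it walks the Received chain of the forwarded message from the newest hop down and separates what the sender claimed (From, HELO) from what the list server itself recorded (the connecting IP). Which hosts count as trusted (TRUSTED_BY, TRUSTED_IPS) is an assumption made here for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the forwarded message in this thread (quote markers removed).
RAW = """\
From: "Wilson" <wilson@sentrisystems.com>
Received: from outpost.ds9a.nl ([213.244.168.210]) by
 vm21.bln1.vrmd.de with esmtp (Exim 4.43) id 1DWxap-0007i7-G6 for
 marc@let.de; Sat, 14 May 2005 16:26:15 +0200
Received: from outpost.ds9a.nl (outpost [127.0.0.1]) by
 outpost.ds9a.nl (Postfix) with ESMTP id F277E493B; Sat, 14 May 2005
 16:16:16 +0200 (CEST)
Received: from jai.com (unknown [202.56.213.146]) by
 outpost.ds9a.nl (Postfix) with SMTP id B9147493B for
 <LARTC@mailman.ds9a.nl>; Sat, 14 May 2005 16:15:40 +0200 (CEST)

"""

# Assumption: the reader decides which MTAs it trusts to stamp honest lines.
TRUSTED_BY = {"vm21.bln1.vrmd.de", "outpost.ds9a.nl"}
TRUSTED_IPS = {"127.0.0.1", "213.244.168.210"}

# "from <HELO> (<rDNS> [<IP>]) by <host>"; the rDNS name is optional (Exim).
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?"
                 r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")

def entry_hop(raw):
    """Return the first outside client recorded by a trusted MTA, else None."""
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)  # newest hop first: headers are prepended
        if not m or m["by"] not in TRUSTED_BY:
            return None        # chain leaves trusted hosts: nothing reliable
        if m["ip"] not in TRUSTED_IPS:
            return m.groupdict()  # lines below this one are sender-supplied
    return None

def assess(raw):
    """Separate what the sender claimed from what the list server observed."""
    sender = parseaddr(message_from_string(raw)["From"])[1]
    hop = entry_hop(raw) or {"helo": None, "ip": None, "rdns": None}
    return {
        "claimed_from_domain": sender.rpartition("@")[2].lower(),
        "claimed_helo": hop["helo"],
        "observed_ip": hop["ip"],  # the only field the sender cannot choose
        # Postfix writes "unknown" when it cannot confirm a client hostname.
        "rdns_known": hop["rdns"] not in (None, "unknown"),
    }

if __name__ == "__main__":
    print(assess(RAW))
```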


* Re: [LARTC] question regarding spam and viruses
  2005-05-14 14:35 [LARTC] question regarding spam and viruses from Marc Manthey
                   ` (2 preceding siblings ...)
  2005-05-14 20:16 ` [LARTC] question regarding spam and viruses Michael Renzmann
@ 2005-05-14 21:19 ` David Hough
  3 siblings, 0 replies; 5+ messages in thread
From: David Hough @ 2005-05-14 21:19 UTC (permalink / raw)
  To: lartc

On Sat, 2005-05-14 at 22:16 +0200, Michael Renzmann wrote:
> Hi.
> 
> S. Krishnan wrote:
> > OK, this is what is interesting.  The domain sentrisystems.com is
> > registered to an organization located in New Orleans in the USA, while
> > the email comes from a dialup host located on the India based Touchtel
> > ISP network, as pointed out by Denys.
> 
> Wow, you just discovered the fact that e-mail addresses can be faked.
> 
> > Can't the listadmin just block this address?
> 
> Can't people just look into the archives for past discussions on this
> topic? Can't people just put that address into their own blacklists?
> 
> Threads like this start to cause more traffic than the actual virus
> mails themselves. And they are at least as annoying as those mails.
> 
The problem is that many systems are configured to bounce viruses
(proper bounces, not annoying messages telling the wrong people that a
virus was detected) so enough viruses to the list will cause people to
get unsubscribed. It's worse with this list because the probe message
checking for failures includes a copy of the message causing the bounce,
so it gets rejected as well. I'm sure I'm not the only one who has to
re-subscribe every few days because of viruses. It wouldn't be hard to
just remove posting access from that particular email address, I don't
think I've ever seen a real post from it anyway.

The topic keeps coming up because those with the power to do something
useful about it haven't yet done it.

Dave

