Important!!! W32.KLEZ Worm problem on this group.
Bob Keeter
Thu, Jul-18-02, 01:17
Over the last few days I've been receiving a lot of bounced
emails from servers that are finding "*.exe" files attached to
emails that I've never sent (knowingly anyway), many of which
were emailed while my computer was OFF no less!!! Did a
little bit of investigating. . . . .
Symptomatically these emails seem to be products of the
Klez worm, specifically a "spoofing" variety of the KLEZ
worm. Spoofing in this case means that the worm spins out
these mass-mailing emails to everyone on your computer's
email directory or possibly off of emails in your "In
Basket" or "TRASH" as well, and uses one of those email
addresses as the fictional "sender". This little switcheroo
is apparently included to hide the true source of the
infection. This was what really tipped me off to the
possible source of the problem.
I use a Mac and the KLEZ worms are windows specific. In other
words my machine can not catch this virus even if I do use MS
Explorer and Outlook, yet all of these rejected emails are
apparently from me! Just to be sure that a Mac-equivalent bug
had not sneaked in, I've also done a complete sweep using the
latest Norton antivirus and my mac is clean. Also checked my
kids' windows machines and they are clean, not to mention the
fact that they do not have any contact with the SAP or
paleoanthro email addresses.
So. . . . . unfortunately, it appears that someone out there
with a PC (and something less than the most recent
Outlook/Explorer) has the bug and apparently gets a lot of the
same emails as I (Paleoanthro, etc). It's almost certain that
it's "one of us" since the servers sending back these
contaminated files to me show most of the intended addresses
were picked directly off of this newsgroup and off of the
paleoanthro email summaries.
Suggest that everyone with Windows check their machines.
According to some of the writeups at least a few of the KLEZ
worms turn very destructive on the 12th of even numbered
months and start irrecoverably trashing files on the
infected machines.
If you have received or do receive one of these emails
apparently from me or anyone else on the newsgroup, with an
attachment that has any sort of *.exe or *.bat file attached
(that you don't expect), rest assured that it did not come from
me or from the person whose email address appears in the
header, and is NOT one that you should open. Just put it in
the trash and flush.
If anyone turns up a W32.KLEZ virus you might want to let the
rest of the group know.
Regards (and good luck!) bk
Gisele Hor
Thu, Jul-18-02, 01:17
Bob, I am having the same problem. In fact, I spent most of
the day yesterday trying to find some evidence of this virus
in my computer and could find none ... but I've been getting
"returned mails" which I did not send. I've received 3 over
the last couple of days and the 3rd (today) had a virus
attached. AVG anti-virus system caught it.
There is some very good information on this virus at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
including a (free) removal tool, registration settings to
check, etc. etc. As you say, a person can be associated with
the virus and yet, not be infected:
"Because this worm uses a randomly chosen address that it
finds on an infected computer as the "From:" address, numerous
cases have been reported in which users of uninfected
computers received complaints that they sent an infected
message to someone else.
For example, Linda Anderson is using a computer that is
infected with
W32.Klez.H@mm. Linda is not using an antivirus program or does
not have current virus definitions. When W32.Klez.H@mm
performs its emailing routine, it finds the email address
of Harold Logan. It inserts Harold's email address into
the "From:" portion of an infected message that it then
sends to Janet Bishop. Janet then contacts Harold and
complains that he sent her an infected message, but when
Harold scans his computer, Norton AntiVirus does not find
anything--as would be expected--because his computer is
not infected."
I think what may have happened is that many of us are on a
Spam mailing list in an infected computer. The letters I've
been receiving originated in the UK.
Gisele
On Tue, 14 May 2002 02:58:30 GMT, Bob Keeter
<rkeeter@earthlink.net> wrote:
>Over the last few days I've been receiving a lot of bounced
>emails from servers that are finding "*.exe" files attached
>to emails that I've never sent (knowingly anyway), many of
>which were emailed while my computer was OFF no less!!! Did
>a little bit of investigating. . . . .
>
>Symptomatically these emails seem to be products of the
>Klez worm, specifically a "spoofing" variety of the KLEZ
>worm. Spoofing in this case means that the worm spins out
>these mass-mailing emails to everyone on your computer's
>email directory or possibly off of emails in your "In
>Basket" or "TRASH" as well, and uses one of those email
>addresses as the fictional "sender". This little switcheroo
>is apparently included to hide the true source of the
>infection. This was what really tipped me off to the
>possible source of the problem.
>
>I use a Mac and the KLEZ worms are windows specific. In other
>words my machine can not catch this virus even if I do use MS
>Explorer and Outlook, yet all of these rejected emails are
>apparently from me! Just to be sure that a Mac-equivalent bug
>had not sneaked in, I've also done a complete sweep using the
>latest Norton antivirus and my mac is clean. Also checked my
>kids' windows machines and they are clean, not to mention the
>fact that they do not have any contact with the SAP or
>paleoanthro email addresses.
>
>So. . . . . unfortunately, it appears that someone out there
>with a PC (and something less than the most recent
>Outlook/Explorer) has the bug and apparently gets a lot of
>the same emails as I (Paleoanthro, etc). It's almost certain
>that it's "one of us" since the servers sending back these
>contaminated files to me show most of the intended addresses
>were picked directly off of this newsgroup and off of the
>paleoanthro email summaries.
>
>Suggest that everyone with Windows check their machines.
>According to some of the writeups at least a few of the KLEZ
>worms turn very destructive on the 12th of even numbered
>months and start irrecoverably trashing files on the infected
>machines.
>
>If you have received or do receive one of these emails
>apparently from me or anyone else on the newsgroup, with an
>attachment that has any sort of *.exe or *.bat file attached
>(that you don't expect), rest assured that it did not come
>from me or from the person whose email address appears in the
>header, and is NOT one that you should open. Just put it in
>the trash and flush.
>
>If anyone turns up a W32.KLEZ virus you might want to let the
>rest of the group know.
>
>Regards (and good luck!) bk
Curtadams
Thu, Jul-18-02, 01:17
rkeeter@earthlink.net writes:
>Over the last few days I've been receiving a lot of bounced
>emails from servers that are finding "*.exe" files attached
>to emails that I've never sent (knowingly anyway), many of
>which were emailed while my computer was OFF no less!!! Did
>a little bit of investigating. . . . .
I've had a similar problem recently, but my bounce messages
claim it's a .pif file. Mostly they bounce from UK addresses,
which suggests it's somebody there. But maybe my spoofer has a
different virus?
Thanks for the research.
Curt Adams (curtadams@aol.com) "It is better to be wrong than
to be vague" - Freeman Dyson
Anne V. Gi
Thu, Jul-18-02, 01:17
Bk
> If you have received or do receive one of these emails
> apparently from me or anyone else on the newsgroup, with an
> attachment that has any sort of *.exe or *.bat file attached
> (that you don't expect), rest assured that it did not come
> from me or from the person whose email address appears in the
> header, and is NOT one that you should open. Just put it in
> the trash and flush.
>
> If anyone turns up a W32.KLEZ virus you might want to let
> the rest of the group know.
>
> Regards (and good luck!)
I've been getting a bunch of these "e-mails" from various
sources in the last few days (one of them was supposedly from
somebody in a sane and sober academic email list), and I'm
fortunate. I have a very good antivirus program that warned me
about each and every one of them. So I'm not affected. But I
would *strongly* suggest that, if anyone out there *doesn't*
have an antivirus program, they should get one forthwith! I
even know of a good one you can download and use --- free! And
it updates things very frequently. So people shouldn't have
any real problems with this. Anne G
---
Outgoing mail is certified Virus Free. Checked by AVG
anti-virus system (http://www.grisoft.com). Version: 6.0.361 /
Virus Database: 199 - Release Date: 5/7/02
Richard Wa
Thu, Jul-18-02, 01:17
Gisele Horvat wrote:
> Bob, I am having the same problem. In fact, I spent most of
> the day yesterday trying to find some evidence of this virus
> in my computer and could find none ... but I've been getting
> "returned mails" which I did not send. I've received 3 over
> the last couple of days and the 3rd (today) had a virus
> attached. AVG anti-virus system caught it.
>
> There is some very good information on this virus at:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
>
> including a (free) removal tool, registration settings to
> check, etc. etc. As you say, a person can be associated with
> the virus and yet, not be infected:
>
> "Because this worm uses a randomly chosen address that it
> finds on an infected computer as the "From:" address,
> numerous cases have been reported in which users of
> uninfected computers received complaints that they sent an
> infected message to someone else.
>
> For example, Linda Anderson is using a computer that is
> infected with
> W32.Klez.H@mm. Linda is not using an antivirus program or
> does not have current virus definitions. When
> W32.Klez.H@mm performs its emailing routine, it finds
> the email address of Harold Logan. It inserts Harold's
> email address into the "From:" portion of an infected
> message that it then sends to Janet Bishop. Janet then
> contacts Harold and complains that he sent her an
> infected message, but when Harold scans his computer,
> Norton AntiVirus does not find anything--as would be
> expected--because his computer is not infected."
>
> I think what may have happened is that many of us are on a
> Spam mailing list in an infected computer. The letters I've
> been receiving originated in the UK.
>
> Gisele
>
> On Tue, 14 May 2002 02:58:30 GMT, Bob Keeter
> <rkeeter@earthlink.net> wrote:
>
> >Over the last few days I've been receiving a lot of bounced
> >emails from servers that are finding "*.exe" files attached
> >to emails that I've never sent (knowingly anyway), many of
> >which were emailed while my computer was OFF no less!!!
> >Did a little bit of investigating. . . . .
> >
> >Symptomatically these emails seem to be products of the
> >Klez worm, specifically a "spoofing" variety of the KLEZ
> >worm. Spoofing in this case means that the worm spins out
> >these mass-mailing emails to everyone on your computer's
> >email directory or possibly off of emails in your "In
> >Basket" or "TRASH" as well, and uses one of those email
> >addresses as the fictional "sender". This little switcheroo
> >is apparently included to hide the true source of the
> >infection. This was what really tipped me off to the
> >possible source of the problem.
> >
> >I use a Mac and the KLEZ worms are windows specific. In
> >other words my machine can not catch this virus even if I
> >do use MS Explorer and Outlook, yet all of these rejected
> >emails are apparently from me! Just to be sure that a
> >Mac-equivalent bug had not sneaked in, I've also done a
> >complete sweep using the latest Norton antivirus and my mac
> >is clean. Also checked my kids' windows machines and they
> >are clean, not to mention the fact that they do not have
> >any contact with the SAP or paleoanthro email addresses.
> >
> >So. . . . . unfortunately, it appears that someone out there
> >with a PC (and something less than the most recent
> >Outlook/Explorer) has the bug and apparently gets a lot of
> >the same emails as I (Paleoanthro, etc). It's almost certain
> >that it's "one of us" since the servers sending back these
> >contaminated files to me show most of the intended
> >addresses were picked directly off of this newsgroup and
> >off of the paleoanthro email summaries.
> >
> >Suggest that everyone with Windows check their machines.
> >According to some of the writeups at least a few of the
> >KLEZ worms turn very destructive on the 12th of even
> >numbered months and start irrecoverably trashing files on
> >the infected machines.
> >
> >If you have received or do receive one of these emails
> >apparently from me or anyone else on the newsgroup, with an
> >attachment that has any sort of *.exe or *.bat file
> >attached (that you don't expect), rest assured that it did
> >not come from me or from the person whose email address
> >appears in the header, and is NOT one that you should open.
> >Just put it in the trash and flush.
> >
> >If anyone turns up a W32.KLEZ virus you might want to let
> >the rest of the group know.
> >
> >Regards (and good luck!) bk
> >
Having exactly the same problem. I have swept my machine
and it is supposedly clean. But I have been sending,
supposedly, messages to you and others on this group. If you
got the one re sexy Japanese ladies my apologies. A lot of
the mail delivery failure notices have been coming back from
the UK and the Daemon mail system in particular. Since I can
find nothing on my machine does this mean I am safe - apart
from having people think I am a nutcase? Is there a way to
track down the infected computer since it seems to have
victimized this group?
Rick Wagler
PS If, like me, you are only getting two or three mail
failure notices a day does this mean you are clean? A
friend of mine who had this virus was getting hundreds of
these a day.
Anne V. Gi
Thu, Jul-18-02, 01:17
Gisele and all:
> I am having the same problem. In fact, I spent most of the
> day yesterday trying to find some evidence of this virus in
> my computer and could find none ... but I've been getting
> "returned mails" which I did not send. I've received 3 over
> the last couple of days and the 3rd (today) had a virus
> attached. AVG anti-virus system caught it.
AVG is an excellent little program. I use it, and it works
very well.
>
> There is some very good information on this virus at:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
>
> including a (free) removal tool, registration settings to
> check, etc. etc. As you say, a person can be associated with
> the virus and yet, not be infected: I think what may have
> happened is that many of us are on a Spam mailing list in an
> infected computer. The letters I've been receiving
> originated in the UK.
>
I don't know if it originated in the UK, but for all I know,
it could have. It has tried to "infect" me a couple of times,
and now that I've got my antivirus program working properly,
it does a very good job of warning me so I don't accidentally
open attachments that might be infected (I've had this problem
in the past --- with disastrous results). But I've been
getting *tons* of spam that originates in Korea. Do you or
anyone else suppose there is a connection here? Anne G
---
Outgoing mail is certified Virus Free. Checked by AVG
anti-virus system (http://www.grisoft.com). Version: 6.0.361 /
Virus Database: 199 - Release Date: 5/7/02
Pete
Thu, Jul-18-02, 01:17
I think it might be instructive to make a number of important
points here, to clear up a whole lot of fog.
First of all, no one doing system administration for a
competent network would _ever_ write or use a script that paid
any attention whatsoever to "From:" addresses on incoming
spam. If you are getting bounces of mails not sent by you,
based on the "From:" address of the mail, without regard to
the "Received:" headers, then the site you are receiving them
from is so hopelessly mismanaged as to be utterly ignored.
They are idiots.
Next, it is crucial if you are going to understand what mail
is coming to you, and where it is coming from, that you
understand how to read the headers, and glean the truth from
them. Otherwise, you will simply contribute to confusion. If
you are using a mindless-consumer directed mail reader that
suppresses all the headers except "From:", "Subject:" and
"Date:", then you must roll up your sleeves, get under the
hood, and tweak your software until it coughs up the full
headers, so you can see what's really happening. Deciphering
the pertinent headers, particularly the "Received:" series, is
fairly easy, and can be learned from tutorials at the various
spam-hunter websites such as Sam Spade.
Next, I concur with Philip, that the first move to secure your
mail system is to avoid anything made in Redmond. If at all
possible, start with the operating system. VMS, which our mail
system used until very recently, is totally 100% bulletproof,
and has been for decades, unfortunately it isn't very
practical or accessible for most folx, though I continue to
hope that Compaq (who bought it along with the rest of DEC)
may decide to liberate it to the cybergeek world. Macs are
fine if you have 'em, but if you don't want to replace your
hardware, a Linux installation will work happily on a windoze
box. OS security varies inversely with popularity, so as Linux
enjoys a fair amount of patronage, it is not 100% secure, but
the risk level is down in the noise compared to windoze. If
you aren't up to escaping the Redmond stranglehold on the OS
market, at the very least, get an aftermarket mailer, and
while you're at it get a mail virus screener (a generally good
idea if you're going to expose yourself by running windoze),
and if you have an IP connection of some flavour (as most folx
do these days) get a firewall as well. That will keep the spam
weasels from penetrating the non-existent protection on your
windoze box and relaying 10 million porn spams a day via your
mailer, using your cpu cycles to pollute the net.
Now as to how your address finds its way to infected mail, and
korean spammers: the spamweasel community constantly mines
usenet, and webpages, and ftp archives, and anything else they
can think of (including the Deja/Google archive, so it's too
late to do much about it) for any instance of *@*, which gets
plowed into those "*superbulkmailer* make money marketing on
the internet*" programs you've probably seen promoted in a
billion spams, and into those "100billion new valid email
addresses all eager to read your promotional message" cd's
you've also seen.
The cause of the current fit of garbage is apparently a
spammer's machine, judging from the headers posted by Anne, it
is operated from
modem-244.alakazam.dialup.pol.co.uk[217.135.11.244], although
that may simply be an insecure box belonging to some schmuck
which is being plundered to relay the mail. The spammer has
the virus on his box, and the virus is working its way through
the mass of addresses he's harvested from somewhere, possibly
here, possibly a mailing list. I haven't had any of these
bounces, so either the harvesting wasn't from this group, or
any mails with my address spoofed didn't go to the site which
stupidly responds to the "From:" address.
As to the Koreans, they are striving to emulate all the best
features of the american capitalism they love so much, so
they have recently discovered the joys of email marketing.
For the most part, they can't speak or write english, and
they have no interest in marketing to english-speaking
recipients, but unfortunately, address harvesting 'bots can't
distinguish what part of the world *@* is from, and being
good capitalists who understand that time is money, the
koreans can't be bothered to sort out the 500million email
addresses from the rest of the world in order to get their
spam to the 200,000 Korean language email account holders, so
the several billion spams coming out of Korea each day and
clogging the network pipes around the world are simply
collateral damage. A very large number of people in north
america and europe never actually see these spams, as most
large ISPs have all of Korea blocked completely, and simply
drop all their packets on the floor. This is because the
Korean network companies completely ignore all spam
complaints from beyond their borders, and the main pipes
connecting korea to the rest of the world - Teleglobe, and I
forget, one other I think - can't be bothered to block the
problem at the source, as they are getting big bucks every
day from korea to keep the pipe open, so to hell with the
rest of the net. If you are receiving korean spam, it is
simply because your provider can't be bothered to use the
SPEWS canonical list of spam sources to filter out junk email
at the source, and drop the packets before their first
gateway. It has nothing to do with anything else. If your
email address has ever been written to a file in plain text
on any machine connected to the net anywhere, the koreans
have been sending you megabytes of crap for the last six
months, urging you to drop by their second hand electronics
store in Seoul for the big sale tomorrow. If you haven't
received it, count yourself lucky.
--
==========================================================================
vincent@triumf[munge].ca Pete Vincent
Disclaimer: all I know I learned from reading Usenet.
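Pete's advice to read the "Received:" series rather than the "From:" line, worked through as an added example (this is not code from the original thread): a small Python script that parses a constructed message carrying the pol.co.uk relay names quoted above, walks the Received: chain from the top down through the relays you trust, and shows that the earthlink.net "From:" never appears on the relay path. The mx.example.net relay, the header ids and the message body are assumptions.

```python
"""Trace where a message really entered the mail system, ignoring From:.

Added example, not code from the original thread. Each relay prepends its own
Received: header, so the chain read top-down through relays you trust is the
only evidence of origin; the From: line is whatever Klez chose to write there.
The message below is constructed; its hostnames and addresses are the ones
quoted in the thread, mx.example.net and the ids are placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional

# Constructed sample: claims to be from Bob, but was handed to a pol.co.uk relay
# by a UK dialup host, which then passed it on to our own MX.
SAMPLE_RAW = """\
Received: from mail5.svr.pol.co.uk (mail5.svr.pol.co.uk [195.92.193.20])
    by mx.example.net with ESMTP id PLACEHOLDER-1 for <bidshelp@bids.ac.uk>;
    Tue, 14 May 2002 02:58:30 +0000
Received: from modem-244.alakazam.dialup.pol.co.uk ([217.135.11.244])
    by mail5.svr.pol.co.uk with SMTP id PLACEHOLDER-2;
    Tue, 14 May 2002 02:58:01 +0000
From: rkeeter@earthlink.net
To: bidshelp@bids.ac.uk
Subject: constructed sample
Content-Type: text/plain

(body omitted)
"""

# "from <helo> (<reverse-dns> [<ip>]) by <relay> ...": the HELO name is the
# sender's claim, the parenthesised part and the "by" host are the relay's own.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<paren>[^)]*)\))?"
    r".*?\bby\s+(?P<by>[\w.\-]+)",
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Sending host, its address and the stamping relay from one Received: header."""
    m = RECEIVED_RE.search(value)
    if not m:
        return {"helo": None, "ip": None, "by": None}
    ip = IP_RE.search(m.group("paren") or "")
    return {"helo": m.group("helo"), "ip": ip.group(1) if ip else None, "by": m.group("by")}


def received_chain(raw: str) -> list:
    """Received: headers in delivery order, oldest hop first (relays prepend, so reverse)."""
    msg = message_from_string(raw, policy=policy.default)
    return [parse_received(str(v)) for v in reversed(msg.get_all("Received", []))]


def claimed_sender(raw: str) -> str:
    """The From: address; it proves nothing about where the mail came from."""
    msg = message_from_string(raw, policy=policy.default)
    return parseaddr(str(msg["From"]))[1]


def provable_origin(raw: str, trusted_relays: set) -> Optional[dict]:
    """Furthest hop back that can be trusted.

    Walk from the newest header downward while the stamping relay is one of
    ours; the sender named in the last such header is the host that handed
    the message to us. Headers below that point came from the outside world
    and could have been forged by the injecting host.
    """
    origin = None
    for hop in reversed(received_chain(raw)):
        if hop["by"] not in trusted_relays:
            break
        origin = hop
    return origin


def claimed_origin(raw: str) -> Optional[dict]:
    """Oldest Received: entry, believable only if every relay above it is honest."""
    chain = received_chain(raw)
    return chain[0] if chain else None


def from_matches_path(raw: str) -> bool:
    """Heuristic: does the From: domain appear anywhere on the relay path?

    False for the thread's bounces: an earthlink.net sender whose message never
    touched an earthlink.net host is the Klez spoofing signature.
    """
    domain = claimed_sender(raw).rsplit("@", 1)[-1].lower()
    return any(h["helo"] and h["helo"].lower().endswith(domain) for h in received_chain(raw))


if __name__ == "__main__":
    print("From: claims     ", claimed_sender(SAMPLE_RAW))
    print("provable origin: ", provable_origin(SAMPLE_RAW, {"mx.example.net"}))
    print("claimed origin:  ", claimed_origin(SAMPLE_RAW))
    print("From: on path?   ", from_matches_path(SAMPLE_RAW))
```

With only mx.example.net trusted the furthest provable hop is the pol.co.uk relay; the dialup host below it is the claimed origin, credible only to the extent the pol.co.uk relay is honest.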
Gisele Hor
Thu, Jul-18-02, 01:17
On Mon, 13 May 2002 23:31:05 -0600, Richard Wagler
<taxidea3@shaw.ca> wrote:
>Having exactly the same problem. I have swept my machine
>and it is supposedly clean. But I have been sending,
>supposedly, messages to you and others on this group. If you
>got the one re sexy Japanese ladies my apologies. A lot of
>the mail delivery failure notices have been coming back from
>the UK and the Daemon mail system in particular. Since I can
>find nothing on my machine does this mean I am safe - apart
>from having people think I am a nutcase? Is there a way to
>track down the infected computer since it seems to have
>victimized this group?
I have only received "undeliverable mail". The one which was
from the "Postmaster" had the virus attachment (and this
attachment was very visible). As far as I know, if we do not
have the registry entries "wink***.exe" or any other signs of
the virus, our computers must be clean.... but it's an awful
feeling just the same to see our names on these letters.
>Rick Wagler
>
>PS If, like me, you are only getting two or three mail
> failure notices a day does this mean you are clean? A
> friend of mine who had this virus was getting hundreds of
> these a day.
I'm wondering if the ones who post more frequently have
received more of these letters (because their e-mail addresses
are more visible?). My undeliverable mails were supposedly
addressed to: 1) someone who does business at Ebay, someone at
Microsoft and Anne Gilbert (!). I don't know the first two
individuals at all but when I saw Anne's name, I was
concerned.
Gisele
Philip Dei
Thu, Jul-18-02, 01:17
On Mon, 13 May 2002 23:31:05 -0600, Richard Wagler
<taxidea3@shaw.ca> wrote:
>Having exactly the same problem. I have swept my machine
>and it is supposedly clean. But I have been sending,
>supposedly, messages to you and others on this group. If you
>got the one re sexy Japanese ladies my apologies. A lot of
>the mail delivery failure notices have been coming back from
>the UK and the Daemon mail system in particular. Since I can
>find nothing on my machine does this mean I am safe - apart
>from having people think I am a nutcase? Is there a way to
>track down the infected computer since it seems to have
>victimized this group?
You guys need to get some real readers. In Agent you can 'turn
off' the .exe file recognition so that files do not launch in
Agent. What has probably happened is someone has embedded a
virus in HTML code.
Phil's tips for keeping viruses away.
Don't use any Microsoft product. Eudora Light is all you need;
block the HTML code recognition. I dump mail into the trash
can and empty it if I do not know who it's from; 9/10 times it's
a virus/porn site or both.
Some ISPs allow you to 'child safe' your computer, you can
preselect the mail recipients and block everyone else. Some
ISPs allow you to report spammers, IMHO, though these are
ineffectual because the spammers change email and ISP
every night.
Use Agent to read your news (the full version also has
killfilters; I have dumped the contents of my killfile in my
signature file). Avoid using programs that autolaunch when the
computer starts, like RealPlayer or other start tray items.
Avoid any program that autolaunches text segments. Surf
carefully; if you find yourself entering a site that is not
what you expected, use the "Stop" key on your browser.
Viruses cannot infect postings, they are text; only binary
files and attachments can. Don't open binary files or
attachments. List of safe files to open:
1. JPEG or JPG
2. Txt
3. Rtf
4. Bmp
Files not to open without scanning:
5. Com
6. Exe
7. HTML (unless you have Java and VB scripting on your browser
turned off)
8. Doc files (such as MSWORD version 2.0 or later)
Protect yourself, if you are sent any of these, save the file
as an attachment, never open content over the internet. Then
get the latest virus recognition files and scan the contents
of your attachment directory.
>PS If, like me, you are only getting two or three mail
> failure notices a day does this mean you are clean? A
> friend of mine who had this virus was getting hundreds of
> these a day.
No it means that you are infected. If you're sending mail you
did not send and it is bounced it means probably that 2 or 3
mails got through.
Philip [pdeitik at bcm.tmc.edu]
http://home.att.net/~DNAPaleoAnth
For those folks that have Agent here is my filter file:
Author: Algis Kuliukas
Author: Bob Keeter
Author: Jabriol
Author: jabriol
Author: James Michael Howard
Author: Jim McGinn
Author: marc verhaegen
Author: Paul Crowley
Author: Tim Tyler
Author: Watch Tower
AAT
Creation
CreationEvolve
Abortion
Aquatic
aquatic
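Philip's open/scan list as a working attachment screen, added here as an example rather than code from the thread: it classifies each attachment of a MIME message by its final extension, adds the .bat and .pif names other posters reported, and applies the same refuse-executables rule as the Exim bounce Bob quotes later in the thread. The sample message, its addresses and the BORDER.exe placeholder bytes are constructed.

```python
"""Screen attachments by file type the way the thread recommends.

Added example, not code from the original thread. It encodes Philip's list
(JPEG/JPG, TXT, RTF and BMP can be opened; COM, EXE, HTML and DOC only after a
scan), adds the .bat and .pif names other posters saw in their bounces, and
mirrors the Exim rule quoted later in the thread, which rejects any mail that
carries an apparently executable attachment. The message is constructed;
BORDER.exe is the attachment name from Bob's bounce, its bytes a placeholder.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

SAFE = {"jpeg", "jpg", "txt", "rtf", "bmp"}
# .htm assumed as the usual short form of .html; .bat/.pif from the bounces
SCAN_FIRST = {"com", "exe", "html", "htm", "doc", "bat", "pif"}
# Subset an MTA can refuse outright, as the Exim bounce did for BORDER.exe
# (assumed set; the thread only names the .exe case)
EXECUTABLE = {"com", "exe", "bat", "pif"}


def extension(filename):
    """Final extension, lower-cased. Only the last one counts, so a name like
    'photo.jpg.exe' is an .exe whatever the rest of the name suggests."""
    name = (filename or "").strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def classify(filename):
    """'safe', 'scan-first' or 'unknown' (not on the list: treat like scan-first)."""
    ext = extension(filename)
    if ext in SAFE:
        return "safe"
    if ext in SCAN_FIRST:
        return "scan-first"
    return "unknown"


def screen_message(raw):
    """(filename, verdict) for every attachment in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        verdicts.append((name, classify(name)))
    return verdicts


def should_reject(raw):
    """True when any attachment is executable: the MTA-side rule behind the bounces."""
    return any(extension(name) in EXECUTABLE for name, _ in screen_message(raw))


def build_sample():
    """Constructed Klez-style mail: spoofed sender, one executable, one text file."""
    msg = EmailMessage()
    msg["From"] = "rkeeter@earthlink.net"   # spoofed sender, as in the thread
    msg["To"] = "bidshelp@bids.ac.uk"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ placeholder bytes, not a program",
                       maintype="application", subtype="octet-stream",
                       filename="BORDER.exe")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return msg


SAMPLE_BYTES = build_sample().as_bytes()

if __name__ == "__main__":
    for name, verdict in screen_message(SAMPLE_BYTES):
        print(f"{name}: {verdict}")
    print("reject:", should_reject(SAMPLE_BYTES))
```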
Bob Keeter
Thu, Jul-18-02, 01:17
in article absnuv$k75$1@nntp.itservices.ubc.ca, pete at
vincent@triumfunspam.ca wrote on 5/14/02 11:25 PM:
> I think it might be instructive to make a number of
> important points here, to clear up a whole lot of fog.
>
> First of all, noone doing system administration for a
> competent network would _ever_ write or use a script that
> paid any attention whatsoever to "From:" addresses on
> incoming spam. If you are getting bounces of mails not sent
> by you, based on the "From:" address of the mail, without
> regard to the "Received:" headers, then the site you are
> receiving them from is so hopelessly mismanaged as to be
> utterly ignored. They are idiots.
>
Sorry, didn't state it well. The "bounces" are because the ISP's
server detected the presence of the macrovirus in the form of
an attached executable. I did post a copy of one of the
straight up "infected mails" that I had received from a
totally reputable, but totally spoofed "return address". The
"bounces" come back with the following attached to the front:
"This message was created automatically by mail delivery
software (Exim).

A message that you sent could not be delivered to one or more
of its recipients. This is a permanent error. The following
address(es) failed:

  bidshelp@bids.ac.uk
    This message has been rejected because it has an apparently
    executable attachment BORDER.exe
    This is a virus prevention measure. If you meant to send this
    file then please package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 145847 characters long; only the first
------ 65536 or so are included here.
"
The address in this case "bidshelp@bids.ac.uk" was just the
unlucky recipient of an email that was fraudulently sent with
my return address. When the sender detected the BORDER.exe
attachment, it "returned to sender" and I found out about it.
That is all.
> Next, it is crucial if you are going to understand what mail
> is coming to you, and where it is coming from, that you
> understand how to read the headers, and glean the truth from
> them. Otherwise, you will simply contribute to confusion. If
> you are using a mindless-consumer directed mail reader that
> suppresses all the headers except "From:", "Subject:" and
> "Date:", then you must roll up your sleeves, get under the
> hood, and tweek your software until it coughs up the full
> headers, so you can see what's really happening. Decyphering
> the pertinent headers, particularly the "Received:" series,
> is fairly easy, and can be learned from tutorials at the
> various spam-hunter websites such as Sam Spade.
>
Yep. It's those full headers that can at least to a degree be
used to trace them. The headers on MOST of these that I've been
getting look to be UK dialups, but there are apparently some
interesting ways to fake those as well. Who knows (for sure
anyway!) where in the world the actual infected computer
happens to be.
> Next, I concur with Philip,
And you were doing so well to this point . . . . 8-)
Seriously, I do tend to agree with him, a LONG time
before I knew him. Have been a Macintosh user since about
1986 or so. 8-)
> . . . . . . . . . . . . . . that the first move to secure
> your mail system is to avoid anything made in Redmond.
> snippage. . . . . ..
Even Philip mutters some reasonable things from time to time.
>
> Now as to how your address finds its way to infected mail,
> and korean spammers: the spamweasel community constantly
> mines usenet, and webpages, and ftp archives, and anything
> else they can think of (including the Deja/Google archive,
> so it's too late to do much about it) for any instance of
> *@*, which gets plowed into those "*superbulkmailer* make
> money marketing on the internet*" programs you've probably
> seen promoted in a billion spams, and into those "100billion
> new valid email addresses all eager to read your promotional
> message" cd's you've also seen.
>
Yup! That's a fact, Jack! The issue here seems to be that there
is a great deal of commonality amongst the senders and
receivers. I have recognized MANY of the email addresses on
the bounced emails (with my own address as the "return") and I
suspect that people have seen me as the recipient of at least
a few bounced ones that were returned to them. The "gotcha"
right now, is that many of the addresses that are "coming
through" with actual viruses aboard are legitimate entries in
my email directories!!! IOW, rejecting emails that are not
from known sources does not work!!
It was this high rate of "commonality" and familiarity with
the email addresses being used in the spam is what led me to
believe that it was one of "the group's" computers that might
have the infection, i.e. someone that actually had a lot of
our **@****.coms lying around in one form or another. IOW,
the mix of emails was not the totally random hodgepodge that
you would get from one of those 1,000,000 addresses discs, it
was very selective.
> The cause of the current fit of garbage is apparently a
> spammer's machine, judging from the headers posted by Anne,
> it is operated from
> modem-244.alakazam.dialup.pol.co.uk[217.135.11.244],
> although that may simply be an insecure box belonging to
> some schmuck which is being plundered to relay the mail. The
> spammer has the virus on his box, and the virus is working
> its way through the mass of addresses he's harvested from
> somewhere, possibly here, possibly a mailing list. I haven't
> had any of these bounces, so either the harvesting wasn't
> from this group, or any mails with my address spoofed didn't
> go to the site which stupidly responds to the "From:"
> address.
>
Yep. I've seen that one and a couple of others.
modem-1138.abra.dialup.pol.co.uk ([217.135.5.114]
mail5.svr.pol.co.uk (mail5.svr.pol.co.uk [195.92.193.20]
modem-653.aerodactyl.dialup.pol.co.uk ([217.135.8.141]
> As to the Koreans, the are striving to emulate all the best
> features of the american capitalism they love so much,
snippage. . . .
> first gateway. It has nothing to do with anything else. If
> your email address has ever been written to a file in plain
> text on any machine connected to the net anywhere, the
> koreans have been sending you megabytes of crap for the last
> six months, Urging you to drop by their second hand
> electronics store in Seoul for the big sale toomorrow.
Sounds about right.
> If you haven't received it, count yourself lucky.
Does this mean that I should buy a couple of Big Game tickets
tomorrow since my luck is bound to change! ;-)))
Regards bk
Ejudy
Thu, Jul-18-02, 01:17
g-horvat@shaw.ca (Gisele Horvat) wrote:
> I'm wondering if the ones who post more frequently have
> received more of these letters (because their e-mail
> addresses are more visible?). My undeliverable mails were
> supposedly addressed to: 1) someone who does business at
> Ebay, someone at Microsoft and Anne Gilbert (!). I don't
> know the first two individuals at all but when I saw Anne's
> name, I was concerned.
>
> Gisele
~no undeliverable rejection notices. ~updated scanned and
spiffy clean
But I post from a defunct address which has no e-box, so if
someone used it as the return to spam other folks from, I would
perhaps never know about it, right?
ejudy
Anne V. Gi
Thu, Jul-18-02, 01:17
Gisele:
> I'm wondering if the ones who post more frequently have
> received more of these letters (because their e-mail
> addresses are more visible?). My undeliverable mails were
> supposedly addressed to: 1) someone who does business at
> Ebay, someone at Microsoft and Anne Gilbert (!). I don't
> know the first two individuals at all but when I saw Anne's
> name, I was concerned.
I'm terribly sorry to tell you this, but when I saw what you
wrote about my supposed mail being undeliverable, I just sat
there and laughed and laughed. Not because of the virus, which
has attempted to deliver itself to *my* computer, and I've now
gotten completely protected and even upgraded, but because
they were so stupid as to use my name! And yes, I got the
supposed Microsoft person and the eBay user, and AVG detected
them forthwith. I've gotten some supposed mails supposedly
sent by some perfectly respectable people on perfectly
respectable e-lists, and AVG (to my surprise) detected them,
too. I've gotten to the point where I can pretty much
recognize suspicious e-mails by now. Anne g
---
Outgoing mail is certified Virus Free. Checked by AVG
anti-virus system (http://www.grisoft.com). Version: 6.0.361 /
Virus Database: 199 - Release Date: 5/7/02
Bob Keeter
Thu, Jul-18-02, 01:17
in article j5b2euoqgflg32u367edje1m40opntq3j8@4ax.com, Philip
Deitiker at pdeitik@bcm.tmc.edu wrote on 5/14/02 10:41 AM:
Snippage. . . . . . .
PLEEEEEEEESSSSSEEEEE! Please! Please! Please don't DO this to
me! I'm insulted beyond all conception! Totally scandalized!
Flabbergasted, no less! You HAVE to tell me that this is not a
prioritization scheme and I'm NOT #2!!!!!!!!
>
> For those folks that have Agent here is my filter file:
>
> Author: Algis Kuliukas
> Author: Bob Keeter
> Author: Jabriol
> Author: jabriol
> Author: James Michael Howard
> Author: Jim McGinn
> Author: marc verhaegen
> Author: Paul Crowley
> Author: Tim Tyler
> Author: Watch Tower
> AAT
> Creation
> CreationEvolve
> Abortion
> Aquatic
> aquatic
Regards bk
--
In all of the right places,
. . . . . my name is Mudd!
Ejudy
Thu, Jul-18-02, 01:17
Bob Keeter wrote:
>
>You see there are two ways these sex-spammers can get you
>with this bug. Your email address can be paired up with
>their email address and just about any way it goes, they
>end up with your address. The problem is that SOMEHOW those
>two addresses have to end up on the same computer. When he
>said that, I remembered a little snigglet of trivia from
>times past.
>
>http://groups.google.com/groups?q=deitiker+korean&hl=en&as_qdr=all&selm=5qsa7uk55bm67clfv1o89o22g8lq2meme5%404ax.com&rnum=3
>
>Watch the wrap. . . . . . .
>
>Anyway, just in case good ole Philip did actually kill file
>me, and Im certainly NOT complaining if he did, MATTER OF
>FACT, I would even suggest the proverbial "*.*" would be most
>appropriate, you might want to mention it to him! Even such a
>blowhard as he might want to check that work computer. Who
>knows, SOMEONE that works there might actually have something
>important or at least meaningful on it. At least according to
>the guy at work, the 12th of June will show soon enough.
>
>Regards bk
>
Ok then BK, how do you propose that my JOKE may have nabbed
everybody's computer? OR are you just blowing this around cuz
you have a bone to pick and want to capitalize on the moment?
You never miss a chance to do that sorta thing and shroud it
in a vast array of innocent goodnaturedness. SO before you
pull this outa your ....hat, let's just see if maybe there may
in fact be other possibilities as well.
I am not experiencing any symptoms. And of course PHILIP I am
vastly regretful for making ~that~ particular joke. I will
roast and you can throw me to the ravens and vultures to pick
off my bones if I caused you more than a minor momentary
discomfort from that posting.
And Mr. BK you say you got my defunct address? The my-deja
one? That would mean it was picked up in SAP and not
paleoant.... And it has no ebox attached so that's a clue to
sumthin' and I am not sure what. Like I said earlier somebody
may be used and not have any evidence. We could post a private
file list or something. Maybe not.
I don't think I have it in my computer so even if you had
something from me I don't think I can do anything at all or
even need to now.
Where's Jois? Maybe her computer has tied her in the closet
and is trying to take over the world.
ejudy
Pete
Thu, Jul-18-02, 01:17
on Thu, 16 May 2002 03:18:45 GMT, Bob Keeter
<rkeeter@earthlink.net> sez:
> in article absnuv$k75$1@nntp.itservices.ubc.ca, pete at
> vincent@triumfunspam.ca wrote on 5/14/02 11:25 PM:
>
>> I think it might be instructive to make a number of important
>> points here, to clear up a whole lot of fog.
>>
>> First of all, no one doing system administration for a competent
>> network would _ever_ write or use a script that paid any attention
>> whatsoever to "From:" addresses on incoming spam. If you are getting
>> bounces of mails not sent by you, based on the "From:" address of
>> the mail, without regard to the "Received:" headers, then the site
>> you are receiving them from is so hopelessly mismanaged as to
>> be utterly ignored. They are idiots.
>
> Sorry, didn't state it well. The "bounces" are because the ISP's server
> detected the presence of the macrovirus in the form of an attached
> executable. I did post a copy of one of the straight up "infected mails"
> that I had received from a totally reputable, but totally spoofed "return
> address".
No, you stated it correctly, you just don't understand what
I'm saying: This "Exim" program at the mailserver of
"bids.ac.uk" is utterly braindead, because it is believing the
"From:" or "Reply-to:" addresses on obviously forged spams.
Only an idiot would configure a mail handler that way.
> The "bounces" come back with the following attached to the front:
>
> "This message was created automatically by mail delivery software (Exim).
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
> bidshelp@bids.ac.uk
> This message has been rejected because it has
> an apparently executable attachment BORDER.exe
> This is a virus prevention measure.
> If you meant to send this file then please
> package it up as a zip file and resend it.
>
> ------ This is a copy of the message, including all the headers. ------
> ------ The body of the message is 145847 characters long; only the first
> ------ 65536 or so are included here.
[...]
> The issue here seems to be that there is a great deal of
> commonality amongst the senders and receivers. I have recognized
> MANY of the email addresses on the bounced emails (with my own address as
> the "return") and I suspect that people have seen me as the recipient of at
> least a few bounced ones that were returned to them. The "gotcha" right
> now, is that many of the addresses that are "coming through" with actual
> viruses aboard are legitimate entries in my email directories!!! IOW,
> rejecting emails that are not from known sources does not work!!
>
> It was this high rate of "commonality" and familiarity with the email
> addresses being used in the spam that led me to believe that it was one
> of "the group's" computers that might have the infection, i.e. someone that
> actually had a lot of our **@****.coms lying around in one form or another.
> IOW, the mix of emails was not the totally random hodgepodge that you
> would get from one of those 1,000,000 addresses discs; it was very selective.
Yes, I guess it is likely, particularly as ejudy says her deja
address was only used here, that someone who has been a reader
of sap, and for some reason has stored our email addresses on
their machine, has the virus.
>> The cause of the current fit of garbage is apparently a spammer's
OK, scratch "spammer"
>> machine, judging from the headers posted by Anne, it is operated
>> from modem-244.alakazam.dialup.pol.co.uk[217.135.11.244], although
>> that may simply be an insecure box belonging to some schmuck which
>> is being plundered to relay the mail.
[...]
> Yep. I've seen that one and a couple of others.
>
> modem-1138.abra.dialup.pol.co.uk ([217.135.5.114]
> mail5.svr.pol.co.uk (mail5.svr.pol.co.uk [195.92.193.20]
> modem-653.aerodactyl.dialup.pol.co.uk ([217.135.8.141]
OK, what's happening here is the sap reader has a dialup account
with pol.co.uk, and has dynamic IP assignment. Each time they
log on, they're given a different IP number/name from pol.co's
dialup pool, so these viral emails have been made over at
least four dialup sessions. We can also speculate that whoever
this is, probably, besides being unaware of having the virus,
isn't reading sap anymore, or they would put this together
from these posts, before now. It appears pol.co.uk is a pretty
popular provider: I did a quick google, and found at least
five occasional sap posters from the UK using a pol.co.uk
server to post through, over the last couple of years, and I
suppose any of them, or probably more likely a lurker, might
be the source.
--
==========================================================================
vincent@triumf[munge].ca Pete Vincent
Disclaimer: all I know I learned from reading Usenet.
Gisele Hor
Thu, Jul-18-02, 01:17
On Tue, 14 May 2002 19:52:31 GMT, "ANNE V. GILBERT"
<avgilbert@prodigy.net> wrote:
>Gisele:
>
>> I'm wondering if the ones who post more frequently have
>> received more of these letters (because their e-mail
>> addresses are more visible?). My undeliverable mails were
>> supposedly addressed to: 1) someone who does business at
>> Ebay, someone at Microsoft and Anne Gilbert (!). I don't
>> know the first two individuals at all but when I saw Anne's
>> name, I was concerned.
>
>I'm terribly sorry to tell you this, but when I saw what you
>wrote about my supposed mail being undeliverable, I just sat
>there and laughed and laughed. Not because of the virus,
>which has attempted to deliver itself to *my* computer, and
>I've now gotten completely protected and even upgraded, but
>because they were so stupid as to use my name! And yes, I got
>the supposed Microsoft person and the eBay user, and AVG
>detected them forthwith. I've gotten some supposed mails
>supposedly sent by some perfectly respectable people on
>perfectly respectable e-lists, and AVG (to my surprise)
>detected them, too. I've gotten to the point where I
>can pretty much recognize suspicious e-mails by now. Anne g
I'm glad that one of us had a good laugh. :-)
Here's the header of the e-mail in question (supposedly
returned from the US to Canada via the UK?):
Date: Sun, 12 May 2002 14:44:29 +0100
From: Mail Delivery System <Mailer-Daemon@mailcore.pol.net.uk>
Subject: Mail delivery failed: returning message to sender
To: g-horvat@shaw.ca
X-Failed-Recipients: avgilbert@prodigy.net
This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
avgilbert@prodigy.net
This message has been rejected because it has
an apparently executable attachment _launch.bat
This is a virus prevention measure.
If you meant to send this file then please
package it up as a zip file and resend it.
------ This is a copy of the message, including all the headers. ------
------ The body of the message is 121138 characters long; only the first
------ 65536 or so are included here.
Return-path: <g-horvat@shaw.ca>
Received: from modem-244.alakazam.dialup.pol.co.uk ([217.135.11.244] helo=Cpgyyzb)
    by tmailb1.svr.pol.co.uk with smtp (Exim 3.35 #1)
    id 176tdo-0000n2-00
    for avgilbert@prodigy.net; Sun, 12 May 2002 14:44:02 +0100
From: g-horvat <g-horvat@shaw.ca>
To: avgilbert@prodigy.net
Subject: Sos!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Txu75n8i0t645PwN08GR8
Message-Id: <E176tdo-0000n2-00.2002-05-12-14-44-02@tmailb1.svr.pol.co.uk>
Date: Sun, 12 May 2002 14:44:02 +0100
--Txu75n8i0t645PwN08GR8
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
--Txu75n8i0t645PwN08GR8
Content-Type: audio/x-midi; name=_launch.bat
Content-Transfer-Encoding: base64
Content-ID: <DO0jD86hW32zb6W>
-----------------
>Outgoing mail is certified Virus Free. Checked by AVG
>anti-virus system (http://www.grisoft.com). Version: 6.0.361
>/ Virus Database: 199 - Release Date: 5/7/02
I like this anti-virus program (easy to use, easy to update,
etc.) but, until now, it had not detected any viruses and I
was beginning to wonder if it was working properly. Now, I
know. It works.
Gisele
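Pete's point above (trust the "Received:" trail, never the "From:" line) and the bounce Gisele pasted (an executable named _launch.bat declared as audio/x-midi) can both be checked mechanically at a mail gateway. The following Python is an added example, not code from anyone in this thread; it runs the standard library's email parser over a constructed message modelled on that bounce, with all hosts and addresses replaced by placeholders.

```python
import os
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample, modelled on the bounced original quoted above: the
# visible From: is whatever the worm chose to write, the relay that actually
# handed the mail over appears only in the Received: trail, and an executable
# attachment is declared with an unrelated MIME type. Hosts and addresses are
# placeholders (example.*, .invalid, 192.0.2.0/24), not the real ones.
SAMPLE_MAIL = """\
Return-path: <claimed-sender@example.net>
Received: from modem-244.dialup.example-isp.invalid ([192.0.2.44] helo=Cpgyyzb)
        by mx.example-isp.invalid with smtp (Exim 3.35 #1)
        id 176tdo-0000n2-00
        for victim@example.org; Sun, 12 May 2002 14:44:02 +0100
From: claimed-sender <claimed-sender@example.net>
To: victim@example.org
Subject: Sos!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Txu75n8i0t645PwN08GR8
Date: Sun, 12 May 2002 14:44:02 +0100

--Txu75n8i0t645PwN08GR8
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html><body>placeholder body</body></html>
--Txu75n8i0t645PwN08GR8
Content-Type: audio/x-midi; name=_launch.bat
Content-Transfer-Encoding: base64
Content-ID: <DO0jD86hW32zb6W>

bm90IGEgcmVhbCBiaW5hcnk=
--Txu75n8i0t645PwN08GR8--
"""

# Extensions Windows executes when the attachment is opened; the two seen in
# this thread are .exe (BORDER.exe) and .bat (_launch.bat).
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".com", ".pif", ".scr", ".vbs"}

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_hop(msg):
    """Return (host, ip) of the machine that injected the message, or None.

    MTAs prepend Received: headers, so the earliest hop is the last entry.
    Unlike From:, Return-path: or Reply-To:, that line was written by the
    receiving relay from the TCP connection, not by the sender's software.
    """
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    match = RECEIVED_FROM.search(str(hops[-1]))
    return match.groups() if match else None


def executable_attachments(msg):
    """List (filename, declared MIME type) for every part whose name ends in an
    executable extension, regardless of what Content-Type claims it is."""
    found = []
    for part in msg.walk():
        name = part.get_filename()  # filename= or, failing that, name= param
        if name and os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            found.append((name, part.get_content_type()))
    return found


def triage(raw):
    """Summarise what a gateway can and cannot conclude from one message."""
    msg = message_from_string(raw, policy=default)
    claimed = parseaddr(str(msg.get("From", "")))[1]
    hop = first_hop(msg)
    attachments = executable_attachments(msg)
    claimed_domain = claimed.rsplit("@", 1)[-1] if claimed else ""
    # An injecting host outside the From: domain is normal for mail sent via
    # a third-party relay, so on its own it is only a hint; combined with an
    # executable attachment it points at a forged From: line.
    domain_mismatch = bool(hop) and not hop[0].endswith(claimed_domain)
    # Reject during the SMTP transaction, so the error lands on the connected
    # relay, rather than mailing a bounce to the (probably forged) From:
    # address the way the Exim site in this thread did.
    action = "reject-at-smtp" if attachments else "accept"
    return {
        "claimed_from": claimed,
        "first_hop": hop,
        "executable_attachments": attachments,
        "from_domain_mismatch": domain_mismatch,
        "action": action,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MAIL).items():
        print(f"{key}: {value}")
```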
Bob Keeter
Thu, Jul-18-02, 01:17
in article 46e43451.0205140642.2deeebd3@posting.google.com,
ejudy at ejudy@my-deja.com wrote on 5/14/02 9:42 AM:
Snippage. . . . . .
>
>
> ~no undeliverable rejection notices. ~updated scanned and
> spiffy clean
>
Good thing to do from time to time.
> But i post from a defunct address which has no e-box so if
> someone used it as the return to spam other folks from i
> would perhaps never know about it right?
>
I can absolutely assure you that your defunct address is being
used by whoever is the purveyor around here. Got one.
Until whoever the unfortunate party is finds out that they
are the source, we are all probably "marked" by the protected
servers around the world and cursed by users everywhere.
Luckily, most of the responsible ISPs put a clamp on
forwarding emails with these attachments; right now the
biggest nuisance is that the bounced emails get sent back to
the "spoofed" sender's address. There is an "upside" to that as
well. Probably to cover "six" on liabilities, the ISP's
servers cut the guts out of the macro-virus attachment.
Anyway, I did get a chance to check with one of our "computer
security gurus" today and confirmed a couple of things.
1. Windoze only! Macs and Unix boxes are not vulnerable to
   this particular bad guy, even if they happen to be running
   Microsoft applications. Needs MS Explorer/Outlook AND
   Windows. The only way a Mac / UNIX box can even
   "participate" in spreading this little nuisance is by
   forwarding an email with the virus attached.
2. The email address "stealer" doesn't care what kind of
   machine is behind the email address, it's just hijacking
   the address to "incriminate" a different user/computer and
   blow smoke to cover its trail.
3. The "good news" is that whoever is hosting this little bug
   will find out on the 12th of June even if they don't bother
   looking before then. If you have the bug, it goes crazy on
   the 12th of the even numbered months and starts erasing
   and corrupting files. Again, ONLY effective on Windoze
   platforms and ONLY if not running the most recent versions
   of Outlook (supposedly anyway!). Let's just hope that
   whoever the "party animal" is, he is doing this
   accidentally and not on purpose. As best as I can tell
   right now from the header info, the emails are originating
   from one of several dial-up connections in the UK for the
   "bounces" that I'm getting back. These days of "net phones"
   and such, that does not mean much.
4. Also came across something equally interesting. You see I've
   also been getting a lot of indecipherable (what I've
   eventually found to be Korean) emails, most of them easily
   in the same "ballpark" as the Bonobo fad that played out
   here a while back (if I am to judge by the pictures on the
   referenced web pages). My original thought was that
   perhaps the son had been exercising a bit more than a
   healthy curiosity in the seamier aspects of Korean culture
   and had gotten on some of the bad mailing lists. Checked
   both of the kids' computers for "cookies", found a couple
   that I would have preferred not to have found, but none
   that were Korean. Well, the guru at work told me that if I
   really wanted to "track down" where these were coming
   from, about the only way would be to try to "correlate"
   the email addresses of the apparent "senders" and the
   emails of the recipients (which was what I was trying to
   do in the first place).
You see there are two ways these sex-spammers can get you with
this bug. Your email address can be paired up with their email
address and just about any way it goes, they end up with your
address. The problem is that SOMEHOW those two addresses have
to end up on the same computer. When he said that, I
remembered a little snigglet of trivia from times past.
http://groups.google.com/groups?q=deitiker+korean&hl=en&as_qdr=all&selm=5qsa7uk55bm67clfv1o89o22g8lq2meme5%404ax.com&rnum=3
Watch the wrap. . . . . . .
Anyway, just in case good ole Philip did actually kill file
me, and I'm certainly NOT complaining if he did, MATTER OF
FACT, I would even suggest the proverbial "*.*" would be most
appropriate, you might want to mention it to him! Even such a
blowhard as he might want to check that work computer. Who
knows, SOMEONE that works there might actually have something
important or at least meaningful on it. At least according to
the guy at work, the 12th of June will show soon enough.
Regards bk
--
A hypothesis or theory is clear, decisive, and positive, but
it is believed by no one but the man who created it.
Experimental findings, on the other hand, are messy, inexact
things, which are believed by everyone except the man who did
that work.
-- Harlow Shapley (1885-1972)
Philip Dei
Thu, Jul-18-02, 01:17
On 14 May 2002 19:01:26 -0700, ejudy@my-deja.com (ejudy)
wrote:
>Bob Keeter wrote:
>>
>>You see there are two ways these sex-spammers can get you
>>with this bug. Your email address can be paired up with
>>their email address and just about any way it goes, they
>>end up with your address. The problem is that SOMEHOW those
>>two addresses have to end up on the same computer. When he
>>said that, I remembered a little snigglet of trivia from
>>times past.
>>
>>http://groups.google.com/groups?q=deitiker+korean&hl=en&as_qdr=all&selm=5qsa7uk55bm67clfv1o89o22g8lq2meme5%404ax.com&rnum=3
What an idiot. Were you born a complete ass or did you have to
work at it? Seems to me you work pretty hard at it.
>>Anyway, just in case good ole Philip did actually kill file
>>me, and Im certainly NOT complaining if he did, MATTER OF
>>FACT, I would even suggest the proverbial "*.*" would be
>>most appropriate
Better yet why don't you try this for your machine, it is 100%
guaranteed to get rid of viruses. Boot from Drive A: From a
dos disk with basic dos files on it.
FDISK
Delete Active partition
Select partition
Confirm Volume name
Are You Sure? [I don't know about you but I am real sure it
will work for you, Bob]
I recommend an OS like Dos 2.1 Bob, you can't do too much
more damage with that.
>>you might want to mention it to him!
You are killfiled, now if EJ would do the same you guys can
stop the Meta discussions about how you don't know how to put
on a condom while you are having virtual cyber sex. Raise of
hands here: is the topic on or OFF TOPIC?
>> Even such a blowhard as he might want to check that work
>> computer.
Work Computer has a new hard drive and a fresh install of OS,
Norton Antivirus Corporate Edition, Live update with last
update 5 days ago. The Email server/Post Office is now run by
Norton AntiVirus and is filtered. How about you? [Don't answer,
it's a rhetorical question]
>>Who knows, SOMEONE that works there might actually have
>>something important or at least meaningful on it. At least
>>according to the guy at work, the 12th of June will show
>>soon enough.
The guy at work should have given you a box of cyber condoms
before you went to all those sex sites, yeah? The computer at
home has Zone Alarm (free) and Email is written through ATT
server and has an antivirus with the autoupdate on it.
Your confused style and whimsical fruitloop manner has finally
caught up with you Bob, I just hope you haven't contaminated
too many people in the group whom you carry on your infamous
side e-mail conversations with. We might think Bob would learn
a lesson here, but it is asking a lot, isn't it.
Deitiker at home has his mailbox restricted now to 2 people,
Korean mail has stopped. If ATT gets smart they will just block
all Korean ISPs. And best of all no Email from BK, no viruses.
Text newsgroups don't distribute viruses, while you are
running around trying to figure out what caused this problem,
you might try deleting those Korean sex sites you've got
bookmarked, clean out your mailbox and empty your recipient
list, maybe even try installing a new email program and
exporting your important stuff over.
If you get Email from BK, don't open it just delete it, virus
or not. Philip [pdeitik at bcm.tmc.edu]
http://home.att.net/~DNAPaleoAnth
For those folks that have Agent here is my filter file:
Author: Algis Kuliukas
Author: Bob Keeter
Author: Jabriol
Author: jabriol
Author: James Michael Howard
Author: Jim McGinn
Author: marc verhaegen
Author: Paul Crowley
Author: Tim Tyler
Author: Watch Tower
AAT
Creation
CreationEvolve
Abortion
Aquatic
aquatic
Bob Keeter
Thu, Jul-18-02, 01:17
in article 46e43451.0205141801.5774c3ec@posting.google.com,
ejudy at ejudy@my-deja.com wrote on 5/14/02 9:01 PM:
Snippage. . . . .
>>
> Ok then BK, how do you propose that my JOKE may have nabbed
> everybody's computer?
Not at all sure what joke you might be referring to.
Afraid that I've not noticed much beyond the fact that
everything I say seems to generate some sort of putdown.
You are not my enemy.
> OR are you just blowing this around cuz you have a bone to
> pick and want to capitalize on the moment? You never miss a
> chance to do that sorta thing and shroud it in a vast array
> of innocent goodnaturedness. SO before you pull this outa
> your ....hat, lets just see if maybe there may in fact be
> other possibilities as well.
>
What am I blowing around? I just don't understand. Philip
mentioned that his work computer had managed to get on one of
the Korean sex spammer lists. Can happen to anyone that ever
posts a real email address on a newsgroup. According to my
computer security engineer, who makes a living keeping these
things off of the corporate intranet, if one gets started it
can filch things that look like email addresses from just about
anywhere. From your address books, from mail in your "in
basket" to mailings that are in the trash can, or quite
frankly simply by scanning postings to these newsgroups. Now
some of the scanners apparently "target" specific newsgroups
for specific interests or locations or whatever, others just
shotgun anything that they can download. PERHAPS, some Korean
hacker decided that anyone interested in studying the human
species, even very old examples, would also be interested in
studying naked women. WHO KNOWS. There are LOTS of ways a
given address can be picked up.
The fact remains that at least for the ones I've received,
including at least one that I noticed from your my_deja.com
address, and the ones that have come back to me as "rejects"
even though I did not send them (AND my Macintosh is
completely immune to this particular bug and unable to "play"
even if I did have malicious intent!!!!!), they seem to be coming
from and going to a relatively small group of people. They all
tend to be people from the paleoanthro and SAP readership. Did
you see the clipping that I got from E. Trinkaus no less?
Don't believe that he sent it, also don't believe that you sent
it through the my_deja address.
Still, if there were ONE infected computer that had all of
our email addresses on it, in one form or another, it could
be the "source". Not saying ANYTHING other than it COULD BE
THE SOURCE. Now since I started to receive these Korean spams
(not long after I started to receive the "virus" mails and
the returned "spoofed" emails), it tweaked my memory that
Philip had said that he had the same problem. Not of HIS
causing it or anything, but just that he had managed, through
a now terminated employee, to get "hooked up" to some
spammers. Is it a total coincidence that I should start
getting these same kinds of emails (OBTW, I DON'T employ any
of Philip's fired researchers!), or is there PERHAPS a
connection? I would seriously hate to have a virus make a
mess of my computer at work, and my security engineer would
be very, VERY upset (and surprised!) if it got through his
firewalls! If this computer at Philip's worksite was being
used to access Korean porn sites in the first place, it does
not sound to have a very solid "firewall" in place in the
first place, so. . . . . I felt at least a little obligation
to pass on the word I had been given. As much as I might
dislike his attitude, I must assume that he is a professional
with some worthwhile information and data. If trying to warn
him of the possibility, even if indirectly, EVEN if he is a
grade A schmuck, is an evil thing, well, guess I might as
well just superglue those devil horns on. 8-)
Since you are not MY enemy, why do you so begrudge me every
breath I take and try to put such a vile spin on
everything I say? A quote on one of your favorite subjects,
the middle east. . . . ."If they can't control you, they try
to destroy you!" Kofi Annan, IIRC. I could not do all of
the evil you seem to think me capable of if I did not have
other things to do.
> I am not experiencing any symptoms. And of course PHILIP i
> am vastly regretful for making ~that~ particular joke.
Will you PLEASE let me in on the joke?
> I will roast and you can throw me to the ravens and vultures
> to pick off my bones if i caused you more than a minor
> momentary discomfort from that posting.
8-)))))))))
>
> And Mr. BK you say you got my defunct address? The
> my-deja one?
Yep, that's a fact! Last loads of similar files that the
antiviral has not automatically trashed, I've just been sending
straight to the trash without even looking since I know pretty
much what I will see.
> That would mean it was picked up in SAP and not paleoant....
Yes.
> ANd it has no ebox attached so thats a clue to sumthin' and
> i am not sure what. Like i said earlier somebody may be used
> and not have any evidence.
That is exactly what is happening. SOMEBODY that reads these
groups and saves the messages on their computer (shoot, I do
that every time I fail to "mark as read" all of the postings
when I shut down) could be the source of these problems
(except for those of us that use UNIX, any of its Linux
spinoffs, or Macintosh hardware!). No matter what you do with
emails, or newsgroup postings or whatever, if you are not
WINDOZE, it can't be you that is the "culprit". You can be the
victim of the email slander no matter what machine and
certainly no matter if the email address is real!
> We could post a private file list or something. Maybe not.
>
I think not.
> I don't think i have it in my computer so even if you had
> something from me i don't think i can do anything at all or
> even need to now.
>
I have no illusion that you might have sent it. It's a very
characteristic KLEZ virus posting from a Windows machine. You
are Macintosh as well, right? With Macintoshes, we just can't
"play" in the Windows games except as recipients of a totally
neutered but infected email or two, and as the "scapegoats"
for people who receive emails with our return addresses
attached. Sometimes there are games that I really don't worry
about being left out of! 8-)
> Where's Jois? Maybe her computer has tied her in the closet
> and is trying to take over the world.
>
Now THERE is an interesting thought. What if someone's
computer was infected while they were away from home. Run for
a couple or three weeks, spamming the world, only to hit
that "die day", supposedly the 12th of June for the latest
KLEZ bugs, and have the owner come home to a totally
disconbubulated hard disk! The world would hate you and
your disk would need a low level formatting! Ain't life
grand!!!! 8-)
NOW, I have a suggestion. We have a basic, very fundamental,
totally uncompromising disagreement about one of the frequent
posters here. I think that his attitude, particularly when
exhibited amongst scientists and educated people, is as much
of a threat to the world of science and education as
Torquemada ever was. You seem to think that every word Philip
types is worthy of being carved into marble on the
sacrificial altar of the rest of the human race. OK, we
disagree. That is an immutable, undeniable fact. I'm not going
to change that opinion in you and you are not going to change
my opinion either. So. . . . . I will avoid you on the
subject of our dear Dr. Deitiker; please do the same favor
for me. I have no desire to argue his merits with you and as
I mentioned several times before, you are not my enemy.
Adieu bk
--
Curse the darkness! There are lions and tigers and bears
out there!
Bob Keeter
Thu, Jul-18-02, 01:17
Just a "heads up". Just got this one,
"Klez.E is the most common world-wide spreading worm.It's very
dangerous by corrupting your files. Because of its very smart
stealth and anti-anti-virus technic,most common AV software
can't detect or clean it. We developed this free immunity tool
to defeat the malicious virus. You only need to run this tool
once,and then Klez will never come into your PC. NOTE: Because
this tool acts as a fake Klez to fool the real worm,some AV
monitor maybe cry when you run it. If so,Ignore the
warning,and select 'continue'. If you have any question,please
mail to me <mailto:trinkaus@artsci.wustl.edu> . "
with a couple of very nasty attachments (if I happened to be
WINDOZE that is).
If you get this one or one like it, no matter what the return
address says, don't touch those attachments and send it
straight to the "big bit bucket in the sky", assuming of course
that your anti-viral has not done that automatically.
This is one of the forms the bug uses, and you might notice
the "return address" is quite legitimate. Just finished
updating my Norton virus definitions, just in case;
and all you Windows people . . . . . ."BE CAREFUL OUT THERE!"
Regards bk
--
"The fool who knows his foolishness is wise at least so
far. But a fool who thinks himself wise, he is called a
fool indeed."
The Buddhist Dhammapada or The Path to Virtue
Anne V. Gi
Thu, Jul-18-02, 01:17
Gisele:
> >Outgoing mail is certified Virus Free. Checked by AVG
> >anti-virus system (http://www.grisoft.com). Version:
> >6.0.361 / Virus Database: 199 - Release Date: 5/7/02
>
> I like this anti-virus program (easy to use, easy to update,
> etc.) but, until now, it had not detected any viruses and I
> was beginning to wonder if it was working properly. Now, I
> know. It works.
Yes, it *does* work. And it's free to download and use. And if
you *do* end up with a virus in your computer, it gets rid of
it efficiently and promptly. Anne G
---
Outgoing mail is certified Virus Free. Checked by AVG
anti-virus system (http://www.grisoft.com). Version: 6.0.361 /
Virus Database: 199 - Release Date: 5/7/02
Bob Keeter
Thu, Jul-18-02, 01:17
Snippage. . . . . .
> Philip [pdeitik at bcm.tmc.edu]
> http://home.att.net/~DNAPaleoAnth
>
> For those folks that have Agent here is my filter file:
>
> Author: Algis Kuliukas Author: Bob Keeter Author: Jabriol
> Author: jabriol Author: James Michael Howard Author: Jim
> McGinn Author: marc verhaegen Author: Paul Crowley Author:
> Tim Tyler Author: Watch Tower AAT Creation CreationEvolve
> Abortion Aquatic aquatic
8-)
I'm still insulted by not being at the top of your list
there, Philip!
But as the old saw goes, don't go away mad. . . . . . .
all due regards bk
--
In all of the right places,
. . . . . my name is Mudd!
Anne V. Gi
Thu, Jul-18-02, 01:17
Bob:
They put Erik Trinkaus's name on an "e-mail" with a virus
attached? That's his e-mail address, you know. If I see this
little hummer, I'll know *exactly* what to do with it. Anne G
"Bob Keeter" <rkeeter@earthlink.net> wrote in message
news:B9072E0B.D8E1%rkeeter@earthlink.net...
> Just a "heads up". Just got this one,
>
> "Klez.E is the most common world-wide spreading worm.It's very
> dangerous by corrupting your files. Because of its very smart
> stealth and anti-anti-virus technic,most common AV software
> can't detect or clean it. We developed this free immunity tool
> to defeat the malicious virus. You only need to run this tool
> once,and then Klez will never come into your PC. NOTE: Because
> this tool acts as a fake Klez to fool the real worm,some AV
> monitor maybe cry when you run it. If so,Ignore the
> warning,and select 'continue'. If you have any question,please
> mail to me <mailto:trinkaus@artsci.wustl.edu> . "
>
> with a couple of very nasty attachments (if I happened to be
> WINDOZE that is).
>
> If you get this one or one like it, no matter what the return
> address says, don't touch those attachments and send it
> straight to the "big bit bucket in the sky", assuming of course
> that your anti-viral has not done that automatically.
>
> This is one of the forms the bug uses, and you might notice
> the "return address" is quite legitimate. Just finished
> updating my Norton virus definitions, just in case;
>
> and all you windows people . . . . . ."BE CAREFUL OUT THERE!"
>
> Regards bk
>
> --
> "The fool who know his foolishness, is wise at least so far.
> But a fool who thinks himself wise, he is called a fool
> indeed."
>
> The Buddhist Dhammapada or The Path to Virtue
Bob Keeter
Thu, Jul-18-02, 01:17
in article
%kyE8.2266$uZ4.76863669@newssvr15.news.prodigy.com, ANNE V.
GILBERT at avgilbert@prodigy.net wrote on 5/15/02 2:06 PM:
> Bob:
>
> They put Erik Trinkaus's name on an "e-mail" with a virus
> attached? That's his e-mail address, you know. If I see
> this little hummer, I'll know *exactly* what to do with
> it. Anne G
>
That it is! The virus does not care whose address it uses as a
source or where it sends the mail to. According to the fellow
at work it just shuffles the pile and pulls out a "source" and
a "recipient". Doesn't matter who, or even if the email is
valid as long as it matches the format of a legal internet
mail address, i.e. abc@z12345.com is completely "legit" to the
macrovirus. If it sends to that address, well 'taint nobody
there, but if Dr. Trinkaus's address, or mine or yours is
used as the "sender" we get the rejected mail back!
Gotta wonder what could be accomplished if these people with
enough "smarts" to come up with these software viruses were
turned off the track into productive work! But then, that is
one of my old gripes. . . . . . .
Regards bk
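Bob's two posts above give a defender the whole mechanism: the worm attaches an executable, pulls a "sender" and a "recipient" out of whatever addresses it finds on the infected PC, and whoever's address lands in the From: line is the one who receives the rejections. The script below is an added example, not code from anyone in this thread. It uses Python's standard email library to parse three constructed messages (a lure, a bounce carrying the original inside it, and a mail the owner really sent; every address, host name and message is a placeholder) and labels each one by executable attachment, forged From: line, or backscatter. The extension deny-list, the address `alice@example.org` and the outbound host `smtp.example.org` are assumptions made for the example.

```python
"""Triage of Klez-style mail: executable attachments, forged From: lines and
the bounces ("backscatter") a forged From: sends to the address's real owner.
Added example for this thread, not any poster's code; every address, host and
message below is a constructed placeholder, not captured worm traffic."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical: payload types Klez-era mass mailers attached, our own address
# and the host our outbound mail legitimately passes through.
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".bat", ".com")
OUR_ADDRESSES = {"alice@example.org"}
OUR_OUTBOUND_HOSTS = ("smtp.example.org",)


def klez_mail(to, mx, boundary):
    """Constructed Klez-style mail: forged From:, executable attached."""
    return f"""\
Received: from pc-198-51-100-7.isp.example (198.51.100.7)
 by {mx}; Thu, 16 May 2002 09:00:00 +0000
From: alice@example.org
To: {to}
Subject: Klez.E immunity tool
Content-Type: multipart/mixed; boundary="{boundary}"

--{boundary}
Content-Type: application/octet-stream; name="immunity.exe"
Content-Disposition: attachment; filename="immunity.exe"

TVqQAAMA
--{boundary}--
"""

# The lure as it hit our inbox: our own address is the forged sender.
LURE = klez_mail("alice@example.org", "mx.example.org", "b1")

# Bounce from a remote MX; the original we never sent rides along inside it.
BOUNCE = """\
Received: from mx.example.net (192.0.2.20)
 by mx.example.org; Thu, 16 May 2002 09:05:00 +0000
From: MAILER-DAEMON@example.net
To: alice@example.org
Subject: Undeliverable: Klez.E immunity tool
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: message/rfc822

""" + klez_mail("nobody@example.net", "mx.example.net", "b3") + "--b2--\n"

# Mail Alice really sent: our own outbound host relayed it.
LEGIT = """\
Received: from smtp.example.org (192.0.2.10)
 by mx.example.org; Thu, 16 May 2002 10:00:00 +0000
Received: from alice-laptop (203.0.113.5)
 by smtp.example.org; Thu, 16 May 2002 09:59:00 +0000
From: alice@example.org
To: list@example.org

Nothing attached.
"""


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def executable_attachments(msg):
    """Deny-listed file names anywhere in the MIME tree; walk() also descends
    into the message/rfc822 part of a bounce."""
    names = [part.get_filename() or "" for part in msg.walk()]
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXTENSIONS)]


def relayed_by_our_host(msg):
    """True if a Received: line names one of our outbound hosts after 'by'.
    A worm can forge Received: lines as well, so a production check should
    trust only the lines added by the MX you operate yourself."""
    for hdr in msg.get_all("Received") or []:
        words = str(hdr).split()
        for i, word in enumerate(words[:-1]):
            if word == "by" and words[i + 1].rstrip(";").endswith(OUR_OUTBOUND_HOSTS):
                return True
    return False


def sender_is_forged(msg):
    """From: claims our address, yet our outbound host never saw the mail:
    the address-book 'sender' shuffle the thread describes."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.lower() in OUR_ADDRESSES and not relayed_by_our_host(msg)


def triage(raw):
    """Labels for one message: executable payload, forged sender, or a bounce
    of mail we never sent (the rejected mail that tipped Bob off)."""
    msg = parse(raw)
    labels = set()
    if executable_attachments(msg):
        labels.add("executable-attachment")
    if sender_is_forged(msg):
        labels.add("forged-sender")
    for part in msg.walk():  # a bounce carries the original as message/rfc822
        if part.get_content_type() == "message/rfc822" and sender_is_forged(part.get_payload(0)):
            labels.add("backscatter")
    return labels
```

The lure is flagged for both its payload and its forged sender, the bounce is flagged as backscatter because the embedded original claims Alice's address without ever touching her outbound host, and the mail she really sent gets no label. The Received: check is the weak link, as the comment says: only the lines written by a server you control are trustworthy, which is the gap that SPF and DKIM were later designed to close.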
Copyright 2000-2009 Active Low-Carber Forums @ forum.lowcarber.org
vBulletin, Copyright ©2000-2009, Jelsoft Enterprises Ltd.