John E. Malmberg
wb8tyw at qsl.net
Tue Jun 3 12:20:11 GMT 2003
Tim Potter wrote:
> On Tue, Jun 03, 2003 at 01:48:06AM +0000, splint-bug at cs.virginia.edu wrote:
From adsl-34-165-79.hsv.bellsouth.net [188.8.131.52]? This does not
appear to be a mail server.
>>Please see the attached file.
> Which was stripped by mailman. Care to resend? Assuming you are not a
> spammer of course.
It is the same worm that was being sent with the forged address of
support(at)microsoft.com. It has morphed to use a different from: address.
Apparently this worm is going directly to the SAMBA MX from the infected
It may be that its purpose is to identify machines that are vulnerable
to being taken over, so it targets e-mail addresses from usenet. Then
the cracker can use google to find I.P. addresses and possibly e-mail
addresses in the archives that they can send remote control programs to.
wb8tyw at qsl.network
Personal Opinion Only