[26726] in North American Network Operators' Group


Re: Shock news - NANOG likely to carry less operational content

daemon@ATHENA.MIT.EDU (Kai Schlichting)
Fri Jan 14 13:16:29 2000

Message-Id: <4.2.2.20000114130205.00c81730@mail.speedus.net>
Date: Fri, 14 Jan 2000 13:14:46 -0500
To: nanog@merit.edu
From: Kai Schlichting <kai@pac-rim.net>
In-Reply-To: <387F500C.6753DA07@greendragon.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Errors-To: owner-nanog-outgoing@merit.edu


I never received any of those mailings. Never ever.
Are specific people being targeted?


A quick scan of the machine that sent this reveals what appears to be
a MS Personal Webserver running on a Winblows machine:

$ telnet  168.212.244.134 80
Trying 168.212.244.134...
Connected to 168.212.244.134.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Server: Microsoft-PWS-95/2.0
Date: Fri, 14 Jan 2000 18:09:01 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Sun, 22 Aug 1999 05:10:40 GMT
Content-Length: 2117
[snip]

Let me take a good guess about the security of this system,
given that it seems to run a version of this server from 1997.

Tanks are rolling.

bye,Kai

At Friday 11:34 AM 1/14/00 , William Allen Simpson wrote:

>I've received several of these the past month, with valid operational 
>subject lines, and all trying to get me to click and run an .exe.
>Good thing I read my email on a Mac!
>
>They are using the operational list persons as targets!  Shall the 
>operational folks get together and find them?
>
>Alex Bligh wrote:
> > 
> > I *believe* (really hope) this SPAM impersonating a NANOG poster
> > replying to a thread (traceroute doesn't go through pacrim.net).
> > 
> > Op content:
> > 
> > If so, be prepared for all sorts of being accused of sending
> > all sorts of other exciting messages about lesbians, cookie recipes
> > etc. etc.
> >...
> > Received: from [168.212.244.134] (helo=mail.gxn.net)
> >         by brimstone.noc.gxn.net with smtp (Exim 3.02 #3)
> >         id 1291Gi-0004Sb-00
> >         for amb@gxn.net; Fri, 14 Jan 2000 07:35:36 +0000
> >...
> > 2.      Lesbians.exe
> >
>Mine were:
>
>Received: from [209.125.100.122] (HELO mail.greendragon.com) by watervalley.net 
>(Stalker SMTP Server 1.7) with SMTP id S.0003055677 for wsimpson@greendragon.com; Thu, 16 Dec
>1999 18:29:22 -0600
>From: Nora Lavelle <nora@geocast.com>
>To: wsimpson@greendragon.com
>Subject: Re: ARIN whois
>
>panther.exe
>
>Received: from [152.160.253.2] (HELO mail.greendragon.com) by watervalley.net 
>(Stalker SMTP Server 1.7) with SMTP id S.0003108551 for wsimpson@greendragon.com; Mon, 20 Dec
>1999 01:37:37 -0600
>From: Ivars Upatnieks <ivars@ic.net>
>To: wsimpson@greendragon.com
>Subject: Re: MCI/Worldcom fiber cut in NY?
>
>baby.exe
>
>Received: from [212.7.65.97] (HELO mail.greendragon.com) by watervalley.net 
>(Stalker SMTP Server 1.7) with SMTP id S.0003149731 for wsimpson@greendragon.com; 
>Wed, 22 Dec 1999 07:04:26 -0600
>From: CORE <core@denic.de>
>To: wsimpson@greendragon.com
>Subject: Re: PAB after comments ?
>
>copier.exe
>
>WSimpson@UMich.edu
>     Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
>
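
Added example, not part of the original message or of any poster's code: the Received lines quoted above each show a client logged only as a bracketed IP that announced a HELO name inside the recipient's own domain. The Python check below flags that pattern, using two headers from the thread and one constructed control; the function and variable names are assumptions of this example.

```python
import re

# Handles the two header styles quoted in the thread:
#   Exim:    from [ip] (helo=name) ... for user@domain
#   Stalker: from [ip] (HELO name) ... for user@domain
RECEIVED_RE = re.compile(
    r"from\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+"
    r"\((?:helo=|HELO\s+)(?P<helo>[^\s)]+)\)"
    r".*?\bfor\s+<?(?P<rcpt>[^\s;>]+@[^\s;>]+)>?",
    re.IGNORECASE | re.DOTALL,
)

def helo_claims_recipient_domain(received):
    """Return (ip, helo, rcpt) when a client logged as a bare IP literal gave
    a HELO name inside the recipient's own domain; otherwise return None."""
    m = RECEIVED_RE.search(received)
    if m is None:
        return None
    helo = m["helo"].lower().rstrip(".")
    domain = m["rcpt"].rsplit("@", 1)[1].lower().rstrip(".")
    if helo == domain or helo.endswith("." + domain):
        return m["ip"], helo, m["rcpt"]
    return None

SAMPLES = [
    # From the thread (quoted-printable "=3D" decoded to "=").
    "from [168.212.244.134] (helo=mail.gxn.net)\n"
    "        by brimstone.noc.gxn.net with smtp (Exim 3.02 #3)\n"
    "        id 1291Gi-0004Sb-00\n"
    "        for amb@gxn.net; Fri, 14 Jan 2000 07:35:36 +0000",
    # From the thread.
    "from [209.125.100.122] (HELO mail.greendragon.com) by watervalley.net\n"
    "(Stalker SMTP Server 1.7) with SMTP id S.0003055677 for "
    "wsimpson@greendragon.com; Thu, 16 Dec 1999 18:29:22 -0600",
    # Constructed control: HELO name unrelated to the recipient's domain.
    "from [192.0.2.10] (HELO mx.example.net) by watervalley.net\n"
    "(Stalker SMTP Server 1.7) with SMTP id S.0000000001 for "
    "wsimpson@greendragon.com; Thu, 16 Dec 1999 18:29:22 -0600",
]

if __name__ == "__main__":
    for header in SAMPLES:
        hit = helo_claims_recipient_domain(header)
        print("SUSPECT" if hit else "ok     ", hit or header.split()[1])
```

This is a heuristic: a site's own relays legitimately use HELO names in its domain, so their source addresses need to be allowlisted before acting on a match.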


