Topic: ANOTHER virus on the list...
SD_PokeMom
Member # 97
posted August 21, 2002 10:52 PM
Just got another 142K email from "pokeprofessor", titled "click here"...
Please be careful, fellow Professors and MPs!
'Mom
-------------------- Master Professor/Tournament Organizer/Pokémon League Gym Leader, Adventure Games and Comics, Poway, CA
Nothing endures in this world. Everything changes according to karma. But, like the ocean, underneath the restless existence of the countless waves there is one boundless stillness that embraces and gives life to all the moving waves. Namuamidabutsu...
From: San Diego, CA --location of WCSTS-2001 and West Stadium Challenge 2002 | Registered: Feb 2001
GreatFox
Member # 77642
posted August 21, 2002 11:25 PM
I don't want to sound rude or anything, but do we really need a post about the virus every time someone receives it?
I think we all know what to look for. Most of us have already received lots of e-mails containing this virus and in turn should already know what to look for.
Sorry about that. Maybe it's because I use a Mac and don't have to worry about this virus (even though I can still identify an e-mail that contains it before opening it) that I think it is not necessary to warn us every time it's mailed out to the list.
Once again, sorry if that came off a little rude on my part. I just can't believe that that virus still hasn't been taken care of.
-------------------- Westminster SBZ Correspondent for PIRN: Pokémon Radio!
The Labs! Powered by pMachine. The New Pokémon Labs|The New PokéLabs Forum|PIRN
Mmmmm... Tungsten!
From: Los Angeles, California | Registered: Apr 2002
Darkleaf Master
Member # 59034
posted August 22, 2002 02:01 AM
I don't want to sound rude or anything.. but I do think these are useful for other Newer Pokemon Professors who haven't gotten one yet. Thank you SD_Pokemom
[ August 22, 2002, 02:02 AM: Message edited by: Darkleaf Master ]
-------------------- Yes... I'm 17 AND like Pokemon.. Problem?? Pokemon... Not just a game, it's a lifestyle. See you at the SBZ!!!
"This hand of mine is burning red. Its loud roar tells me to grasp victory! Now, Here we go! Burning Finger!" Domon Kashu
From: San Diego | Registered: Jan 2002
CJ-Mich
Member # 835
posted August 22, 2002 05:28 AM
I agree. There can never be too much public awareness when it comes to these things.
I would think WOTC could filter out any messages with attachments.
From: Michigan | Registered: Feb 2001
Noah Weiss
Member # 59265
posted August 22, 2002 06:41 AM
I got one. It had a "click here" with a message of about 2000 lines of nonsense. I hope that just clicking on the message then immediately deleting it won't infect my system. My e-mail has a problem, because the "sender" for the real thing AND the impostor is "Automatic digest processor". The only way I can find the sender's e-mail address is by opening it. (Does anyone know how to change it so that on "Sender", it shows the e-mail address instead of the name on Netscape e-mail?)
-------------------- Just call me Noah121... I accidentally mixed up "Login name" and "Displayed name..."
Link to My Forums: go.ezboard.com/bgameshowboard . It's a forum for Pokémon and game shows. *Supporter of Rogue Decks* *Opposer of Trainermon*
From: Lincoln, NE | Registered: Jan 2002
yoshi1001
Member # 825
posted August 22, 2002 06:57 AM
In order to do damage, the attachment must be opened.
-------------------- Visit Pokéwatch!
Listen to PIRN, the Pokémon Internet Radio Network. We have interviews with Master Trainer Mike, Kierin Chase, and more, as well as your favorite Pokémon music! PIRN: The number 1 Pokémon Internet Radio Station!
PIRN: The Magazine
GCAbGEbGF
AIM: yoshi1001
From: Janesville, Wisconsin | Registered: Feb 2001
SD_PokeMom
Member # 97
posted August 22, 2002 08:44 AM
quote: Originally posted by CJ-Mich: I would think WOTC could filter out any messages with attachments.
The first time one of these went to the Professor List (on July 11), Lugia909 looked at the headers and found that this had been a deliberate mailing, forwarded from a dial-up provider with a return address in RUSSIA:
quote: And after opening it and examining the header (which I can do, since I don't run a PC), this appears to have been routed either through a SMTP server in Russia from another sender at 12.29.201.2 or as a spoof from 209.221.129.19. I'm attaching the entire header below for reference in case other people have a way of filtering these crossmailings via full header data.
Return-Path: <[email protected]>
Received: from oracle.wizards.com (oracle.wizards.com [209.221.129.19]) by lepton.soltec.net (8.11.6/8.11.6) with ESMTP id g6B7iif08883; Thu, 11 Jul 2002 02:44:44 -0500 (CDT)
Received: from lotus (209.221.129.19) by oracle.wizards.com (LSMTP for Windows NT v1.1b) with SMTP id <[email protected]>; Thu, 11 Jul 2002 0:48:31 -0700
Received: from ORACLE.WIZARDS.COM by ORACLE.WIZARDS.COM (LISTSERV-TCP/IP release 1.8d) with spool id 32768776 for [email protected]; Thu, 11 Jul 2002 00:47:39 -0700
Received: from mx2.mail.ru (194.67.57.12) by oracle.wizards.com (LSMTP for Windows NT v1.1b) with SMTP id <[email protected]>; Thu, 11 Jul 2002 0:47:36 -0700
Received: from [12.229.201.2] (helo=Eqiqfape) by mx2.mail.ru with smtp (Exim SMTP.2) id 17SYc4-0003za-00 for [email protected]; Thu, 11 Jul 2002 11:43:44 +0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Af05D0g98x79p9G
Approved-By: pokeprofessor <[email protected]>
Message-ID: <[email protected]>
Date: Thu, 11 Jul 2002 11:43:44 +0400
Sender: The Pokemon Professor Program Newsletter <[email protected]>
From: pokeprofessor <[email protected]>
Subject: Music Files (.mes)
To: [email protected]
X-UIDL: $=g!!''g"!]Ce!!XLc"!
Also, the content contains the following: an attachment called "rock.exe 1", and the following:
Content-Type: application/octet-stream; name=happyduo_top.jpg
Content-Transfer-Encoding: base64
Content-ID: <Ec1c7Qz96O8d>
Following this in my copy was the now-dead encoded file, which I won't forward as it's still a valid base64 encode.
This _appears_ to be Klez.H again...except that it would come from an actual source that we'd know and not via a spoof thru the Profs listserver. Looks a bit more deliberate, therefore.
It is not coming from Wizards of the Coast; every time I've gotten it I've been able to tell immediately that it's not from the real list because of the way the return address shows up in my inbox. The return address is shown as "pokeprofessor" instead of "[email protected]".
Hope this helps...
-------------------- Master Professor/Tournament Organizer/Pokémon League Gym Leader, Adventure Games and Comics, Poway, CA
Nothing endures in this world. Everything changes according to karma. But, like the ocean, underneath the restless existence of the countless waves there is one boundless stillness that embraces and gives life to all the moving waves. Namuamidabutsu...
From: San Diego, CA --location of WCSTS-2001 and West Stadium Challenge 2002 | Registered: Feb 2001
SNESWhiz
Member # 225
posted August 22, 2002 09:15 AM
quote: Originally posted by GreatFox: I don't want to sound rude or anything, but do we really need a post about the virus every time someone receives it?
I think we all know what to look for. Most of us have already received lots of e-mails containing this virus and in turn should already know what to look for.
I must concur. It's also happening with such a great frequency that it really doesn't need to be repeatedly mentioned.
quote: Originally posted by SD_Pokemom: It is not coming from Wizards of the Coast; every time I've gotten it I've been able to tell immediately that it's not from the real list because of the way the return address shows up in my inbox. The return address is shown as "pokeprofessor" instead of "[email protected]".
The headers indicate it comes from an SMTP server in Russia, that was sent to the Wizards list. Therefore, it is still going through the Wizards server.
Wizards can do several things...
- Ensure only authorized people can send mail to the list
- Add a footer like the DCIJUDGE-L list does (though in this case, warning about viruses)
- Filter out attachments
-------------------- Kevin Chen MIT Class of 2006! (Anyone else?) http://www.sneswhiz.com/
Find official TCG rulings and chat logs at Team Compendium: http://pkcompendium.hypermart.net/
Check out the articles at IPGeek21's site: http://www.ipgeek21.com/articles/articles_index.html
From: Chesapeake, VA, USA | Registered: Feb 2001
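Added example, not part of any post in this thread: a check over the Received chain from the header Lugia909 quoted, combined with the sender and attachment filtering SNESWhiz lists. The addresses (redacted on the page), the allowlist host and the attachment bytes are constructed, and `hops` and `findings` are hypothetical names.

```python
import re
from email import message_from_string

# Constructed sample: Received chain and MIME part taken from the quoted
# header; redacted addresses replaced, attachment bytes made up.
RAW = """\
Received: from oracle.wizards.com (oracle.wizards.com [209.221.129.19]) by lepton.soltec.net (8.11.6/8.11.6) with ESMTP id g6B7iif08883; Thu, 11 Jul 2002 02:44:44 -0500 (CDT)
Received: from mx2.mail.ru (194.67.57.12) by oracle.wizards.com (LSMTP for Windows NT v1.1b) with SMTP; Thu, 11 Jul 2002 0:47:36 -0700
Received: from [12.229.201.2] (helo=Eqiqfape) by mx2.mail.ru with smtp (Exim SMTP.2) id 17SYc4-0003za-00; Thu, 11 Jul 2002 11:43:44 +0400
From: pokeprofessor <sender@example.invalid>
Subject: Music Files (.mes)
Content-Type: multipart/alternative; boundary=Af05D0g98x79p9G

--Af05D0g98x79p9G
Content-Type: application/octet-stream; name=happyduo_top.jpg
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--Af05D0g98x79p9G--
"""

def hops(msg):
    """Received hops as (from_host, by_host), oldest hop first."""
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", value, re.S)
        if m:
            out.append((m.group(1).lower(), m.group(2).lower()))
    return out

def findings(msg, list_host, allowed_submitters):
    """Reasons a list server could hold this message for the moderator."""
    reasons = []
    # The hop where some other machine handed the message to the list server.
    entry = next((f for f, b in hops(msg)
                  if b == list_host and f != list_host), None)
    if entry not in allowed_submitters:
        reasons.append(f"list entry hop {entry} not authorised")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith((".jpg", ".jpeg")) and not data.startswith(b"\xff\xd8"):
            reasons.append(f"{name}: not JPEG data")
        if data.startswith(b"MZ"):  # DOS/PE executable magic
            reasons.append(f"{name}: Windows executable header")
    return reasons

MSG = message_from_string(RAW)
```

Received headers above the list server's own hop are written by machines the list operator controls; everything below it is supplied by the sender and can be forged, so the check keys on the hop the list server itself recorded.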
tick
Member # 65651
posted August 22, 2002 10:46 AM
The SMTP server in Russia is not an open relay, so it must mean the server itself is infected (and forging the header), or that the Cable modem user has permissions to use the SMTP server.
If any one of the WotC staff reads this, present this question to the ListServe administrator:
The Professor list is moderated, why is this e-mail making it out to all the Professors unchecked?
[ August 22, 2002, 10:47 AM: Message edited by: tick ]
-------------------- You know Arthur, when evil is afoot and you don't have any arms, you gotta use your head. And when evil is ahead and you're behind, you gotta do the legwork. But when you can't get a leg up, you gotta be hip...
From: The City | Registered: Feb 2002
rebellee1187
Member # 58122
posted August 23, 2002 12:23 PM
These viruses are becoming problematic. I almost accidentally opened mine! Which makes me wonder, what kind of virus is contained within it?
-------------------- I am stronger than ALL the Jedi! Even you!- Darth Tyrannis Much to learn, you still have.- Yoda
http://pub39.ezboard.com/brebellee
From: The basement of the house half a block down the street from Jerry's bait shop. | Registered: Jan 2002