[Posted & Mailed, just to make the point -- I half expect the mailed copy to
bounce as "Unknown User".]
On 29 Sep 2003 22:10:48 -0700, in four completely unrelated newsgroups,
dumbass_detector2003@yahoo.com (Dumbass Detector) wrote:
>
> With a new mail address, I posted a single message yesterday
> (September 28th) to a single newsgroup, alt.idiots.
>
> Here is the list of email addresses and IP's from which I received the
> SWEN worm through email: (In other words, here's a list of TOTAL
> dumbasses):
>
[snip]
Wrong. The only thing you've "proven" is that YOU are a bigger "dumbass"
than any of the folks you accuse.
The "From:" header on any message generated by any variant of the Gibe worm
(including W32.Swen.A) is *always* forged, and is gleaned from the same
sources as the addresses it sends itself to (this is usually done by
scraping the infected host's Windows Address Book; in the specific case of
the Swen.A variant, it scrapes Usenet postings). It bears *NO* relationship
to the actual source of the worm-infected message.
Here is a spot-check, to prove the point (I've lightly munged the address
you quoted, in an effort to keep it from being further harvested):
> malev[at]selamer.com 209.29.198.119
[snip]
A quick search of the <alt.privacy.spyware> newsgroup shows the
following sources for messages posted by "malev":
--> NNTP-Posting-Host: acbed4c2.ipt.aol.com (172.190.212.194)
--> NNTP-Posting-Host: acbf45fa.ipt.aol.com (172.191.69.250)
--> NNTP-Posting-Host: acbed4a5.ipt.aol.com (172.190.212.165)
--> NNTP-Posting-Host: acbaa55b.ipt.aol.com (172.186.165.91)
--> NNTP-Posting-Host: acb9fa70.ipt.aol.com (172.185.250.112)
--> NNTP-Posting-Host: acba4ad3.ipt.aol.com (172.186.74.211)
IOW, he is a standard-issue dial-up AOL user. Hold that thought.
The IP you claim for "malev" has no rDNS (PTR record) configured; but as
shown at:
<http://www.dnsstuff.com/tools/whois.ch?ip=209.29.198.119>
the netblock it belongs to is:
--> OrgName: TELUS Communications Inc.
--> OrgID: TACE
--> Address: #2600 4720 Kingsway Avenue
--> City: Burnaby
--> StateProv: BC
--> PostalCode: V5N-4N2
--> Country: CA
-->
--> NetRange: 209.29.0.0 - 209.29.255.255
--> CIDR: 209.29.0.0/16
--> NetName: TELUS-209-29-0-0
--> NetHandle: NET-209-29-0-0-1
--> Parent: NET-209-0-0-0-0
--> NetType: Direct Allocation
--> NameServer: PRI3.DNS.CA.TELUS.COM
--> NameServer: PRI4.DNS.CA.TELUS.COM
--> Comment:
--> RegDate:
--> Updated: 2002-03-27
Exactly where do you see a tie-in to AOL there?
Now you, OTOH...
> From: dumbass_detector2003@yahoo.com (Dumbass Detector)
[snip]
Using a Yahoo drop-box address.
> Newsgroups: alt.idiots,
> soc.culture.greek,
> comp.periphs.printers,
> alt.privacy.spyware,
> alt.stop.spamming
[snip]
Posting to several clearly off-topic newsgroups.
> Subject: Results of Experiment to ferret out the true dumbasses
> Date: 29 Sep 2003 22:10:48 -0700
> Organization: http://groups.google.com/
> Lines: 20
> Message-ID: <278cc13e.0309292110.a44b07c@posting.google.com>
[snip]
Posting to Usenet via the web-based "Google Groups", probably in a lame
attempt at "anonymity".
> NNTP-Posting-Host: 130.94.107.164
[snip]
But actually coming from Verio, one of the top half-dozen (or less) chronic
spam sewers on the Internet. And indeed, a couple of quick lookups via:
<http://openrbl.org/ip/130/94/107/164.htm>
<http://moensted.dk/spam/?addr=130.94.107.164&Submit=Submit>
show that your posting IP is currently listed in no less than a half-dozen
different DNSbl zones.
> It is rare that a chance to expose true dumbasses comes along, don't
> thank me - It was my pleasure.
[snip]
So then, you're saying you *like* exposing your limitless ignorance in
public?
> The above users should 1) put down the
> crack pipe 2) step away from the keyboard 3) UNPLUG the computer and
> never plug it in again!
>
[snip]
You should take your own advice, Dumbass.
On that note, there is only one thing left to say...
.:\:/:.
+-------------------+ .:\:\:/:/:.
| PLEASE DO NOT | :.:\:\:/:/:.:
| FEED THE TROLLS | :=.' - - '.=:
| | '=(\ 9 9 /)='
| Thank you, | ( (_) )
| Management | /`-vvv-'\
+-------------------+ / \
| | @@@ / /|,,,,,|\ \
| | @@@ /_// /^\ \\_\
@x@@x@ | | |/ WW( ( ) )WW
\||||/ | | \| __\,,\ /,,/__
\||/ | | | jgs (______Y______)
/\/\/\/\/\/\/\/\//\/\\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
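
Added example (not part of the original post): the spot-check above as a small Python script. It reads the delivering IP from the Received: header written by the recipient's own server instead of trusting From:, tests the claimed sender's known posting hosts against that IP's netblock, and builds a DNSBL query name. The sample message, the `.example` names and the `dnsbl.example` zone are constructed placeholders; the IP addresses and the /16 come from the post.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a worm-generated message as stored by the recipient's
# own mail server. Names are placeholders; the IP is the one quoted in the post.
SAMPLE = """\
Received: from unknown (HELO mailhost) ([209.29.198.119])
    by mx.recipient.example with SMTP; Sun, 28 Sep 2003 19:02:11 -0700
From: "Constructed Sender" <someone@harvested.example>
To: victim@recipient.example
Subject: constructed sample

body
"""

# Values copied from the post: posting hosts seen for the person named in
# From:, and the whois netblock of the IP that delivered the worm.
KNOWN_POSTING_HOSTS = ["172.190.212.194", "172.191.69.250", "172.190.212.165",
                       "172.186.165.91", "172.185.250.112", "172.186.74.211"]
DELIVERING_NETBLOCK = ipaddress.ip_network("209.29.0.0/16")

def claimed_sender(raw):
    """Address in From:, which the sending program sets to anything it likes."""
    return parseaddr(message_from_string(raw)["From"])[1]

def delivering_ip(raw):
    """Peer IP in the topmost Received: header, the one our own MX wrote."""
    top = message_from_string(raw).get_all("Received", [""])[0]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    return ipaddress.ip_address(m.group(1)) if m else None

def hosts_in_netblock(hosts, netblock):
    """Known hosts of the claimed sender that fall inside the netblock."""
    return [h for h in hosts if ipaddress.ip_address(h) in netblock]

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reversed octets + zone; an A record means listed."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

if __name__ == "__main__":
    ip = delivering_ip(SAMPLE)
    print("From: claims      ", claimed_sender(SAMPLE))
    print("Delivered by      ", ip, "in", DELIVERING_NETBLOCK, ip in DELIVERING_NETBLOCK)
    print("Sender hosts there", hosts_in_netblock(KNOWN_POSTING_HOSTS, DELIVERING_NETBLOCK))
    # "dnsbl.example" is a placeholder zone, not a real blocklist.
    print("DNSBL query name  ", dnsbl_query_name("130.94.107.164", "dnsbl.example"))
```

Only the Received: line added by a server you control is reliable; lines further down the header stack can be forged by the sender just as From: can.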

