[SGVLUG] I'm being attacked by an email flood from kernel.org

David Lawyer dave at lafn.org
Wed Apr 19 00:44:35 PDT 2006


On Mon, Apr 17, 2006 at 12:04:57PM -0700, Emerson, Tom wrote:
> > -----Original Message-----
> > K. Zachary Abbott
> > 
> > The easiest explanation:
> > 
> > there is a computer somewhere (likely a Windows box, but 
> > not necessarily) that is infected by a computer virus.
> > That infected computer has your email address somewhere ...
> > The virus is for whatever reason targeting kernel.org ...
> 
> Actually, "targeting" may be too harsh of a word -- it may simply be
> that the virus is attempting to replicate itself to /every address/ it
> found on the infected system

I don't think so.  Why would it send out hundreds of emails to the
same "person": Majordomo at vger.kernel.org?  A virus is usually sent out
to different people.  If a person doesn't open the attachment for the
1st email, they are not likely to open an attachment if they get
hundreds of copies of the same (or similar) email from the
same sender.

> -AND- is "spoofing" the return address as
> /some other address/ found on that system.  In short, David needs to
> find someone with an infected system that has both his e-mail AND the
> kernel.org end-user management e-mail address.

Right.  The easiest way is for someone at kernel.org to find out where
they are coming from and complain to the ISP, etc (or as a last
resort, just block them). 

I've used grep to get a listing of the time stamps when Majordomo
emailed me.  They are almost all in the morning and spaced a couple of
minutes apart.  When I said several seconds I was wrong and may have
been looking at the time stamp when it was sent to my PC by fetchmail
after having sat for hours at my mailbox at my ISP.  Now there are
periods of hours when there is no activity (no email from Majordomo is
sent to me).  So it does look like it's coming from an infected PC.
Why do they email me mostly in the morning (actually from 0000
to 1500 Eastern Savings Time)?  Simple.  The location is in Russia (or
thereabouts: Iran, Iraq, etc.)

> 
> Since David indicated he is getting these as fast as "a few seconds
> apart", it may be that the infected system has a very short list of
> "addresses" found upon it, thus increasing the likelihood that his
> is the resulting "source" address.

Sorry, I was wrong about the "few seconds apart".

> Question for David: are you also
> getting spam or viral messages from random sources with similar
> "random strings" as what the list software is claiming you sent "as
> a command"?

Don't know since my ISP (LA Freenet) filters out most of the spam.

> Bearing in mind that "all" of those return addresses will be
> spoofed, you *might* be able to narrow things down to someone *you*
> know who would likely have your address, the kernel.org address, and
> the "other" addresses stored on their system [and uses windows...]

Don't really know anyone in Russia.

> Sad but true, what the list reflector software needs is spam/virus
> checking on input to ignore these attacks.

Or to prevent them from being used for flooding.  There's likely no
spam/virus involved.

I've emailed my ISP about this problem and emailed the postmaster at
kernel.org.  I previously emailed Majordomo-Owner at vger.kernel.org but
got no response.  The from IP in the long header (routing part) of my
emails is identical to the one used by vger.kernel.org, so I think
it's likely coming from them.

			David Lawyer
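An added example, not part of the original thread, that does the analysis David describes: it bins the Majordomo replies by hour of day and tallies the host that delivered each one from its Received: header, so a flood of forged-sender command replies (backscatter) shows up as mail that all arrives from the list server and clusters in a few hours. The messages, hostnames and IPs below are constructed (documentation-range addresses), and the Eastern time offset is assumed to be UTC-4.

```python
import email.utils
import re
from collections import Counter
from datetime import timedelta, timezone

# Constructed sample (not real traffic): three Majordomo replies and one unrelated mail.
# 198.51.100.5 is a documentation-range placeholder standing in for vger.kernel.org.
SAMPLE_MESSAGES = [
    "Received: from vger.kernel.org (vger.kernel.org [198.51.100.5])\n"
    "\tby mx.isp.example; Mon, 17 Apr 2006 05:02:09 -0700\n"
    "From: Majordomo@vger.kernel.org\nDate: Mon, 17 Apr 2006 08:02:05 -0400\n"
    "Subject: Majordomo results: qwkxz\n\nCommand 'qwkxz' not recognized.\n",
    "Received: from vger.kernel.org (vger.kernel.org [198.51.100.5])\n"
    "\tby mx.isp.example; Mon, 17 Apr 2006 06:15:30 -0700\n"
    "From: Majordomo@vger.kernel.org\nDate: Mon, 17 Apr 2006 09:15:22 -0400\n"
    "Subject: Majordomo results: hrtpl\n\nCommand 'hrtpl' not recognized.\n",
    "Received: from vger.kernel.org (vger.kernel.org [198.51.100.5])\n"
    "\tby mx.isp.example; Tue, 18 Apr 2006 06:40:01 -0700\n"
    "From: Majordomo@vger.kernel.org\nDate: Tue, 18 Apr 2006 13:40:00 +0000\n"
    "Subject: Majordomo results: mzqvo\n\nCommand 'mzqvo' not recognized.\n",
    "Received: from mail.friend.example (mail.friend.example [203.0.113.7])\n"
    "\tby mx.isp.example; Mon, 17 Apr 2006 20:00:00 -0700\n"
    "From: friend@friend.example\nDate: Mon, 17 Apr 2006 20:00:00 -0700\n"
    "Subject: lunch?\n\nStill on for Friday?\n",
]

EDT = timezone(timedelta(hours=-4))  # assumed Eastern daylight offset, the zone the post reasons in
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def delivering_ip(msg):
    """IP of the host that handed the message to our MX: the bracketed
    address in the topmost Received: header (the hop our own MTA wrote)."""
    received = msg.get_all("Received") or []
    m = IP_IN_BRACKETS.search(received[0]) if received else None
    return m.group(1) if m else None

def summarize(raw_messages, sender="majordomo@vger.kernel.org"):
    """Count messages from `sender` per hour of day (EDT) and per delivering host;
    backscatter arrives from the list server itself in the flooder's waking hours."""
    hours, ips = Counter(), Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if email.utils.parseaddr(msg.get("From", ""))[1].lower() != sender:
            continue
        when = email.utils.parsedate_to_datetime(msg["Date"]).astimezone(EDT)
        hours[when.hour] += 1
        ips[delivering_ip(msg)] += 1
    return {"hours": dict(hours), "ips": dict(ips)}
```

Run `summarize` over a real mailbox split into messages to see whether every reply is handed over by the list server (expected for backscatter) and which hours it clusters in; the forged command's true origin is only in the list server's own logs, not in the replies.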

