[regex-coach] Trojan Horse suspect message from regex-coach list
Dennis Williamson
dennis at netstrata.com
Fri Sep 28 18:34:41 UTC 2007
I received an email from the list today that appears to be bogus. It has
an attached file called file.zip (which I have not opened). AVG detected
the Dropper.Generic_c.GH trojan horse in the file.
The subject of the message is "[regex-coach] Mail System Error -
Returned Mail"
The body of the message is:
> Dear user of common-lisp.net,
>
> We have received reports that your account has been used to send a large amount of unsolicited e-mail during this week.
> Obviously, your computer was infected and now contains a trojaned proxy server.
>
> Please follow the instruction in order to keep your computer safe.
>
> Virtually yours,
> The common-lisp.net team.
Here is a partial header with some info obscured by "*****":
Return-Path: <regex-coach-bounces at common-lisp.net>
Received: from common-lisp.net [80.68.86.115] by ***** with SMTP;
    Fri, 28 Sep 2007 09:50:12 -0700
Received: by common-lisp.net (Postfix, from userid 65534)
    id 705C27E04A; Fri, 28 Sep 2007 12:49:36 -0400 (EDT)
Received: from common-lisp.net (localhost [127.0.0.1])
    by common-lisp.net (Postfix) with ESMTP id 2C5175311A
    for <*****>; Fri, 28 Sep 2007 12:49:26 -0400 (EDT)
Received: by common-lisp.net (Postfix, from userid 65534)
    id D868050044; Fri, 28 Sep 2007 12:49:23 -0400 (EDT)
Received: from common-lisp.net (unknown [189.177.43.107])
    by common-lisp.net (Postfix) with ESMTP id 25ABC4E03C
    for <regex-coach at common-lisp.net>; Fri, 28 Sep 2007 12:49:21 -0400 (EDT)
X-Original-To: regex-coach at common-lisp.net
Delivered-To: regex-coach at common-lisp.net
From: "Automatic Email Delivery Software" <noreply at common-lisp.net>
To: regex-coach at common-lisp.net
Date: Fri, 28 Sep 2007 11:47:05 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0008_07436ADC.6EB5240A"
Message-Id: <20070928164921.25ABC4E03C at common-lisp.net>
Subject: SPAM-LOW: [regex-coach] Mail System Error - Returned Mail
The header appears to be very well spoofed or it's actually coming from
the expected server. It looks a lot like one from a known-good message.
Dennis
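
An added example, not part of the original post: reading the Received chain quoted above from the oldest hop upward in Python, listing the hops that arrived over the network and any HELO name recorded from more than one client IP. The function names are assumptions made for this sketch, and the header text is copied from the post with its continuation lines re-indented.

```python
import ipaddress
import re
from email import message_from_string

# Received lines as quoted in the post ("*****" masking kept); the
# continuation lines are re-indented here so they parse as folded headers.
RAW = """\
Received: from common-lisp.net [80.68.86.115] by ***** with SMTP;
 Fri, 28 Sep 2007 09:50:12 -0700
Received: by common-lisp.net (Postfix, from userid 65534)
 id 705C27E04A; Fri, 28 Sep 2007 12:49:36 -0400 (EDT)
Received: from common-lisp.net (localhost [127.0.0.1])
 by common-lisp.net (Postfix) with ESMTP id 2C5175311A
 for <*****>; Fri, 28 Sep 2007 12:49:26 -0400 (EDT)
Received: by common-lisp.net (Postfix, from userid 65534)
 id D868050044; Fri, 28 Sep 2007 12:49:23 -0400 (EDT)
Received: from common-lisp.net (unknown [189.177.43.107])
 by common-lisp.net (Postfix) with ESMTP id 25ABC4E03C
 for <regex-coach at common-lisp.net>; Fri, 28 Sep 2007 12:49:21 -0400 (EDT)

"""

# Matches "from HELO [ip]" and the Postfix form "from HELO (rdns [ip])".
HOP = re.compile(r"^from\s+(\S+)\s+(?:\((\S+)\s+)?\[([\d.]+)\]")

def network_hops(raw):
    """Return (helo, rdns, ip) for each non-loopback hop, oldest first."""
    hops = []
    # Each server prepends its own Received line, so the last one is the oldest.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.match(value.strip())
        if m and not ipaddress.ip_address(m.group(3)).is_loopback:
            hops.append(m.groups())
    return hops

def helo_conflicts(hops):
    """Map a HELO name to its client IPs when it was seen from more than one."""
    seen = {}
    for helo, _rdns, ip in hops:
        seen.setdefault(helo.lower(), set()).add(ip)
    return {name: sorted(ips) for name, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    hops = network_hops(RAW)
    print("oldest network hop:", hops[0])
    print("HELO names seen from several IPs:", helo_conflicts(hops))
```

On the quoted header this reports the oldest network hop as a client at 189.177.43.107 announcing itself as common-lisp.net, with the host name recorded as unknown, while the recipient's server saw common-lisp.net at 80.68.86.115.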