[sane-devel] Virus warning: Abuse of sane-devel email addresses

Henning Meier-Geinitz henning@meier-geinitz.de
Wed, 23 Jul 2003 19:55:53 +0200


Hi,

On Wed, Jul 23, 2003 at 07:15:51PM +0200, Oliver Schwartz wrote:
> in the last two days I received two emails with faked addresses that 
> claimed to be sent via sane-devel (but in fact were not). Both emails 
> contained a .pif file which, I assume, contains a virus. DO NOT OPEN 
> THIS FILE.

I have received emails claiming to be sent by SANE developers for
about 18 months now.

> The sender names were taken from SANE-Devel (Martin Kho, Henning 
> Meier-Geinitz). The email address of the sender, however, was faked
> (see attached mail below). To make the mail look more authentic it 
> also gives a small quote from a previous email to sane-devel.

That one looks like a new sort of worm/virus. I have received about 10
of those during the last two weeks. Mostly "from" SANE developers, but
also from other entities. One claims to be sent by "Henning
Meier-Geinitz" <henning@microsoft.com>. I thought about suing the real
author because of this defamation :-)

> I don't think such mails can be prevented, but, as always, you should 
> take extra care when opening attachments, even from people you
> recognize from the mailing list.

I'd be interested in how the mails are created. Is the person who is
infected by this worm subscribed to sane-devel? Or are the messages
scanned from the web archive?

All mails of this type were sent over vsmtp1.tin.it. IIRC, that's a
big Italian provider.

> From: Henning Meier-Geinitz <henning@microsoft.com>

Hah, that's the same mail I also got today.

> X-Spam-Status: No, hits=-6.4 required=5.0
>         tests=EMAIL_ATTRIBUTION,MICROSOFT_EXECUTABLE
>         autolearn=ham version=2.53

-6.4 points for an obvious worm. Looks like GMX has to do more homework.

Bye,
  Henning