emailx.com is a valid domain. If you are going to use a munged
address, the domain should be invalid, and it should end with the
TLD .invalid.
From EmailX.com:
Contact us if you are interested in above domain.
If I remember correctly from '98, signing up for posting to
news.uni-berlin.de required the "from" to be a valid domain.
If you were infected, it would not matter whether you ever read a.c.a-v
or whether you had my address on your HDD. Your copy of Swen would
have a peek at Usenet and find my address there. AFAIK, each
infected machine sends two to each address it finds, but not two for
each instance of that address.
»Q«, I can only come to conclusions and make recommendations based on what
I've read and from my own experiences. Admittedly, I'm mainly just a home
user doing basic functions. I based my post on what is written at
http://www.us.sophos.com/virusinfo/analyses/w32gibef.html, "W32/Gibe-F is a
worm which spreads by emailing itself via its own SMTP engine to addresses
extracted from various sources on the victim's drives (e.g. MBX and DBX
files)." Since the a.c.a-v posts I have are stored in a DBX file, I saw the
potential for a lot of mails going out.
My error is not taking into consideration those that read through their
browser. That could (dramatically?) cut down the maximum exposure. Are
read browser messages stored (or can they be saved) at all on the user's
HDD, and if so in what type of file?
From
http://vil.nai.com/vil/content/v_100662.htm
"Propagation via Newsgroups:
The worm carries a compressed list of newsgroup servers. At run time, the
list is decompressed and written to a temp file. The worm uses the default
newsgroup server from the machine or one from the list to post messages to a
randomly selected group. The message is the same from the email
propagation."
I focused on "to post messages", that is, it does not get addresses from
this action, but sends a post (in hopes of) getting someone to open the
message and get infected via a very old exploit, or DL and/or open the
attachment.
Concerning "not two for each instance of that address"; I have no clue as to
what actually happens. My math was based on how I thought this thing was
operating. If I were the programmer, would I do the extra code to compare
each address to what I already had in order to exclude duplicates (would I
think, up front, there would be many duplicates to exclude in order to make
the mail more believable?) or would I just get an address and send, then
repeat? The number of mails some people are receiving per minute is so
great that I believed they were coming from multiple instances from the same
machine ("from" address changed for each set) rather than from an incredibly
huge number of infected machines. Because this hit the home user, and it
installs to repeat, it appears a whole new round of mails go out under a
different IP at startup / log-on.
If I'm out-of-sync I apologize, and, where did I go astray? (The EmailX.com
though is non-negotiable. Your point is taken and I consider it to be
valid.)
--
~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
Remove X from address
~~~~~~~~~~~~~~~~~~
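A defender-side check suggested by the behaviour discussed in this thread (a burst of mails per minute from one machine, with the "from" address changed for each set): this is an added example, not code from the original post, and the relay log format, sample lines and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an outbound SMTP relay log (not from the original post).
# Assumed format: "<ISO timestamp> client=<ip> from=<sender> to=<recipient>"
SAMPLE_LOG = """\
2003-09-20T10:00:01 client=192.0.2.10 from=alice@example.invalid to=bob@example.net
2003-09-20T10:00:02 client=192.0.2.10 from=bob@example.org to=bob@example.net
2003-09-20T10:00:03 client=192.0.2.10 from=carol@example.com to=dave@example.net
2003-09-20T10:00:04 client=192.0.2.10 from=erin@example.edu to=bob@example.net
2003-09-20T10:00:05 client=192.0.2.10 from=frank@example.co.uk to=dave@example.net
2003-09-20T10:00:06 client=192.0.2.10 from=grace@example.org to=eve@example.net
2003-09-20T10:00:30 client=192.0.2.20 from=heidi@example.net to=ivan@example.org
2003-09-20T10:02:00 client=192.0.2.20 from=heidi@example.net to=judy@example.org
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) from=(\S+) to=(\S+)$")

def parse_log(text):
    """Yield (timestamp, client_ip, sender, recipient) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def flag_worm_like_senders(text, window=timedelta(minutes=1), max_msgs=5, min_senders=3):
    """Return {client_ip: summary} for hosts that, within any one window,
    relay more than max_msgs messages under at least min_senders different
    envelope senders. A bursty host rotating its "from" address is the
    mass-mailer pattern discussed in the thread; this is a heuristic, so
    thresholds (assumed here) need tuning against a site's normal traffic.
    distinct_recipients shows how many harvested addresses were repeats."""
    events = defaultdict(list)
    for ts, ip, sender, rcpt in parse_log(text):
        events[ip].append((ts, sender, rcpt))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - start <= window]
            senders = {s for _, s, _ in burst}
            if len(burst) > max_msgs and len(senders) >= min_senders:
                flagged[ip] = {"messages": len(burst), "distinct_senders": len(senders),
                               "distinct_recipients": len({r for _, _, r in burst})}
                break
    return flagged
```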