Mac trojaned or willing spammer?
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
(Mods: If this is considered OT please move it to the right topic, whatever that may be)
The story goes like this:
I have the usual junk filter running in Mail for the almost daily trip of hundreds of copies of the sobig worm still being mailed to me, since I was dumb enough to place my mail address in a usenet group. I also have image display turned off so that spam servers can't track me using my IP.
Usually I just delete all the crap in junk mail regularly, but on occasion I view the whole header to try and follow who is sending this junk. (The mail in question looks like a page from Microsoft, which I'm sure a lot of you have seen. It has a supposed warning about a security vulnerability on Windows machines and includes an EXE attachment and instructions on how to install it.)
A few minutes ago I did a traceroute on one of the headers (the from address was spoofed of course) which turned up the following address: dialup-67.75.10.201.dial1.boston1.level3.net (67.75.10.201)
I then did a portscan to see if any ports were open (I was interested to see if this was a trojaned machine and if it had opened up some ports) and lo and behold port 80 (http) was open.
After this I did a curl -I and discovered that this is a Mac running OS 8.x or 9.x with personal web sharing (you can check it in the browser).
Now, I'm dumbfounded. If the Mac has been trojaned so that these things get sent automatically, why haven't we heard of it, and does this mean that Mac OS 8 and Mac OS 9 are vulnerable to certain trojans in the wild? Or is this some bastard doing this on purpose? (i.e., do Windows spam or Trojan tools exist on the Mac?)
weird wabbit
Professional Poster
Join Date: Apr 2001
Location: Capital city of the Empire State.
Status: Offline
Might that machine be running Virtual PC? If so, it would certainly be vulnerable to Windoze viral infections.
/mal
"I sentence you to be hanged by the neck until you cheer up."
MacBook Pro 15"/2.4 GHz Intel Core 2 Duo/4 GB DDR2 SDRAM/200 GB Hitachi HD/8x SuperDrive/Mac OS X 10.6.1
Grizzled Veteran
Join Date: Dec 2000
Location: Málaga, Spain, Europe, Earth, Solar System
Status: Offline
Maybe they just have an email server with a Really Big™ security hole.
I'd bet on it.
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
Originally posted by malvolio:
Might that machine be running Virtual PC? If so, it would certainly be vulnerable to Windoze viral infections.
It would mean that our intrepid user uses Outlook on his Mac for his mail (via VPC). It might be, but I somehow doubt it. In any case I've mailed his ISP with the header to see if they get a response.
weird wabbit
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status: Offline
The most likely explanation is that the user with that IP address when the email was sent is not the user with that IP address when you went looking.
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
Originally posted by Mithras:
The most likely explanation is that the user with that IP address when the email was sent is not the user with that IP address when you went looking.
I doubt it; it's still up now: 67.75.10.201 (and has been so for the past hour).
weird wabbit
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Originally posted by theolein:
I doubt it, it's still up now: 67.75.10.201 (and has been so for the past hour)
It is a dial-up account. You posted at 6:33 and then again at 7:00. When I was on dial-up sometimes I would spend 5 or 6 hours online... wait until tomorrow, then look it up. It probably won't be a Mac.
Besides, most spammers won't use dial-up hosts anyways. No reliability.
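Added example, not from anyone in this thread: a small Python helper for the "view the whole header" step the original poster describes, which also shows why the point about dial-up addresses matters. The sample message, host names and the 10.0.0.5 address are constructed placeholders (only the dial-up host name from the thread is reused); the From: line is spoofed, so the Received: line written by your own mail server is the only hop whose IP you can trust, and a dynamically assigned IP identifies the sender only at that header's timestamp.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, not a real message. The From: line is spoofed, so only
# the Received: chain records where the mail entered our server. Our own MX
# writes the topmost header; lower hops were written on the sender's side and
# can be forged. Host names and addresses below are placeholders.
SAMPLE = """\
Received: from dialup-67.75.10.201.dial1.boston1.level3.net (67.75.10.201)
\tby mx.example.org (Postfix) with SMTP id 4D2C0
\tfor <victim@example.org>; Thu, 28 Aug 2003 18:21:07 +0200
Received: from update-server.invalid (unknown [10.0.0.5])
\tby relay.spoofed.invalid; Thu, 28 Aug 2003 18:20:55 +0200
From: "Security Team" <security@spoofed-vendor.invalid>
Subject: Use this patch immediately

Install the attached update.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(value):
    """One Received: header -> (claimed HELO name, relay IP or None, timestamp or None)."""
    flat = re.sub(r"\s+", " ", value).strip()       # unfold continuation lines
    m = HOP_RE.search(flat)
    helo = m.group("helo") if m else None
    ip_m = IP_RE.search(m.group("paren") or "") if m else None
    ts = None
    if ";" in flat:                                  # the date follows the last ';'
        try:
            ts = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return helo, ip_m.group(0) if ip_m else None, ts


def trace_hops(raw):
    """All hops, newest first: index 0 is the header our own MX added, the only
    hop whose relay IP is trustworthy; everything below it may be forged."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def lookup_is_stale(hop_time, now, max_age_hours=1):
    """Dial-up addresses are reassigned; probing the IP long after the hop
    timestamp tells you about whoever holds it now, not about the sender."""
    return (now - hop_time).total_seconds() > max_age_hours * 3600
```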
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
Originally posted by Person Man:
It is a dial-up account. You posted at 6:33 and then again at 7:00. When I was on dial-up sometimes I would spend 5 or 6 hours online... wait until tomorrow, then look it up. It probably won't be a Mac.
Besides, most spammers won't use dial-up hosts anyways. No reliability.
So it was you!
weird wabbit