
[Groff] Our spam


From: Ted Harding
Subject: [Groff] Our spam
Date: Sat, 27 Jan 2007 10:31:29 -0000 (GMT)

Hi Folks,

I've browsed a bit on one of the subject lines from our
current spate of spam (similar to what we were getting
around Feb - September 2005).

This turned up a worm virus known by various names,
such as I-Worm.Nyxem.b, Win32:Nyxem, Win32.Blackmal.B,
I-Worm.Win32.MyWife.79409, Worm/Nyxem.B, Win32/address@hidden

A full description can be found at

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BLUEWORM.E

[equivalently at http://tinyurl.com/2baq3s if you prefer]

which indicates that it apparently dates from June 2004.

I'm still puzzled by our own experience of it. For some
reason, the most frequent "sender" is myself, with a few
(in the past) "from" Werner or, once or twice, "from"
Joergen Haegg.

Also, the groff list is the only one (of many lists I am on)
which receives it.

For what it's worth, the latest stream originates from IP
addresses owned by Awalnet in Saudi Arabia, e.g.

whois 86.60.115.64
inetnum:        86.60.112.0 - 86.60.123.255
netname:        Awal_Jawal_Pro
descr:          Awalnet Jawal Proj
country:        SA

which is different from previous streams, e.g. Feb-Sep 2005:

whois 194.2.232.250
inetnum:      194.2.232.0 - 194.2.232.255
netname:      FR-ISEP
descr:        Institut Superieur d'Electronique de Paris

So, despite the variations in apparent source, the limitation
(in our experience) to the groff list, and to a few "senders"
seems to be invariant!

Anyway, let's hope that Werner's action, based on Nick's
excellent analysis, will do the trick!

Best wishes to all,
Ted.

--------------------------------------------------------------------
E-Mail: (Ted Harding) <address@hidden>
Fax-to-email: +44 (0)870 094 0861
Date: 27-Jan-07                                       Time: 10:31:15
------------------------------ XFMail ------------------------------



