what was that?

Charles M. Richmond cmr at koibito.iisc.com
Mon Mar 31 12:45:54 PST 2003


So I did a grep for msg IDs similar to the one that is being 
discussed and I got the following 3 examples. There is some
humour perhaps in the fact that 2 are from the bugtraq mailing
list. :) All 3 are from Microsoft Outlook and both of the bugtraq
samples are from the same individual. 

I would like to see some analysis of this. The chance that generated
msg IDs could correspond so closely is about 1/googolplex so we can
assume some mechanism. Are these systems in fact infected with a
virus and is embedded base64 in the MSG ID a viral vector?


07-Mar-00:01/mail.log:Mar  7 18:10:19 koibito sendmail[3110]: 
h27NAIVK003110: 
from=<bugtraq-return-8642-cmr=iisc.com at securityfocus.com>, size=11569, 
class=-60, nrcpts=1, 
msgid=<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAnPQpmkc/vBG8Jfb3ld
blgcKAAAAQAAAAm4xh+UzWb0OinqZZoa2a, proto=ESMTP, daemon=MTA, 
relay=outgoing2.securityfocus.com [205.206.231.26]

15-Mar-00:01/mail.log:Mar 15 17:59:59 koibito sendmail[8293]: 
h2FMxxQr008293: 
from=<bugtraq-return-8739-cmr=iisc.com at securityfocus.com>, size=3175, 
class=-60, nrcpts=1, 
msgid=<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAnPQpmkc/vBG8Jfb3ld
blgcKAAAAQAAAAtJa3PVSM7kCcGxoCbmy6, proto=ESMTP, daemon=MTA, 
relay=outgoing3.securityfocus.com [205.206.231.27]

26-Mar-00:01/mail.log:Mar 26 10:00:43 koibito sendmail[19304]: 
h2QF0gQr019304: from=<waldman at rotys.com>, size=4002, class=0, nrcpts=1, 
msgid=<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAdSnUABYNYU6DjpQqV8
1Jr8KAAAAQAAAAojU6KWs7KEKqLEcvgjY/, proto=ESMTP, daemon=MTA, 
relay=4t174240.aspadmin.net [209.126.174.240] (may be forged)

Here are the full IDs:

Date: Fri, 7 Mar 2003 23:46:35 +0200
Message-ID: 
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAnPQpmkc/vBG8Jfb3ldblgcKA
AAAQAAAAm4xh+UzWb0OinqZZoa2ajAEAAAAA at yahoo.com>
...
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024


Message-ID: 
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAnPQpmkc/vBG8Jfb3ldblgcKA
AAAQAAAAtJa3PVSM7kCcGxoCbmy6BQEAAAAA at yahoo.com>
...
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106


Message-ID: 
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAdSnUABYNYU6DjpQqV81Jr8KA
AAAQAAAAojU6KWs7KEKqLEcvgjY/hwEAAAAA at rotys.com>
...
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
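
A starting point for the analysis requested above is to decode the base64 that sits between "!~!" and the domain. The following is an added example, not part of the original message: it decodes the three quoted IDs and counts how many leading bytes each pair shares. The function names are made up for this illustration.

```python
import base64

# The three Message-IDs quoted in the post, rejoined from their wrapped lines.
# " at " is the list archive's rendering of "@" and is kept as it appears.
MESSAGE_IDS = [
    "<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAnPQpmkc/vBG8Jfb3ldblgcKA"
    "AAAQAAAAm4xh+UzWb0OinqZZoa2ajAEAAAAA at yahoo.com>",
    "<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAnPQpmkc/vBG8Jfb3ldblgcKA"
    "AAAQAAAAtJa3PVSM7kCcGxoCbmy6BQEAAAAA at yahoo.com>",
    "<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAdSnUABYNYU6DjpQqV81Jr8KA"
    "AAAQAAAAojU6KWs7KEKqLEcvgjY/hwEAAAAA at rotys.com>",
]


def decode_msgid(msgid):
    """Split a '!~!'-style Message-ID into (domain, decoded base64 bytes)."""
    body = msgid.strip().strip("<>")
    domain = ""
    for sep in (" at ", "@"):
        if sep in body:
            body, domain = body.rsplit(sep, 1)
            break
    if not body.startswith("!~!"):
        raise ValueError("not a '!~!'-style Message-ID")
    b64 = body[3:]
    # An ID cut short, like the msgid= values in the sendmail log lines,
    # can end mid-group; decode only the complete 4-character groups.
    b64 = b64[: len(b64) // 4 * 4]
    return domain, base64.b64decode(b64, validate=True)


def shared_prefix_len(a, b):
    """Number of leading bytes on which a and b agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    decoded = [decode_msgid(m) for m in MESSAGE_IDS]
    for i, (domain, raw) in enumerate(decoded, 1):
        print(f"ID {i} ({domain}): {len(raw)} bytes")
        print("  " + raw.hex(" ", 4))
    for i, j in ((0, 1), (0, 2), (1, 2)):
        n = shared_prefix_len(decoded[i][1], decoded[j][1])
        print(f"IDs {i + 1} and {j + 1} agree on the first {n} bytes")
```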


More information about the freebsd-security mailing list