[ic] Mydoom-A Virus
Stefan Hornburg
racke at linuxia.de
Thu Feb 12 09:06:59 EST 2004
On Wed, 11 Feb 2004 18:15:31 -0800
Peter <peter at pajamian.dhs.org> wrote:
> Peter wrote:
> > Sam Batschelet wrote:
> >
> >> <peter wrote>
> >> Subject: [ic] Mydoom-A Virus
> >>
> >> There seems to be a lot of copies of the Mydoom-A virus coming through
> >> this list. I thought this list was supposed to be filtering out viruses
> >> and spam?
> >>
> >> Peter
> >>
> >> *******
> >>
> >> These viruses are spoofed with the email address of the list and did not
> >> originate from it.
> >>
> >> -Sam
> >
> >
> > Actually, these ones are coming through the list server (not originating
> > from it, but they are coming through it) according to the Received
> > headers. Mydoom-A knows how to spoof the From address and the HELO line
> > to the email server, but it cannot spoof the IP address in the Received
> > header:
> >
> > Received: from icdevgroup.org (icdevgroup.org [69.57.146.17])
> > by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
> > for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800
> >
> > $ dig -x 69.57.146.17
> >
> > ...
> >
> > ;; ANSWER SECTION:
> > 17.146.57.69.in-addr.arpa. 28000 IN PTR icdevgroup.org.
> >
> > Peter
>
> Actually, I take it back. What is coming through the list are the
> bounce messages from email servers that the virus is getting sent to.
> Some of these bounce messages *still contain the virus* so it would be
> nice if they got filtered out. Also, shouldn't the list be able to
> intercept bounce messages in general?
If these are proper bounce messages, they shouldn't appear on the list.

Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
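
Added example, not part of the original thread: a small Python check of the Received line quoted above, comparing the name the sender claimed in HELO with the reverse-DNS name and peer IP that the receiving server recorded. It assumes the sendmail-style layout shown in the thread; `FORGED_HELO_HOP`, the function names and the verdict strings are constructed for illustration.

```python
import re

# Sendmail-style trace line: from <HELO name> (<reverse-DNS name> [<peer IP>]) by <receiver>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
)

# Header quoted in the thread (value only, folding preserved).
LIST_HOP = """from icdevgroup.org (icdevgroup.org [69.57.146.17])
    by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
    for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800"""

# Constructed sample: same HELO claim, but the peer is an unrelated host
# (192.0.2.0/24 is a documentation range).
FORGED_HELO_HOP = """from icdevgroup.org (host.example.net [192.0.2.45])
    by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id CONSTRUCTED01
    for <pj at abductor.com>; Wed, 11 Feb 2004 17:40:00 -0800"""


def parse_received(value):
    """Split one Received value into helo, rdns, ip and by; None if it does not match."""
    match = RECEIVED_RE.search(" ".join(value.split()))  # unfold first
    return match.groupdict() if match else None


def classify_hop(value, my_servers):
    """Judge the HELO claim against what the receiving server recorded about the peer."""
    hop = parse_received(value)
    if hop is None:
        return "unparsed"
    if hop["by"].lower() not in my_servers:
        # Lines not stamped by a server you run can be written by the sender.
        return "untrusted-receiver"
    if hop["rdns"] is None:
        return "helo-unverified"
    same = hop["helo"].lower() == hop["rdns"].lower()
    return "helo-matches-peer" if same else "helo-mismatch"


if __name__ == "__main__":
    for name, value in (("list", LIST_HOP), ("forged", FORGED_HELO_HOP)):
        hop = parse_received(value)
        print(name, hop["ip"], classify_hop(value, {"defender.enslaved.com"}))
```
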