[ic] Mydoom-A Virus

Peter peter at pajamian.dhs.org
Fri Feb 13 20:40:07 EST 2004


Stefan Hornburg wrote:
> On Wed, 11 Feb 2004 18:15:31 -0800
> Peter <peter at pajamian.dhs.org> wrote:
> 
> 
>>Peter wrote:
>>
>>>Sam Batschelet wrote:
>>>
>>>
>>>><peter wrote>
>>>>Subject: [ic] Mydoom-A Virus
>>>>
>>>>There seems to be a lot of copies of the Mydoom-A virus coming through 
>>>>this list.  I thought this list was supposed to be filtering out viruses
>>>>
>>>>and spam?
>>>>
>>>>Peter
>>>>
>>>>*******
>>>>
>>>>These viruses are spoofed with the email address of the list and did not
>>>>originate from it.
>>>>
>>>>-Sam
>>>
>>>
>>>Actually, these ones are coming through the list server (not originating 
>>>from it, but they are coming through it) according to the Received 
>>>headers.  Mydoom-A knows how to spoof the From address and the HELO line 
>>>to the email server, but it cannot spoof the IP address in the Received 
>>>header:
>>>
>>>Received: from icdevgroup.org (icdevgroup.org [69.57.146.17])
>>>    by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
>>>    for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800
>>>
>>>$ dig -x 69.57.146.17
>>>
>>>...
>>>
>>>;; ANSWER SECTION:
>>>17.146.57.69.in-addr.arpa. 28000 IN     PTR     icdevgroup.org.
>>>
>>>Peter
>>
>>Actually, I take it back.  What is coming through the list are the 
>>bounce messages from email servers that the virus is getting sent to. 
>>Some of these bounce messages *still contain the virus* so it would be 
>>nice if they got filtered out.  Also, shouldn't the list be able to 
>>intercept bounce messages in general?  
> 
> 
> If these are proper bounce messages, they shouldn't appear on the list.

Nonetheless they are.  It could be that bounces are sent to the 
return-path header if that exists.  For actual messages coming from the 
list return-path is set to <interchange-users-bounces at icdevgroup.org> so 
bounces for actual list messages won't go to the list.  But these are 
bounces of messages which are spoofed as coming from the list and the 
spoofed messages don't have a return-path set, so they are bounced back 
to the list because the list's email address is the only one that the 
bouncing MTA can find to send the bounce message to.

Again, I think the list software should be able to recognize these 
bounces as well and redirect them or delete them so they're not sent out 
to the list, especially if they contain virus attachments.

Peter
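As an added example (not part of the thread), the check Peter's reasoning implies, in Python: take the relay IP from the topmost Received header rather than from the HELO name or From address, and flag a bounce that arrives with no Return-Path. It assumes bounces use the standard multipart/report delivery-status format (RFC 3464), which the thread does not state; the sample message is constructed around the Received line quoted above, with the recipient address changed.

```python
import email
import re
from email import policy

# "from <helo> (<rdns> [<ip>])": the HELO name is sender-supplied; the IP in
# brackets was written by the receiving MTA and is the part the sender cannot forge.
_HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9.]+)\]\)")


def parse_received_hop(value):
    """Return (helo_name, relay_ip) from one Received header, or None."""
    m = _HOP_RE.search(" ".join(value.split()))  # unfold the header first
    return (m.group("helo"), m.group("ip")) if m else None


def triage(raw_message):
    """Summarise the header facts a list server could act on. is_dsn assumes
    the multipart/report; report-type=delivery-status shape of RFC 3464."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    hop = parse_received_hop(received[0]) if received else None  # topmost = nearest hop
    report_type = msg.get_param("report-type", header="Content-Type") or ""
    return {
        "relay_ip": hop[1] if hop else None,      # trustworthy: recorded by our MTA
        "helo": hop[0] if hop else None,          # sender-controlled, may be spoofed
        "return_path": msg.get("Return-Path"),    # None: bounce falls back to From
        "is_dsn": msg.get_content_type() == "multipart/report"
        and str(report_type).lower() == "delivery-status",
    }


# Constructed sample: a backscatter bounce relayed through the list server,
# built around the Received line quoted in the thread (recipient changed).
BOUNCE = """\
Received: from icdevgroup.org (icdevgroup.org [69.57.146.17])
    by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
    for <pj@example.com>; Wed, 11 Feb 2004 17:33:43 -0800
From: MAILER-DAEMON@example.net
To: interchange-users@icdevgroup.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Action: failed
--b1--
"""
```

A list server applying this would see relay_ip set by its own MTA, no Return-Path and is_dsn true, which is exactly the combination Peter describes reaching the list.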


More information about the interchange-users mailing list