[ic] Mydoom-A Virus
Peter
peter at pajamian.dhs.org
Wed Feb 11 21:15:31 EST 2004
Peter wrote:
> Sam Batschelet wrote:
>
>> <peter wrote>
>> Subject: [ic] Mydoom-A Virus
>>
>> There seems to be a lot of copies of the Mydoom-A virus coming through
>> this list. I thought this list was supposed to be filtering out viruses
>> and spam?
>>
>> Peter
>>
>> *******
>>
>> These viruses are spoofed with the email address of the list and did not
>> originate from it.
>>
>> -Sam
>
>
> Actually, these ones are coming through the list server (not originating
> from it, but they are coming through it) according to the received
> headers. Mydoom-A knows how to spoof the from address and the HELO line
> to the email server, but it cannot spoof the IP address in the received
> header:
>
> Received: from icdevgroup.org (icdevgroup.org [69.57.146.17])
> by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
> for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800
>
> $ dig -x 69.57.146.17
>
> ...
>
> ;; ANSWER SECTION:
> 17.146.57.69.in-addr.arpa. 28000 IN PTR icdevgroup.org.
>
> Peter
Actually, I take it back. What is coming through the list are the
bounce messages from email servers that the virus is getting sent to.
Some of these bounce messages *still contain the virus* so it would be
nice if they got filtered out. Also, shouldn't the list be able to
intercept bounce messages in general? They tend to be irritating and
clutter up the list.
Peter
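
The Received-header check described in the quoted message, as an added example that is not part of the original thread: it separates the client-claimed HELO name from the peer IP and reverse-DNS name recorded by the receiving server, and builds the name that `dig -x` queries. The function name `parse_received`, the field names and the second sample header are assumptions made for illustration; the first sample is the header quoted above.

```python
import ipaddress
import re

# Sendmail-style trace field: from HELO (rDNS [IP]) by RECEIVER ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(header):
    """Split one Received: value into claimed and recorded parts.

    Only the header added by a server you control is trustworthy;
    anything below it may have been written by the sender.
    """
    unfolded = " ".join(header.split())  # undo header folding
    m = RECEIVED_RE.search(unfolded)
    if m is None:
        return None
    ip = ipaddress.ip_address(m.group("ip"))  # ValueError on a bad address
    helo = m.group("helo").lower()
    rdns = (m.group("rdns") or "").lower() or None
    return {
        "helo": helo,                     # sent by the client, spoofable
        "rdns": rdns,                     # PTR name the receiver looked up
        "ip": str(ip),                    # peer address of the connection
        "by": m.group("by").lower(),      # server that wrote this header
        "ptr_query": ip.reverse_pointer,  # name that `dig -x` asks for
        "helo_matches_rdns": rdns is not None and helo == rdns,
    }

# Header quoted in the message above.
PAGE_HEADER = """from icdevgroup.org (icdevgroup.org [69.57.146.17])
 by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
 for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800"""

# Constructed sample: HELO claims the list host, but the connection
# came from an unrelated address (documentation range, RFC 5737).
SPOOFED_HELO = """from icdevgroup.org (host-10.example.net [192.0.2.10])
 by mx.example.org with SMTP id CONSTRUCTED1; Wed, 11 Feb 2004 17:40:00 -0800"""

if __name__ == "__main__":
    for sample in (PAGE_HEADER, SPOOFED_HELO):
        print(parse_received(sample))
```
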