[ic] Mydoom-A Virus
racke at linuxia.de
Thu Feb 12 09:06:59 EST 2004
On Wed, 11 Feb 2004 18:15:31 -0800
Peter <peter at pajamian.dhs.org> wrote:
> Peter wrote:
> > Sam Batschelet wrote:
> >> <peter wrote>
> >> Subject: [ic] Mydoom-A Virus
> >> There seems to be a lot of copis of the Mydoom-A virus coming through
> >> this list. I thought this list was supposed to be filtering out viruses
> >> and spam?
> >> Peter
> >> *******
> >> These Virus's are spoofed with the email address of the list and did not
> >> originate from it.
> >> -Sam
> > Actually, these ones are coming through the list server (not originating
> > from it, but they are coming through it) according to the recieved
> > headers. Mydoom-A knows how to spoof the from address and the HELO line
> > to the email server, but it cannot spoof the ip address in the recieved
> > header:
> > Received: from icdevgroup.org (icdevgroup.org [220.127.116.11])
> > by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
> > for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800
> > $ dig -x 18.104.22.168
> > ...
> > ;; ANSWER SECTION:
> > 22.214.171.124.in-addr.arpa. 28000 IN PTR icdevgroup.org.
> > Peter
> Actually, I take it back. What is coming through the list are the
> bounce messages from email servers that the virus is getting sent to.
> Some of these bounce messages *still contain the virus* so it would be
> nice if they got filtered out. Also, shouldn't the list be able to
> intercept bounce messages in general?
If these are proper bounce messages, they shouldn't appear on the list.
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
More information about the interchange-users