[ic] Mydoom-A Virus
interchange at thedesignpeople.com
Mon Feb 16 15:43:49 EST 2004
Peter wrote:
> Stefan Hornburg wrote:
>
>> On Wed, 11 Feb 2004 18:15:31 -0800
>> Peter <peter at pajamian.dhs.org> wrote:
>>
>>
>>> Peter wrote:
>>>
>>>> Sam Batschelet wrote:
>>>>
>>>>
>>>>> <peter wrote>
>>>>> Subject: [ic] Mydoom-A Virus
>>>>>
>>>>> There seems to be a lot of copies of the Mydoom-A virus coming
>>>>> through this list. I thought this list was supposed to be
>>>>> filtering out viruses and spam?
>>>>>
>>>>> Peter
>>>>>
>>>>> *******
>>>>>
>>>>> These viruses are spoofed with the email address of the list and
>>>>> did not originate from it.
>>>>>
>>>>> -Sam
>>>>
>>>>
>>>>
>>>> Actually, these ones are coming through the list server (not
>>>> originating from it, but they are coming through it) according to
>>>> the received headers. Mydoom-A knows how to spoof the from address
>>>> and the HELO line to the email server, but it cannot spoof the ip
>>>> address in the received header:
>>>>
>>>> Received: from icdevgroup.org (icdevgroup.org [69.57.146.17])
>>>> by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
>>>> for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800
>>>>
>>>> $ dig -x 69.57.146.17
>>>>
>>>> ...
>>>>
>>>> ;; ANSWER SECTION:
>>>> 17.146.57.69.in-addr.arpa. 28000 IN PTR icdevgroup.org.
>>>>
>>>> Peter
>>>
>>>
>>> Actually, I take it back. What is coming through the list are the
>>> bounce messages from email servers that the virus is getting sent
>>> to. Some of these bounce messages *still contain the virus* so it
>>> would be nice if they got filtered out. Also, shouldn't the list be
>>> able to intercept bounce messages in general?
>>
>>
>>
>> If these are proper bounce messages, they shouldn't appear on the list.
>
>
> Nonetheless they are. It could be that bounces are sent to the
> return-path header if that exists. For actual messages coming from
> the list return-path is set to
> <interchange-users-bounces at icdevgroup.org> so bounces for actual list
> messages won't go to the list. But these are bounces of messages
> which are spoofed as coming from the list and the spoofed messages
> don't have a return-path set, so they are bounced back to the list
> because the list's email address is the only one that the bouncing MTA
> can find to send the bounce message to.
>
> Again, I think the list software should be able to recognize these
> bounces as well and redirect them or delete them so they're not sent
> out to the list, especially if they contain virus attachments.
>
>
Since this mailing list uses mailman (http://www.list.org/) maybe there
are some answers there, or maybe an upgrade is needed?
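The check Peter walks through above (read the connecting IP out of the newest Received header, compare it with the list server, and notice that a bounce with no Return-Path has nowhere else to go) written up as an added Python example; this is not code from the thread or from Mailman. The list server address 69.57.146.17 is the one in the quoted Received header; the other host names, the queue ids and the bounce Subject are constructed for the sample.

```python
import re
from email import message_from_string

# Constructed sample bounce, modelled on the Received header quoted in the thread.
# Only the list server's address (69.57.146.17) comes from the thread; the rest is made up.
SAMPLE_BOUNCE = """\
Received: from icdevgroup.org (icdevgroup.org [69.57.146.17])
\tby defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
\tfor <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
\tby icdevgroup.org (Postfix) with ESMTP id CONSTRUCTED1
\tfor <interchange-users at icdevgroup.org>; Wed, 11 Feb 2004 17:33:40 -0800
From: MAILER-DAEMON@mail.example.invalid
To: interchange-users@icdevgroup.org
Subject: Undelivered Mail Returned to Sender

Your message could not be delivered.
"""

LIST_SERVER_IP = "69.57.146.17"  # from the Received header quoted in the thread
# The bracketed address is what the receiving MTA saw on the TCP connection; the
# sender can spoof the HELO name before it but not this value.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BOUNCE_WORDS = ("undelivered", "delivery failure", "returned mail", "failure notice")


def relay_ips(raw: str) -> list:
    """Connecting IPs recorded in each Received header, newest hop first."""
    msg = message_from_string(raw)
    found = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP_RE.search(hdr)
        found.append(m.group(1) if m else None)
    return found


def came_via_list(raw: str) -> bool:
    """True if the hop that handed us the mail was the list server itself."""
    ips = relay_ips(raw)
    return bool(ips) and ips[0] == LIST_SERVER_IP


def looks_like_bounce_of_spoofed_mail(raw: str) -> bool:
    """A delivery-failure report that reached us through the list and carries no
    Return-Path: the pattern Peter describes, worth quarantining before redistribution."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    sender = (msg.get("From") or "").lower()
    is_bounce = sender.startswith("mailer-daemon") or any(w in subject for w in BOUNCE_WORDS)
    return is_bounce and came_via_list(raw) and msg.get("Return-Path") is None
```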