[ic] Mydoom-A Virus

interchange at thedesignpeople.com
Mon Feb 16 15:43:49 EST 2004


Peter wrote:

> Stefan Hornburg wrote:
>
>> On Wed, 11 Feb 2004 18:15:31 -0800
>> Peter <peter at pajamian.dhs.org> wrote:
>>
>>
>>> Peter wrote:
>>>
>>>> Sam Batschelet wrote:
>>>>
>>>>
>>>>> <peter wrote>
>>>>> Subject: [ic] Mydoom-A Virus
>>>>>
>>>>> There seems to be a lot of copies of the Mydoom-A virus coming 
>>>>> through this list.  I thought this list was supposed to be 
>>>>> filtering out viruses
>>>>>
>>>>> and spam?
>>>>>
>>>>> Peter
>>>>>
>>>>> *******
>>>>>
>>>>> These viruses are spoofed with the email address of the list and 
>>>>> did not
>>>>> originate from it.
>>>>>
>>>>> -Sam
>>>>
>>>>
>>>>
>>>> Actually, these ones are coming through the list server (not 
>>>> originating from it, but they are coming through it) according to 
>>>> the received headers.  Mydoom-A knows how to spoof the from address 
>>>> and the HELO line to the email server, but it cannot spoof the ip 
>>>> address in the received header:
>>>>
>>>> Received: from icdevgroup.org (icdevgroup.org [69.57.146.17])
>>>>    by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
>>>>    for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800
>>>>
>>>> $ dig -x 69.57.146.17
>>>>
>>>> ...
>>>>
>>>> ;; ANSWER SECTION:
>>>> 17.146.57.69.in-addr.arpa. 28000 IN     PTR     icdevgroup.org.
>>>>
>>>> Peter
>>>
>>>
>>> Actually, I take it back.  What is coming through the list are the 
>>> bounce messages from email servers that the virus is getting sent 
>>> to. Some of these bounce messages *still contain the virus* so it 
>>> would be nice if they got filtered out.  Also, shouldn't the list be 
>>> able to intercept bounce messages in general?  
>>
>>
>>
>> If these are proper bounce messages, they shouldn't appear on the list.
>
>
> Nonetheless they are.  It could be that bounces are sent to the 
> return-path header if that exists.  For actual messages coming from 
> the list return-path is set to 
> <interchange-users-bounces at icdevgroup.org> so bounces for actual list 
> messages won't go to the list.  But these are bounces of messages 
> which are spoofed as coming from the list and the spoofed messages 
> don't have a return-path set, so they are bounced back to the list 
> because the list's email address is the only one that the bouncing MTA 
> can find to send the bounce message to.
>
> Again, I think the list software should be able to recognize these 
> bounces as well and redirect them or delete them so they're not sent 
> out to the list, especially if they contain virus attachments.
>
>
Since this mailing list uses mailman (http://www.list.org/) maybe there 
are some answers there, or maybe an upgrade is needed?
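The two checks the thread relies on, as an added example that is not part of the original message or of Mailman: pulling the MTA-recorded connecting IP out of each `Received` hop (the HELO name and From address are sender-chosen, the bracketed IP is not) and recognising a delivery-status bounce before it is redistributed. The sample message is constructed; the header parser assumes sendmail's `from X (rdns [ip])` clause shown in the quoted header.

```python
import email
import re
from email import policy

# Constructed sample (not from the post): a DSN bounced back to the list address.
# The outer hop is adapted from the header quoted above; the inner hop, where the
# infected host connected to the list server, uses documentation names and IPs.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from icdevgroup.org (icdevgroup.org [69.57.146.17])
    by defender.example.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
    for <pj@example.com>; Wed, 11 Feb 2004 17:33:43 -0800
Received: from mail.example.net (dsl-5.example.org [203.0.113.5])
    by icdevgroup.org (8.11.6/8.11.6) with ESMTP id i1C1UwQ11111
    for <interchange-users@icdevgroup.org>; Wed, 11 Feb 2004 17:30:58 -0800
From: Mail Delivery System <MAILER-DAEMON@example.net>
Content-Type: multipart/report; report-type=delivery-status; boundary="rpt"
"""

# sendmail's "from <HELO name> (<reverse DNS> [<connecting IP>])" clause
_HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([0-9a-fA-F.:]+)\]\)")

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def received_hops(raw):
    """(helo, rdns, ip) per Received header, newest first. The sender picks the
    HELO name; the receiving MTA records rDNS and the TCP peer address."""
    hops = []
    for hdr in parse(raw).get_all("Received", []):
        m = _HOP_RE.search(" ".join(hdr.split()))
        if m:
            hops.append((m.group(1), m.group(2) or None, m.group(3)))
    return hops

def helo_mismatches(raw):
    """Hops whose HELO name differs from the MTA-recorded reverse DNS."""
    return [h for h in received_hops(raw) if h[1] and h[0].lower() != h[1].lower()]

def is_bounce(raw):
    """DSN heuristics: null Return-Path (RFC 5321), MAILER-DAEMON sender, or
    multipart/report with report-type=delivery-status (RFC 3464)."""
    msg = parse(raw)
    null_sender = (msg.get("Return-Path") or "").strip() == "<>"
    daemon = "mailer-daemon" in str(msg.get("From") or "").lower()
    rtype = str(msg.get_param("report-type", header="Content-Type") or "").lower()
    dsn = msg.get_content_type() == "multipart/report" and rtype == "delivery-status"
    return null_sender or daemon or dsn
```

A list server would run `is_bounce` on incoming posts and hold or discard matches instead of forwarding them; `helo_mismatches` only flags hops worth a look, since legitimate relays also present HELO names that differ from their reverse DNS.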

