[ic] Mydoom-A Virus

Peter peter at pajamian.dhs.org
Mon Feb 16 20:12:44 EST 2004


interchange at thedesignpeople.com wrote:
> Peter wrote:
> 
>> Stefan Hornburg wrote:
>>
>>> On Wed, 11 Feb 2004 18:15:31 -0800
>>> Peter <peter at pajamian.dhs.org> wrote:
>>>
>>>> Peter wrote:
>>>>
>>>>> Sam Batschelet wrote:
>>>>>
>>>>>> <peter wrote>
>>>>>> Subject: [ic] Mydoom-A Virus
>>>>>>
>>>>>> There seems to be a lot of copies of the Mydoom-A virus coming 
>>>>>> through this list.  I thought this list was supposed to be 
>>>>>> filtering out viruses and spam?
>>>>>>
>>>>>> Peter
>>>>>>
>>>>>> *******
>>>>>>
>>>>>> These viruses are spoofed with the email address of the list and 
>>>>>> did not originate from it.
>>>>>>
>>>>>> -Sam
>>>>>
>>>>> Actually, these ones are coming through the list server (not 
>>>>> originating from it, but they are coming through it) according to 
>>>>> the Received headers.  Mydoom-A knows how to spoof the From address 
>>>>> and the HELO line to the email server, but it cannot spoof the IP 
>>>>> address in the Received header:
>>>>>
>>>>> Received: from icdevgroup.org (icdevgroup.org [69.57.146.17])
>>>>>    by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875
>>>>>    for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800
>>>>>
>>>>> $ dig -x 69.57.146.17
>>>>>
>>>>> ...
>>>>>
>>>>> ;; ANSWER SECTION:
>>>>> 17.146.57.69.in-addr.arpa. 28000 IN     PTR     icdevgroup.org.
>>>>>
>>>>> Peter
>>>>
>>>> Actually, I take it back.  What is coming through the list are the 
>>>> bounce messages from email servers that the virus is getting sent 
>>>> to. Some of these bounce messages *still contain the virus* so it 
>>>> would be nice if they got filtered out.  Also, shouldn't the list be 
>>>> able to intercept bounce messages in general?  
>>>
>>> If these are proper bounce messages, they shouldn't appear on the list.
>>
>> Nonetheless they are.  It could be that bounces are sent to the 
>> return-path header if that exists.  For actual messages coming from 
>> the list return-path is set to 
>> <interchange-users-bounces at icdevgroup.org> so bounces for actual list 
>> messages won't go to the list.  But these are bounces of messages 
>> which are spoofed as coming from the list and the spoofed messages 
>> don't have a return-path set, so they are bounced back to the list 
>> because the list's email address is the only one that the bouncing MTA 
>> can find to send the bounce message to.
>>
>> Again, I think the list software should be able to recognize these 
>> bounces as well and redirect them or delete them so they're not sent 
>> out to the list, especially if they contain virus attachments.
>>
> Since this mailing list uses mailman (http://www.list.org/) maybe there 
> are some answers there, or maybe an upgrade is needed?

Well, Mydoom-A seems to have ceased to be a problem since the virus was 
programmed to go dormant after 12th Feb.  This is still an issue, though, 
as it could easily happen with other viri.

Peter
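The thread above makes two points a list operator can act on: the bracketed IP in a Received header is recorded by the receiving MTA and can be checked against reverse DNS (the `dig -x` step), while the HELO name next to it is whatever the sender claimed; and a delivery-status notification addressed to the list itself (empty Return-Path, `multipart/report` body) should be recognized and held back rather than redistributed to members. The code below is an added example written for this archive page; it is not Mailman's code and not code posted by anyone in the thread. The PTR table, the two sample messages and the function names are constructed so that it runs offline; the Received header it parses is the one quoted above.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed stand-in for `dig -x` answers so the example runs offline
# (assumption: a real check would resolve the PTR record over DNS).
PTR_TABLE = {
    "69.57.146.17": "icdevgroup.org.",
}

# The Received header quoted in the thread (sendmail 8.11 format).
RECEIVED_EXAMPLE = (
    "from icdevgroup.org (icdevgroup.org [69.57.146.17]) "
    "by defender.enslaved.com (8.11.6/8.11.6) with ESMTP id i1C1XhT26875 "
    "for <pj at abductor.com>; Wed, 11 Feb 2004 17:33:43 -0800"
)

# "from <HELO name> (<reverse-DNS name> [<connecting IP>]) by ..."
# The reverse-DNS name is optional: sendmail writes "([1.2.3.4])" when
# the address has no PTR record.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)",
    re.IGNORECASE,
)


def parse_received(header_value: str):
    """Return (helo, rdns, ip) from a Received header value, or None."""
    folded = " ".join(header_value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(folded)
    if not m:
        return None
    return m.group("helo"), m.group("rdns"), m.group("ip")


def relay_matches_reverse_dns(header_value: str, ptr_table=PTR_TABLE) -> bool:
    """True when the PTR record of the connecting IP agrees with the HELO name.

    Only the IP is trustworthy: it was observed by the receiving MTA.  The
    HELO name is supplied by the sender, so agreement is evidence the relay
    is who it says it is; disagreement means the name should not be relied on.
    """
    parsed = parse_received(header_value)
    if parsed is None:
        return False
    helo, _rdns, ip = parsed
    ptr = ptr_table.get(ip, "").rstrip(".").lower()
    return ptr != "" and ptr == helo.rstrip(".").lower()


def is_bounce(msg: Message) -> bool:
    """Recognize a delivery-status notification (DSN) by its standard markers.

    Bounces are sent with an empty envelope sender, which the receiving MTA
    records as "Return-Path: <>", and RFC 3464 DSNs use a multipart/report
    body with report-type=delivery-status.
    """
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    report_type = str(msg.get_param("report-type", "")).lower()
    return msg.get_content_type() == "multipart/report" and report_type == "delivery-status"


def classify(raw_message: str) -> str:
    """Decide whether list software should distribute a message or hold it."""
    return "bounce" if is_bounce(message_from_string(raw_message)) else "distribute"


# Constructed sample: a bounce returned to the list address because the
# spoofed original carried no Return-Path, as described in the thread.
BOUNCE_SAMPLE = """\
Return-Path: <>
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by icdevgroup.org (8.11.6/8.11.6) with ESMTP id EXAMPLE
    for <interchange-users@icdevgroup.org>; Wed, 11 Feb 2004 17:40:00 -0800
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: interchange-users@icdevgroup.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The original message was rejected by the antivirus filter.
--b1--
"""

# Constructed sample: an ordinary list post with the list's own bounce address.
LIST_POST_SAMPLE = """\
Return-Path: <interchange-users-bounces@icdevgroup.org>
From: someone@example.org
To: interchange-users@icdevgroup.org
Subject: [ic] a normal post
Content-Type: text/plain

Hello list.
"""

if __name__ == "__main__":
    print(parse_received(RECEIVED_EXAMPLE))
    print("relay matches PTR:", relay_matches_reverse_dns(RECEIVED_EXAMPLE))
    print("bounce sample ->", classify(BOUNCE_SAMPLE))
    print("list post    ->", classify(LIST_POST_SAMPLE))
```

The PTR check is deliberately anchored on the IP rather than the name: Mydoom-A could choose any HELO string, but it could not alter the address the receiving MTA saw on the TCP connection. The bounce check looks at the envelope-level markers a list server sees before distribution, which is where the thread argues the filtering belongs.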

