VIRUS (Worm.SCO.A) IN YOUR MAIL (fwd)

miah jjohnson at sunrise-linux.com
Tue Jan 27 12:53:36 EST 2004


Notifying the sender that they have a virus is kinda silly anyways since none of the email headers can be verified. Scanning for virii on incoming mail is fine, but bugging the hell out of people isn't.

anomy-sanitizer is great.

-miah

On Tue, Jan 27, 2004 at 11:52:11AM -0600, Chris Devers wrote:
> On Tue, 27 Jan 2004, David Kramer wrote:
> 
> > I just got this.  As far as I know, my relays are closed tight and my 
> > firewall is solid.  Is this spam?
> 
> It looks like a dumb virus scanner to me. Most mail worms these days fake
> the from address, and virus scanners sometimes trap & incorrectly report
> back to the "source" of the spam. 
> 
> This jumps out at me:
>  
> > ---------- Forwarded message ----------
> > Date: Tue, 27 Jan 2004 14:39:36 +0100 (CET)
> > From: Anti-Virus <virusmelding at hsbos.nl>
> > To: david at thekramers.net
> > Subject: VIRUS (Worm.SCO.A) IN YOUR MAIL
> > 
> > [[snip --c.d.]]
> > 
> > For your reference, here are headers from your email:
> > ------------------------- BEGIN HEADERS -----------------------------
> > Received: from thekramers.net (unknown [65.203.121.147])
> > 	by relay.surfnet.nl (Postfix) with ESMTP id AF6C63F461
> > 	for <pschouten at hsbos.nl>; Tue, 27 Jan 2004 14:37:23 +0100 (MET)
> 
> So, the header suggests that thekramers.net is at 65.203.121.147, and yet:
> 
>     $ nslookup -sil thekramers.net
>     Server:         151.203.0.84
>     Address:        151.203.0.84#53
> 
>     Non-authoritative answer:
>     Name:   thekramers.net
>     Address: 66.92.68.235
> 
> It looks like 65.203.121.147 isn't you, is it?
> 
> 
> 
> -- 
> Chris Devers
> 
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
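
The comparison Chris Devers makes by hand above, as an added example that is not part of the original posts: it parses the Postfix-style `Received:` line quoted in the thread and checks whether the name the client gave in HELO resolves to the IP the relay recorded. The function names and the `thread_resolver` stub (which returns the nslookup answer shown in the thread so the example runs offline) are assumptions made for illustration.

```python
import re
import socket

# Postfix-style "from HELO (RDNS [IP])" clause at the start of a Received header.
RECEIVED_FROM = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)",
    re.IGNORECASE,
)

def parse_received(header):
    """Return HELO name, reverse-DNS name and peer IP from one Received header, or None."""
    # Unfold continuation lines before matching.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    m = RECEIVED_FROM.match(unfolded)
    return m.groupdict() if m else None

def system_resolver(name):
    """Forward-resolve a name to a set of addresses using the local resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_helo(header, resolve=system_resolver):
    """Classify whether the client-supplied HELO name points at the connecting IP."""
    hop = parse_received(header)
    if hop is None:
        return {"verdict": "unparsed"}
    addrs = resolve(hop["helo"])
    if not addrs:
        verdict = "helo-unresolvable"
    elif hop["ip"] in addrs:
        verdict = "helo-matches-peer"
    else:
        verdict = "helo-mismatch"  # name claimed in HELO does not point at the peer
    return {**hop, "resolved": sorted(addrs), "verdict": verdict}

# Header and DNS answer as quoted in the thread; the resolver stub is constructed.
SAMPLE = """Received: from thekramers.net (unknown [65.203.121.147])
\tby relay.surfnet.nl (Postfix) with ESMTP id AF6C63F461
\tfor <pschouten at hsbos.nl>; Tue, 27 Jan 2004 14:37:23 +0100 (MET)"""
THREAD_DNS = {"thekramers.net": {"66.92.68.235"}}

def thread_resolver(name):
    return THREAD_DNS.get(name.lower(), set())

if __name__ == "__main__":
    print(check_helo(SAMPLE, thread_resolver))
```

The bracketed IP is what the receiving relay recorded for the connection, while the name before the parenthesis is whatever the client sent in HELO, so only the former is worth acting on.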


