VIRUS (Worm.SCO.A) IN YOUR MAIL (fwd)
Chris Devers
cdevers at pobox.com
Tue Jan 27 12:52:11 EST 2004
On Tue, 27 Jan 2004, David Kramer wrote:
> I just got this. As far as I know, my relays are closed tight and my
> firewall is solid. Is this spam?

It looks like a dumb virus scanner to me. Most mail worms these days fake
the from address, and virus scanners sometimes trap & incorrectly report
back to the "source" of the spam.

This jumps out at me:

> ---------- Forwarded message ----------
> Date: Tue, 27 Jan 2004 14:39:36 +0100 (CET)
> From: Anti-Virus <virusmelding at hsbos.nl>
> To: david at thekramers.net
> Subject: VIRUS (Worm.SCO.A) IN YOUR MAIL
>
> [[snip --c.d.]]
>
> For your reference, here are headers from your email:
> ------------------------- BEGIN HEADERS -----------------------------
> Received: from thekramers.net (unknown [65.203.121.147])
>     by relay.surfnet.nl (Postfix) with ESMTP id AF6C63F461
>     for <pschouten at hsbos.nl>; Tue, 27 Jan 2004 14:37:23 +0100 (MET)

So, the header suggests that thekramers.net is at 65.203.121.147, and yet:

    $ nslookup -sil thekramers.net
    Server: 151.203.0.84
    Address: 151.203.0.84#53

    Non-authoritative answer:
    Name: thekramers.net
    Address: 66.92.68.235

It looks like 65.203.121.147 isn't you, is it?

--
Chris Devers
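
The check made by hand in the message above (compare the address the relay recorded with what the HELO name resolves to), as an added Python example that is not part of the original post. The function names and the offline resolver are assumptions for illustration; the sample header and DNS answer are the ones quoted in the message.

```python
import re
import socket

# Postfix-style hop: "from HELO (RDNS [IP])"; RDNS is "unknown" when the
# relay could not confirm a reverse-DNS name for the connecting address.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f:.]+)\]\)")

def parse_hop(received):
    """Return helo/rdns/ip from one Received header, or None if it does not parse."""
    unfolded = " ".join(received.split())  # undo header folding
    m = HOP.search(unfolded)
    return m.groupdict() if m else None

def dns_addresses(name):
    """Live lookup of a name's addresses (needs network access)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_hop(received, resolve=dns_addresses):
    """Classify whether the HELO name in a Received header matches the peer IP."""
    hop = parse_hop(received)
    if hop is None:
        return {"verdict": "unparsed"}
    addrs = resolve(hop["helo"])
    if not addrs:
        verdict = "helo-unresolvable"
    elif hop["ip"] in addrs:
        verdict = "helo-matches-ip"
    else:
        verdict = "helo-mismatch"
    return {**hop, "resolved": sorted(addrs), "verdict": verdict}

# Sample data: the header and the nslookup answer quoted in the message.
SAMPLE = """Received: from thekramers.net (unknown [65.203.121.147])
    by relay.surfnet.nl (Postfix) with ESMTP id AF6C63F461
    for <pschouten at hsbos.nl>; Tue, 27 Jan 2004 14:37:23 +0100 (MET)"""
PAGE_DNS = {"thekramers.net": {"66.92.68.235"}}

def offline_resolve(name):
    """Stand-in resolver so the example runs without network access."""
    return PAGE_DNS.get(name, set())

if __name__ == "__main__":
    print(check_hop(SAMPLE, offline_resolve))
```

A "helo-mismatch" only shows that the connecting host announced a name the relay's view of DNS does not back up. A legitimate sender whose outbound mail host has a different address from the domain's A record produces the same verdict.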