[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Go to: Mailing List Archive | Makunouchi Banzuke Page

[Off Topic] Re: attachments

To: sumo@sun01pt2-1523.statgen.ncsu.edu
Subject: [Off Topic] Re: attachments
From: "John Banta @ basspet" <jebanta@basspet.com>
Date: Fri, 04 Oct 2002 08:45:17 -0500
In-reply-to: <00bd01c26b88$a07f8070$0700000a@parissn2>
References: <20021004072108.GA25473@SDF.LONESTAR.ORG>
Sender: owner-sumo@statgen.ncsu.edu

At 04:30 AM 10/4/2002, you wrote:
>Hi Joe and all,
>
>The sumo ML server does not pass any attachments.
>
>It appears that an ML member (or former member) is infected and his
>machine is sending out the virus to addresses taken from ML postings.
>
>Based on the headers of a recently received malicious message with
>a sumo related subject, I believe that the victim is in France,
>possibly a Wanadoo customer, probably in the Marseille area, and
>probably connected via DSL.  The machine name might be 'laurens'.

Is Klez getting more sophisticated or is this a new virus? For the sake of 
my sanity, I set my mail server to strip all executable attachments 
automatically, so I no longer get McAfee telling me what virus is coming my 
way. But I do get a full set of headers off of the message (my headers 
agree with you, it's coming from 'laurens' at wanadoo). It used to be that 
I could always spot a Klez virus because it spoofed the 'From' header, but 
left the 'Return Path' header alone, pointing back to the originator. Here 
in the last few days I've been getting vireo with all of the headers 
spoofed except for the much-harder-to-spoof 'Received from' headers.

BTW, here are the headers from the e-mail in question. Ignoring the spoofed 
'From' and 'Return-Path' headers of the first two lines shows that it seems 
to be from France.

 > From alexander.nitschke@statgen.ncsu.edu Fri Oct 4 02:27:08 2002
 > Return-Path: <alexander.nitschke@statgen.ncsu.edu>
 > Received: from mel-rto6.wanadoo.fr (smtp-out-6.wanadoo.fr [193.252.19.25])
 > by moonie.basspet.com (8.11.0/8.11.0) with ESMTP id g947R7S27283
 > for <jebanta@basspet.com>; Fri, 4 Oct 2002 02:27:07 -0500
 > Received: from mel-rta10.wanadoo.fr (193.252.19.193) by 
mel-rto6.wanadoo.fr (6.5.007)
 > id 3D760C25010D5EB1; Fri, 4 Oct 2002 08:48:45 +0200
 > Received: from laurens (217.128.57.23) by mel-rta10.wanadoo.fr (6.5.007)
 > id 3D80120800D2E6FF; Fri, 4 Oct 2002 08:48:45 +0200
 > Date: Fri, 4 Oct 2002 08:48:45 +0200 (added by postmaster@wanadoo.fr)
 > Message-ID: <3D80120800D2E6FF@mel-rta10.wanadoo.fr> (added by 
postmaster@wanadoo.fr)

John Banta - Network Administrator
Bass Enterprises Production Co.
voice: (817) 390-8594 fax: (817) 339-7307

References:
- attachments
  - From: Joe Petrow <sumoml@searchspell.com>
- Re: attachments
  - From: "Stewart Nelson" <sn@scgroup.com>

Prev by Date: Re: attachments
Next by Date: [re:Virus] was re:attachments
Previous by thread: Outlook virus vulnerability (was Re: attachments)
Next by thread: [re:Virus] was re:attachments
Index(es):
- Date
- Thread