>we are getting some Lentin Viruses, and one of them I found strange: > >------------------------------------------- >Received: from mail.siller.de [80.128.231.29] by siller.de > (SMTPD32-7.07) id A885F57014E; Sun, 30 Jun 2002 16:41:09 +0200 >From: Mail Delivery System<[EMAIL PROTECTED]> >To: [EMAIL PROTECTED] >Subject: Undelivered Mail Returned to Sender -goldfish ... >------------------------------------------- >it looks like we are sending the virus to ourself, but 80.128 is a dial-in >pool of the german telekom, not really our ip range :) > >is this a normal behaviour?
That is normal -- the Lentin/Yaha virus (like Klez) will forge the return address of the sender. It also claims (in the HELO/EHLO data) to be your mailserver (in the Received: header above), when it really is not. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .