>we are getting some Lentin Viruses, and one of them I found strange:
>
>-------------------------------------------
>Received: from mail.siller.de [80.128.231.29] by siller.de
>   (SMTPD32-7.07) id A885F57014E; Sun, 30 Jun 2002 16:41:09 +0200
>From: Mail Delivery System<[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Undelivered Mail Returned to Sender -goldfish
...
>-------------------------------------------
>it looks like we are sending the virus to ourselves, but 80.128 is a dial-in
>pool of the German Telekom, not really our IP range :)
>
>is this a normal behaviour?

That is normal -- the Lentin/Yaha virus (like Klez) will forge the return 
address of the sender.  It also claims (in the HELO/EHLO data) to be your 
mailserver (in the Received: header above), when it really is not.
                         -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
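
The check described in the reply above, as an added example that is not part of the original thread or of Declude's software: it parses a Received: header in the format quoted, then flags a peer that used a local name in HELO/EHLO while connecting from an address outside the server's own networks. LOCAL_DOMAINS, LOCAL_NETWORKS and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed from the header quoted in the thread:
# "from <HELO name> [<connecting IP>] by <receiving host>"
SAMPLE = (
    "Received: from mail.siller.de [80.128.231.29] by siller.de\n"
    "   (SMTPD32-7.07) id A885F57014E; Sun, 30 Jun 2002 16:41:09 +0200"
)

# Assumptions for illustration: domains this server is authoritative for and
# the networks its own hosts send from (192.0.2.0/24 is a documentation range).
LOCAL_DOMAINS = {"siller.de"}
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("127.0.0.0/8")]

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(header):
    """Return (helo_name, connecting_ip), or None if the header does not match."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header line folding
    m = RECEIVED_RE.match(unfolded)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # bracketed token was not a valid address
    return m.group("helo").lower().rstrip("."), ip

def helo_claims_local(helo):
    """True if the HELO name is one of our domains or a host under one."""
    return any(helo == d or helo.endswith("." + d) for d in LOCAL_DOMAINS)

def is_forged_local_helo(header):
    """True when the peer used our name in HELO but connected from outside."""
    parsed = parse_received(header)
    if parsed is None:
        return False
    helo, ip = parsed
    from_us = any(ip in net for net in LOCAL_NETWORKS)
    return helo_claims_local(helo) and not from_us

if __name__ == "__main__":
    print(is_forged_local_helo(SAMPLE))
```

The HELO/EHLO name is supplied by the connecting client, so only the bracketed connecting address is compared against the local networks.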
