At 8:34 AM -0700 6/28/02, Warren Michelsen imposed structure on a stream of electrons, yielding:

>Is this email just a virus at work?
Yes, I think. There is weirdness here.

>Return-Path: [EMAIL PROTECTED]
>Received: from [216.158.230.42] (HELO ns2.com)
>  by MDCCLXXVI.com (Stalker SMTP Server 1.8b9d11)
>  with ESMTP id S.0000405034 for <[EMAIL PROTECTED]>; Fri, 28 Jun 2002 08:09:42 -0700
>Received: from Lwkuuiokj ([216.158.224.134])
>  by ns2 (8.11.6+Sun/8.10.2) with SMTP id g5SF3h810801
>  for <[EMAIL PROTECTED]>; Fri, 28 Jun 2002 08:03:43 -0700 (PDT)
>Date: Fri, 28 Jun 2002 08:03:43 -0700 (PDT)
>Message-Id: <[EMAIL PROTECTED]>
>From: postmaster <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Returned mail--"content, continued "
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>  boundary=R379E52786886ofpp
>
>Content-Type: text/html;
>
><x-html><!x-stuff-for-pete base="" src="" id="0" charset=""><HTML><HEAD></HEAD><BODY>
>
><FONT>The following mail can't be sent to [EMAIL PROTECTED]:<br>
><br>
>From: [EMAIL PROTECTED]<br>
>To: [EMAIL PROTECTED]<br>
>Subject: content, continued <br>
>The file is the original mail</FONT></BODY></HTML>
>
></x-html>
>Content-Type: application/octet-stream;
>  name=nav_b_parts_f21.bat
>Content-ID: <A96K803G97e57G>
>
>Is the Return-path the likely infected source?

Not likely. At first glance it looked like something out there is sending a virus (probably Klez) from some infected machine where the owner has <[EMAIL PROTECTED]> in a local address book. Klez uses random address book entries as the Return-path on its mail, so when mail appearing to be from you hit the MTA with this filter on it, it sent the bounce back to you. Then I looked again. This bounce just isn't right. It isn't coming from <> and it isn't coming from anywhere near mossmotorsdodge.com.
The immediate source is a stupidly misconfigured Solaris machine running sendmail which seems to have no connection to you, but seems like a possible nearest relay for what appears to be the true origin, which is trying to claim to be "Lwkuuiokj". I think "Lwkuuiokj" is infected, and the bounce message itself is the viral vector, made to look like a bounce of a viral vector.

-- 
Bill Cole
[EMAIL PROTECTED]
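The anomalies Bill walks through above (a "bounce" whose Return-Path is not the null sender <>, a postmaster From: whose domain appears nowhere in the Received chain, an origin host name with no dots in it, and an executable attachment sitting inside a multipart/alternative) can be checked mechanically. The following is an added example, not code from the thread or from any of the software mentioned in it. The sample message is constructed from the quoted headers: the redacted addresses are replaced by placeholder ones (an assumption), and the attachment body is an inert placeholder rather than the original payload.

```python
"""Heuristic checks for a suspected fake bounce ("Returned mail") message.

Added example, not code from the original mailing-list thread. SAMPLE is
constructed from the headers quoted in the thread; the redacted addresses
are placeholders (assumption) and the attachment body is inert.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: header layout follows the quoted message, addresses are placeholders.
SAMPLE = """\
Return-Path: <victim@recipient.example>
Received: from [216.158.230.42] (HELO ns2.com)
 by MDCCLXXVI.com (Stalker SMTP Server 1.8b9d11)
 with ESMTP id S.0000405034 for <victim@recipient.example>; Fri, 28 Jun 2002 08:09:42 -0700
Received: from Lwkuuiokj ([216.158.224.134])
 by ns2 (8.11.6+Sun/8.10.2) with SMTP id g5SF3h810801
 for <victim@recipient.example>; Fri, 28 Jun 2002 08:03:43 -0700 (PDT)
Date: Fri, 28 Jun 2002 08:03:43 -0700 (PDT)
Message-Id: <placeholder-id@claimed-domain.example>
From: postmaster <postmaster@claimed-domain.example>
To: victim@recipient.example
Subject: Returned mail--"content, continued "
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=R379E52786886ofpp

--R379E52786886ofpp
Content-Type: text/html

<HTML><BODY>The following mail can't be sent to someone@claimed-domain.example</BODY></HTML>
--R379E52786886ofpp
Content-Type: application/octet-stream; name=nav_b_parts_f21.bat
Content-ID: <A96K803G97e57G>

REM placeholder body, not the original attachment
--R379E52786886ofpp--
"""

# "from <host> (<comment>) by <host>" is the common core of a Received: clause.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.S)

EXEC_SUFFIXES = (".bat", ".exe", ".pif", ".scr", ".com", ".vbs")


def parse_received_chain(msg):
    """Return hops oldest-first; each hop records the from/by hosts and any HELO name."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # last header = first hop
        m = RECEIVED_RE.search(str(value))
        if not m:
            continue
        comment = m.group("comment") or ""
        helo = comment[5:].strip() if comment.upper().startswith("HELO ") else None
        hops.append({"from": m.group("from"), "by": m.group("by"), "helo": helo})
    return hops


def hops_for(raw):
    return parse_received_chain(message_from_string(raw, policy=policy.default))


def analyse(raw):
    """Return (code, detail) findings that make a claimed bounce look forged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    hops = parse_received_chain(msg)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", "")).lower()
    bounce_like = from_addr.lower().startswith("postmaster@") or subject.startswith("returned mail")

    if bounce_like:
        # A real DSN is sent with the null envelope sender, so Return-Path should be <>.
        rp = str(msg.get("Return-Path", "")).strip()
        if rp and rp != "<>":
            findings.append(("non-null-return-path", rp))
        # The postmaster that supposedly rejected the mail should be one of the relays.
        relays = [h["by"].lower() for h in hops] + [h["helo"].lower() for h in hops if h["helo"]]
        if from_domain and not any(r == from_domain or r.endswith("." + from_domain) for r in relays):
            findings.append(("from-domain-not-in-chain", f"{from_domain} vs {relays}"))

    if hops:
        # The injecting host named itself with a bare, dotless string rather than an FQDN or [IP].
        origin = hops[0]["from"]
        if "." not in origin and not origin.startswith("["):
            findings.append(("unqualified-origin-host", origin))

    # multipart/alternative parts are renditions of one text; a binary blob does not belong there.
    if msg.get_content_type() == "multipart/alternative":
        for part in msg.iter_parts():
            if part.get_content_maintype() != "text":
                findings.append(("binary-in-alternative", part.get_content_type()))

    for part in msg.walk():
        fn = part.get_filename()
        if fn and fn.lower().endswith(EXEC_SUFFIXES):
            findings.append(("executable-attachment", fn))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE):
        print(f"{code}: {detail}")
```

Any one of these findings on its own is weak (plenty of sloppy MTAs emit non-null-sender bounces), but all of them together on one message is the pattern Bill describes: a worm delivering its executable dressed up as the bounce of a worm.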
