Re: Is this a worm?

Sun, 03 Aug 2003 11:11:21 -0700 

On 08/03/03 at 03:41 -0500, Joe Sporleder opined:

> I've been getting the following in my logs since July 5. Could this be 
> a worm that is going around? I have found out from other contacts, that 
> a contact with my address in their address book and that has a 
> comcast.net address does have a virus/worm. Is that what this log 
> indicates, or is this from something else? It is still going on as now, 
> and by looking at the size of my log files, is steadily getting worse.

The 'Return-Path-A Search Error' means that SIMS can't find an A record for
the domain of whatever Return Path was offered for the message that
rwcrmhc12.comcast.net is trying to send. You won't know what the return
path is unless you set your SMTP logging to something deeper than level 3.
The 'Abort Received' means that, for those connections, the connection was
dropped abnormally for some reason. Those two entries, in and of themselves
don't tell us much about the nature of the messages that
rwcrmhc12.comcast.net is trying to send. However, the frequency and
persistence of the attempts could well be consistent with an e-mail virus
attempting to propagate itself. Since you've got Return-Path checking
turned on, SIMS should be rejecting these messages because of the return
path domain failing to resolve. You might want to temporarily turn your
SMTP logging level up so that you can see the SMTP conversation and get
more information about the sender and the intended recipient.

> 03:41:12 3 SMTP-092(rwcrmhc12.comcast.net) Return-Path-A Search Error. 
> Error Code=-3162
> 03:41:58 3 SMTP-094(rwcrmhc11.comcast.net) Return-Path-A Search Error. 
> Error Code=-3162
[snip]
> 03:51:46 3 SMTP-098(rwcrmhc11.comcast.net) Abort Received, 
> reason=13559574
[etc.]

-- 
                   Christopher Bort | [EMAIL PROTECTED]
            Webmaster, Global Homes | [EMAIL PROTECTED]
                      <http://www.globalhomes.com/>

#############################################################
This message is sent to you because you are subscribed to
  the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

Reply via email to