RE: good morning

Mike Ayers wrote:
> > This mail (containing a virus: shower_response.exe) was sent to me
> > through [EMAIL PROTECTED]:
> >
> > Received: from 209.235.17.55  (EHLO unicode.org) (209.235.17.55)
> >    by mta150.mail.dcn.yahoo.com with SMTP; Fri, 09 Apr 2004
> >    05:17:31 -0700
> > Received: from sarasvati.unicode.org (localhost.localdomain
> >    [127.0.0.1])
> >    by unicode.org (8.11.6/8.11.6) with ESMTP id i39BupS08634;
> >    Fri, 9 Apr 2004 07:56:51 -0400
> > Received: with ECARTIS (v1.0.0; list unicode); Fri, 09 Apr
> >    2004 07:56:50 -0400 (EDT)
> > Received: from unicode.org (slkcapanas11poola155.slkc.uswest.net
> >    [65.103.249.155])
> >    by unicode.org (8.11.6/8.11.6) with ESMTP id i39BunS08623
> >    for <[EMAIL PROTECTED]>; Fri, 9 Apr 2004 07:56:49 -0400

> You have not included the full set of headers here.  It is common
> practice for spammers and virus propagators (yes, there are people
> who deliberately spread infection, apparently as a hobby) to prepend
> fake pathing information to hide the start of the real transfers.  It is
> also now common to use stolen IDs, such as mailing lists or individuals,
> in the sender fields.

It's true that a spammer can inject fake "Received:" lines in their mail but
they won't be able to fake the supplementary "Received:" lines added on
the top by the SMTP server to which they send their spews.

We don't need full headers in fact to track spammers, as the only reliable info
is the "Received:" line generated here by the unicode mailing list server that
has received and processed this email.

So the relevant header line is:
> > Received: from unicode.org (slkcapanas11poola155.slkc.uswest.net
> >    [65.103.249.155])
> >    by unicode.org (8.11.6/8.11.6) with ESMTP id i39BunS08623
> >    for <[EMAIL PROTECTED]>; Fri, 9 Apr 2004 07:56:49 -0400

which clearly states that the sender was connected from [65.103.249.155] (but
not "unicode.org", which is faked in the SMTP HELO string), and that
sarasvati.unicode.org resolves itself as slkcapanas11poola155.slkc.uswest.net.
This is a home subscriber of uswest.net, which is infected by a virus, and the
virus on his host has copied some other information found in its mailbox folders
to generate the SMTP HELO string, and the "From:" header (not shown here) which
was authorized by sarasvati, because it only checks that this (faked) email
address is a subscriber to the list.

The main reason why this will occur is that the infected PC belongs to a user
that has subscribed to this list, and that allowed the virus to collect previous
traffic received from the list in order to harvest it.
If sarasvati logs are inspected, maybe it will be possible to detect which
USWEST.NET user at this IP has already sent a non-viral message with a normal
signature. This may help discover which subscriber is really infected.
However if the subscriber never posted messages to the list, but just subscribed
to it to receive messages passively, the sarasvati logs won't help here.

For such an infection, it is very likely that the infected PC is also sending its
spew to many other areas collected from an unsecured mail archive, and so it may
be useful to report that user to its ISP. However, as this is a virus and not
really spam, most abuse desks ignore those alerts. So the best thing is that
the sarasvati server implements an anti-virus filter on incoming messages, and
keeps it updated with new viral signatures.

This happens sometimes on almost all legitimate mailing lists. Someone using a
mailing list should have an antivirus ready, because unfiltered mailing lists are
the most valuable resource for viruses to spread their spew very fast to lots of
people, with a minimum number of messages. I do think that the sarasvati server
has such an antivirus tool, but its virus definitions file is out of date and
did let this one pass through...
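As an added example (not part of this thread), a small Python routine that applies the rule stated above: walk the Received: trail from the top and trust only the stamp that the list's own MTA added when it accepted the message from an outside host, then compare the HELO name against the reverse DNS of the connecting address. The sample headers are the ones quoted in the thread; the recipient address is a placeholder, and the assumed relay name "unicode.org" is taken from the "by" field of those headers.

```python
import email
import re

# Constructed sample: the Received: trail quoted in this thread, folded as in
# the original message; the recipient address is a placeholder.
RAW_MESSAGE = """\
Received: from 209.235.17.55  (EHLO unicode.org) (209.235.17.55)
   by mta150.mail.dcn.yahoo.com with SMTP; Fri, 09 Apr 2004 05:17:31 -0700
Received: from sarasvati.unicode.org (localhost.localdomain [127.0.0.1])
   by unicode.org (8.11.6/8.11.6) with ESMTP id i39BupS08634;
   Fri, 9 Apr 2004 07:56:51 -0400
Received: with ECARTIS (v1.0.0; list unicode); Fri, 09 Apr 2004 07:56:50 -0400 (EDT)
Received: from unicode.org (slkcapanas11poola155.slkc.uswest.net [65.103.249.155])
   by unicode.org (8.11.6/8.11.6) with ESMTP id i39BunS08623
   for <list@example.invalid>; Fri, 9 Apr 2004 07:56:49 -0400
"""

# sendmail-style stamp: "from HELO (reverse-dns [ip]) by host ..."
HOP_RE = re.compile(r"^from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)")


def _domain(name):
    """Last two labels of a host name, lower-cased (enough for this comparison)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_trusted_hop(raw, trusted_relay):
    """Walk the Received: lines top-down (newest first) and return the first hop
    that trusted_relay stamped when accepting the message from an outside host.
    Lines above it were added by later relays; lines below it travelled inside
    the message and may have been prepended by the sender, so they are ignored."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))  # unfold, collapse whitespace
        if not m or m.group("by") != trusted_relay:
            continue
        if m.group("ip").startswith("127."):
            continue  # loopback hand-off between the MTA and the list software
        helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
        return {
            "helo": helo,          # what the client claimed in HELO/EHLO
            "rdns": rdns,          # what the relay resolved the connection to
            "ip": ip,              # the only address that cannot be forged here
            # HELO naming a different domain than the rDNS: the forged-HELO
            # pattern described in the reply above
            "helo_forged": _domain(helo) != _domain(rdns),
        }
    return None
```

Running `find_trusted_hop(RAW_MESSAGE, "unicode.org")` picks the fourth stamp, reports the connecting address 65.103.249.155 with rDNS under uswest.net, and flags the "unicode.org" HELO as forged.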
