[RC5] Virus alert !

waldo kitty wkitty42 at alltel.net
Fri Oct 11 00:59:17 EDT 2002


you can rely on the TOPmost received line to tell where the mail came
from to your mail server... i didn't say anything about the originating
machine or user... sorry, yes, maybe "sender" might imply that but that
is not what i was attempting to imply... in any case, with bugbear, it
uses its own SMTP engine and since it is located on the infected user's
machine, guess what info you do have at hand <<wink>>

BTW: i surprised one of my old clients yesterday when i called them 5
minutes after they deleted a "weird" email... i called them because
their machine had just sent me bugbear... i recognised the name of the
machine and the ip number... let's just say that they were very shocked
and surprised that i was able to tell that from the email headers...
they admitted that their machine was behaving strangely in those last few
minutes and i was able to pick up a quick clean up job since they were
unable to do anything much with bugbear running...

Jason Hartzell wrote:
> 
> And that header may not tell you who the malicious individual or group is.
> If they have found an SMTP server with an open relay, which is how most SPAM
> is transferred anyway...
> 
> Personally I received three of the Jeff Lawson infected e-mails over the
> night. NAV for Exchange works pretty well....
> 
> -----Original Message-----
> From: waldo kitty
> To: rc5 at lists.distributed.net
> Sent: 10/10/02 5:57 AM
> Subject: Re: [RC5] Virus alert !
> 
> you cannot rely on the from header to know who sent bugbear... the ONLY
> header you can trust to tell you where it came from is the very first
> Received line that contains the machine name and ip address of the
> sender... this very first received line cannot be forged as it is put in
> by your mail server...
> 
> PlasmaHH at gmx.net wrote:
> >
> > Hi all,
> >
> > this is important. I have just received an email with the New
> > Mail-Worm "Bugbear" attached. Someone (Probably Jeff Lawson) on
> > the list has been infected with this worm. So be careful, keep
> > your virus-scanner up to date, and don't open attachments, the
> > attached file was an .xls.scr file...
> >
> >
> >
> > --
> > +++ GMX - Mail, Messaging & more  http://www.gmx.net +++
> > NEW: Get online with GMX. Surf around the clock for 1 ct/min!
> >
> > --
> > To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
> > rc5-digest subscribers replace rc5 with rc5-digest
> 
> --
>        _\/
>       (@@)                      Waldo Kitty, Waldo's Place USA
> __ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com
> _|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com
> ____|_____|_____|_____|_____|_____|_____ ftp://ftp.wpusa.dynip.com
> _|_Eat_SPAM_to_email_me!_YUM!__|_____|_____ wkitty42 (at) alltel.net
> 

-- 
       _\/
      (@@)                      Waldo Kitty, Waldo's Place USA
__ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com
_|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com
____|_____|_____|_____|_____|_____|_____ ftp://ftp.wpusa.dynip.com
_|_Eat_SPAM_to_email_me!_YUM!__|_____|_____ wkitty42 (at) alltel.net


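The header-trust rule waldo kitty describes above (only the topmost Received line, the one your own mail server stamped, tells you which machine actually delivered the message; the From: line and every lower Received line came in with the message and can say anything) as an added Python example. This is not code from the thread or from any project named in it. The sample message, the local MTA name mail.example.net, and every host name and address in it are constructed placeholders.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample message (placeholder hosts and addresses). The first
# Received line is the one our own MTA, assumed here to be mail.example.net,
# stamped when the sending machine connected to it directly, as a worm with
# its own SMTP engine would. The second Received line and the From: header
# arrived with the message and were written by the sender.
SAMPLE = """\
Received: from infected-pc.example.org (infected-pc.example.org [192.0.2.77])
\tby mail.example.net (Postfix) with SMTP id 4F3A2
\tfor <wkitty42@example.net>; Fri, 11 Oct 2002 00:40:12 -0400 (EDT)
Received: from relay.example.com ([198.51.100.9])
\tby smtp.example.org; Fri, 11 Oct 2002 00:39:50 -0400
From: "Jeff Lawson" <forged@example.com>
To: <rc5@example.net>
Subject: Re: [RC5] Virus alert !

body text
"""

# 'from <helo> (<rdns> [<ip>])' as most MTAs write it: <helo> is whatever the
# client claimed in HELO/EHLO, <rdns> and <ip> are what the receiving MTA saw.
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;]+)", re.IGNORECASE)


def received_lines(raw: str) -> List[str]:
    """All Received headers, unfolded, topmost (most recently added) first."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def parse_received(line: str) -> Dict[str, Optional[str]]:
    """Extract the from/by parts of one Received line (None where absent)."""
    f = FROM_RE.search(line)
    b = BY_RE.search(line)
    return {
        "helo": f.group("helo") if f else None,
        "rdns": f.group("rdns") if f else None,
        "ip": f.group("ip") if f else None,
        "by": b.group("by") if b else None,
    }


def trusted_origin(raw: str, our_mta: str) -> Optional[Dict[str, Optional[str]]]:
    """Host and IP our own MTA recorded for the machine that delivered the mail.

    Only the topmost Received line is used, and only when its 'by' clause
    names our MTA; otherwise the line was not stamped by us and we refuse
    to guess rather than trust sender-supplied data."""
    lines = received_lines(raw)
    if not lines:
        return None
    top = parse_received(lines[0])
    if (top["by"] or "").lower() != our_mta.lower():
        return None
    return top


def sender_claims(raw: str) -> Dict[str, object]:
    """What the message says about itself: untrusted, kept only as context."""
    msg = message_from_string(raw)
    return {"from": msg.get("From"), "lower_received": received_lines(raw)[1:]}


if __name__ == "__main__":
    origin = trusted_origin(SAMPLE, "mail.example.net")
    print("connected from:", origin["rdns"], origin["ip"],
          "(claimed HELO %s)" % origin["helo"])
    print("untrusted claims:", sender_claims(SAMPLE))
```

On the constructed sample, `trusted_origin` returns the reverse DNS name and IP of the machine that connected to mail.example.net, which is the information waldo kitty used to call the infected client, while the From: line and the second Received line are only reported under `sender_claims`. The `by` check matters: if your mail reaches you through a secondary MX or a forwarding host, the topmost line will name that relay instead, and you should then walk down exactly one line per relay you control, never further.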