Reply To: Emerson, Tom
Date: Fri, 19 Sep 2003 11:18:19 -0700
Content-Type: text/plain
While I've tossed a bunch of search-and-destroy terms into a filter to simply toss this matter aside, this particular one managed to sneak past -- dunno how accurate it is, since I know many modern viruses will attempt to "forge" the sender as someone else, thus throwing any bloodhounds off the trail. It seems, however, that this "scanner" looks a little deeper:
>-----Original Message-----
>From: [log in to unmask]
>[mailto:[log in to unmask]]
>Sent: Friday, September 19, 2003 9:54 AM
>To: Emerson, Tom
>Subject: Virus detected in email (from [log in to unmask])
>
> V I R U S A L E R T
> The Aramiska Arc virusscanner has detected the
> I-Worm.Swen
> virus in an email to you from:
> [log in to unmask]
[...]
> For your reference, here are the SMTP envelope originator and headers from your email:
> ------------------------- BEGIN HEADERS -----------------------------
> Received: from zkinfeux (ip-192-168-1-111.internal.rhclifting.com [192.168.1.111])
> by ip-10-2-35-140.arc.aramiska.net (Postfix) with SMTP
> id B9D5A15; Fri, 19 Sep 2003 16:54:06 +0000 (UTC)
> From: "Microsoft" <[log in to unmask]>
> To: "Commercial Consumer" <[log in to unmask]>
> SUBJECT: Newest Security Pack
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="ukkcfzzvxtnp"
> Message-Id: <[log in to unmask]>
> Date: Fri, 19 Sep 2003 16:54:06 +0000 (UTC)
> -------------------------- END HEADERS ------------------------------
Note that the visible "From:" address is noted as Microsoft/<random>@newsletters.microsoft, which might as well be "[log in to unmask]" for all we care -- however, the "Received:" header seems to indicate some more-or-less legitimate sources [actually, both 192.168.x.x and 10.y.y.y are "non-routable" addresses, BUT if this really did originate within "aramiska", then it is quite likely that the Postfix mailer "knows" about those internal addresses]. Besides, I vaguely recognize the "tony@rhclifting" address as one I've seen around here... [and apologies in advance to Tony if indeed the above "bloodhound" got fooled ;) ]
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
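The header analysis Tom walks through above (forged "From:", real origin recoverable from the bottom-most "Received:" line, private-range IP meaning the handoff happened inside the relay's own network) can be mechanised. The following is an added example, not code from the original post or from the Aramiska scanner. The sample header block is constructed from the headers quoted above; because the archive masks the mailboxes as "[log in to unmask]", the mailbox parts (random@newsletters.microsoft.com, recipient@example.com, the Message-Id) are placeholders, while the host names and IPs are exactly as quoted.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample input: the header block quoted in the post. Mailbox
# parts are placeholders (the archive masks the real ones); host names and
# IP addresses are as shown in the post.
SAMPLE_HEADERS = (
    "Received: from zkinfeux (ip-192-168-1-111.internal.rhclifting.com [192.168.1.111])\n"
    "\tby ip-10-2-35-140.arc.aramiska.net (Postfix) with SMTP\n"
    "\tid B9D5A15; Fri, 19 Sep 2003 16:54:06 +0000 (UTC)\n"
    'From: "Microsoft" <random@newsletters.microsoft.com>\n'
    'To: "Commercial Consumer" <recipient@example.com>\n'
    "Subject: Newest Security Pack\n"
    "Mime-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="ukkcfzzvxtnp"\n'
    "Message-Id: <placeholder@example.com>\n"
    "Date: Fri, 19 Sep 2003 16:54:06 +0000 (UTC)\n"
)

# "from HELO (rdns [ip]) by relay" is the shape Postfix writes; rdns may be
# absent or "unknown". IPv4 only, which is all the 2003 sample needs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\)]+)?\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Extract HELO name, reverse DNS, peer IP and receiving relay from one Received: value."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {k: m.group(k) for k in ("helo", "rdns", "ip", "by")}


def originating_hop(headers_text):
    """Each relay prepends its own Received:, so the LAST parsable one is the
    earliest hop recorded by infrastructure we trust. Returns None if absent."""
    msg = message_from_string(headers_text)
    for value in reversed(msg.get_all("Received") or []):
        hop = parse_received(value)
        if hop:
            return hop
    return None


def sender_domain(headers_text):
    """Domain of the visible From: mailbox (the forgeable part), or None."""
    _, addr = parseaddr(message_from_string(headers_text).get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def assess(headers_text):
    """Cross-check the claimed From: domain against what the relay actually saw."""
    hop = originating_hop(headers_text)
    domain = sender_domain(headers_text)
    if hop is None or domain is None:
        return {"verdict": "insufficient headers", "hop": hop, "from_domain": domain}
    ip = ipaddress.ip_address(hop["ip"])
    # Is any relay-recorded name actually inside the From: domain?
    names = [n.lower() for n in (hop["rdns"], hop["helo"], hop["by"]) if n]
    corroborated = any(n == domain or n.endswith("." + domain) for n in names)
    return {
        "from_domain": domain,
        "first_hop_ip": str(ip),
        # RFC 1918 address => the message entered from inside the relay's own network.
        "first_hop_private": ip.is_private,
        "first_hop_rdns": hop["rdns"],
        "from_matches_hop": corroborated,
        "verdict": ("From: corroborated by the first hop" if corroborated
                    else "From: not corroborated; treat the first-hop host as the origin"),
    }


if __name__ == "__main__":
    for key, val in assess(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

Run on the sample, the first hop resolves to 192.168.1.111 (private) with reverse DNS under rhclifting.com, and nothing in the relay's record corroborates newsletters.microsoft.com, which is the same conclusion the post reaches by eye. The check only trusts the bottom-most Received: line because upstream hops can be forged by the sender just like From: can.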