HP3000-L Archives

September 2003, Week 3

HP3000-L@RAVEN.UTC.EDU

From: "Emerson, Tom" <[log in to unmask]>
Date: Fri, 19 Sep 2003 11:18:19 -0700
Content-Type: text/plain (34 lines)

While I've tossed a bunch of search-and-destroy terms into a filter to simply toss this matter aside, this particular one managed to sneak past -- dunno how accurate it is since I know many modern viruses will attempt to "forge" the sender as someone else, thus throwing any bloodhounds off the trail.  It seems, however, that this "scanner" looks a little deeper:

>-----Original Message-----
>From: [log in to unmask]
>[mailto:[log in to unmask]]
>Sent: Friday, September 19, 2003 9:54 AM
>To: Emerson, Tom
>Subject: Virus detected in email (from [log in to unmask])
>
> V I R U S  A L E R T
> The Aramiska Arc virusscanner has detected the
> I-Worm.Swen
> virus in an email to you from:
> [log in to unmask]
[...]
> For your reference, here are the SMTP envelope originator and headers from your email:
> ------------------------- BEGIN HEADERS -----------------------------
> Received: from zkinfeux (ip-192-168-1-111.internal.rhclifting.com [192.168.1.111])
>       by ip-10-2-35-140.arc.aramiska.net (Postfix) with SMTP
>       id B9D5A15; Fri, 19 Sep 2003 16:54:06 +0000 (UTC)
> From: "Microsoft" <[log in to unmask]>
> To: "Commercial Consumer" <[log in to unmask]>
> SUBJECT: Newest Security Pack
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="ukkcfzzvxtnp"
> Message-Id: <[log in to unmask]>
> Date: Fri, 19 Sep 2003 16:54:06 +0000 (UTC)
> -------------------------- END HEADERS ------------------------------

Note that the visible "From:" address is noted as Microsoft/<random>@newsletters.microsoft, which might as well be "[log in to unmask]" for all we care -- however the "Received" header seems to indicate some more-or-less legitimate sources [actually, both 192.168.x.x and 10.y.y.y are "non-routable" addresses, BUT if this really did originate within "aramiska", then it is quite likely that the Postfix mailer "knows" about those internal addresses].  Besides, I vaguely recognize the "tony@rhclifting" address as one I've seen around here...  [and apologies in advance to Tony if indeed the above "bloodhound" got fooled ;) ]

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
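The reasoning in the post above (the visible From: is worthless, the lowest Received: line is the only hop worth reading, and a private 192.168.x.x or 10.y.y.y address there only means something if the receiving MTA sits inside that network) can be turned into a small header check. The following is an added example, not code from the post, the list, or the Aramiska scanner; the header block, host names and addresses in it are constructed placeholders modelled on the quoted alert, and the signals it reports (private origin IP, HELO name differing from reverse DNS, From: domain unrelated to the relaying host) are heuristics, not proof of forgery.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample modelled on the header block quoted in the post.
# Host names, domains and the IP are placeholders, not real systems.
SAMPLE_HEADERS = """\
Received: from zkinfeux (ip-192-168-1-111.internal.example.com [192.168.1.111])
\tby mx.example.net (Postfix) with SMTP
\tid B9D5A15; Fri, 19 Sep 2003 16:54:06 +0000 (UTC)
From: "Microsoft" <newsletters@example.invalid>
To: "Commercial Consumer" <user@example.org>
Subject: Newest Security Pack
Date: Fri, 19 Sep 2003 16:54:06 +0000 (UTC)

body
"""

# "from <HELO name> (<reverse DNS> [<ip>]) ... by <receiving host>"
# The part in parentheses is written by the receiving MTA, so it is the
# only piece of the line the sending client could not choose freely.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?by\s+(?P<by>\S+)",
    re.S,
)


def parse_received(value):
    """Split one Received: header value into helo / rdns / ip / by."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {k: m.group(k) for k in ("helo", "rdns", "ip", "by")}


def classify_origin(raw_headers):
    """Inspect the first hop of a message and list reasons not to trust From:."""
    msg = message_from_string(raw_headers)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    if not hops:
        return {"verdict": "no Received headers", "findings": []}

    # Received: lines are prepended by each relay, so the last one in the
    # list is the first hop: where the mail actually entered the chain.
    origin = hops[-1]
    findings = []

    try:
        ip = ipaddress.ip_address(origin["ip"])
    except ValueError:
        ip = None
        findings.append("origin IP unparseable")
    if ip is not None and ip.is_private:
        findings.append(
            f"origin {ip} is a private/non-routable address: it identifies a host "
            f"only if {origin['by']} is inside that network"
        )

    # A HELO name that bears no resemblance to the reverse DNS the MTA looked
    # up is a weak but common sign of a self-built SMTP client.
    if origin["rdns"] and origin["helo"] != origin["rdns"]:
        findings.append(
            f"HELO name {origin['helo']!r} does not match reverse DNS {origin['rdns']!r}"
        )

    # The From: domain is chosen by the sender; compare it with the relay.
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_domain = m.group(1).lower() if m else ""
    if from_domain and origin["rdns"] and not origin["rdns"].lower().endswith(from_domain):
        findings.append(
            f"From: domain {from_domain!r} is unrelated to relaying host {origin['rdns']!r} "
            "(weak signal: legitimate mail is often relayed by third parties)"
        )

    verdict = "do not rely on From: to identify the sender" if findings else "headers internally consistent"
    return {"origin": origin, "from_domain": from_domain, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = classify_origin(SAMPLE_HEADERS)
    print(result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

Run as-is it reports three findings for the constructed sample: a private origin address, a HELO name that does not match reverse DNS, and a From: domain unrelated to the relay. That is exactly the situation the post describes, and it is why a scanner that "looks a little deeper" should name the first-hop relay rather than the From: address when it reports who sent a worm.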
