shop-talk

Re: Let's be friends

To: npenney <npenney@mde.state.md.us>
Subject: Re: Let's be friends
From: Eric Murray <ericm@lne.com>
Date: Wed, 6 Aug 2003 11:56:34 -0700
OK, for those of you who are interested in mail geekery, I
just got one of those worms we have been talking about.
The interesting headers are below, escaped with a leading '>'
to prevent their being interpreted.


>Received: from 42dbca82.dsl.aros.net (42dbca82.dsl.aros.net [66.219.202.130])
>        by gw.lne.com (8.12.5/8.12.5) with ESMTP id h76IW2S7014935
>        for <ericm@lne.com>; Wed, 6 Aug 2003 11:32:05 -0700


This Received line is my server accepting the mail from team.net.
42dbca82.dsl.aros.net is autox.team.net. for purposes of
receiving mail:

ericm(pts/9)> dig autox.team.net mx @ns.amaranth.net.
[..]

;; ANSWER SECTION:
autox.team.net.         1H IN MX        9 42dbca82.dsl.aros.net.


>Received: (from majordom@localhost)
>        by 42dbca82.dsl.aros.net (8.12.5/8.12.5) id h76HwYBd026222
>        for shop-talk-qwerty; Wed, 6 Aug 2003 11:58:34 -0600


This Received line is generated on autox.team.net by majordomo
sending out the mail to the list.

>From: npenney <npenney@mde.state.md.us>

This is probably forged.  As I wrote earlier, it's just characters,
you could put anything in there.

There are no more Received lines, so autox.team.net majordomo is
set to truncate Received lines on list mail.  If it wasn't, there
would be an indication of where the mail originated.

>To: shop-talk@autox.team.net
>Subject: Let's be friends

Common Subject line of the Klez virus.
http://www.viruslist.com/eng/viruslist.html?id=4292

>Message-Id: <20030806175830.ZMIR1453.priv-edtnes28.telusplanet.net@Zvz>

This Message-Id might indicate that the originator was
on the telusplanet.net network.  But Message-Ids are often inserted
by SMTP gateways and if they are not, they can be forged by the
sender just like From: lines can.

>X-Converted-To-Plain-Text: from multipart/alternative by demime 0.99d.1
>X-Converted-To-Plain-Text: Alternative section used was text/html

These mean that demime deleted a MIME attachment.

///  unsubscribe/change address requests to majordomo@autox.team.net  or try
///  http://www.team.net/mailman/listinfo
///  Archives at http://www.team.net/archive/shop-talk
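As an added illustration (not part of Eric's post, and not any tool of the list's): a small Python script that reads a Received chain the way the post does, listing the hops in delivery order and checking whether the From: domain is vouched for by any hop. The message text is constructed from the headers quoted above, with a placeholder body.

```python
import email
import re

# Constructed sample built from the headers quoted in the post; the body is a placeholder.
RAW_MESSAGE = """\
Received: from 42dbca82.dsl.aros.net (42dbca82.dsl.aros.net [66.219.202.130])
        by gw.lne.com (8.12.5/8.12.5) with ESMTP id h76IW2S7014935
        for <ericm@lne.com>; Wed, 6 Aug 2003 11:32:05 -0700
Received: (from majordom@localhost)
        by 42dbca82.dsl.aros.net (8.12.5/8.12.5) id h76HwYBd026222
        for shop-talk-qwerty; Wed, 6 Aug 2003 11:58:34 -0600
From: npenney <npenney@mde.state.md.us>

(body omitted)
"""

def parse_received(value):
    """One Received header -> its from/by/id tokens, bracketed peer IP and timestamp."""
    flat = " ".join(value.split())  # collapse folded continuation lines
    clause, _, date = flat.rpartition(";")  # the timestamp follows the last ';'
    fields = {}
    for key in ("from", "by", "id"):
        m = re.search(r"\b%s\s+([^\s();]+)" % key, clause)
        fields[key] = m.group(1) if m else None
    # The IP in square brackets is what the receiving MTA saw on the socket;
    # the name before it is only what the peer claimed in HELO.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause)
    fields["ip"] = m.group(1) if m else None
    fields["date"] = date.strip() or None
    return fields

def trace(raw):
    """Hops in the order the mail travelled (each MTA prepends, so the top header is newest)."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # earliest recorded hop first
    return hops

def origin_hint(raw):
    """Earliest recorded hop, plus whether any hop's host mentions the From: domain."""
    msg = email.message_from_string(raw)
    hops = trace(raw)
    from_domain = msg["From"].rsplit("@", 1)[-1].rstrip(">").strip()
    hosts = {h[k] for h in hops for k in ("from", "by") if h[k]}
    return {"earliest_hop": hops[0] if hops else None, "from_domain": from_domain,
            "from_corroborated": any(from_domain in host for host in hosts)}

if __name__ == "__main__":
    for hop in trace(RAW_MESSAGE):
        print("%(from)s -> %(by)s [%(ip)s] id %(id)s; %(date)s" % hop)
```

For this message the earliest hop is majordomo on 42dbca82.dsl.aros.net and nothing in the chain mentions mde.state.md.us, which is exactly why the From: line proves nothing here.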