[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <44863870.1064662832@[192.168.2.119]>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: Does Swen forge the sender? WARNING - LONG POST
In deference to the experts, Joe and Nick, rather than argue about what
Swen does, I'll just post some headers and ask for a *brief* explanation of
them.
1st header is a "bounce" to my work account. Unfortunately the bouncing
party didn't bother to include the original message headers, but it's
evident that they *thought* that I sent them the virus. Since the "From"
address was "Microsoft Security Support"
<dyfotwrltwosb_whweemsf@...letin.msn.com>, how does this get back to me
unless the "MAIL FROM" command was "pauls@...allas.edu"?
Received: from null-pmn.utdallas.edu ([129.110.10.1]) by
utdevs02.campus.ad.utdallas.edu with Microsoft SMTPSVC(5.0.2195.6713);
Sat, 27 Sep 2003 00:49:54 -0500
Received: from localhost (localhost [127.0.0.1])
by null-pmn.utdallas.edu (Postfix) with ESMTP id 404FE1A06B1
for <pauls@...allas.edu>; Sat, 27 Sep 2003 00:50:04 -0500 (CDT)
Received: from mx0.utdallas.edu ([127.0.0.1])
by localhost (ns0 [127.0.0.1]) (amavisd-new, port 10024) with LMTP
id 29640-01-56 for <pauls@...allas.edu>;
Sat, 27 Sep 2003 00:50:03 -0500 (CDT)
Received: from mail.cosmofilms.com (unknown [203.112.156.12])
by mx0.utdallas.edu (Postfix) with ESMTP id F175A38A92
for <pauls@...allas.edu>; Sat, 27 Sep 2003 00:46:09 -0500 (CDT)
Received: from mail.cosmofilms.com (localhost [127.0.0.1])
by mail.cosmofilms.com (8.12.9/8.12.9) with ESMTP id h8R5jW2B005365
for <pauls@...allas.edu>; Sat, 27 Sep 2003 11:17:10 +0530
Received: from aygad (logistic.cosmofilms.com [192.9.200.210])
by mail.cosmofilms.com (8.12.9/8.12.9) with SMTP id h8R5ij5w005085;
Sat, 27 Sep 2003 11:14:45 +0530
Date: Sat, 27 Sep 2003 11:14:45 +0530
Message-Id: <200309270544.h8R5ij5w005085@...l.cosmofilms.com>
From: "Microsoft Security Support" <dyfotwrltwosb_whweemsf@...letin.msn.com>
To: " " <zwhbfu_ajnkwdm@...letin.msn.com>
SUBJECT: Current Net Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yczwccphdsq"
Return-Path: webserv@...mofilms.com
X-OriginalArrivalTime: 27 Sep 2003 05:49:54.0912 (UTC)
FILETIME=[2D3B5600:01C384BB]
--lodywg
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:oygkdfqowfov" height=3D0 width=3D0></iframe>
<BR><BR><BR>Undelivered mail to <B>lajgfy@...foot.com</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>
--lodywg
Content-Type: audio/x-wav; name="ctlsz.scr"
Content-Transfer-Encoding: base64
Content-Id: <oygkdfqowfov>
------------------ Virus Warning Message (on mail.cosmofilms.com)
Found virus WORM_SWEN.A in file Pack6579.exe
The uncleanable file is deleted.
---------------------------------------------------------
The second message is a "bounce" from Swen itself. Interesting that it has
an attachment which does not show up in Outllook Express because I force
plain text for all incoming messages. If I understand what you are saying
correctly the infected party should be "mdrake8@...lsouth.net", correct?
That *does* appear to be the case, since the mail originated at bellsouth.
X-Apparently-To: pschmehl@...global.net via web80308.mail.yahoo.com; 27 Sep
2003 04:00:27 -0700 (PDT)
X-YahooFilteredBulk: 205.152.59.72
Return-Path: <mdrake8@...lsouth.net>
Received: from vmd-ext.prodigy.net (207.115.63.89)
by mta818.mail.yahoo.com with SMTP; 27 Sep 2003 04:00:25 -0700 (PDT)
X-Originating-IP: [205.152.59.72]
Received: from imf24aec.mail.bellsouth.net (imf24aec.mail.bellsouth.net
[205.152.59.72])
by vmd-ext.prodigy.net (8.12.9/8.12.3) with ESMTP id h8RB0OeJ069304
for <pschmehl@...global.net>; Sat, 27 Sep 2003 07:00:24 -0400
Received: from menospxe ([65.81.163.202]) by imf24aec.mail.bellsouth.net
(InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP
id <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@...ospxe>;
Sat, 27 Sep 2003 07:00:14 -0400
FROM: "Admin" <smtpautomat@...foot.com>
TO: "Network User" <receiver@...erver.com>
SUBJECT: Bug Report
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="lodywg"
Message-Id: <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@...ospxe>
Date: Sat, 27 Sep 2003 07:00:19 -0400
The third message is an actual copy of Swen sent directly to my home
address. (I can't get any at work since we bounce them all.) Again this
appears to be from pratsc@...ra.es who's computer is infected.
X-Apparently-To: pschmehl@...global.net via web80308.mail.yahoo.com; 27 Sep
2003 07:38:21 -0700 (PDT)
X-YahooFilteredBulk: 213.4.129.129
Return-Path: <pratsc@...ra.es>
Received: from mailapps1-ext.prodigy.net (EHLO mailapps1-int.prodigy.net)
(207.115.63.107)
by mta807.mail.yahoo.com with SMTP; 27 Sep 2003 07:38:20 -0700 (PDT)
X-Header-Overseas: Mail.from.Overseas.source.213.4.129.129
X-Header-Maps: blocked.by.Prodigy.dialups.list.213.4.129.129
X-Originating-IP: [213.4.129.129]
Received: from tsmtp5.mail.isp (smtp.terra.es [213.4.129.129])
by mailapps1-int.prodigy.net (8.12.9/8.12.3) with ESMTP id h8REcIld776526
for <pschmehl@...global.net>; Sat, 27 Sep 2003 10:38:18 -0400
Date: Sat, 27 Sep 2003 10:38:18 -0400
Message-Id: <200309271438.h8REcIld776526@...lapps1-int.prodigy.net>
Received: from tmvav ([213.97.150.28]) by tsmtp5.mail.isp
(terra.es) with SMTP id HLVN7N01.FO3; Sat, 27 Sep 2003 16:35:47
+0200
FROM: "Microsoft Security Center" <rumkxowkdyane_fheumvnb@...fidence.net>
TO: "Commercial Partner" <partner-chzzawgyg@...fidence.net>
SUBJECT:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="kbeceexggkugyd"
--kbeceexggkugyd
Content-Type: multipart/related; boundary="foudxvmnxeo";
type="multipart/alternative"
--foudxvmnxeo
Content-Type: multipart/alternative; boundary="mxdpvsxsnxqyeaia"
--mxdpvsxsnxqyeaia
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Microsoft Partner
this is the latest version of security update, the
"September 2003, Cumulative Patch" update which resolves
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express.
Install now to continue keeping your computer secure.
This update includes the functionality =
of all previously released patches.
So how does the first bounce get to me?
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Powered by blists - more mailing lists