Message-ID: <p06100340bb9bfba8b385@[192.168.1.104]>
From: nazgul at somewhere.com (Kee Hinckley)
Subject: Does Swen forge the sender? WARNING - LONG POST
At 11:40 AM -0500 9/27/03, Paul Schmehl wrote:
>1st header is a "bounce" to my work account. Unfortunately the
>bouncing party didn't bother to include the original message
>headers, but it's evident that they *thought* that I sent them the
>virus. Since the "From" address was "Microsoft Security Support"
><dyfotwrltwosb_whweemsf@...letin.msn.com>, how does this get back to
>me unless the "MAIL FROM" command was "pauls@...allas.edu"?
Are you certain that's a bounce? It looks to me as though the
sending machine cleaned the virus, but then let the message go out
anyway. (A policy which must date from back in the days of macro
viruses, when there actually was some useful content and the virus
didn't send itself--seems pretty poor policy now.)
>
>Received: from null-pmn.utdallas.edu ([129.110.10.1]) by
>utdevs02.campus.ad.utdallas.edu with Microsoft
>SMTPSVC(5.0.2195.6713);
> Sat, 27 Sep 2003 00:49:54 -0500
>Received: from localhost (localhost [127.0.0.1])
> by null-pmn.utdallas.edu (Postfix) with ESMTP id 404FE1A06B1
> for <pauls@...allas.edu>; Sat, 27 Sep 2003 00:50:04 -0500 (CDT)
>Received: from mx0.utdallas.edu ([127.0.0.1])
>by localhost (ns0 [127.0.0.1]) (amavisd-new, port 10024) with LMTP
>id 29640-01-56 for <pauls@...allas.edu>;
>Sat, 27 Sep 2003 00:50:03 -0500 (CDT)
>Received: from mail.cosmofilms.com (unknown [203.112.156.12])
> by mx0.utdallas.edu (Postfix) with ESMTP id F175A38A92
> for <pauls@...allas.edu>; Sat, 27 Sep 2003 00:46:09 -0500 (CDT)
>Received: from mail.cosmofilms.com (localhost [127.0.0.1])
> by mail.cosmofilms.com (8.12.9/8.12.9) with ESMTP id h8R5jW2B005365
> for <pauls@...allas.edu>; Sat, 27 Sep 2003 11:17:10 +0530
>Received: from aygad (logistic.cosmofilms.com [192.9.200.210])
> by mail.cosmofilms.com (8.12.9/8.12.9) with SMTP id h8R5ij5w005085;
> Sat, 27 Sep 2003 11:14:45 +0530
>Date: Sat, 27 Sep 2003 11:14:45 +0530
>Message-Id: <200309270544.h8R5ij5w005085@...l.cosmofilms.com>
>From: "Microsoft Security Support" <dyfotwrltwosb_whweemsf@...letin.msn.com>
>To: " " <zwhbfu_ajnkwdm@...letin.msn.com>
>SUBJECT: Current Net Security Update
>Mime-Version: 1.0
>Content-Type: multipart/mixed; boundary="yczwccphdsq"
>Return-Path: webserv@...mofilms.com
>X-OriginalArrivalTime: 27 Sep 2003 05:49:54.0912 (UTC)
>FILETIME=[2D3B5600:01C384BB]
>
>--lodywg
>Content-Type: text/html
>Content-Transfer-Encoding: quoted-printable
>
><HTML>
><HEAD></HEAD>
><BODY>
><iframe src=3D"cid:oygkdfqowfov" height=3D0 width=3D0></iframe>
><BR><BR><BR>Undelivered mail to <B>lajgfy@...foot.com</B>
><BR><BR><BR>Message follows:<BR><BR><BR><BR>
></BODY></HTML>
>
>--lodywg
>Content-Type: audio/x-wav; name="ctlsz.scr"
>Content-Transfer-Encoding: base64
>Content-Id: <oygkdfqowfov>
>
>------------------ Virus Warning Message (on mail.cosmofilms.com)
>
>Found virus WORM_SWEN.A in file Pack6579.exe
>The uncleanable file is deleted.
--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
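
The header comparison being made by eye in this message, as an added example that is not part of the original post: it reads the envelope sender recorded in Return-Path, compares it with the From header, and lists the Received hops oldest first. The sample headers are constructed placeholders, and `analyze`, `domain` and the result keys are names chosen for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample shaped like the quoted headers. Every host and address
# is a placeholder (example domains, documentation IP ranges).
SAMPLE = """\
Return-Path: <webserv@mail.example.net>
Received: from mx0.example.edu (localhost [127.0.0.1])
\tby filter.example.edu (Postfix) with ESMTP id AAAA
\tfor <user@example.edu>; Sat, 27 Sep 2003 00:50:04 -0500
Received: from mail.example.net (unknown [203.0.113.12])
\tby mx0.example.edu (Postfix) with ESMTP id BBBB
\tfor <user@example.edu>; Sat, 27 Sep 2003 00:46:09 -0500
Received: from desktop (pc.example.net [192.0.2.210])
\tby mail.example.net (8.12.9/8.12.9) with SMTP id CCCC;
\tSat, 27 Sep 2003 11:14:45 +0530
From: "Security Support" <random@bulletin.example.com>
Subject: Current Net Security Update

body
"""

HOP = re.compile(r"from\s+(\S+)\s+\((.*?)\)\s+by\s+(\S+)", re.S)

def domain(value):
    """Lower-cased domain of an address header, '' if there is none."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    # Each relay prepends its Received line, so reverse to get oldest first.
    hops = [dict(zip(("helo", "peer", "by"), m.groups()))
            for m in map(HOP.search, reversed(msg.get_all("Received", [])))
            if m]
    return_path = msg.get("Return-Path", "").strip()
    envelope, header = domain(return_path), domain(msg.get("From", ""))
    return {
        "envelope_domain": envelope,
        "from_domain": header,
        "mismatch": envelope != header,
        # Delivery status notifications carry the null reverse-path "<>".
        "null_sender": return_path == "<>",
        # True when the envelope domain is the first relay's own domain.
        "envelope_is_first_relay": bool(hops and envelope)
                                   and hops[0]["by"].lower().endswith(envelope),
        "hops": hops,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```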