Subject: Re: Please scan your computers for viruses
From: Dave Trapnell
Date: 25/09/2003, 08:11
Newsgroups: alt.sci.seti

Here is my long-winded reply. It took me a while to figure
out how to get the "full" header. For the "good stuff" just
skip about halfway down.

"Robi" <r_buecheler@remove.yahoo.com> wrote:
Dave, can you post (or send me) the headers of one such message?
maybe I could shed a light to where they are coming from.
(that is, if they are not sent through open proxies)

Regards,

Robi
Thank you so much. I keep wondering if there is information
in the header that Eudora won't let me see. Eudora doesn't
have a raw button like Agent does. 
Here goes:
The most common is the pseudo-Microsoft tech support patch,
which comes in several flavors. Here is an example:
(Items in parentheses are my comments.)

From: "Microsoft Corporation Technical Assistance"
<romlggqvkqxjus@advisor.msdn.net> 
To: "MS Client" <client@advisor.msdn.net> 
SUBJECT: Latest Network Security Pack 
Date: Thu, 25 Sep 2003 11:41:46 +1200 (NZST) 

(snip: Official-Looking Microsoft graphics here,
Then the text reads:)

MS Client

this is the latest version of security update, the
"September 2003, Cumulative Patch" update which fixes all
known security vulnerabilities affecting MS Internet
Explorer, MS Outlook and MS Outlook Express as well as three
newly discovered vulnerabilities. Install now to continue
keeping your computer secure from these vulnerabilities, the
most serious of which could allow an attacker to run
executable on your system. This update includes the
functionality of all previously released patches. 

(If you believe that, I may know a large bridge for sale.)

(Followed by some more official-looking graphics with such
things as system requirements, the most important of which is
an extremely gullible human at the mouse. Then some more
blurb:)

Microsoft Product Support Services and Knowledge Base
articles can be found on the Microsoft Technical Support web
site. For security-related information about Microsoft
products, please visit the Microsoft Security Advisor web
site, or Contact Us. 

(The above includes actual links to Microsoft)

Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an
unmonitored e-mail address and we are unable to respond to
any replies.

(You got that right.)

The names of the actual companies and products mentioned
herein are the trademarks of their respective owners. 

(More official-looking graphics, followed by the
inevitable:)

Norton AntiVirus Deleted1165.txt 
(Which file now contains the new, as of today, virus name:)
W32.Swen.A@mm
(and the original file name:)

Q378516.exe

End of copied email ****************************
The above is probably "too much information", as they say,
and not the right information at that. Therefore, I'm going
to try using Agent to collect the mail, which I've never
done before, and see if I can get more from the header that
way. While I wait for another to appear in my inbox, here's
a couple more from Eudora. This one is the "returned mail
notice", which also comes in several flavors:

FROM: "Postmaster" <fmailbot@puremail.com> 
TO: "Network User" <user@emailserver.net> 
SUBJECT: Returned Message 
Date: Wed, 24 Sep 2003 22:12:58 -0400 

(This one has a body that is short and sweet)

Undeliverable message to dhjldyhll@puremail.com 

Message follows:

(and the inevitable)

Norton AntiVirus Deleted1170.txt 

(where the virus used to be, which now contains, in this
case, the file name)

cdoliv.exe

End of copied email ****************************
This one has a little more in the header:

Date: Wed, 24 Sep 2003 21:20:12 +0200 (CEST) 
X-KENId: 0000124EKEN042C2EE7 
X-KENRelayed: 0000124EKEN042C2EE7@PC01 
From: "Security Assistance" <gbpobzfl-kozspqb@technet.net> 
Subject: Network Critical Patch 
To: "Microsoft Consumer" <consumer_kdlbvvmlda@technet.net> 

(more of the same old same old, and the filename:)

Upgrade54.exe
End of copied email ****************************
That's why some are bigger than others; they are the ones
with the graphics. Still waiting for a new one. The watched pot
does boil; only sometimes it takes a little longer. Found
one in the Spaminator; the virus has already been stripped
out. Let me just move it to the inbox and retrieve it with
Agent. Here goes... WOW, there's a lot in that header Eudora
doesn't let you see:

Status: U
Return-Path: <ajletter@iprimus.com.au>
Received: from smtp02.syd.iprimus.net.au ([210.50.76.52])
	by robin (EarthLink SMTP Server) with ESMTP id
1a26KU6jA3NZFjX0
	for <dtresearch@earthlink.net>; Wed, 24 Sep 2003
03:20:19 -0700 (PDT)
Received: from nnoudhk (202.138.57.245) by
smtp02.syd.iprimus.net.au (7.0.018)
        id 3F6F6FF0000D948E; Wed, 24 Sep 2003 20:15:35 +1000
Date: Wed, 24 Sep 2003 20:15:35 +1000 (added by
postmaster@iprimus.com.au)
Message-ID: <3F6F6FF0000D948E@> (added by
postmaster@iprimus.com.au)
FROM: "Microsoft Corporation Security Department"
<eonyjzzzgoebvw-jkyhxrx@bulletin.msdn.net>
TO: "Commercial Customer" <customer@bulletin.msdn.net>
SUBJECT: Network Update
Mime-Version: 1.0
(snip)
Microsoft Customer

(etc)
end of copied email *******************************
Hmmm. Australia. Huh. This is almost interesting. Y'know, if
the virus can actually go out and harvest addresses from the
news server, well, Giganews keeps non-binary groups for six
months or more, so this could get old. Does it know how to use
the password also?
It seems maybe my post had some effect; the incomings have
slowed to a trickle. Here are some I obtained by browsing my
Eudora junk mailbox with Notepad:

Status:  U
Return-Path: <siiling@tm.net.my>
Received: from ipop1.tm.net.my ([202.188.95.15])
	by merlin (EarthLink SMTP Server) with ESMTP id
1a2dsi5JB3NZFlq0
	for <dtresearch@earthlink.net>; Wed, 24 Sep 2003
10:29:34 -0700 (PDT)
Received: from asdqyha (btu-204-87.tm.net.my
[210.195.204.87])
 by ipop1.tm.net.my
 (iPlanet Messaging Server 5.1 HotFix 1.6 (built Oct 18
2002))
 with SMTP id <0HLP002ZB5YLL5@ipop1.tm.net.my> for
dtresearch@earthlink.net;
 Wed, 24 Sep 2003 10:39:02 +0800 (SGT)
Date: Wed, 24 Sep 2003 10:37:36 +0800 (SGT)
Date-warning: Date header was inserted by ipop1.tm.net.my
From: ms net email service <smtpprogram@america.net>
Subject: bug report
To: " " <  >
Message-id: <0HLP002ZI5YML5@ipop1.tm.net.my>

(Another:)
Status:  U
Return-Path: <werribee_dp@dealers.nissan.com.au>
Received: from dealers.nissan.com.au ([203.36.135.11])
	by vulture (EarthLink SMTP Server) with SMTP id
1a2dr54GR3NZFl50
	for <dtresearch@earthlink.net>; Wed, 24 Sep 2003
10:28:19 -0700 (PDT)
Received: by dealers.nissan.com.au ( IA Mail Server Version:
3.2.4. Build: 1096 ) ) ; Wed, 24 Sep 2003 11:53:05 +1000
FROM: "MS Public Assistance" <ljfqcu@confidence.net>
TO: "Client" < >
SUBJECT: microsoft pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="nroheudpqkpq"
Date:  Wed, 24 Sep 2003 11:53:18 +1000
Message-Id: <200309241028.1a2dr54GR3NZFl50@vulture>

(Another:)
Status:  U
Return-Path: <acgomes@filadelfia.br>
Received: from server.filadelfia.br ([200.250.23.100])
	by killdeer (EarthLink SMTP Server) with SMTP id
1a2czZ6w33NZFlr0
	for <dtresearch@earthlink.net>; Wed, 24 Sep 2003
09:33:27 -0700 (PDT)
Received: (qmail 11588 invoked by uid 0); 23 Sep 2003
13:02:01 -0000
Received: from unknown (HELO kboxah) (172.16.2.67)
  by gw-a.lan.filadelfia.br with SMTP; 23 Sep 2003 13:02:01
-0000
FROM: "Microsoft" <atbxzbu@support.msdn.com>
TO: "User" <fsxdzdo.emyvbsz@support.msdn.com>
SUBJECT: Newest Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="xcjbfevqwqsjrm"
Message-Id: <200309240933.1a2czZ6w33NZFlr0@killdeer>
Date: Wed, 24 Sep 2003 09:33:27 -0700 (PDT)

(Another:)
Status:  U
Return-Path: <baltijos@transekspedicija.lt>
Received: from klaipeda.balt.net ([195.14.176.14])
	by robin (EarthLink SMTP Server) with SMTP id
1a2cfG7hZ3NZFjX0
	for <dtresearch@earthlink.net>; Wed, 24 Sep 2003
09:12:27 -0700 (PDT)
Received: (qmail 1915 invoked from network); 24 Sep 2003
16:08:08 -0000
Received: from unknown (HELO ineq) (195.14.179.26)
  by klaipeda.balt.net with SMTP; 24 Sep 2003 16:08:08 -0000
FROM: "Network Security Department" <tvpgvqy@okfojkc.com>
TO: "Commercial Customer" <xaahuy_mnmvonbf@okfojkc.com>
SUBJECT: latest security patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="xqqtsqikukqrlh"
Message-Id: <200309240912.1a2cfG7hZ3NZFjX0@robin>
Date: Wed, 24 Sep 2003 09:12:27 -0700 (PDT)

(Another:)
Status:  U
Return-Path: <baltijos@transekspedicija.lt>
Received: from klaipeda.balt.net ([195.14.176.14])
	by robin (EarthLink SMTP Server) with SMTP id
1a2cff4ya3NZFjX0
	for <dtresearch@earthlink.net>; Wed, 24 Sep 2003
09:12:00 -0700 (PDT)
Received: (qmail 2047 invoked from network); 24 Sep 2003
16:11:47 -0000
Received: from unknown (HELO hizoweq) (195.14.179.26)
  by klaipeda.balt.net with SMTP; 24 Sep 2003 16:11:47 -0000
FROM: "Microsoft Security Center"
<kqgoibfxqu_umyd@advisor.net>
TO: "Commercial Customer" <customer@advisor.net>
SUBJECT: Internet Critical Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="rxabxqvywndieunf"
Message-Id: <200309240912.1a2cff4ya3NZFjX0@robin>
Date: Wed, 24 Sep 2003 09:12:00 -0700 (PDT)

End of copied email *********************************
Well, I guess that's enough for now. Maybe you can 'splain
me how to read these. Thanks for asking.
Dave.
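An added example, not part of Dave's post or Robi's reply: a small Python script that reads headers like the ones above the way Robi would, walking the Received: chain from the bottom up to find the machine that actually injected the message. Each mail server prepends its own Received: line, so the top line is the last hop (here EarthLink) and the bottom "from ... by ..." line is the first hop: the infected client, identified by the IP the first relay recorded, not by whatever the From: line claims. The two header sets are transcribed from the post above (the iprimus.com.au one Dave pulled with Agent and the filadelfia.br one), re-folded as standard continuation lines with the bodies omitted; the function names and the matching heuristics are assumptions of this example. The caveat a practitioner would add: only the Received: line written by your own server is verifiable. Lines below it are whatever the earlier relay (or the sender itself) wrote, so the chain is trustworthy only as far as you trust each relay.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample 1: headers transcribed from the iprimus.com.au message
# in the post above, re-folded as RFC 5322 continuation lines (body omitted).
SAMPLE_IPRIMUS = """\
Return-Path: <ajletter@iprimus.com.au>
Received: from smtp02.syd.iprimus.net.au ([210.50.76.52])
\tby robin (EarthLink SMTP Server) with ESMTP id 1a26KU6jA3NZFjX0
\tfor <dtresearch@earthlink.net>; Wed, 24 Sep 2003 03:20:19 -0700 (PDT)
Received: from nnoudhk (202.138.57.245) by smtp02.syd.iprimus.net.au (7.0.018)
\tid 3F6F6FF0000D948E; Wed, 24 Sep 2003 20:15:35 +1000
Date: Wed, 24 Sep 2003 20:15:35 +1000 (added by postmaster@iprimus.com.au)
Message-ID: <3F6F6FF0000D948E@> (added by postmaster@iprimus.com.au)
From: "Microsoft Corporation Security Department" <eonyjzzzgoebvw-jkyhxrx@bulletin.msdn.net>
To: "Commercial Customer" <customer@bulletin.msdn.net>
Subject: Network Update
Mime-Version: 1.0

"""

# Constructed sample 2: the filadelfia.br message from the post, same treatment.
# Note the qmail-style hop with no "from", and the RFC 1918 client address.
SAMPLE_FILADELFIA = """\
Return-Path: <acgomes@filadelfia.br>
Received: from server.filadelfia.br ([200.250.23.100])
\tby killdeer (EarthLink SMTP Server) with SMTP id 1a2czZ6w33NZFlr0
\tfor <dtresearch@earthlink.net>; Wed, 24 Sep 2003 09:33:27 -0700 (PDT)
Received: (qmail 11588 invoked by uid 0); 23 Sep 2003 13:02:01 -0000
Received: from unknown (HELO kboxah) (172.16.2.67)
\tby gw-a.lan.filadelfia.br with SMTP; 23 Sep 2003 13:02:01 -0000
From: "Microsoft" <atbxzbu@support.msdn.com>
To: "User" <fsxdzdo.emyvbsz@support.msdn.com>
Subject: Newest Security Update
Mime-Version: 1.0

"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "from <what the client claimed> (<what the server saw>) ... by <this server>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<client>\S+)(?:\s+\((?P<seen>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_received(value):
    """Pull client name, recorded IP and receiving host out of one Received: line.

    Returns None for lines with no "from ... by" (e.g. qmail's local-delivery
    stamp), which describe no network hop."""
    text = " ".join(value.split())          # undo header folding
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    # Only the text between "from" and "by" describes the client; the IP the
    # relay wrote there is the one it actually saw on the socket.
    ip_match = IP_RE.search(text[m.start():m.end()])
    ip = ip_match.group(0) if ip_match else None
    return {
        "client": m.group("client"),          # HELO name; freely chosen by the client
        "seen": m.group("seen"),              # relay's own observation, if recorded
        "ip": ip,
        "by": m.group("by"),
        "private": ip is not None and ipaddress.ip_address(ip).is_private,
    }


def trace(raw):
    """Return the hops in transmission order: injecting client first, our server last."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom line = first hop
        hop = parse_received(value)
        if hop:
            hops.append(hop)
    return hops


def origin(raw):
    """The first hop, i.e. the machine that handed the message to the first relay."""
    hops = trace(raw)
    return hops[0] if hops else None


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def from_matches_path(raw):
    """True if the From: domain agrees with the envelope sender or any relay host.

    Swen's From: lines claim Microsoft domains that never appear anywhere in the
    delivery path, which is the quickest tell once the headers are visible."""
    msg = email.message_from_string(raw)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    path_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    hosts = [h["by"].lower() for h in trace(raw)] + [h["client"].lower() for h in trace(raw)]
    return any(c == from_dom or c.endswith("." + from_dom) for c in [path_dom] + hosts if c)


if __name__ == "__main__":
    for raw in (SAMPLE_IPRIMUS, SAMPLE_FILADELFIA):
        for n, hop in enumerate(trace(raw), 1):
            flag = " (RFC 1918: inside the relay's LAN)" if hop["private"] else ""
            print(f"hop {n}: {hop['client']} [{hop['ip']}] -> {hop['by']}{flag}")
        print("From: domain appears in delivery path:", from_matches_path(raw), "\n")
```

Running it on the first sample shows hop 1 as the client that called itself "nnoudhk" at 202.138.57.245 handing the message to iprimus's relay, and hop 2 as iprimus handing it to EarthLink; the second sample shows the injecting host at 172.16.2.67, a private address, so the infected machine sits behind filadelfia.br's mail gateway rather than being the gateway itself. Abuse reports go to the operator of the first public relay (iprimus, filadelfia.br), with the bottom Received: line and its timestamp quoted, since that operator is the only party who can map the recorded client address back to a customer.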