sobig and MS headers

Peter Peters P.G.M.Peters at utwente.nl
Tue Aug 19 16:12:59 IST 2003


On Tue, 19 Aug 2003 16:56:27 +0200, I wrote:

>|X-MailScanner: Found to be clean
>|X-UTwente-MailScanner: Found to be infected
>
>The best way around this problem is "personalize" the X-headers so you
>can see what happened. I have been able to find a rogue spamassassin
>once because I could link all X-headers but one to all machines but one.

MailScanner appends the header, I believe.

The first real MTA adds a Message-ID because the virus doesn't. The
Message-ID is added after the (fraudulent) X-MailScanner header. So that
header is present before it enters the first real MTA.

Other Received headers are snipped.
|Received: from w152190.ppp.dion.ne.jp ([210.198.152.190] helo=COMPUTER)
|       by buitenpost.surfnet.nl with ESMTP (exPP)
|       for cert-nl at surfnet.nl
|       id 19p7xu-00057p-00; Tue, 19 Aug 2003 17:00:11 +0200
|From: <mattncali at prodigy.net>
|To: <cert-nl at surfnet.nl>
|Subject: {Virus?} Re: Approved
|Date: Wed, 20 Aug 2003 0:02:08 --0700
|X-MailScanner: Found to be clean
|Importance: Normal
|X-Mailer: Microsoft Outlook Express 6.00.2600.0000
|X-MSMail-Priority: Normal
|X-Priority: 3 (Normal)
|MIME-Version: 1.0
|Content-Type: multipart/mixed;
|       boundary="_NextPart_000_05B0E385"
|Message-Id: <E19p7xu-00057p-00 at buitenpost.surfnet.nl>
|X-UTwente-MailScanner: Found to be infected

Look at the host name in the Message-ID and the Received: header.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente,  Postbus 217,  7500 AE  Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
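As an added example, not part of Peter's post or of MailScanner itself, the check below applies the rule he describes: a scanner header that sits before the Message-Id the first real MTA added was already in the message on arrival and cannot be ours, while our own MailScanner appends a site-specific header after it. The sample headers are constructed from the ones quoted above (body dropped, "at" written as "@"); the names SAMPLE, parse_headers, audit_scanner_headers and the default site header name are assumptions.

```python
import re

# Constructed sample modelled on the headers quoted in the post. Only the
# order of the headers matters for the check.
SAMPLE = (
    "Received: from w152190.ppp.dion.ne.jp ([210.198.152.190] helo=COMPUTER)\n"
    "\tby buitenpost.surfnet.nl with ESMTP (exPP)\n"
    "\tid 19p7xu-00057p-00; Tue, 19 Aug 2003 17:00:11 +0200\n"
    "From: <mattncali@prodigy.net>\n"
    "Subject: {Virus?} Re: Approved\n"
    "X-MailScanner: Found to be clean\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "Message-Id: <E19p7xu-00057p-00@buitenpost.surfnet.nl>\n"
    "X-UTwente-MailScanner: Found to be infected\n"
)

def parse_headers(raw):
    """Return (name, value) pairs in file order, unfolding continuation lines."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def audit_scanner_headers(raw, site_header="X-UTwente-MailScanner"):
    """Classify *MailScanner headers: anything before Message-Id, or not under
    our personalised name, is untrusted; also extract the host in Message-Id
    and the 'by' host of the outermost Received so they can be compared."""
    headers = parse_headers(raw)
    names = [n.lower() for n, _ in headers]
    msgid_idx = names.index("message-id") if "message-id" in names else len(names)
    result = {"untrusted": [], "trusted": [], "message_id_host": None, "received_by": None}
    for i, (name, value) in enumerate(headers):
        lname = name.lower()
        if lname.endswith("mailscanner"):
            if i < msgid_idx or lname != site_header.lower():
                result["untrusted"].append(name)
            else:
                result["trusted"].append(name)
        elif lname == "message-id":
            m = re.search(r"@([^>\s]+)", value)
            result["message_id_host"] = m.group(1) if m else None
        elif lname == "received" and result["received_by"] is None:
            m = re.search(r"\bby\s+([^\s;]+)", value)
            result["received_by"] = m.group(1) if m else None
    return result
```

On the sample this marks X-MailScanner as untrusted, X-UTwente-MailScanner as trusted, and shows the same host in the Message-Id and the Received: header.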
