sobig and MS headers

Julian Field mailscanner at ecs.soton.ac.uk
Tue Aug 19 16:28:50 IST 2003


Can a few people please do a bit of investigation for me into header
tracking and see if this definitely is a case of headers being faked?
I would be very interested if I am famous/notorious enough that the virus
writers are trying to get at me.

To verify the point about what headers are used for what, the headers are
only used in 1 place.

When you have a clean message that you are about to sign
         "Sign Clean Messages = yes"
the presence of the main MailScanner header
         "Mail Header = X-MailScanner:"
is checked. If it is already present, and
         "Sign Messages Already Processed = no"
then the inline signature will not be added.

This is so that each message leaving your site is only signed once, no
matter how many of your MailScanner systems it passes through on its
way out of your site.

At 15:56 19/08/2003, you wrote:
>On Tue, 19 Aug 2003 10:42:22 -0400, you wrote:
>
> >> 4) The email has previously passed through a Mailscanner at another site
> >> without an up-to-date set of virus identity files?
> >
> >Nope.  I just took a closer look at the headers.  The email was sent
> >internal to our domain and the only servers it passed through that were
> >running MS were our internal relays.  I admin them all, so I know.
> >
> >Looks to be a faked MailScanner header.
>
>At first I didn't see them. But suddenly I got a few like below:
>
>|X-MailScanner: Found to be clean
>|X-UTwente-MailScanner: Found to be infected
>
>The best way around this problem is "personalize" the X-headers so you
>can see what happened. I have been able to find a rogue spamassassin
>once because I could link all X-headers but one to all machines but one.
>
>--
>Peter Peters, senior netwerkbeheerder
>Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
>Universiteit Twente,  Postbus 217,  7500 AE  Enschede
>telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
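As an added example (not MailScanner's own code, and not part of the original post), the following Python script models the two points raised in the thread: Julian's sign-once rule, which consults the "Mail Header" setting before adding the inline signature, and Peter's observation that a scanner header is only believable if one of your own relays actually added it. The relay name `relay1.example.com`, the sample messages and the configuration dictionary are all constructed placeholders.

```python
"""Sign-once decision and a forged-scanner-header spotter (added example, not MailScanner code)."""
from email import message_from_string

# Constructed config mirroring the three settings named in the post.
CONFIG = {
    "Sign Clean Messages": "yes",
    "Mail Header": "X-MailScanner:",
    "Sign Messages Already Processed": "no",
}

# Assumed hostname of a relay you run MailScanner on (placeholder, not from the post).
TRUSTED_RELAYS = ["relay1.example.com"]


def main_header(config=CONFIG):
    """'Mail Header' carries a trailing colon in the config; strip it for header lookups."""
    return config["Mail Header"].rstrip(":")


def should_sign(msg, config=CONFIG):
    """Sign-once rule from the post: a clean message gets the inline signature unless the
    main MailScanner header is already present and re-signing is switched off."""
    if config["Sign Clean Messages"].lower() != "yes":
        return False
    already_processed = msg.get(main_header(config)) is not None
    if already_processed and config["Sign Messages Already Processed"].lower() != "yes":
        return False
    return True


def unexplained_scanner_headers(msg, trusted_relays=TRUSTED_RELAYS):
    """Return the names of scanner headers on a message whose Received: trail never passes
    through a relay you administer. A 'Found to be clean' header that none of your own
    relays added did not come from your scanner, so it is likely forged. A site-personalised
    header such as X-UTwente-MailScanner is matched too, since 'mailscanner' is in its name."""
    trail = " ".join(str(h) for h in msg.get_all("Received", [])).lower()
    if any(relay.lower() in trail for relay in trusted_relays):
        return []
    return [name for name in msg.keys() if "mailscanner" in name.lower()]


def parse(raw):
    """Parse a raw RFC 822 message string into an email.message.Message."""
    return message_from_string(raw)


# Constructed sample messages; hosts and addresses are documentation placeholders.
UNSCANNED = (
    "Received: from pc123.example.com ([192.0.2.10]) by mail.example.com; Tue, 19 Aug 2003 10:42:22 -0400\n"
    "From: alice@example.com\nTo: bob@example.com\nSubject: Re: Details\n\nbody\n"
)

# Claims to have been scanned, but never touched relay1.example.com: the header is unexplained.
FORGED_INTERNAL = (
    "Received: from pc123.example.com ([192.0.2.10]) by mail.example.com; Tue, 19 Aug 2003 10:42:22 -0400\n"
    "From: alice@example.com\nTo: bob@example.com\nSubject: Re: Details\n"
    "X-MailScanner: Found to be clean\n\nbody\n"
)

# Passed through the trusted relay, which added the header legitimately.
SCANNED_BY_RELAY = (
    "Received: from mail.example.com by relay1.example.com; Tue, 19 Aug 2003 10:43:01 -0400\n"
    "Received: from pc123.example.com ([192.0.2.10]) by mail.example.com; Tue, 19 Aug 2003 10:42:22 -0400\n"
    "From: alice@example.com\nTo: bob@example.com\nSubject: Re: Details\n"
    "X-MailScanner: Found to be clean\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("unscanned", UNSCANNED), ("forged", FORGED_INTERNAL), ("scanned", SCANNED_BY_RELAY)):
        m = parse(raw)
        print(label, "sign:", should_sign(m), "unexplained:", unexplained_scanner_headers(m))
```

The relay check is deliberately coarse (a substring match over the Received: lines); in production you would compare against the exact hostnames and IP addresses your own MTAs stamp, which is also why personalising the header name per site, as Peter suggests, makes the mismatch easier to see by eye.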
