sobig and MS headers

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Tue Aug 19 17:04:30 IST 2003


Or quarantine a copy of the virus message, decode it, and 'strings virusfile
| grep -i mailscanner'...

> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: Tuesday, August 19, 2003 10:29 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: sobig and MS headers
>
>
> Can a few people please do a bit of investigation for me into header
> tracking and see if this definitely is a case of headers being faked?
> I would be very interested if I am famous/notorious enough that the virus
> writers are trying to get at me.
>
> To verify the point about what headers are used for what, the headers are
> only used in 1 place.
>
> When you have a clean message that you are about to sign
>          "Sign Clean Messages = yes"
> the presence of the main MailScanner header
>          "Mail Header = X-MailScanner:"
> is checked. If it is already present, and
>          "Sign Messages Already Processed = no"
> then the inline signature will not be added.
>
> This is so that each message leaving your site is only signed once, no
> matter how many of your MailScanner systems it passes through on its
> way out of your site.
>
> At 15:56 19/08/2003, you wrote:
> >On Tue, 19 Aug 2003 10:42:22 -0400, you wrote:
> >
> > >> 4) The email has previously passed through a Mailscanner at another site
> > >> without an up-to-date set of virus identity files?
> > >
> > >Nope.  I just took a closer look at the headers.  The email was sent
> > >internal to our domain and the only servers it passed through that were
> > >running MS were our internal relays.  I admin them all, so I know.
> > >
> > >Looks to be a faked MailScanner header.
> >
> >At first I didn't see them. But suddenly I got a few like below:
> >
> >|X-MailScanner: Found to be clean
> >|X-UTwente-MailScanner: Found to be infected
> >
> >The best way around this problem is to "personalize" the X-headers so you
> >can see what happened. I have been able to find a rogue spamassassin
> >once because I could link all X-headers but one to all machines but one.
> >
> >--
> >Peter Peters, senior network administrator
> >Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> >Universiteit Twente,  Postbus 217,  7500 AE  Enschede
> >phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
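The thread describes three things a MailScanner admin can check: the "sign once" rule (a clean message is signed only if the configured `Mail Header` is not already present, unless `Sign Messages Already Processed = yes`), a personalised site header that contradicts a generic `X-MailScanner` header, and Trever's `strings | grep -i mailscanner` test for the header text sitting inside the message payload itself. The script below is an added example written for this page, not MailScanner's own code; the sample message, attachment bytes and addresses are constructed, and the site header name is the one Peter quoted.

```python
"""Added example, not MailScanner's own code: model the 'sign once' header check
Julian describes, and the two checks the thread suggests for spotting a faked
X-MailScanner header (a personalised site header that disagrees with it, and the
header text showing up inside the message's own payload)."""
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

GENERIC_HEADER = "X-MailScanner"       # default "Mail Header = X-MailScanner:" value
SITE_HEADER = "X-UTwente-MailScanner"  # personalised name quoted in the thread


def build_sample() -> str:
    """Constructed sample (hypothetical addresses and content): an inbound
    message that already carries a generic 'clean' verdict, a site header that
    says otherwise, and an attachment whose bytes contain the header text."""
    msg = MIMEMultipart()
    msg["From"] = "someone@example.org"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Re: Thank you!"
    msg[GENERIC_HEADER] = "Found to be clean"
    msg[SITE_HEADER] = "Found to be infected"
    msg.attach(MIMEText("Please see the attached file for details."))
    payload = b"\x00constructed-binary\x00X-MailScanner: Found to be clean\x00"
    msg.attach(MIMEApplication(payload, Name="attachment.bin"))
    return msg.as_string()


def parse(raw: str) -> Message:
    """Parse a raw RFC 822 message as read from a quarantine directory."""
    return message_from_string(raw)


def should_sign(msg: Message, sign_clean: bool = True,
                sign_already_processed: bool = False,
                mail_header: str = GENERIC_HEADER) -> bool:
    """The signing decision as described in the thread: a clean message gets
    the inline signature only when 'Sign Clean Messages = yes', and if the
    'Mail Header' is already present it is skipped unless
    'Sign Messages Already Processed = yes'."""
    if not sign_clean:
        return False
    if msg.get(mail_header) is not None and not sign_already_processed:
        return False
    return True


def scanner_headers(msg: Message) -> list:
    """Every header whose name mentions MailScanner, generic or personalised."""
    return [(name, value.strip()) for name, value in msg.items()
            if "mailscanner" in name.lower()]


def spoof_indicators(msg: Message, site_header: str = SITE_HEADER) -> list:
    """Reasons to distrust a generic X-MailScanner header on this message."""
    reasons = []
    generic = msg.get(GENERIC_HEADER)
    site = msg.get(site_header)
    if generic is not None and site is not None:
        # Our own scanners only ever write the personalised header, so a generic
        # one was added somewhere else, or by whatever composed the message.
        reasons.append("generic header present although this site uses %s" % site_header)
        if "clean" in generic.lower() and "infected" in site.lower():
            reasons.append("generic header says clean but site header says infected")
    return reasons


def payload_mentions_scanner(msg: Message, needle: bytes = b"mailscanner"):
    """Trever's check, done on decoded parts instead of 'strings | grep -i':
    return the first part whose bytes contain the header text, else None."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if needle in data.lower():
            return part.get_filename() or part.get_content_type()
    return None


def analyse(raw: str) -> dict:
    """Run all checks over a raw message and summarise them."""
    msg = parse(raw)
    return {
        "would_sign": should_sign(msg),
        "scanner_headers": scanner_headers(msg),
        "spoof_indicators": spoof_indicators(msg),
        "payload_hit": payload_mentions_scanner(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(build_sample()).items():
        print(f"{key}: {value}")
```

Run it on a quarantined message with `analyse(open(path).read())`. The `payload_hit` result is the part that would have made Trever's `strings` pipe light up; with a personalised `Mail Header` configured, `should_sign(msg, mail_header="X-UTwente-MailScanner")` shows that a foreign or forged generic header no longer suppresses your own signature.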