Header breakdown of MS and Sobig
Thomas DuVally
thomas_duvally at BROWN.EDU
Tue Aug 19 17:23:49 IST 2003
Below is a header of a Sobig-infected e-mail. I annotated it to show which
systems it passes through so all can see that it really is the virus
adding the X-MailScanner header.
> Microsoft Mail Internet Headers Version 2.0
> Received: from draco.services.brown.edu ([128.148.19.208]) by
> XX.brown.edu with Microsoft SMTPSVC(5.0.2195.5329);
> Tue, 19 Aug 2003 11:50:01 -0400
Exchange server getting it from our MX relay - not running MS
> Received: from SSA02 ([216.243.17.125])
External system infected w/Sobig.F
> by draco.services.brown.edu (Switch-3.1.0/Switch-3.1.0/) with
> ESMTP id h7JFmQOx012290
> for <postmaster at brown.edu>; Tue, 19 Aug 2003 11:48:26 -0400
> (EDT)
Our MX relay running MS with modified signature
> Message-Id: <200308191548.h7JFmQOx012290 at draco.services.brown.edu>
> From: <mseventos at microsoft.com.ve>
> To: <postmaster at brown.edu>
> Subject: Re: Details
> Date: Tue, 19 Aug 2003 11:45:06 --0400
> X-MailScanner: Found to be clean
Forged signature
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="_NextPart_000_136203C7"
> X-Brown-MailScanner: Found to be infected
Sig added by our MX relay.
> Return-Path: mseventos at microsoft.com.ve
> X-OriginalArrivalTime: 19 Aug 2003 15:50:01.0850 (UTC)
--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6
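The distinction the post draws (the generic X-MailScanner header arrives inside the worm's message, while the relay's site-specific X-Brown-MailScanner header is the one that can be believed) can be turned into a small check. The example below is added here and is not code from the post or from MailScanner: it parses the Received chain bottom-up to recover the hops, treats a scanner header as trustworthy only when it carries the site-specific name and the trusted relay appears in the chain, and shows the gateway-side mitigation of discarding any scanner headers present on arrival before adding its own. The sample header is constructed from the one quoted above (with the archive's " at " obfuscation of addresses undone); the relay set, header names and function names are assumptions for the illustration.

```python
import re
import email

# Assumptions for this example: our MX relay that runs MailScanner, the
# site-specific header it adds, and the default name the worm forges.
TRUSTED_RELAYS = {"draco.services.brown.edu"}
LOCAL_SCANNER_HEADER = "X-Brown-MailScanner"   # modified signature added by our relay
GENERIC_SCANNER_HEADER = "X-MailScanner"       # default name, carried inside the worm's mail

# Constructed sample modeled on the header quoted in the post.
SAMPLE = """\
Received: from draco.services.brown.edu ([128.148.19.208]) by
 XX.brown.edu with Microsoft SMTPSVC(5.0.2195.5329);
 Tue, 19 Aug 2003 11:50:01 -0400
Received: from SSA02 ([216.243.17.125])
 by draco.services.brown.edu (Switch-3.1.0/Switch-3.1.0/) with
 ESMTP id h7JFmQOx012290
 for <postmaster@brown.edu>; Tue, 19 Aug 2003 11:48:26 -0400 (EDT)
Message-Id: <200308191548.h7JFmQOx012290@draco.services.brown.edu>
From: <mseventos@microsoft.com.ve>
To: <postmaster@brown.edu>
Subject: Re: Details
Date: Tue, 19 Aug 2003 11:45:06 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_136203C7"
X-Brown-MailScanner: Found to be infected
Return-Path: mseventos@microsoft.com.ve

(body omitted)
"""


def parse(raw):
    """Parse a raw RFC 822 message; the compat32 policy leaves malformed
    headers such as the worm's '--0400' Date untouched instead of failing."""
    return email.message_from_string(raw)


def received_hops(msg):
    """Return (from_host, by_host) pairs in delivery order, oldest hop first.
    Received headers are prepended by each relay, so the bottom one is the
    first hop and the top one is the last."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())              # unfold continuation lines
        m = re.match(r"from\s+(\S+).*?\s+by\s+(\S+)", text)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def scanner_verdicts(msg):
    """Classify every scanner header as 'trusted' or 'untrusted'. Only the
    site-specific header counts, and only if one of our relays appears in
    the Received chain; the generic header is sender-controlled data."""
    relay_seen = any(by.lower() in TRUSTED_RELAYS for _, by in received_hops(msg))
    names = {LOCAL_SCANNER_HEADER.lower(), GENERIC_SCANNER_HEADER.lower()}
    verdicts = []
    for name, value in msg.items():
        if name.lower() not in names:
            continue
        trusted = name.lower() == LOCAL_SCANNER_HEADER.lower() and relay_seen
        verdicts.append((name, value.strip(), "trusted" if trusted else "untrusted"))
    return verdicts


def is_infected(msg):
    """True when a trusted scanner verdict reports an infection. A forged
    'Found to be clean' in the generic header never overrides it."""
    return any(trust == "trusted" and "infected" in value.lower()
               for _, value, trust in scanner_verdicts(msg))


def strip_inbound_scanner_headers(msg):
    """Gateway-side mitigation: drop any scanner headers that arrive with the
    message, so the only copy left is the one the gateway adds itself."""
    del msg[GENERIC_SCANNER_HEADER]
    del msg[LOCAL_SCANNER_HEADER]
    return msg


if __name__ == "__main__":
    m = parse(SAMPLE)
    for hop in received_hops(m):
        print("hop: from %s by %s" % hop)
    for verdict in scanner_verdicts(m):
        print("scanner header: %s: %s (%s)" % verdict)
    print("infected:", is_infected(m))
```

Run as a script it lists the two hops (SSA02 into draco, draco into the Exchange server), marks the generic "Found to be clean" as untrusted and the site-specific "Found to be infected" as trusted, and reports the message as infected. The design point is that the verdict must come from a header name the outside world does not know and that the gateway removes on arrival; checking the header's value alone is what the worm's forged line exploits.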