sobig and MS headers

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Tue Aug 19 17:37:51 IST 2003


On Tuesday 19 August 2003 4:28 pm, Julian Field wrote:

> Can a few people please do a bit of investigation for me into header
> tracking and see if this definitely is a case of headers being faked?
> I would be very interested if I am famous/notorious enough that the virus
> writers are trying to get at me.

Yes, I can confirm this too.

Here are the original headers of an email as it arrived on my server, before 
it got scanned by my MailScanner:

 Received: from coll.pair.com (coll.pair.com [209.68.1.53])
        by Beryl.Rockstone.co.uk (8.11.4/8.11.4) with SMTP id h7JGEYr12229
        for <traveleshop at lindawatts.co.uk>; Tue, 19 Aug 2003 17:14:34 +0100
 Message-Id: <200308191614.h7JGEYr12229 at Beryl.Rockstone.co.uk>
 Received: (qmail 9747 invoked by uid 22276); 19 Aug 2003 16:14:34 -0000
 Delivered-To: rachael-traveleshop:com-WebMaster at TravelEShop.com
 Received: (qmail 9552 invoked from network); 19 Aug 2003 16:14:19 -0000
 Received: from mailgate.bvca.co.uk (HELO MARY-JANE) (62.49.96.186)
   by coll.pair.com with SMTP; 19 Aug 2003 16:14:19 -0000
 From: <hitheredavehume at hotmail.com>
 To: <WebMaster at TravelEShop.com>
 Subject: Re: Re: My details
 Date: Tue, 19 Aug 2003 17:12:53 +0100
 X-MailScanner: Found to be clean
 Importance: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
 X-MSMail-Priority: Normal
 X-Priority: 3 (Normal)
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
        boundary="_NextPart_000_01CEAFFF"

As you can see, the order in which the headers appear clearly shows that the
"X-MailScanner: Found to be clean" was included by the sender, not appended
by a mail server somewhere along the way :)

Well done Julian?

Antony.

-- 

If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.
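
The header-order check described in this post, as an added Python example that is not part of the original message or of MailScanner: it flags an X-MailScanner header that sits below the bottom-most Received line and is still followed by client-written headers. The ORIGINATOR set, the verdict names and both sample header blocks are constructed assumptions.

```python
from email.parser import HeaderParser

# Headers normally written by the sending mail client, not by relays (assumed set).
ORIGINATOR = {"from", "to", "cc", "subject", "date", "mime-version",
              "content-type", "x-mailer", "importance", "x-priority"}

def classify_header(raw_headers, name="X-MailScanner"):
    """Return [(value, verdict)] for each occurrence of `name`."""
    fields = HeaderParser().parsestr(raw_headers, headersonly=True).items()
    names = [k.lower() for k, _ in fields]
    # Relays prepend Received lines, so the bottom-most one marks the first hop.
    last_received = max((i for i, n in enumerate(names) if n == "received"),
                        default=-1)
    results = []
    for i, (key, value) in enumerate(fields):
        if key.lower() != name.lower():
            continue
        if i < last_received:
            verdict = "in-transit"       # above a Received line: added by a hop
        elif any(n in ORIGINATOR for n in names[i + 1:]):
            verdict = "sender-supplied"  # sandwiched inside the client's headers
        else:
            verdict = "appended"         # trailing position: plausibly a filter
        results.append((value.strip(), verdict))
    return results

# Constructed sample, same header order as the message quoted in the post.
SUSPECT = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with SMTP id abc123; Tue, 19 Aug 2003 17:14:34 +0100
Received: from CLIENT (HELO CLIENT) (198.51.100.7)
\tby relay.example.net with SMTP; 19 Aug 2003 16:14:19 -0000
From: <sender@example.com>
To: <webmaster@example.org>
Subject: Re: Re: My details
Date: Tue, 19 Aug 2003 17:12:53 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
"""

# Constructed sample: the same mail with the header added at the end instead.
APPENDED = SUSPECT.replace("X-MailScanner: Found to be clean\n", "") + \
    "X-MailScanner: Found to be clean\n"

if __name__ == "__main__":
    print(classify_header(SUSPECT))
    print(classify_header(APPENDED))
```

An "appended" or "in-transit" verdict only means the position is consistent with a relay or filter having added the header; it does not authenticate the header.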



