sobig and MS headers
Julian Field
mailscanner at ecs.soton.ac.uk
Tue Aug 19 17:25:35 IST 2003
Tried that already, it's compressed so you can't see anything.
At 17:04 19/08/2003, you wrote:
>Or quarantine a copy of the virus message, decode it, and 'strings virusfile
>| grep -i mailscanner'...
>
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> > Sent: Tuesday, August 19, 2003 10:29 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: sobig and MS headers
> >
> >
> > Can a few people please do a bit of investigation for me into header
> > tracking and see if this definitely is a case of headers being faked?
> > I would be very interested if I am famous/notorious enough
> > that the virus
> > writers are trying to get at me.
> >
> > To verify the point about what headers are used for what, the
> > headers are
> > only used in 1 place.
> >
> > When you have a clean message that you are about to sign
> > "Sign Clean Messages = yes"
> > the presence of the main MailScanner header
> > "Mail Header = X-MailScanner:"
> > is checked. If it is already present, and
> > "Sign Messages Already Processed = no"
> > then the inline signature will not be added.
> >
> > This is so that each message leaving your site is only signed once, no
> > matter however many of your MailScanner systems it passes
> > through on its
> > way out of your site.
> >
> > At 15:56 19/08/2003, you wrote:
> > >On Tue, 19 Aug 2003 10:42:22 -0400, you wrote:
> > >
> > > >> 4) The email has previously passed through a Mailscanner
> > at another site
> > > >> without an up-to-date set of virus identitiy files?
> > > >
> > > >Nope. I just took a closer look at the headers. The
> > email was sent
> > > >internal to our domain and the only servers it passed
> > through that were
> > > >running MS were our internal relays. I admin them all, so I know.
> > > >
> > > >Looks to be a faked MailScanner header.
> > >
> > >At first I didn't see them. But suddenly I got a few like below:
> > >
> > >|X-MailScanner: Found to be clean
> > >|X-UTwente-MailScanner: Found to be infected
> > >
> > >The best way around this problem is "personalize" the
> > X-headers so you
> > >can see what happened. I have been able to find a rogue spamassassin
> > >once because I could link all X-headers but one to all
> > machines but one.
> > >
> > >--
> > >Peter Peters, senior netwerkbeheerder
> > >Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> > >Universiteit Twente, Postbus 217, 7500 AE Enschede
> > >telefoon: 053 - 489 2301, fax: 053 - 489 2383,
> > http://www.utwente.nl/civ
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
More information about the MailScanner
mailing list