sobig virus

Joe Stuart jstuart at EDENPR.K12.MN.US
Wed Aug 20 18:08:47 IST 2003


I was wrong, it did not go through MailScanner. Uly told me that some of
the newer viruses are using lower MX records, so we did some
investigating, and it turns out that the company that handles our
external DNS had an old entry for a backup mailserver that should not
have been there, which the virus was relaying through. Thanks Uly for
that. And yeah, the X-MailScanner was the reason I thought it was getting
through; thanks for pointing that out.

Joe


>>> mbowman at UDCOM.COM 08/20/03 12:02PM >>>
I am getting a lot of these too. My understanding is it's because the
e-mail is being sent to a machine that doesn't have MailScanner. Perhaps
the culprits are port scanning 25 and are emailing the servers directly
and avoiding the Primary MX (which in our case has MailScanner running).

Matthew





Julian Field <mailscanner at ECS.SOTON.AC.UK>
Sent by: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
08/20/2003 12:22 PM
Please respond to MailScanner mailing list


        To:     MAILSCANNER at JISCMAIL.AC.UK
        cc:
        Subject:        Re: sobig virus


At 17:09 20/08/2003, you wrote:
>Here is one from mine. that went through
>
>Received: from S0030213072
>         (mul2.dsl.visi.com [209.98.144.89])
>         by edenpr.k12.mn.us; Wed, 20 Aug 2003 11:01:20 -0500
>From: <kenrep at on.aibn.com>
>To: <rgrassel at edenpr.k12.mn.us>
>Subject: Re: Wicked screensaver
>Date: Wed, 20 Aug 2003 10:59:53 --0500
>X-MailScanner: Found to be clean
>Importance: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>X-MSMail-Priority: Normal
>X-Priority: 3 (Normal)
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
>         boundary="_NextPart_000_245BAC29"
>
>This is a multipart message in MIME format
>
>--_NextPart_000_245BAC29
>Content-Type: text/plain;
>         charset="iso-8859-1"
>Content-Transfer-Encoding: 7bit
>
>Please see the attached file for details.
>--_NextPart_000_245BAC29
>Content-Type: application/octet-stream;
>         name="details.pif"
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment;
>         filename="details.pif"

So if it got through MailScanner, where are the headers showing it?
(And I don't mean the "X-MailScanner: Found to be clean" that was in the
original virus sent to you).
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
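
The check discussed in this thread, as an added example that is not part of the original messages or of MailScanner itself: an X-MailScanner header only counts if a Received line written by one of your own servers shows the message passed through a host that runs the scanner. The host names, the header name default and the sample message are constructed assumptions.

```python
import email
import re
from itertools import takewhile

# Assumed site layout (hypothetical names): every host that accepts mail for
# the domain, and the subset of those that actually runs the scanner.
OWN_HOSTS = {"mx1.example.org", "backup.example.org", "mailstore.example.org"}
SCANNER_HOSTS = {"mx1.example.org"}

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def trusted_hops(msg, own_hosts=OWN_HOSTS):
    """'by' hosts of the newest Received headers, up to the first foreign one.

    Only these were written by our own servers; anything below them arrived
    with the message and can be forged, like the X-MailScanner header.
    """
    hops = []
    for value in msg.get_all("Received", []):
        m = BY_HOST.search(value)
        hops.append(m.group(1).lower().rstrip(".") if m else "")
    return list(takewhile(lambda h: h in own_hosts, hops))

def classify(raw, scanner_hosts=SCANNER_HOSTS, header="X-MailScanner"):
    """Return 'scanned', 'forged-header' or 'bypassed-scanner'."""
    msg = email.message_from_string(raw)
    if any(h in scanner_hosts for h in trusted_hops(msg)):
        return "scanned"
    has_claim = msg.get(header) is not None
    return "forged-header" if has_claim else "bypassed-scanner"

# Constructed sample: delivered straight to a backup host, carrying its own
# "clean" header, modelled on the message quoted in the thread.
SAMPLE = (
    "Received: from S0000000000\n"
    "\t(host.example.net [192.0.2.89])\n"
    "\tby backup.example.org; Wed, 20 Aug 2003 11:01:20 -0500\n"
    "From: <sender@example.net>\n"
    "To: <user@example.org>\n"
    "Subject: Re: Wicked screensaver\n"
    "X-MailScanner: Found to be clean\n"
    "\n"
    "Please see the attached file for details.\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A steady stream of "forged-header" or "bypassed-scanner" results for one receiving host points at an MX or DNS entry that lets mail skip the scanning server, which is what the stale backup record did here.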


