Handling mass-mailing worms, was: Does Lirva send from a genuine address?

Richard Siddall richard.siddall at ELIRION.NET
Mon Jan 13 13:59:49 GMT 2003

Julian Field wrote:
> I can see us all slowly coming to the situation that we turn off sender
> warnings altogether some time in the next year or so. Trouble is, this is
> going to make the virus situation worse than ever as there will be
> (practically) no way of finding the infected machines spewing out these
> messages.

I have noticed that viruses received from AOL include an
X-Apparently-From: header, which presumably the AOL mail server is
inserting when receiving mail from the SMTP server built into the virus.

I haven't verified whether you can contact the owner of the infected
machine using the email address in this header.

On a side note, it's a pity the virus scanner manufacturers don't
include information on how to handle the virus in the detection report.

For mass-mailing viruses, the best approach may be to report the virus
to a distributed intrusion service like Dshield or myNetWatchman.  They
can aggregate all the reports and contact the ISP's abuse department.
(Unfortunately, this may be as close to the infected machine as you can
get without the ISP's authentication records.)


        Richard Siddall
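The header triage the post describes (reading a provider-added X-Apparently-From header and walking the Received chain to find the host that submitted the message, so an abuse report can name it rather than the forged From address), as an added Python example that is not part of the original post or the MailScanner project. The sample message, host names and addresses are constructed; treating X-Apparently-From as the provider's record of the real submitting account is an assumption, not a documented AOL format.

```python
"""Pull out the fields a mail admin would put in an abuse report about a
mass-mailing worm: the provider-added X-Apparently-From header (if any) and
the first-hop IP from the Received chain.  Added example; the message below
is constructed, and the X-Apparently-From layout is assumed."""

import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: worm mail relayed through a provider that tagged the
# submitting account, with a forged From: line.  Addresses are documentation
# ranges / example domains, not real hosts.
SAMPLE_MESSAGE = """Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id ABC123
\tfor <victim@example.org>; Mon, 13 Jan 2003 13:00:00 +0000
Received: from dialup-host (user-pool.example-isp.net [198.51.100.25])
\tby mail.example-isp.net with SMTP id XYZ789; Mon, 13 Jan 2003 12:59:00 +0000
X-Apparently-From: realuser@example-isp.net
From: "Spoofed Name" <spoofed@example.com>
To: victim@example.org
Subject: Re: your document
Message-ID: <sample@example-isp.net>

(worm body omitted)
"""

# A dotted-quad inside square brackets, as MTAs write the peer address.
IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg):
    """Return the peer IP recorded by the earliest Received header.

    Each relay prepends its own Received line, so the last one in header
    order is the first hop: the host that handed the message to the first
    relay.  Only hops up to the first one you trust are meaningful; earlier
    lines can be forged by the sending machine itself."""
    received = msg.get_all("Received") or []
    for hdr in reversed(received):
        match = IP_IN_RECEIVED.search(hdr)
        if match:
            return match.group(1)
    return None


def abuse_report_fields(raw_message):
    """Collect the identifiers worth sending to an ISP abuse desk."""
    msg = message_from_string(raw_message)
    apparent = parseaddr(msg.get("X-Apparently-From", ""))[1] or None
    claimed = parseaddr(msg.get("From", ""))[1] or None
    return {
        # Provider's own record of the submitting account (when present);
        # this, not the From: line, is the address to contact.
        "envelope_hint": apparent,
        # What the worm wrote in From:; usually harvested from a victim's
        # address book, so never reply to it.
        "claimed_from": claimed,
        # True when the provider's record disagrees with the From: line,
        # which is the usual signature of a mass-mailer forging the sender.
        "sender_mismatch": apparent is not None and apparent != claimed,
        "origin_ip": originating_ip(msg),
        "message_id": msg.get("Message-ID"),
    }


if __name__ == "__main__":
    for key, value in abuse_report_fields(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The Received walk stops at the earliest header it finds, so on real mail you would first discard any Received lines below your own trusted relays, since the infected host controls everything it emits above its own connection.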

More information about the MailScanner mailing list