brose at MED.WAYNE.EDU
Wed Jan 28 23:51:00 GMT 2004
In this example, the virus source was med.wayne.edu [188.8.131.52].
Med.wayne.edu is in the 146.9-netblock.
Received: from media.cfhosting.net [184.108.40.206] by cfpop.cfhosting.net
(SMTPD32-8.02) id AB3F23480150; Tue, 27 Jan 2004 14:25:51 -0500
Received: from med.wayne.edu [220.127.116.11] by media.cfhosting.net
(SMTPD32-8.02) id AB4B827011A; Tue, 27 Jan 2004 14:26:03 -0500
From: claudia at med.wayne.edu
To: serg at telementor.org
Date: Tue, 27 Jan 2004 12:26:01 -0700
Message-Id: <200401271426515.SM04916 at med.wayne.edu>
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Chris Yuzik
Sent: Wednesday, January 28, 2004 6:46 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: MyDoom Countermeasures
Rose, Bobby wrote:
>You would think that the AV vendors would have posted this info when
>they deconstructed it. It also uses the domain name of the email
>address that it's sending to as the source system hostname.
Are you sure about this? I'm seeing a lot of messages coming in that
don't look like that's the case.
Can you provide an example so I know I'm looking at the right stuff?
>I had a
>postmaster using Declude AV software email me about the virus coming
>from us and I pointed out that the system hostname of the source
>machine being used wouldn't resolve to the IP address of the source
>machine. I guess he wasn't doing reverse lookups.
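The check Bobby Rose describes (the hostname a MyDoom-infected sender claims in the SMTP dialogue does not resolve to the IP the relay actually saw) applied to the Received headers quoted above, as an added example that is not part of the original thread. The DNS table is constructed, with hypothetical addresses; for live lookups pass `lambda n: socket.gethostbyname_ex(n)[2]` as the resolver instead.

```python
import re
from typing import Callable, Dict, List

# "Received: from <claimed-host> [<ip>] by <relay>" as written by the SMTPD32 relays in
# the headers quoted above. Only the first physical line of each header is needed, so
# folded continuation lines (starting with whitespace) are simply skipped.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<claimed>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def check_received(raw_headers: str, resolve: Callable[[str], List[str]]) -> List[dict]:
    """For each hop, flag the claimed hostname as forged when it does not resolve to the
    address the relay recorded. `resolve` maps a hostname to its A records."""
    hops = []
    for line in raw_headers.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        claimed, ip = m.group("claimed"), m.group("ip")
        try:
            addrs = resolve(claimed)
        except OSError:  # NXDOMAIN or resolver failure: treat as "does not resolve"
            addrs = []
        hops.append({"claimed": claimed, "ip": ip, "by": m.group("by"), "forged": ip not in addrs})
    return hops

# Constructed sample: the two hops quoted in the message, with the addresses as they appear there.
SAMPLE_HEADERS = """\
Received: from media.cfhosting.net [184.108.40.206] by cfpop.cfhosting.net
 (SMTPD32-8.02) id AB3F23480150; Tue, 27 Jan 2004 14:25:51 -0500
Received: from med.wayne.edu [220.127.116.11] by media.cfhosting.net
 (SMTPD32-8.02) id AB4B827011A; Tue, 27 Jan 2004 14:26:03 -0500
"""

# Constructed DNS table standing in for live lookups (hypothetical addresses, not real records):
# the relay's own name matches its address, while the name the virus claimed does not.
FAKE_DNS: Dict[str, List[str]] = {
    "media.cfhosting.net": ["184.108.40.206"],
    "med.wayne.edu": ["146.9.0.1"],
}

def demo() -> List[dict]:
    return check_received(SAMPLE_HEADERS, lambda name: FAKE_DNS.get(name, []))

if __name__ == "__main__":
    for hop in demo():
        print(f"{hop['claimed']:22} [{hop['ip']}] -> {'FORGED' if hop['forged'] else 'ok'}")
```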