nanog mailing list archives

Re: Weird email messages with "re:movie" and "re:application" in the subject line..
From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 25 Jun 2003 23:37:56 -0400

In message <200306260325.h5Q3PP5U025759 () nic-naa net>, Eric Brunner-Williams in 
Portland Maine writes:

W32/sobig.e () MM per McAfee.....

I seem to have done one better ... according to a M$ host in Level3-land,
the Unix box right in front of me sent the mail in question.

Someone at L3 needs to call home. The only L3 turd in my mail log is their

Jun 25 18:21:11 nic-naa sm-mta[24589]: h5PMLB5U024589: from=<administrator () Level3.com>, size=1711, class=0, nrcpts=1, msgid=<012d01c33b68$2bd14b40$d706010a@corp.global.level3.com>, proto=ESMTP, daemon=MTA, relay=machine77.Level3.com []

And I've gotten bounces from mail allegedly from me.  It's not L3's 
fault; this particular worm forges From: lines on its email.

Another day, another worm.

                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com (2nd edition of "Firewalls" book)
