Full Disclosure mailing list archives
Re: Does Swen forge the sender? WARNING - LONG POST
From: Kee Hinckley <nazgul () somewhere com>
Date: Sat, 27 Sep 2003 22:47:20 -0400
At 11:40 AM -0500 9/27/03, Paul Schmehl wrote:
1st header is a "bounce" to my work account. Unfortunately the bouncing party didn't bother to include the original message headers, but it's evident that they *thought* that I sent them the virus. Since the "From" address was "Microsoft Security Support" <dyfotwrltwosb_whweemsf () bulletin msn com>, how does this get back to me unless the "MAIL FROM" command was "pauls () utdallas edu"?
Are you certain that's a bounce? It looks to me as though the sending machine cleaned the virus, but then let the message go out anyway. (A policy which must date from back in the days of macro viruses, when there actually was some useful content and the virus didn't send itself--seems pretty poor policy now.)
Received: from null-pmn.utdallas.edu ([129.110.10.1]) by utdevs02.campus.ad.utdallas.edu with Microsoft SMTPSVC(5.0.2195.6713); Sat, 27 Sep 2003 00:49:54 -0500
Received: from localhost (localhost [127.0.0.1]) by null-pmn.utdallas.edu (Postfix) with ESMTP id 404FE1A06B1 for <pauls () utdallas edu>; Sat, 27 Sep 2003 00:50:04 -0500 (CDT)
Received: from mx0.utdallas.edu ([127.0.0.1]) by localhost (ns0 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 29640-01-56 for <pauls () utdallas edu>; Sat, 27 Sep 2003 00:50:03 -0500 (CDT)
Received: from mail.cosmofilms.com (unknown [203.112.156.12]) by mx0.utdallas.edu (Postfix) with ESMTP id F175A38A92 for <pauls () utdallas edu>; Sat, 27 Sep 2003 00:46:09 -0500 (CDT)
Received: from mail.cosmofilms.com (localhost [127.0.0.1]) by mail.cosmofilms.com (8.12.9/8.12.9) with ESMTP id h8R5jW2B005365 for <pauls () utdallas edu>; Sat, 27 Sep 2003 11:17:10 +0530
Received: from aygad (logistic.cosmofilms.com [192.9.200.210]) by mail.cosmofilms.com (8.12.9/8.12.9) with SMTP id h8R5ij5w005085; Sat, 27 Sep 2003 11:14:45 +0530
Date: Sat, 27 Sep 2003 11:14:45 +0530
Message-Id: <200309270544.h8R5ij5w005085 () mail cosmofilms com>
From: "Microsoft Security Support" <dyfotwrltwosb_whweemsf () bulletin msn com>
To: " " <zwhbfu_ajnkwdm () bulletin msn com>
SUBJECT: Current Net Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yczwccphdsq"
Return-Path: webserv () cosmofilms com
X-OriginalArrivalTime: 27 Sep 2003 05:49:54.0912 (UTC) FILETIME=[2D3B5600:01C384BB]

--lodywg
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:oygkdfqowfov" height=3D0 width=3D0></iframe>
<BR><BR><BR>Undelivered mail to <B>lajgfy () bigfoot com</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--lodywg
Content-Type: audio/x-wav; name="ctlsz.scr"
Content-Transfer-Encoding: base64
Content-Id: <oygkdfqowfov>

------------------ Virus Warning Message (on mail.cosmofilms.com)

Found virus WORM_SWEN.A in file Pack6579.exe
The uncleanable file is deleted.
--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
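The question in this thread is which sender identity a Swen message carries and which hop it actually came from. The headers Kee quotes answer that if you walk the Received: chain from the bottom up and compare the envelope sender (Return-Path) with the header From. The following script is an added example, not code from either poster; it feeds the quoted headers (with the archive's "user () host tld" address obfuscation reversed so the parser sees normal addresses) into Python's standard email parser, reports the originating hop, the hop at which a foreign host handed the message to the recipient's own infrastructure (the only hop a recipient can trust), and whether the two sender domains agree. The local domain name passed to trace() is an assumption taken from the "for <pauls@utdallas.edu>" clauses.

```python
import email
import re
from email.utils import parseaddr
from typing import Dict, Optional

# Headers as quoted in the post above. The list archive prints addresses as
# "user () host tld"; the '@' and dots are restored here so parsing works.
SAMPLE_HEADERS = """\
Received: from null-pmn.utdallas.edu ([129.110.10.1]) by utdevs02.campus.ad.utdallas.edu with Microsoft SMTPSVC(5.0.2195.6713); Sat, 27 Sep 2003 00:49:54 -0500
Received: from localhost (localhost [127.0.0.1]) by null-pmn.utdallas.edu (Postfix) with ESMTP id 404FE1A06B1 for <pauls@utdallas.edu>; Sat, 27 Sep 2003 00:50:04 -0500 (CDT)
Received: from mx0.utdallas.edu ([127.0.0.1]) by localhost (ns0 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 29640-01-56 for <pauls@utdallas.edu>; Sat, 27 Sep 2003 00:50:03 -0500 (CDT)
Received: from mail.cosmofilms.com (unknown [203.112.156.12]) by mx0.utdallas.edu (Postfix) with ESMTP id F175A38A92 for <pauls@utdallas.edu>; Sat, 27 Sep 2003 00:46:09 -0500 (CDT)
Received: from mail.cosmofilms.com (localhost [127.0.0.1]) by mail.cosmofilms.com (8.12.9/8.12.9) with ESMTP id h8R5jW2B005365 for <pauls@utdallas.edu>; Sat, 27 Sep 2003 11:17:10 +0530
Received: from aygad (logistic.cosmofilms.com [192.9.200.210]) by mail.cosmofilms.com (8.12.9/8.12.9) with SMTP id h8R5ij5w005085; Sat, 27 Sep 2003 11:14:45 +0530
Date: Sat, 27 Sep 2003 11:14:45 +0530
Message-Id: <200309270544.h8R5ij5w005085@mail.cosmofilms.com>
From: "Microsoft Security Support" <dyfotwrltwosb_whweemsf@bulletin.msn.com>
To: " " <zwhbfu_ajnkwdm@bulletin.msn.com>
Subject: Current Net Security Update
Return-Path: webserv@cosmofilms.com
"""

# "from <helo> (<reverse-dns> [<ip>]) by <relay>" is the common Received: shape.
RECEIVED_RE = re.compile(r'from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)', re.IGNORECASE)
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def parse_received(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one Received: header into HELO name, reverse-DNS/IP info and relaying host."""
    flat = ' '.join(value.split())          # fold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    helo, info, by = m.group(1), m.group(2) or '', m.group(3)
    ip = IP_RE.search(info)
    return {'helo': helo, 'info': info, 'ip': ip.group(1) if ip else None, 'by': by}


def domain_of(addr: str) -> str:
    """Domain part of a header address, lower-cased ('' if none)."""
    _, bare = parseaddr(addr)
    return bare.rpartition('@')[2].lower()


def trace(raw: str, local_domain: str) -> Dict:
    """Walk the Received: chain and compare envelope sender with header From."""
    msg = email.message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all('Received', [])) if h]

    def is_local(h: Dict) -> bool:
        # Hops between our own servers (or over loopback) are internal handling.
        return (h['helo'].lower().endswith(local_domain) or h['helo'].lower() == 'localhost'
                or (h['ip'] or '').startswith('127.'))

    # Received: headers are prepended, so the last one is the earliest (origin) hop.
    origin = hops[-1] if hops else None
    # First hop, newest to oldest, where a foreign host handed the message to one of
    # our own servers: the only Received: line a recipient can vouch for.
    handoff = next((h for h in hops
                    if h['by'].lower().endswith(local_domain) and not is_local(h)), None)
    header_from = domain_of(msg.get('From', ''))
    envelope_from = domain_of(msg.get('Return-Path', ''))
    return {
        'origin': origin,
        'handoff': handoff,
        'header_from_domain': header_from,
        'envelope_from_domain': envelope_from,
        'from_mismatch': header_from != envelope_from,
    }


if __name__ == '__main__':
    result = trace(SAMPLE_HEADERS, 'utdallas.edu')
    print('origin hop     :', result['origin'])
    print('handoff to us  :', result['handoff'])
    print('header From    :', result['header_from_domain'])
    print('envelope sender:', result['envelope_from_domain'])
    print('sender forged? :', result['from_mismatch'])
```

Run on the quoted headers, the origin hop is the workstation "aygad" at 192.9.200.210 inside cosmofilms.com, the handoff the utdallas.edu MX logged came from 203.112.156.12, and the envelope sender (webserv@cosmofilms.com) disagrees with the "Microsoft Security Support" header From; nothing in the chain points back at pauls@utdallas.edu, which is consistent with Kee's reading that this was a directly addressed message rather than a bounce. Everything below the handoff hop was written by the sending side and can be forged, so a recipient should reason from the handoff IP, not the header From.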
Current thread:
- Does Swen forge the sender? WARNING - LONG POST Paul Schmehl (Sep 27)
- Re: Does Swen forge the sender? WARNING - LONG POST Nick FitzGerald (Sep 27)
- Re: Does Swen forge the sender? WARNING - LONG POST Kee Hinckley (Sep 27)
