
Re: [Full-Disclosure] Does Swen forge the sender? WARNING - LONG POST

At 11:40 AM -0500 9/27/03, Paul Schmehl wrote:
1st header is a "bounce" to my work account. Unfortunately the bouncing party didn't bother to include the original message headers, but it's evident that they *thought* that I sent them the virus. Since the "From" address was "Microsoft Security Support" <dyfotwrltwosb_whweemsf@xxxxxxxxxxxxxxxx>, how does this get back to me unless the "MAIL FROM" command was "pauls@xxxxxxxxxxxx"?

Are you certain that's a bounce? It looks to me as though the sending machine cleaned the virus, but then let the message go out anyway. (A policy which must date from back in the days of macro viruses, when there actually was some useful content and the virus didn't send itself--seems pretty poor policy now.)

Received: from null-pmn.utdallas.edu ([129.110.10.1]) by utdevs02.campus.ad.utdallas.edu with Microsoft SMTPSVC(5.0.2195.6713);
Sat, 27 Sep 2003 00:49:54 -0500
Received: from localhost (localhost [127.0.0.1])
by null-pmn.utdallas.edu (Postfix) with ESMTP id 404FE1A06B1
for <pauls@xxxxxxxxxxxx>; Sat, 27 Sep 2003 00:50:04 -0500 (CDT)
Received: from mx0.utdallas.edu ([127.0.0.1])
by localhost (ns0 [127.0.0.1]) (amavisd-new, port 10024) with LMTP
id 29640-01-56 for <pauls@xxxxxxxxxxxx>;
Sat, 27 Sep 2003 00:50:03 -0500 (CDT)
Received: from mail.cosmofilms.com (unknown [203.112.156.12])
by mx0.utdallas.edu (Postfix) with ESMTP id F175A38A92
for <pauls@xxxxxxxxxxxx>; Sat, 27 Sep 2003 00:46:09 -0500 (CDT)
Received: from mail.cosmofilms.com (localhost [127.0.0.1])
by mail.cosmofilms.com (8.12.9/8.12.9) with ESMTP id h8R5jW2B005365
for <pauls@xxxxxxxxxxxx>; Sat, 27 Sep 2003 11:17:10 +0530
Received: from aygad (logistic.cosmofilms.com [192.9.200.210])
by mail.cosmofilms.com (8.12.9/8.12.9) with SMTP id h8R5ij5w005085;
Sat, 27 Sep 2003 11:14:45 +0530
Date: Sat, 27 Sep 2003 11:14:45 +0530
Message-Id: <200309270544.h8R5ij5w005085@xxxxxxxxxxxxxxxxxxx>
From: "Microsoft Security Support" <dyfotwrltwosb_whweemsf@xxxxxxxxxxxxxxxx>
To: " " <zwhbfu_ajnkwdm@xxxxxxxxxxxxxxxx>
SUBJECT: Current Net Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yczwccphdsq"
Return-Path: webserv@xxxxxxxxxxxxxx
X-OriginalArrivalTime: 27 Sep 2003 05:49:54.0912 (UTC) FILETIME=[2D3B5600:01C384BB]


--lodywg
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:oygkdfqowfov"; height=3D0 width=3D0></iframe>
<BR><BR><BR>Undelivered mail to <B>lajgfy@xxxxxxxxxxx</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--lodywg
Content-Type: audio/x-wav; name="ctlsz.scr"
Content-Transfer-Encoding: base64
Content-Id: <oygkdfqowfov>

------------------ Virus Warning Message (on mail.cosmofilms.com)

Found virus WORM_SWEN.A in file Pack6579.exe
The uncleanable file is deleted.


--
Kee Hinckley
http://www.messagefire.com/         Next Generation Spam Defense
http://commons.somewhere.com/buzz/  Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html