[Dshield] Odd emails from apparently MS..

Micheal Patterson micheal at tsgincorporated.com
Wed Dec 17 20:57:49 GMT 2003


I've currently gotten a total of 5 messages this month that contained
various virus/trojans according to Clamav / F-Prot and Sophos that appear to
be from the MS postmaster. IP's and headers match. Has anyone else gotten
any of these? I even went and contacted abuse at microsoft.com about it but
their response was "this appears to be dns spoofing" which I disagree with.
IP spoofs perhaps, or one of their systems could indeed be breeched.
Regardless, the source ip's are now being blocked at my border. Headers from
the latest message are below, all previous messages are exactly the same
source hosts.

--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.

----------------------


Here is the output of the scanner:

/var/amavis/amavis-16261868/parts/msg-14906-1.txt: OK
/var/amavis/amavis-16261868/parts/msg-14906-2.msg: OK
/var/amavis/amavis-16261868/parts/msg-14906-3.txt: OK
/var/amavis/amavis-16261868/parts/msg-14906-4.html: OK
/var/amavis/amavis-16261868/parts/msg-14906-5.pif: Worm.Torvil.D FOUND

----------- SCAN SUMMARY -----------
Known viruses: 11753
Scanned directories: 1
Scanned files: 5
Infected files: 1
Data scanned: 0.06 Mb
I/O buffer size: 131072 bytes
Time: 0.448 sec (0 m 0 s)

Here are the headers:

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <>
Received: from mail6.microsoft.com (mail6.microsoft.com [131.107.3.126])
by mail.tsgincorporated.com (8.12.10/8.12.8) with ESMTP id hBHJUNNB014869
for <edited>; Wed, 17 Dec 2003 13:30:24 -0600 (CST)
Received: from inet-imc-05.redmond.corp.microsoft.com ([157.54.6.156]) by
mail6.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069);
Wed, 17 Dec 2003 11:19:24 -0800
From: postmaster at microsoft.com





More information about the list mailing list