[Dshield] Understanding Virus Email Origin

Jens E. Madsen Jr. sjj_maillists at higher-speed.net
Mon Apr 26 21:04:03 GMT 2004


Good day,

I have received several emails with this virus in it over the past
weekend. They were all caught and I checked to make sure they did not
get beyond my mail server.

This one appears to be from a friend, and I am wondering whether they are
infected, one of my systems is infected, or this is a joe job. It is
interesting to note that two messages had the received addresses
ne.client2.attbi.com and sccrmhc12.comcast.net.

Are the first two Received headers real or are they forged?

Should I be concerned? Should MyFriend be concerned?

Start of Header---------------------------------------
>From MyFriend at comcast.net  Sun Apr 25 14:17:04 2004
Return-Path: <MyFriend at comcast.net>
Delivered-To: me at localhost.mydomain.com
Received: from localhost (localhost [127.0.0.1])
	by mail.mydomain.com (Postfix) with ESMTP id 418D1B8C1
	for <me at localhost>; Sun, 25 Apr 2004 14:16:00 -0600 (MDT)
Status:  U
Received: from mail.earthlink.net [207.217.121.213]
	by localhost with POP3 (fetchmail-6.2.0)
	for me at localhost (single-drop); Sun, 25 Apr 2004 14:16:00 -0600 (MDT)
Received: from sccrmhc12.comcast.net ([204.127.202.56])
	by mamo (EarthLink SMTP Server) with ESMTP id 1bhQ145Ul3NZFk71
	for <me at earthlink.net>; Sun, 25 Apr 2004 13:14:18 -0700 (PDT)
Date: Sun, 25 Apr 2004 20:14:15 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Znefrrdpk (h00095b1b3634.ne.client2.attbi.com[24.91.71.42])
	by comcast.net (sccrmhc12) with SMTP
	id <20040425201414012002rtroe>; Sun, 25 Apr 2004 20:14:14 +0000
From: nooneIknow <nooneIknow at rtmc.net>
To: me at Earthlink.net
Subject: Not automatically take you to the registration
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary=Cy751hb1174zaw81d2EjkV1KQ352OA92
Message-Id: <200404251314.1bhQ145Ul3NZFk71 at mamo>
X-Virus-Status: Yes
X-Virus-Report: Worm.Klez.H FOUND
End of Header---------------------------------------------------

Thanks,
Jens
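As an added example (not part of Jens's post and not a DShield tool), here is a Python script that walks the Received chain from the headers above top-down, the way one answers "are these hops real?": the hop your own server wrote is trusted, and each hop below it is corroborated only if the host that claims to have written it is the host the hop above says it received from. The script assumes the two hosts the poster operates are mail.mydomain.com (Postfix) and localhost (the fetchmail pickup); the sample header block is reconstructed from the post with the archive's " at " restored to "@" and the mbox ">From" line left out.

```python
import re

# Constructed sample: the header block quoted in the post above, with the list
# archive's " at " restored to "@" and the folded continuation lines re-indented.
SAMPLE_HEADERS = """\
Return-Path: <MyFriend@comcast.net>
Delivered-To: me@localhost.mydomain.com
Received: from localhost (localhost [127.0.0.1])
\tby mail.mydomain.com (Postfix) with ESMTP id 418D1B8C1
\tfor <me@localhost>; Sun, 25 Apr 2004 14:16:00 -0600 (MDT)
Status:  U
Received: from mail.earthlink.net [207.217.121.213]
\tby localhost with POP3 (fetchmail-6.2.0)
\tfor me@localhost (single-drop); Sun, 25 Apr 2004 14:16:00 -0600 (MDT)
Received: from sccrmhc12.comcast.net ([204.127.202.56])
\tby mamo (EarthLink SMTP Server) with ESMTP id 1bhQ145Ul3NZFk71
\tfor <me@earthlink.net>; Sun, 25 Apr 2004 13:14:18 -0700 (PDT)
Date: Sun, 25 Apr 2004 20:14:15 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
Received: from Znefrrdpk (h00095b1b3634.ne.client2.attbi.com[24.91.71.42])
\tby comcast.net (sccrmhc12) with SMTP
\tid <20040425201414012002rtroe>; Sun, 25 Apr 2004 20:14:14 +0000
From: nooneIknow <nooneIknow@rtmc.net>
To: me@Earthlink.net
Message-Id: <200404251314.1bhQ145Ul3NZFk71@mamo>
X-Virus-Report: Worm.Klez.H FOUND
"""

# Assumption: hosts the recipient operates; hops written "by" these are trusted.
OWN_HOSTS = ["mail.mydomain.com", "localhost"]

# from <host> by <host> [with <proto> [(comment)]] [id <id>] [for <rcpt>]
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>.+?)\s+by\s+(?P<by>.+?)"
    r"(?:\s+with\s+(?P<with>\S+(?:\s+\([^)]*\))?))?"
    r"(?:\s+id\s+(?P<id>\S+))?(?:\s+for\s+(?P<for>.+?))?\s*$",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
# Words found in nearly every hop; matching on them corroborates nothing.
GENERIC = {"smtp", "esmtp", "server", "net", "com", "org", "mail", "with", "from"}


def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading space/tab) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(header_lines):
    """One dict per Received header, in header order (most recent hop first)."""
    hops = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        clause, sep, date = value.strip().rpartition(";")
        if not sep:                      # no date part at all
            clause, date = date, ""
        m = RECEIVED_RE.match(clause.strip())
        hop = m.groupdict() if m else {"from": "", "by": "", "with": None, "id": None, "for": None}
        hop["date"], hop["raw"] = date.strip(), clause.strip()
        hops.append(hop)
    return hops


def name_tokens(s):
    return [t for t in re.findall(r"[a-z0-9-]+", s.lower()) if len(t) >= 3 and t not in GENERIC]


def analyse_chain(hops, own_hosts):
    """Walk top-down; a hop is corroborated if we wrote it or if the host that
    claims to have written it is the host the hop above says it received from."""
    own, report = [h.lower() for h in own_hosts], []
    for i, hop in enumerate(hops):
        written_by_us = any(h in hop["by"].lower() for h in own)
        matches_above = None if i == 0 else any(
            t in hops[i - 1]["from"].lower() for t in name_tokens(hop["by"]))
        report.append({"from": hop["from"], "by": hop["by"], "written_by_us": written_by_us,
                       "matches_above": matches_above,
                       "corroborated": written_by_us or bool(matches_above)})
    depth = 0
    for entry in report:                 # stop at the first hop nobody vouches for
        if not entry["corroborated"]:
            break
        depth += 1
    origin = hops[depth - 1]["from"] if depth else None
    ip = IP_RE.search(origin) if origin else None
    return {"hops": report, "corroborated_depth": depth, "origin": origin,
            "origin_ip": ip.group(1) if ip else None}


def sender_addresses(header_lines):
    """Envelope sender (Return-Path) versus header From:, for comparison."""
    found = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("return-path", "from"):
            m = ADDR_RE.search(value)
            found[name.strip().lower()] = m.group(0) if m else None
    return found


if __name__ == "__main__":
    lines = unfold_headers(SAMPLE_HEADERS)
    result = analyse_chain(parse_received(lines), OWN_HOSTS)
    for i, h in enumerate(result["hops"]):
        print(f"hop {i}: by {h['by']!r} from {h['from']!r} ours={h['written_by_us']} "
              f"matches_above={h['matches_above']} corroborated={h['corroborated']}")
    print("corroborated hops:", result["corroborated_depth"], "origin:", result["origin_ip"])
    print("envelope vs header sender:", sender_addresses(lines))
```

Reading the report for this message: the top two hops were written by the recipient's own hosts, the third by EarthLink (which names the comcast relay it accepted the message from), and the bottom one by that same comcast relay, so every hop is vouched for by the one above it and the chain is consistent down to the sending client at 24.91.71.42; there is no hop below that one to have been forged. The Return-Path (MyFriend@comcast.net) and the From: header (nooneIknow@rtmc.net) disagree and neither is corroborated by the chain, which is what one expects from Klez.H, as it fills both sender addresses from addresses harvested on the infected machine; the Received chain, not the addresses, points at the infected host.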
