[Dshield] Understanding Virus Email Origin

Jens E. Madsen Jr. sjj_maillists at higher-speed.net
Mon Apr 26 21:04:03 GMT 2004

Good day,

I have received several emails with this virus in it over the past
weekend. They were all caught and I checked to make sure they did not
get beyond my mail server.

This one appears to be from a friend, and I am wondering if they are
infected, one of my systems is infected, or this is a joe job. It is
interesting to note that two messages had the receive addresses
ne.client2.attbi.com and sccrmhc12.comcast.net.

Are the first two Received headers real or are they forged?

Should I be concerned? Should MyFriend be concerned?

Start of Header---------------------------------------
>From MyFriend at comcast.net  Sun Apr 25 14:17:04 2004
Return-Path: <MyFriend at comcast.net>
Delivered-To: me at localhost.mydomain.com
Received: from localhost (localhost [])
	by mail.mydomain.com (Postfix) with ESMTP id 418D1B8C1
	for <me at localhost>; Sun, 25 Apr 2004 14:16:00 -0600 (MDT)
Status:  U
Received: from mail.earthlink.net []
	by localhost with POP3 (fetchmail-6.2.0)
	for me at localhost (single-drop); Sun, 25 Apr 2004 14:16:00 -0600 (MDT)
Received: from sccrmhc12.comcast.net ([])
	by mamo (EarthLink SMTP Server) with ESMTP id 1bhQ145Ul3NZFk71
	for <me at earthlink.net>; Sun, 25 Apr 2004 13:14:18 -0700 (PDT)
Date: Sun, 25 Apr 2004 20:14:15 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum
X-Comment: Date has been added by Maillennium.
Received: from Znefrrdpk
          by comcast.net (sccrmhc12) with SMTP
          id <20040425201414012002rtroe>; Sun, 25 Apr 2004 20:14:14
From: nooneIknow <nooneIknow at rtmc.net>
To: me at Earthlink.net
Subject: Not automatically take you to the registration
MIME-Version: 1.0
Content-Type: multipart/alternative;
Message-Id: <200404251314.1bhQ145Ul3NZFk71 at mamo>
X-Virus-Status: Yes
X-Virus-Report: Worm.Klez.H FOUND
End of Header---------------------------------------------------
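
The following is an added worked example (not part of the original post and not DShield's code) that walks the Received chain quoted above the way a header analyst would. It reads the Received lines top-down, i.e. newest hop first: each Received line is written by the host named after "by", so it can be trusted only as far as you trust that host, and the "from" part is what that host saw (or, at the very bottom, merely what the sending client announced in its HELO). The script checks that each hop's "from" agrees with the next-older hop's "by" (skipping the fetchmail POP3 pickup, which is a mailbox fetch rather than an SMTP relay), reports the claimed origin, and notes that the envelope sender (Return-Path) and the header From: name different people. The header text is a constructed copy of the post's headers (the IP literals were blank in the original and stay blank here), and the set of hosts treated as "trusted" (the recipient's own Postfix box and the fetchmail host) is an assumption for the example.

```python
import re

# Constructed copy of the headers quoted in the post (IPs were blank there too).
RAW_HEADERS = """\
Return-Path: <MyFriend at comcast.net>
Delivered-To: me at localhost.mydomain.com
Received: from localhost (localhost [])
    by mail.mydomain.com (Postfix) with ESMTP id 418D1B8C1
    for <me at localhost>; Sun, 25 Apr 2004 14:16:00 -0600 (MDT)
Status:  U
Received: from mail.earthlink.net []
    by localhost with POP3 (fetchmail-6.2.0)
    for me at localhost (single-drop); Sun, 25 Apr 2004 14:16:00 -0600 (MDT)
Received: from sccrmhc12.comcast.net ([])
    by mamo (EarthLink SMTP Server) with ESMTP id 1bhQ145Ul3NZFk71
    for <me at earthlink.net>; Sun, 25 Apr 2004 13:14:18 -0700 (PDT)
Date: Sun, 25 Apr 2004 20:14:15 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum
X-Comment: Date has been added by Maillennium.
Received: from Znefrrdpk
          by comcast.net (sccrmhc12) with SMTP
          id <20040425201414012002rtroe>; Sun, 25 Apr 2004 20:14:14
From: nooneIknow <nooneIknow at rtmc.net>
To: me at Earthlink.net
X-Virus-Report: Worm.Klez.H FOUND
"""

# Assumed: hosts the recipient controls, so their Received lines are trusted.
TRUSTED_BY = {"mail.mydomain.com", "localhost"}


def unfold(raw):
    """Join RFC 822 folded continuation lines (lines starting with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def header_values(raw, name):
    """All values of a header, in order of appearance (top = most recent hop)."""
    prefix = name.lower() + ":"
    return [l[len(prefix):].strip() for l in unfold(raw) if l.lower().startswith(prefix)]


def host(clause):
    """First bare hostname in a from/by clause: 'comcast.net (sccrmhc12)' -> 'comcast.net'."""
    return clause.split()[0].strip("()[]")


def parse_hop(value):
    """Split one Received value into from/by/with/date; the date follows the last ';'."""
    clauses, sep, date = value.rpartition(";")
    if not sep:
        clauses, date = value, ""
    m = re.match(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<with>\S+))?", clauses)
    if not m:
        raise ValueError("unparseable Received header: " + value)
    return {"from": m["from"], "by": m["by"], "with": m["with"] or "", "date": date.strip()}


def same_host(a, b):
    """Equal, or one is a subdomain of the other (sccrmhc12.comcast.net vs comcast.net)."""
    a, b = host(a).lower(), host(b).lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def trace(raw, trusted_by=TRUSTED_BY):
    """Annotate each hop (newest first) with who wrote it and whether its 'from'
    is corroborated by the next-older hop's 'by'."""
    hops = [parse_hop(v) for v in header_values(raw, "Received")]
    for i, hop in enumerate(hops):
        hop["writer"] = "trusted" if host(hop["by"]).lower() in trusted_by else "external"
        older = hops[i + 1] if i + 1 < len(hops) else None
        if older is None:
            hop["link"] = "origin"      # nothing older: 'from' is only what the client claimed
        elif hop["with"].upper().startswith("POP"):
            hop["link"] = "pickup"      # mailbox fetch, not an SMTP relay: no peer to corroborate
        elif same_host(hop["from"], older["by"]):
            hop["link"] = "consistent"
        else:
            hop["link"] = "broken"      # a forged or spliced-in hop usually shows up here
    return hops


def claimed_origin(hops):
    """Oldest hop: 'from' is the HELO name the client announced; 'by' is the first
    MTA, the only party that saw the client's real IP (blank in this copy)."""
    last = hops[-1]
    return {"helo": host(last["from"]), "first_mta": host(last["by"]),
            "has_ip": "[" in last["from"] and "[]" not in last["from"]}


def sender_mismatch(raw):
    """True when the envelope sender (Return-Path) is not the header From address."""
    return_path = header_values(raw, "Return-Path")[0].strip("<>")
    return return_path not in header_values(raw, "From")[0]


if __name__ == "__main__":
    hops = trace(RAW_HEADERS)
    for i, h in enumerate(hops):
        print(f"hop {i}: by {host(h['by'])!r:22} from {host(h['from'])!r:24} "
              f"{h['with']:5} writer={h['writer']:8} link={h['link']}")
    print("claimed origin:", claimed_origin(hops))
    print("Return-Path differs from From:", sender_mismatch(RAW_HEADERS))
```

On this chain the two hops written by the recipient's own hosts and the EarthLink hop all corroborate each other, so everything down to "from sccrmhc12.comcast.net by mamo" is real as far as the recipient can tell. The bottom hop was written by Comcast's server, and its "from Znefrrdpk" is just the HELO string the sending client gave (a bare, non-domain name with no recorded IP in this copy), which is what a worm's built-in SMTP engine typically produces. Whether that client was the friend's machine is only knowable from the client IP that Comcast logged. The Return-Path/From mismatch is consistent with the X-Virus-Report line: Klez is known to forge sender addresses, so neither MyFriend nor nooneIknow can be identified as the infected party from these headers alone.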

