Re: good morning

From: Philippe Verdy (verdy_p@wanadoo.fr)
Date: Mon Apr 12 2004 - 14:49:34 EDT

  • Next message: Rick McGowan: "Re: good morning"

    RE: good morningMike Ayers wrote:
    > > This mail (containing a virus: shower_response.exe) was sent to me
    > > through unicode@unicode.org:
    > >
    > > Received: from 209.235.17.55 (EHLO unicode.org) (209.235.17.55)
    > > by mta150.mail.dcn.yahoo.com with SMTP; Fri, 09 Apr 2004
    > > 05:17:31 -0700
    > > Received: from sarasvati.unicode.org (localhost.localdomain
    > > [127.0.0.1])
    > > by unicode.org (8.11.6/8.11.6) with ESMTP id i39BupS08634;
    > > Fri, 9 Apr 2004 07:56:51 -0400
    > > Received: with ECARTIS (v1.0.0; list unicode); Fri, 09 Apr
    > > 2004 07:56:50 -0400 (EDT)
    > > Received: from unicode.org (slkcapanas11poola155.slkc.uswest.net
    > > [65.103.249.155])
    > > by unicode.org (8.11.6/8.11.6) with ESMTP id i39BunS08623
    > > for <unicode@unicode.org>; Fri, 9 Apr 2004 07:56:49 -0400

    > You have not included the full set of headers here. It is common
    > practice for spammers and virus propogaters (yes, there are people
    > who deliberately spread infection, apparently as a hobby) to prepend
    > fake pathing information to hide the start of the real transfers. It is
    > also now common to use stolen IDs, such as mailing lists or individuals,
    > in the sender fields.

    It's true that a spammer can inject fake "Received:" lines in their mail but
    they won't be able to fake the supplementary "Received:" lines added on
    the top by the SMTP server to which they send their spews.

    We don't need full headers in fact to track spammers, as the only realiable info
    is the "Received:" line generated here by the unicode mailing list server that
    has received and processed this email.

    So the relevant header line is:
    > > Received: from unicode.org (slkcapanas11poola155.slkc.uswest.net
    > > [65.103.249.155])
    > > by unicode.org (8.11.6/8.11.6) with ESMTP id i39BunS08623
    > > for <unicode@unicode.org>; Fri, 9 Apr 2004 07:56:49 -0400

    which clearly states that the sender was connected from [65.103.249.155] (but
    not "unicode.org" which is faked in the SMTP HELO string), that the
    sarasvati.unicode.org resolves itself as slkcapanas11poola155.slkc.uswest.net.
    This is a home subscriber of uswest.net, which is infected by a virus, and the
    virus on his host has copied some other information found in its mailbox folders
    to generate the SMTP HELO string, and the "From:" header (not shown here) which
    was authorized by sarasvati, because it only checks that this (faked) email
    address is a subscriber to the list.

    The main reason why this will occur is that the infected PC belongs to a user
    that has subscribed to this list, and that allowed the virus to collect previous
    traffic received from the list in order to harvest it.
    If sarasvati logs are inspected, may be it will be possible to detect which
    USWEST.NET user at this IP has already sent a non-viral message with a normal
    signature. This may help discovering which subscriber is really infected.
    However if the subscriber never posted messages to the list, but just subscribed
    to it to receive messages passively, the sarasvati logs won't help here.

    For such infection, it is very likely that the infected PC is also sending its
    spew to many other areas collected from an unsecured mail archive, and so it may
    be useful to to report that user to its ISP. However, as this is a virus and not
    really a spam, most abuse desks ignore those alerts. So the best thing is that
    the sarasvati server implements a anti-virus filter on incoming messages, and
    maintains it updated with new viral signatures.

    This happens sometimes on almost all legitimate mailing lists. Someone using a
    mailing list should have a antivirus ready, because unfiltered mailing lists are
    the most valuable resource for virus to spread their spew very fast to lots of
    people, with a minimum number of messages. I do think that the sarasvati server
    has such an antivirus tool, but its virus definitions file is out of date and
    did let this one pass through...



    This archive was generated by hypermail 2.1.5 : Mon Apr 12 2004 - 15:27:42 EDT