[ale] Virus and email header question
Emil P. Man
mailinglists at synban.com
Sun May 2 15:08:46 EDT 2004
John Clark wrote:
>I have been getting repeated virus emails, ostensibly from one of my
>customers. The kicker is, she's a Mac user and the viruses being sent are
>of the PC variety. Given that I use Macs and Linux I am not terribly
>troubled about the virus part.
>
>However, two things concern me. First, the subject lines are all in
>regards to site updates. This could mean that they have simply done their
>homework and know that I host a site for her. The other thing is the headers:
>
>------------------ RFC822 Header Follows ------------------
>Return-Path: <cvaleallen at earthlink.net>
>Delivered-To: 8-shogun at 12ftguru.com
>Received: (qmail 475 invoked from network); 1 May 2004 13:13:21 -0000
>Received: from node-c-0aaa.a2000.nl (HELO f3f9i9.net) (62.194.10.170)
> by server1.jimmyether.com with SMTP; 1 May 2004 13:13:21 -0000
>
>
First of all here, you will see received from node-c-0aaa.a2000.nl and
the IP... It seems that your Qmail MTA got the e-mail from that IP addy.
I have also received e-mail from "myself" and from my own domain before,
saying that I am experiencing problems with my MTA, something that I
wasn't aware of... lol. It's a worm that has been circulating around
for a while. I wouldn't be worried about it. Bob Toxen knows the
specifics of this worm, I am not that familiar with it, but I know it's
a Windows worm and that I have received it several times. Mostly from
Windows people that have me on their Outlook contact list.
Also I did a whois on the IP above from The Netherlands. I am guessing
that his machine is infected and his MTA is wide open and sending out
e-mails that you are receiving. Actually just nmapped his machine and he
probably fixed his MTA issue now.
EMIL
----cut here-----
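
Added example, not part of the original thread: a short Python sketch of the header reading discussed above, which takes the hop stamped by the recipient's own MTA (the only `Received` line that can be trusted) and compares the connecting host with the HELO name and the `Return-Path` domain. The function names and the two-label domain comparison are assumptions made for illustration; the header block is the one quoted in the post.

```python
import re
from email import message_from_string

# Header block as quoted in the post; the list archive rewrote "@" as " at ".
SAMPLE = """\
Return-Path: <cvaleallen at earthlink.net>
Delivered-To: 8-shogun at 12ftguru.com
Received: (qmail 475 invoked from network); 1 May 2004 13:13:21 -0000
Received: from node-c-0aaa.a2000.nl (HELO f3f9i9.net) (62.194.10.170)
 by server1.jimmyether.com with SMTP; 1 May 2004 13:13:21 -0000

"""

# qmail-style hop: from <rDNS name> (HELO <claimed name>) (<peer IP>) by <our MTA>
QMAIL_HOP = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)")

def base_domain(host):
    """Naive last-two-labels key (assumption: no public-suffix list is used)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw, our_mta):
    """Return facts about the hop recorded by our_mta, or None if not found."""
    msg = message_from_string(raw)
    sender = msg.get("Return-Path", "").strip("<> ").replace(" at ", "@")
    sender_domain = sender.rpartition("@")[2].lower()
    # Received lines are prepended, so the first one stamped by our own MTA
    # is the hop we can trust; anything below it could have been forged.
    for value in msg.get_all("Received", []):
        m = QMAIL_HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m and m["by"].lower() == our_mta.lower():
            return {
                "sender_domain": sender_domain,
                "peer_ip": m["ip"], "rdns": m["rdns"], "helo": m["helo"],
                "helo_matches_rdns": base_domain(m["helo"]) == base_domain(m["rdns"]),
                "sender_matches_peer": sender_domain == base_domain(m["rdns"]),
            }
    return None

if __name__ == "__main__":
    for key, val in analyze(SAMPLE, "server1.jimmyether.com").items():
        print(f"{key}: {val}")
```

A mismatch between the envelope sender's domain and the connecting host is not proof of forgery on its own, since legitimate mail is often relayed; here it is the combination of a residential-looking host, an unrelated HELO name and an unrelated sender domain that points to a spoofed sender.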