Hi all,

Here is an example of a virus scanner suspecting me of
sending a virus email. (I get a lot of those... ;-)

Please note that the header at the top is the one of
the message from the virus scanner and the second
header (under "--- BEGIN HEADERS ---") is the original
mail containing the virus.

Go there to read on...

>Return-Path: <MAILER-DAEMON>
>Received: from mxzilla7.xs4all.nl (mxzilla7.xs4all.nl [194.109.6.18])
>        by maildrop6.xs4all.nl (8.12.9/8.12.6) with ESMTP id hBR8kRRV052847
>        for <[EMAIL PROTECTED]>; Sat, 27 Dec 2003 09:46:27 +0100 (CET)
>X-XS4ALL-DNSBL-Checked: mxzilla7.xs4all.nl checked 202.8.224.17 against DNS blacklists
>X-XS4ALL-Pad: empty
>Received: from mx2.mydestiny.net (mx2.mydestiny.net [202.8.224.17])
>        by mxzilla7.xs4all.nl (8.12.10/8.12.10) with ESMTP id hBR8kOCg098575
>        for <[EMAIL PROTECTED]>; Sat, 27 Dec 2003 09:46:25 +0100 (CET)
>Received: from av-mx.mydestiny.net (av-mx [202.8.224.59])
>        by mx2.mydestiny.net (Postfix) with ESMTP id 5E2F1BD86A
>        for <[EMAIL PROTECTED]>; Sat, 27 Dec 2003 16:50:26 +0800 (PHT)
>Received: from localhost (av-mx.mydestiny.net [127.0.0.1])
>        by av-mx.mydestiny.net (Postfix) with ESMTP id 6DD0E18764C
>        for <[EMAIL PROTECTED]>; Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>MIME-Version: 1.0
>Subject: VIRUS (W32/Valla.a) IN MAIL FROM YOU
>In-Reply-To: <[EMAIL PROTECTED]>
>Message-Id: <[EMAIL PROTECTED]>
>Content-Type: multipart/report; report-type=delivery-status;
>    boundary="----------=_1072514779-26371-1"
>From: Email-Content-Filter <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Date: Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>X-UIDL: _45M.kbU7_.maildrop6.xs4all.nl
>
>VIRUS ALERT
>
>Our content checker found
>    virus: W32/Valla.a
>in email presumably from you (<[EMAIL PROTECTED]>), to the following recipients:
>-> [EMAIL PROTECTED]
>-> [EMAIL PROTECTED]
>-> [EMAIL PROTECTED]
>
>Please check your system for viruses,
>or ask your system administrator to do so.
>
>Delivery of the email was stopped!
>
>
>For your reference, here are headers from your email:
>------------------------- BEGIN HEADERS -----------------------------
>Return-Path: <[EMAIL PROTECTED]>
>Received: from mx1.mydestiny.net (mx1 [202.8.224.3])
>        by av-mx.mydestiny.net (Postfix) with ESMTP
>        id 52EBE18758E; Sat, 27 Dec 2003 16:46:18 +0800 (PHT)
>Received: from smtp.mydestiny.net (cable-202-8-241-74.d-one.net [202.8.241.74])
>        by mx1.mydestiny.net (Postfix) with SMTP
>        id 7F59510BE2; Sat, 27 Dec 2003 16:44:07 +0800 (PHT)
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED], [EMAIL PROTECTED],
>        [EMAIL PROTECTED]
>Subject: big_tit_brunette_017
>MIME-Version: 1.0
>X-Mailer: OstroSoft SMTP Control (4.0.19)
>Content-Type: multipart/mixed; boundary="--NextMimePart"
>Message-Id: <[EMAIL PROTECTED]>
>Date: Sat, 27 Dec 2003 16:44:07 +0800 (PHT)
>-------------------------- END HEADERS ------------------------------

At first sight, the email really seems to be coming
from me, because the 'From:' address is [EMAIL PROTECTED]
(which is one of my aliases) and it's even in the
'Return-Path:' header; however, the message ID is not
something like [EMAIL PROTECTED], which would normally
be the case. In the second 'Received:' header one can
find the real origin of the email:
"from smtp.mydestiny.net (cable-202-8-241-74.d-one.net [202.8.241.74])"

Clearly someone with a cable modem at the given IP address
has sent it to the SMTP (=mail-input) server of his provider.
(Or a virus on his PC has...)

It seems that this is the mailer that the virus used:
"X-Mailer: OstroSoft SMTP Control (4.0.19)"

(Often the mailer is integrated in the virus.)

Greetings,
Jaap


>Reporting-MTA: dns; av-mx.mydestiny.net
>Received-From-MTA: smtp; av-mx.mydestiny.net ([127.0.0.1])
>Arrival-Date: Sat, 27 Dec 2003 16:46:18 +0800 (PHT)
>
>Final-Recipient: rfc822; [EMAIL PROTECTED]
>Action: failed
>Status: 5.7.1
>Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=26371-03 - VIRUS: 
>W32/Valla.a
>Last-Attempt-Date: Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>
>Final-Recipient: rfc822; [EMAIL PROTECTED]
>Action: failed
>Status: 5.7.1
>Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=26371-03 - VIRUS: 
>W32/Valla.a
>Last-Attempt-Date: Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>
>Final-Recipient: rfc822; [EMAIL PROTECTED]
>Action: failed
>Status: 5.7.1
>Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=26371-03 - VIRUS: 
>W32/Valla.a
>Last-Attempt-Date: Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>Received: from mx1.mydestiny.net (mx1 [202.8.224.3])
>        by av-mx.mydestiny.net (Postfix) with ESMTP
>        id 52EBE18758E; Sat, 27 Dec 2003 16:46:18 +0800 (PHT)
>Received: from smtp.mydestiny.net (cable-202-8-241-74.d-one.net [202.8.241.74])
>        by mx1.mydestiny.net (Postfix) with SMTP
>        id 7F59510BE2; Sat, 27 Dec 2003 16:44:07 +0800 (PHT)
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED], [EMAIL PROTECTED],
>        [EMAIL PROTECTED]
>Subject: big_tit_brunette_017
>MIME-Version: 1.0
>X-Mailer: OstroSoft SMTP Control (4.0.19)
>Content-Type: multipart/mixed; boundary="--NextMimePart"
>Message-Id: <[EMAIL PROTECTED]>
>Date: Sat, 27 Dec 2003 16:44:07 +0800 (PHT)



-- 
Author: Jaap van Ganswijk
  INET: [EMAIL PROTECTED]
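As an added illustration (not part of Jaap's post), the script below applies the same reasoning to the quoted headers: it walks the Received chain down to the injecting client and compares the From: domain with the Message-Id domain and with the origin host. The addresses and the Message-Id are constructed placeholders, since the post redacts the real ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Received hops quoted in the post, with placeholder
# addresses and a Message-Id domain chosen to show the mismatch described.
SAMPLE_HEADERS = """\
Received: from mx1.mydestiny.net (mx1 [202.8.224.3])
        by av-mx.mydestiny.net (Postfix) with ESMTP
        id 52EBE18758E; Sat, 27 Dec 2003 16:46:18 +0800 (PHT)
Received: from smtp.mydestiny.net (cable-202-8-241-74.d-one.net [202.8.241.74])
        by mx1.mydestiny.net (Postfix) with SMTP
        id 7F59510BE2; Sat, 27 Dec 2003 16:44:07 +0800 (PHT)
From: jaap@example.net
Message-Id: <20031227084407.7F59510BE2@mx1.mydestiny.net>
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as stamped by Postfix/sendmail.
RECEIVED_RE = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\) by (\S+)")

def parse_received(raw):
    """Return the Received hops in header order (newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def chain_consistent(hops):
    """Each hop's 'from' host must be the 'by' host of the older hop below it."""
    return all(hops[i]["helo"] == hops[i + 1]["by"] for i in range(len(hops) - 1))

def analyze(raw):
    """Compare the claimed sender with the Message-Id and the injecting client.
    The last Received header was added by the first MTA to accept the mail,
    so its rDNS/IP is the real origin, as the post reads it."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    msgid_domain = msg["Message-Id"].strip("<>").rsplit("@", 1)[-1]
    origin = parse_received(raw)[-1]
    rdns = origin["rdns"]
    own_host = rdns == from_domain or rdns.endswith("." + from_domain)
    suspicious = msgid_domain != from_domain or not own_host
    return {"from_domain": from_domain, "msgid_domain": msgid_domain,
            "origin_ip": origin["ip"], "origin_rdns": rdns, "spoof_suspected": suspicious}
```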

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
