Hi all, Here is an example of a virus scanner suspecting me of sending a virus email. (I get a lot of those... ;-)
Please note that the header at the top is the one of the message from the virus scanner and the second header (under "--- BEGIN HEADERS ---") is the original mail containing the virus. Go there to read on...

>Return-Path: <MAILER-DAEMON>
>Received: from mxzilla7.xs4all.nl (mxzilla7.xs4all.nl [194.109.6.18])
>    by maildrop6.xs4all.nl (8.12.9/8.12.6) with ESMTP id hBR8kRRV052847
>    for <[EMAIL PROTECTED]>; Sat, 27 Dec 2003 09:46:27 +0100 (CET)
>X-XS4ALL-DNSBL-Checked: mxzilla7.xs4all.nl checked 202.8.224.17 against DNS blacklists
>X-XS4ALL-Pad: empty
>Received: from mx2.mydestiny.net (mx2.mydestiny.net [202.8.224.17])
>    by mxzilla7.xs4all.nl (8.12.10/8.12.10) with ESMTP id hBR8kOCg098575
>    for <[EMAIL PROTECTED]>; Sat, 27 Dec 2003 09:46:25 +0100 (CET)
>Received: from av-mx.mydestiny.net (av-mx [202.8.224.59])
>    by mx2.mydestiny.net (Postfix) with ESMTP id 5E2F1BD86A
>    for <[EMAIL PROTECTED]>; Sat, 27 Dec 2003 16:50:26 +0800 (PHT)
>Received: from localhost (av-mx.mydestiny.net [127.0.0.1])
>    by av-mx.mydestiny.net (Postfix) with ESMTP id 6DD0E18764C
>    for <[EMAIL PROTECTED]>; Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>MIME-Version: 1.0
>Subject: VIRUS (W32/Valla.a) IN MAIL FROM YOU
>In-Reply-To: <[EMAIL PROTECTED]>
>Message-Id: <[EMAIL PROTECTED]>
>Content-Type: multipart/report; report-type=delivery-status;
>    boundary="----------=_1072514779-26371-1"
>From: Email-Content-Filter <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Date: Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>X-UIDL: _45M.kbU7_.maildrop6.xs4all.nl
>
>VIRUS ALERT
>
>Our content checker found
>    virus: W32/Valla.a
>in email presumably from you (<[EMAIL PROTECTED]>), to the following recipients:
>-> [EMAIL PROTECTED]
>-> [EMAIL PROTECTED]
>-> [EMAIL PROTECTED]
>
>Please check your system for viruses,
>or ask your system administrator to do so.
>
>Delivery of the email was stopped!
>
>For your reference, here are headers from your email:
>------------------------- BEGIN HEADERS -----------------------------
>Return-Path: <[EMAIL PROTECTED]>
>Received: from mx1.mydestiny.net (mx1 [202.8.224.3])
>    by av-mx.mydestiny.net (Postfix) with ESMTP
>    id 52EBE18758E; Sat, 27 Dec 2003 16:46:18 +0800 (PHT)
>Received: from smtp.mydestiny.net (cable-202-8-241-74.d-one.net [202.8.241.74])
>    by mx1.mydestiny.net (Postfix) with SMTP
>    id 7F59510BE2; Sat, 27 Dec 2003 16:44:07 +0800 (PHT)
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED], [EMAIL PROTECTED],
>    [EMAIL PROTECTED]
>Subject: big_tit_brunette_017
>MIME-Version: 1.0
>X-Mailer: OstroSoft SMTP Control (4.0.19)
>Content-Type: multipart/mixed; boundary="--NextMimePart"
>Message-Id: <[EMAIL PROTECTED]>
>Date: Sat, 27 Dec 2003 16:44:07 +0800 (PHT)
>-------------------------- END HEADERS ------------------------------

At first sight, the email really seems to be coming from me, because the 'From:' address is [EMAIL PROTECTED] (which is one of my aliases) and it's even in the 'Return-Path:' header; however, the message ID is not something like [EMAIL PROTECTED], which would normally be the case.

In the second 'Received:' header one can find the real origin of the email:

"from smtp.mydestiny.net (cable-202-8-241-74.d-one.net [202.8.241.74])"

Clearly someone with a cable modem at the given IP address has sent it to the SMTP (= mail-input) server of his provider. (Or a virus on his PC has...)

It seems that this is the mailer that the virus used:

"X-Mailer: OstroSoft SMTP Control (4.0.19)"

(Often the mailer is integrated in the virus.)
Greetings,
Jaap

>Reporting-MTA: dns; av-mx.mydestiny.net
>Received-From-MTA: smtp; av-mx.mydestiny.net ([127.0.0.1])
>Arrival-Date: Sat, 27 Dec 2003 16:46:18 +0800 (PHT)
>
>Final-Recipient: rfc822; [EMAIL PROTECTED]
>Action: failed
>Status: 5.7.1
>Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=26371-03 - VIRUS:
>W32/Valla.a
>Last-Attempt-Date: Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>
>Final-Recipient: rfc822; [EMAIL PROTECTED]
>Action: failed
>Status: 5.7.1
>Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=26371-03 - VIRUS:
>W32/Valla.a
>Last-Attempt-Date: Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>
>Final-Recipient: rfc822; [EMAIL PROTECTED]
>Action: failed
>Status: 5.7.1
>Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=26371-03 - VIRUS:
>W32/Valla.a
>Last-Attempt-Date: Sat, 27 Dec 2003 16:46:19 +0800 (PHT)
>
>Received: from mx1.mydestiny.net (mx1 [202.8.224.3])
>    by av-mx.mydestiny.net (Postfix) with ESMTP
>    id 52EBE18758E; Sat, 27 Dec 2003 16:46:18 +0800 (PHT)
>Received: from smtp.mydestiny.net (cable-202-8-241-74.d-one.net [202.8.241.74])
>    by mx1.mydestiny.net (Postfix) with SMTP
>    id 7F59510BE2; Sat, 27 Dec 2003 16:44:07 +0800 (PHT)
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED], [EMAIL PROTECTED],
>    [EMAIL PROTECTED]
>Subject: big_tit_brunette_017
>MIME-Version: 1.0
>X-Mailer: OstroSoft SMTP Control (4.0.19)
>Content-Type: multipart/mixed; boundary="--NextMimePart"
>Message-Id: <[EMAIL PROTECTED]>
>Date: Sat, 27 Dec 2003 16:44:07 +0800 (PHT)

--
Author: Jaap van Ganswijk
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB CHIPDIR-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
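The header reading Jaap does by hand above (trust only the Received: lines stamped by the scanning site's own MTAs, take the first hop whose client IP is outside that site's network as the real origin, and notice that the Message-Id does not carry the claimed sender's domain) can be automated. The script below is an added example and is not the poster's code or anything from the mailing list. It embeds a constructed copy of the original-mail headers quoted in the post, with the archive's "[EMAIL PROTECTED]" placeholders replaced by made-up addresses and a made-up Message-Id; the 202.8.224.0/24 "trusted network" is an assumption built from the three 202.8.224.x hosts visible in the headers, as is the choice to treat any host under mydestiny.net as the scanning site's own MTA.

```python
"""Trace the real origin of a forged mail from its Received: chain (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Infrastructure of the site that scanned the mail (mydestiny.net in the post).
# ASSUMPTION: the /24 is inferred from the three 202.8.224.x hosts in the
# headers; a real deployment lists its own MTAs and networks here.
TRUSTED_BY_SUFFIX = "mydestiny.net"
TRUSTED_NETS = [ipaddress.ip_network("202.8.224.0/24"),
                ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample: the original-mail headers quoted in the post, with the
# archive's "[EMAIL PROTECTED]" placeholders replaced by made-up addresses
# and a made-up Message-Id.
RAW_HEADERS = """\
Return-Path: <jaap@example.net>
Received: from mx1.mydestiny.net (mx1 [202.8.224.3])
    by av-mx.mydestiny.net (Postfix) with ESMTP
    id 52EBE18758E; Sat, 27 Dec 2003 16:46:18 +0800 (PHT)
Received: from smtp.mydestiny.net (cable-202-8-241-74.d-one.net [202.8.241.74])
    by mx1.mydestiny.net (Postfix) with SMTP
    id 7F59510BE2; Sat, 27 Dec 2003 16:44:07 +0800 (PHT)
From: jaap@example.net
To: one@example.org, two@example.org,
    three@example.org
MIME-Version: 1.0
X-Mailer: OstroSoft SMTP Control (4.0.19)
Content-Type: multipart/mixed; boundary="--NextMimePart"
Message-Id: <000a01c3cc66$1234abcd@localhost>
Date: Sat, 27 Dec 2003 16:44:07 +0800 (PHT)

"""

# "from <HELO name> (<reverse DNS> [<ip>]) by <receiving host>"
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\) by (?P<by>\S+)")


def parse_received(value):
    """Unfold one Received: header and pull out HELO name, rDNS, IP and receiver."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = RECEIVED_RE.match(flat)
    return m.groupdict() if m else None


def find_origin(msg):
    """Walk Received: headers newest-first and return the first hop that handed
    the mail to one of our MTAs from outside our network.

    Anything below that hop was written by (or could have been forged by) the
    submitting client, so the walk stops as soon as a header was stamped by a
    host we do not control."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or not hop["by"].endswith(TRUSTED_BY_SUFFIX):
            return None  # stamped by a foreign host: nothing below is reliable
        if not any(ipaddress.ip_address(hop["ip"]) in net for net in TRUSTED_NETS):
            return hop   # first external client IP: the real submitter
    return None


def analyse(raw):
    """Collect the indicators the post reads by eye from the headers."""
    msg = message_from_string(raw)
    origin = find_origin(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mid = re.search(r"@([^>\s]+)", msg.get("Message-Id", ""))
    mid_domain = mid.group(1).lower() if mid else ""
    helo_mismatch = False
    if origin:
        # HELO claims the provider's own SMTP server, rDNS says a cable-modem host
        helo_dom = ".".join(origin["helo"].split(".")[-2:])
        rdns_dom = ".".join(origin["rdns"].split(".")[-2:])
        helo_mismatch = helo_dom != rdns_dom
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_rdns": origin["rdns"] if origin else None,
        "helo_mismatch": helo_mismatch,
        # a Message-Id generated by the sender's own client or MTA normally
        # carries the sender's own domain, not "localhost" or a stranger's host
        "msgid_domain_mismatch": mid_domain != from_domain,
        "x_mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    for key, val in analyse(RAW_HEADERS).items():
        print(f"{key:>22}: {val}")
```

The important design choice is the early `return None` in `find_origin`: a Received: line is only as trustworthy as the MTA that added it, so the walk must start from the headers your own servers stamped and stop at the first one stamped by somebody else, rather than simply taking the bottom-most line, which a sender can fabricate freely.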
