Recently, Somebody Somewhere wrote these words
> On Thursday 19 January 2006 02:14, Declan Moriarty wrote:
> > I just thought I'd ask the experts on these headers. 
> >
> > Received: from ns3.fatcity.com ([66.27.56.210])
> >         by hub01.mail.esat.net with esmtp (Exim 3.36 #4)
> >         id 1EzI0I-0006bj-00
> >         for [EMAIL PROTECTED]; Wed, 18 Jan 2006 18:25:54 +0000
> > Received: from ns3.fatcity.com (localhost.localdomain [127.0.0.1])
> >         by ns3.fatcity.com (8.12.8/8.12.8) with ESMTP id
> > k0IIU1gA012654
> >         for <[EMAIL PROTECTED]>; Wed, 18 Jan 2006 10:30:02 -0800
> > Received: (from [EMAIL PROTECTED])
> >         by ns3.fatcity.com (8.12.8/8.12.5/Submit) id
> > k0IIAQBi009340
> >         for [EMAIL PROTECTED]; Wed, 18 Jan 2006 10:10:27 -0800
> > Received: by fatcity.com (13-Dec-2005/v1.0g-b80/bab) via
> > fatcity.com id 00
> > 5FE923; Wed, 18 Jan 2006 10:02:20 -0800
> > Message-ID: <[EMAIL PROTECTED]>
> > Date: Wed, 18 Jan 2006 10:02:20 -0800
> > To: Multiple recipients of list CHIPDIR-L <[email protected]>
> >
> >
> > It is a Windows virus. To me it looks like it's mimicking the mail
> > server and presenting this (8.12.8/8.12.5/Submit) as an IP. That's
> > hardly kosher, but fatcity runs a fairly tight ship, and I
> > wouldn't expect a security breach there.
> 
> 8.12.8/8.12.8 and 8.12.8/8.12.5 are versions of Sendmail.
> 
> A buggy spam filter in a certain version (or versions) of RAV Antivirus
> can cause exactly this behaviour.  Are there X-RAV headers further down
> that you did not include?
> 
> http://groups.google.com/group/news.admin.net-abuse.email/browse_frm/thread/0f20a761740a3b4d/b02260c9886a996c
> _______________________________________
> ..
> Received: (from [EMAIL PROTECTED])
>          by mathserv.math.ohio-state.edu (8.12.8/8.12.5/Submit) id
> h2AEi31s027608
>          for [EMAIL PROTECTED]; Mon, 10 Mar 2003 09:44:03
> -0500
> ..
> 
> We found the culprit. It turns out to be RAV Antivirus.  When we
> upgraded sendmail, it turned out to be necessary to reconfigure
> RAV. Accidentally we turned on RAV's spam filtering -- not a good
> idea. RAV's spam filter reenqueues mail that it processes on the
> server. Due to bugs in RAV's spam filter, sometimes Received header
> lines get deleted. This is what happened here. 
> _______________________________________
> 
> -- 
> Irish Linux Users' Group mailing list
> Email: [EMAIL PROTECTED]
> Options (including unsubscribe) here: 
> http://mail.linux.ie/mailman/listinfo/ilug
> 

Thank you!
That sounds like someone remembering his pain. It also shows me I
got the header analysis wildly wrong. There are no RAV headers in
the mail, but there also _was_ a Windows executable, and a number
of dodgy-looking JPEGs. The mail definitely was not from the name
on the 'From', who is the list moderator.

I am pretty sure all headers would be stripped, except ListGuru
headers. It is trying to send files like WinZip.BHX,
Attachments00.HQX, eBook.PIF, & Video_part.mim which also
get stripped (no 8 bit content allowed on that list).

There appears to be the Worm.Win32.VB.bi out there, which affects
computers' security settings. So RAV may not have been so out of
the park after all.

ListGuru, btw, is their proprietary thing for handling lists.
-- 

        With best Regards,


        Declan Moriarty.
-- 
Author: Declan Moriarty
  INET: [EMAIL PROTECTED]

Fat City Hosting, San Diego, California -- http://www.fatcity.com
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB CHIPDIR-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
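The thread above reads a Received: chain by hand: which host handed to which, what the parenthesised Sendmail banner means, and whether a hop has gone missing (the RAV bug deleting Received lines). As an added example, not code from either poster, the script below does the same checks mechanically. It takes the Received: headers quoted in the message (with the archive's line wrapping undone; the `[EMAIL PROTECTED]` placeholders are left as they appear), parses each hop into from/by/banner/with/id/time, then walks the chain oldest to newest looking for a `from` host that does not match the previous `by` host (a stripped or forged hop) and for timestamps that run backwards (clock skew or forgery). A second, constructed header set with a relay deliberately removed shows what a gap looks like. The function names (`unfold`, `parse_received`, `audit`) and the `example.*` hosts are mine.

```python
import re
from email.utils import parsedate_to_datetime

# Received: chain from the message quoted in the thread, continuation
# lines joined as the archive wrapped them. Addresses are the archive's
# "[EMAIL PROTECTED]" placeholders, so the "for" clauses are not parsed.
SAMPLE_HEADERS = """\
Received: from ns3.fatcity.com ([66.27.56.210])
        by hub01.mail.esat.net with esmtp (Exim 3.36 #4)
        id 1EzI0I-0006bj-00
        for [EMAIL PROTECTED]; Wed, 18 Jan 2006 18:25:54 +0000
Received: from ns3.fatcity.com (localhost.localdomain [127.0.0.1])
        by ns3.fatcity.com (8.12.8/8.12.8) with ESMTP id k0IIU1gA012654
        for <[EMAIL PROTECTED]>; Wed, 18 Jan 2006 10:30:02 -0800
Received: (from [EMAIL PROTECTED])
        by ns3.fatcity.com (8.12.8/8.12.5/Submit) id k0IIAQBi009340
        for [EMAIL PROTECTED]; Wed, 18 Jan 2006 10:10:27 -0800
Received: by fatcity.com (13-Dec-2005/v1.0g-b80/bab) via fatcity.com id 005FE923; Wed, 18 Jan 2006 10:02:20 -0800
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 18 Jan 2006 10:02:20 -0800
"""

# Constructed chain (hosts are example.* placeholders) with the middle
# relay's Received: line deleted, the way the RAV spam filter in the
# thread is described as doing.
GAPPED_HEADERS = """\
Received: from relay.example.net ([192.0.2.10])
        by mx.example.org with ESMTP id constructed01; Thu, 19 Jan 2006 02:14:30 +0000
Received: from workstation.example.com ([192.0.2.77])
        by smtp.example.com with ESMTP id constructed02; Thu, 19 Jan 2006 02:13:05 +0000
"""


def unfold(raw):
    """Join header continuation lines (leading whitespace) onto the line they belong to."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def parse_received(raw):
    """Return one dict per Received: header, newest first (the order MTAs prepend them)."""
    hops = []
    for line in unfold(raw).splitlines():
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        # The timestamp follows the last ';'; everything before it is the clause list.
        clauses, sep, stamp = value.rpartition(";")

        def clause(name):
            # Match the keyword only at a word boundary preceded by whitespace or start,
            # so "(from user)" in a local-submission hop does not count as a relay host.
            m = re.search(r"(?:^|\s)%s\s+(\S+)" % name, clauses)
            return m.group(1) if m else None

        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clauses)
        banner = re.search(r"(?:^|\s)by\s+\S+\s*\(([^)]*)\)", clauses)
        try:
            when = parsedate_to_datetime(stamp.strip()) if sep else None
        except (TypeError, ValueError):
            when = None
        hops.append({
            "from": clause("from"),
            "from_ip": ip.group(1) if ip else None,
            "by": clause("by"),
            "banner": banner.group(1) if banner else None,  # e.g. Sendmail's "8.12.8/8.12.8"
            "with": clause("with"),
            "id": clause("id"),
            "time": when,
        })
    return hops


def audit(hops, max_skew=0):
    """Walk the chain oldest-to-newest and return the breaks a header reviewer would look at."""
    findings = []
    oldest_first = list(reversed(hops))
    for i, hop in enumerate(oldest_first):
        label = "hop %d (by %s)" % (i + 1, hop["by"])
        if hop["from"] is None:
            findings.append("%s: no 'from' clause (local submission or stripped origin)" % label)
        if i == 0:
            continue
        prev = oldest_first[i - 1]
        # Each relay should name the previous relay as the host it received from.
        if hop["from"] and prev["by"] and hop["from"].lower() != prev["by"].lower():
            findings.append("%s: 'from %s' does not match previous 'by %s' (missing or forged hop?)"
                            % (label, hop["from"], prev["by"]))
        # Stamps should not run backwards; small negatives are clock skew, large ones are suspicious.
        if hop["time"] and prev["time"]:
            delta = (hop["time"] - prev["time"]).total_seconds()
            if delta < -max_skew:
                findings.append("%s: stamped %.0f s before the previous hop (clock skew or forged header)"
                                % (label, -delta))
    return findings


if __name__ == "__main__":
    for name, raw in (("thread sample", SAMPLE_HEADERS), ("constructed gap", GAPPED_HEADERS)):
        print("==", name)
        for finding in audit(parse_received(raw)):
            print(finding)
```

On the thread's own headers the audit reports the two local-submission hops without a `from` host, and that hub01.mail.esat.net stamped the message 248 seconds before ns3.fatcity.com's own stamp once both are put in UTC, which is ordinary clock skew between two independently run servers rather than anything sinister. The constructed set is flagged because mx.example.org says it received from relay.example.net while the previous surviving hop was written by smtp.example.com, which is exactly the shape a deleted Received: line leaves behind.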
