At 10:35 AM 1/4/2006, Derek Lamparty wrote:
> I am getting hammered by worm.sober.u-3. What are the
> characteristics of this worm? Can it spoof IP addresses in
> the mail server logs?
The IP listed as the client in your mail log is very likely
accurate. It's both difficult (but not impossible) and
unreliable to spoof IPs for an SMTP session; no known
viruses or spammers do this.
IPs listed in the Received: mail headers are unreliable
except for the topmost entry, added by your own server.
> I was trying to track some of the viruses back to the
> origination point (there are a lot of them) to let our
> members know that they might have a virus. I contacted a
> couple and they said that their networks are clean.
If you're looking at the IP in your mail log, the virus may
be relayed through them, or the messages may be bounces they
generate.
Some poorly designed antivirus products accept viruses and
then return the email - with the live virus attached! - to
the forged envelope sender.
Some poorly designed mail systems accept mail for invalid
recipients, then return the message to the forged envelope
sender.
Adding SPF records for your domain may or may not help this
backscatter problem.
--
Noel Jones
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
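Added example, not code from either post above and not part of ClamAV: a small Python script that walks the Received: headers of a message top-down, trusts only the hop(s) stamped by your own server (the "topmost entry" Noel refers to), and flags every lower hop as unverifiable, since those lines travelled inside the message and a worm or spammer can forge them freely. It also returns the one IP that should match the client address in your own SMTP log. The host names, the sample message and the addresses (all from the RFC 5737 documentation ranges) are constructed for the example; adjust OUR_MX to the hostname your MX writes into its own Received: line.

```python
import email
import re

# Hostnames that appear in the "by" part of Received: lines written by our own
# server(s). Constructed for this example; substitute your real MX name(s).
OUR_MX = {"mx.example.org"}

# Constructed sample message (not from the original thread). The topmost
# Received: line was stamped by our own MX; the two below it arrived inside
# the message and could say anything the sender wanted them to say.
SAMPLE_MESSAGE = """\
Received: from dsl-host.example.net (dsl-host.example.net [203.0.113.45])
    by mx.example.org (Postfix) with ESMTP id ABC123
    for <user@example.org>; Wed,  4 Jan 2006 10:20:00 -0600
Received: from mail.forged.example (mail.forged.example [198.51.100.7])
    by dsl-host.example.net with SMTP; Wed,  4 Jan 2006 10:19:00 -0600
Received: from trusted.example.com ([192.0.2.10]) by mail.forged.example
From: "Someone" <someone@example.com>
To: user@example.org
Subject: hello

body
"""

IPV4_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY = re.compile(r"\bfrom\s+(\S+)(.*?)\bby\s+(\S+)")


def parse_received(value):
    """Split one Received: header into (helo_name, client_ip, receiving_host).

    Folded continuation lines are collapsed first. Returns None when the line
    does not have the usual "from X (... [ip]) by Y" shape.
    """
    flat = " ".join(value.split())
    m = FROM_BY.search(flat)
    if not m:
        return None
    helo, between, by_host = m.groups()
    ip = IPV4_LITERAL.search(between)
    return helo, (ip.group(1) if ip else None), by_host.rstrip(",;")


def client_ips(raw_message, our_hosts):
    """Return [(client_ip, trusted), ...] in top-down (newest-first) order.

    A hop is trusted only while the chain from the top of the message is made
    of lines written by our own servers; the first hop stamped by anyone else
    breaks the chain, and everything below it is untrusted because it was
    already inside the message when it reached us.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    chain_trusted = True
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            chain_trusted = False  # unparsable line: stop trusting below it
            continue
        _helo, ip, by_host = parsed
        chain_trusted = chain_trusted and by_host in our_hosts
        hops.append((ip, chain_trusted))
    return hops


def connecting_client(raw_message, our_hosts):
    """The IP that should match the client address in our own SMTP log,
    i.e. the peer of the topmost hop written by our server, or None."""
    hops = client_ips(raw_message, our_hosts)
    if hops and hops[0][1]:
        return hops[0][0]
    return None


if __name__ == "__main__":
    for ip, trusted in client_ips(SAMPLE_MESSAGE, OUR_MX):
        print(f"{ip:16} {'trusted (our server wrote it)' if trusted else 'unverified (came with the message)'}")
    print("compare against mail log:", connecting_client(SAMPLE_MESSAGE, OUR_MX))
```

Run stand-alone, the script reports 203.0.113.45 as the only address worth correlating with the mail log; 198.51.100.7 and 192.0.2.10 are printed as unverified, which is exactly why contacting the owners of addresses taken from lower Received: lines so often gets the answer "our network is clean".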