1. I picked up the following in my syslog. Does anyone know what is
happening?

LIST 1
RETR 1
DELE 1
LIST 2
RETR 2
DELE 2
LIST 3
RETR 3
DELE 3

...it continues up through number 80 plus.

2. I am currently investigating why the postmaster account, for one of
the domains we host, sent an e-mail with a virus attached to itself at
the same Postmaster account. Declude Virus appears to have caught the
W32/NewApt.worm.gen@MM virus that was attached during pre-scan within
the html body of the message. The header is below...

Received: from mail.thedomain.com [216.201.29.172] by Thedomain.com
  (SMTPD32-6.06) id A2F8C25012A; Tue, 12 Feb 2002 16:11:04 -0600
From: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Thedomain VIRUS WARNING: YOU APPEAR TO HAVE A VIRUS!
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0007_01AF0E92.A4E9CDO0"
Message-Id: <[EMAIL PROTECTED]>
X-Declude-Sender: [EMAIL PROTECTED] []
X-Declude-Spoolname: D92f812a.SMD
X-Note: CompBiz.Net scanned e-mail for spam with Declude JunkMail.
X-Note: Failed Tests .
X-Sender: Mail From: [EMAIL PROTECTED]
X-Note: This E-mail was sent from  ([216.201.29.172]).
X-Note: Total spam weight of this E-mail is 0.

3. I am looking through the syslog and other logs trying to ID what
exactly happened and where, and it is difficult to figure out.

4. This is what I pick up in the log searching for the Spool file
name...

02:12 16:13 SMTPD(0C25012A) [216.201.29.172] f:\imail\spool\D92f812a.SMD
97962

5. This is what I find when searching for 0C25012A...

LIST 10
RETR 10
02:12 16:11 SMTPD(0C25012A) [216.30.105.167] connect 216.201.29.172 port
2055
DELE 10
LIST 11
02:12 16:11 SMTPD(0C25012A) [216.201.29.172] HELO mail.thedomain.com
RETR 11
DELE 11
LIST 12
02:12 16:11 SMTPD(0C25012A) [216.201.29.172] MAIL FROM:
<[EMAIL PROTECTED]>
RETR 12
DELE 12
02:12 16:11 SMTPD(0C25012A) [216.201.29.172] RCPT TO:
[EMAIL PROTECTED]
LIST 13
RETR 13
DELE 13

Thanks.

-Don

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
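
Added example, not part of the original post: the two searches described in items 4 and 5 (spool file name to session tag, then session tag to its log lines) as a small Python script that also sets aside the interleaved untagged POP3 commands and rejoins wrapped lines. The log layout is assumed only from the lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: log lines from the post (wrapped as e-mailed), trimmed.
SAMPLE_LOG = """\
LIST 10
RETR 10
02:12 16:11 SMTPD(0C25012A) [216.30.105.167] connect 216.201.29.172 port
2055
DELE 10
02:12 16:11 SMTPD(0C25012A) [216.201.29.172] HELO mail.thedomain.com
LIST 12
02:12 16:11 SMTPD(0C25012A) [216.201.29.172] MAIL FROM:
<[EMAIL PROTECTED]>
02:12 16:11 SMTPD(0C25012A) [216.201.29.172] RCPT TO:
[EMAIL PROTECTED]
02:12 16:13 SMTPD(0C25012A) [216.201.29.172] f:\\imail\\spool\\D92f812a.SMD
97962
"""

# Assumed layout (inferred from the post): MM:DD HH:MM SERVICE(session) [ip] text
ENTRY = re.compile(r"^(?P<date>\d\d:\d\d) (?P<time>\d\d:\d\d) (?P<service>\w+)"
                   r"\((?P<session>\w+)\) \[(?P<ip>[\d.]+)\] (?P<text>.*)$")
POP3 = re.compile(r"^(LIST|RETR|DELE) \d+$")

def parse(log_text):
    """Split tagged entries from bare POP3 commands, rejoining wrapped lines."""
    entries, pop3, last = [], [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            last = m.groupdict()
            entries.append(last)
        elif POP3.match(line):
            pop3.append(line)
            last = None  # a POP3 command ends any pending wrapped entry
        elif line.strip() and last is not None:
            last["text"] += " " + line.strip()  # continuation of a wrapped entry
    return entries, pop3

def session_for_spool(entries, spool_name):
    """Pivot 1: spool file name -> session tag that logged it."""
    hits = (e["session"] for e in entries if spool_name.lower() in e["text"].lower())
    return next(hits, None)

def timeline(entries, session):
    """Pivot 2: every entry carrying that session tag, in log order."""
    return [f'{e["date"]} {e["time"]} [{e["ip"]}] {e["text"]}'
            for e in entries if e["session"] == session]
```

Calling `timeline(entries, session_for_spool(entries, "D92f812a.SMD"))` on the parsed sample gives the SMTP session on its own, while the second value returned by `parse` holds the POP3 commands that carry no session tag and therefore cannot be tied to it from these lines alone.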
