Date: Tue, 30 Jul 2002 00:11:59 +0000 From: "Matthew Hanson" <[EMAIL PROTECTED]> Subject: Re: [LIB] Vignette StoryServer 4 Sun Jul 28 08
>From: Raymond <[EMAIL PROTECTED]> > >Where did you get [EMAIL PROTECTED]? I got the original email with the >following header. > >Return-path: <[EMAIL PROTECTED]> >Envelope-to: [EMAIL PROTECTED] >Delivery-date: Mon, 29 Jul 2002 06:46:29 -0700 >Received: from [65.174.100.24] (helo=mail77.basiclink.com) >by mx.mailix.net with smtp (Exim 3.33 #1) >id 17ZAqy-0004vV-00 >for [EMAIL PROTECTED]; Mon, 29 Jul 2002 06:46:28 -0700 >Received: from mail77.basiclink.com (65.174.102.137) by BL24 (MailMax 4. 8. >3. 0) with ESMTP id 2782080 for [EMAIL PROTECTED]; Mon, 29 Jul 2002 06:44:40 >-0700 PDT >it would *seem* to me that it therefore spoofed [EMAIL PROTECTED] but in >fact came from [EMAIL PROTECTED] ... If you look again, the header info says the email was received FROM mail77.basiclink.com FOR [EMAIL PROTECTED], not FROM [EMAIL PROTECTED] The header for the "Vignette .." post I received from the list shows it was, "Received: from mail77.basiclink.com (65.174.102.137) by BL24 (MailMax 4. 8. 3. 0) with ESMTP id 2782080 for >>>[EMAIL PROTECTED]<<<; Mon, 29 Jul 2002 06:44:41 -0700 PDT Checking back through my posts from the list server, most of the posts I get are from mail77.basiclink.com for >>>[EMAIL PROTECTED]<<< But it's not consistent. One recent one was for [EMAIL PROTECTED] and one for [EMAIL PROTECTED] in the same section of the header. This seems to be a function of how the list posts are routed on a routine basis, and not indicative of a virus as far as I can see. I got a reply from Stephane who is monitoring mail to [EMAIL PROTECTED] for Dan while he's away. I don't know if she can, but I asked her to send me the source code for 3 spoofed posts to the list if they exist on the server. I'd like to see if those posts originated from the same SMTP server in Israel I've been receiving non-list infected mail from. I've been getting about 1 email every day to this Hotmail address, each with a W32/Klez.h@MM infected attachment. And ALL of the posts were posted via the SMTP server for NetVision's server in Israel: mxout1.netvision.net.il �I posted email to them at [EMAIL PROTECTED] a week back, but only got an automated reply. I posted another to them at [EMAIL PROTECTED] yesterday, and received a personal note from them today. They're very concerned, and are going to be looking into the problem. I'm wondering if anyone else on the list has received infect mail through them. One more thing. After reading my note to Dan, Stephane said that she went ahead and turned attachments off for the server. But I'm wondering if Dan has already set something up to detect virus infected attachments from being forwarded to the list. All spoofed posts to the list, first "from" Dan, then Neil, and now this "Vignette" with Dan's address again, have not contained any attachments. So I'm wondering if they were removed somewhere, whether or not they may originally have contained the W32/Klez.h@MM, and if they may originated from mxout1.netvision.net.il Matt _________________________________________________________________ Chat with friends online, try MSN Messenger: http://messenger.msn.com ************************************************************** http://libretto.basiclink.com - Libretto mailing list http://www.silverace.com/libretto/ - Archives -------TO UNSUBSCRIBE------- Reply to any of the list messages. The reply mail should be addressed to: [EMAIL PROTECTED] - Then replace any text on the message's subject line: cmd:unsubscribe --------TO UNSUBSCRIBE DIGEST------ Do above but with this on subject line: cmd:unsubscribe digest **************************************************************
