Some data.
I did "grep [EMAIL PROTECTED],.proto= syslog" on one of our incoming mail hosts. The file had 46,000 msgid= strings.
The Bagle virus does this. We are catching these already with a test on the HELO string-- it says "helo columbia.edu" when sending, and we don't allow that unless we have smtp auth (some clients do it).
There is a very consistent pattern to Bagle mail. Insert your own domain name there:
msgid=<[EMAIL PROTECTED]> msgid=<[EMAIL PROTECTED]> msgid=<[EMAIL PROTECTED]> msgid=<[EMAIL PROTECTED]> msgid=<[EMAIL PROTECTED]>
So... exclude Bagle and what else is there...
msgid=<[EMAIL PROTECTED]>
This comes from Yahoo Groups. The sender was [EMAIL PROTECTED] (actually not xx but two other letters!). This looks legit. I see some others. This seems to be how Yahoo Groups constructs message ids.
msgid=<[EMAIL PROTECTED]> msgid=<[EMAIL PROTECTED]>
Mydoom virus.
msgid=<05/26/2004|[EMAIL PROTECTED]|14627>
Good grief. The recipient is [EMAIL PROTECTED]. Probably legit. Sending host in morningstar.com.
msgid=<[EMAIL PROTECTED]>
From a Verizon mail server. Sender address is [EMAIL PROTECTED] and it appears to be one of our users sending mail from an ISP. Some clients construct the Message-ID using the default domain name. This is an important example but I have to admit it is the only one I can find in this syslog file, so it appears to be unusual.
Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
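The two checks the post describes (grep the MTA syslog for msgid= values that carry your own domain, and reject a HELO that claims your own domain from a session without SMTP AUTH) as an added worked example. This is not code from the post or from MIMEDefang; the log lines are constructed, the sendmail-style key=value layout (msgid=, helo=, auth=, relay=) is an assumption about the log format, and the example addresses and hostnames are invented. The "|"-delimited Message-ID shape and the Yahoo-Groups-style ID are modelled on the post's examples with made-up contents. Matching subdomains of your domain is an added generalization of the post's exact-string HELO test.

```python
import re
from collections import Counter

# The post says "insert your own domain name there"; this is the post's domain.
OUR_DOMAIN = "columbia.edu"

# Assumed sendmail-style "from=" log fields. Only msgid= is shown in the post;
# the helo=/auth=/relay= layout here is a constructed assumption.
MSGID_RE = re.compile(r"msgid=<([^>]*)>")
HELO_RE = re.compile(r"helo=([^,\s]+)")
AUTH_RE = re.compile(r"\bauth=([^,\s]+)")

# Constructed sample syslog lines (not real log data).
SAMPLE_LOG = [
    # Bagle-like: our domain in msgid AND in HELO, no auth, random outside relay.
    "May 26 10:01:02 mx1 sendmail[1234]: i4QE12ab001234: from=<worm@example.net>, "
    "msgid=<20040526.1234@columbia.edu>, proto=SMTP, helo=columbia.edu, relay=[192.0.2.10]",
    # The post's "important example": a real user at an ISP whose client built
    # the Message-ID from the default domain. No auth, but an honest HELO.
    "May 26 10:02:10 mx1 sendmail[1235]: i4QE2Aab001235: from=<user@example-isp.net>, "
    "msgid=<abc123@columbia.edu>, proto=ESMTP, helo=mail.example-isp.net, relay=mail.example-isp.net [198.51.100.5]",
    # Authenticated roaming user: allowed to say helo columbia.edu.
    "May 26 10:03:11 mx1 sendmail[1236]: i4QE3Bab001236: from=<jb@columbia.edu>, "
    "msgid=<xyz@columbia.edu>, proto=ESMTP, auth=LOGIN, helo=columbia.edu, relay=[203.0.113.7]",
    # Yahoo-Groups-style ID (constructed): not our domain, nothing to flag.
    "May 26 10:04:12 mx1 sendmail[1237]: i4QE4Cab001237: from=<list@groups.example.com>, "
    "msgid=<12345.67890.qm@web1.grp.example.com>, proto=ESMTP, helo=n1.grp.example.com, relay=n1.grp.example.com [192.0.2.77]",
    # '|'-delimited ID in the style of the Morningstar example (constructed).
    "May 26 10:05:13 mx1 sendmail[1238]: i4QE5Dab001238: from=<news@example-news.com>, "
    "msgid=<05/26/2004|news@example-news.com|14627>, proto=ESMTP, helo=mail.example-news.com, relay=mail.example-news.com [192.0.2.88]",
    # A to= line with no msgid= field: skipped, as the grep would skip it.
    "May 26 10:05:14 mx1 sendmail[1239]: i4QE5Dab001238: to=<someone@columbia.edu>, delay=00:00:01, stat=Sent",
]


def msgid_domain(msgid):
    """Domain part of a Message-ID body (the text between < and >).
    Takes what follows the last '@' and stops at the first '|', so IDs with
    extra '|'-separated fields around the address still yield the domain."""
    if "@" not in msgid:
        return ""
    tail = msgid.rsplit("@", 1)[1]
    return tail.split("|", 1)[0].strip().lower()


def claims_domain(name, our_domain=OUR_DOMAIN):
    """True if name is our domain or a subdomain of it (subdomain match is
    an added assumption; the post tests the exact string)."""
    n = name.strip().lower()
    return n == our_domain or n.endswith("." + our_domain)


def helo_is_suspicious(helo, authenticated, our_domain=OUR_DOMAIN):
    """The post's HELO test: an unauthenticated client announcing our own
    domain is refused; an SMTP AUTH session may do so."""
    return (not authenticated) and claims_domain(helo, our_domain)


def scan_syslog(lines, our_domain=OUR_DOMAIN):
    """Equivalent of the post's grep, plus the HELO test: count msgid= lines by
    Message-ID domain and list unauthenticated lines whose Message-ID or HELO
    claims our domain, with the reason(s), for a human to review."""
    by_domain = Counter()
    flagged = []
    for line in lines:
        m = MSGID_RE.search(line)
        if not m:
            continue  # not a from= line with a Message-ID
        msgid = m.group(1)
        by_domain[msgid_domain(msgid)] += 1
        authed = AUTH_RE.search(line) is not None
        h = HELO_RE.search(line)
        helo = h.group(1) if h else ""
        reasons = []
        if not authed and claims_domain(msgid_domain(msgid), our_domain):
            reasons.append("msgid-claims-our-domain-unauthenticated")
        if helo_is_suspicious(helo, authed, our_domain):
            reasons.append("helo-claims-our-domain-unauthenticated")
        if reasons:
            flagged.append({"msgid": msgid, "helo": helo, "reasons": reasons})
    return {"by_domain": by_domain, "flagged": flagged}


if __name__ == "__main__":
    result = scan_syslog(SAMPLE_LOG)
    for dom, n in result["by_domain"].most_common():
        print(f"{n:6d}  {dom}")
    for f in result["flagged"]:
        print(f"FLAG msgid=<{f['msgid']}> helo={f['helo']} {', '.join(f['reasons'])}")
```

Run against a real sendmail log, the by_domain counter reproduces the 46,000-line tally from the post, and the flagged list separates the Bagle-shaped lines (both reasons) from the rarer legitimate case (only the msgid reason, honest HELO) that the post warns should not be blocked on the Message-ID alone.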