It originated at adsl-66-120-254-18.dsl.lsan03.pacbell.net [66.120.254.18]. That host said 'helo Jillian.org' when it connected but that means nothing. In fact that hostname does not exist.
How can it put your domain in the From: line? By just doing it. Random From: lines are pretty standard in virus mail.
(The other two Received headers look pretty strange to me with all those nonexistent hostnames-- but maybe they are normal. I cannot explain those.)
So what about Mimedefang?
Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
--On Thursday, July 22, 2004 10:32 AM -0400 Vivek Kumar <[EMAIL PROTECTED]> wrote:
Hi all,
Look at the following header information. The user got this mail but it was never sent by one internal user (harv) to SAMMY. They also said that it contained virus. Now I think that this mail was generated from jillian.org. Now what all can I diagnose from this. How the mail is generated from outside domain using internal user name etc. ?? Any help or diagnosis is highly appreciated.
Thanks
Vivek
Received: from localhost.localdomain (191.0.0.1 [191.0.0.1])
    by virtual02.gorave.net with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id 3RNHWNKC; Wed, 21 Jul 2004 14:21:21 -0400
Received: from advanceserver (advanceserver [127.0.0.1])
    by localhost.localdomain (8.12.11/8.12.10) with ESMTP id i6LIKiaL012792
    for <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >; Wed, 21 Jul 2004 14:20:44 -0400
Received: from Jillian.org (adsl-66-120-254-18.dsl.lsan03.pacbell.net [66.120.254.18])
    by gorave.net (VaMailArmor-2.0.2-6) id 12753-5A1C3251; Wed, 21 Jul 2004 14:20:42 -0400
Date: Wed, 21 Jul 2004 11:30:35 -0800
To: "SAMMY" <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >
From: "Harv" <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >
Subject: Virus Found in message "Re:"
Message-ID: <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------oijkoluwnkhliypsdsda"
X-AntiVirus: checked by Vexira MailArmor (version: 2.0.2-6; VAE: 6.26.0.3; VDF: 6.26.0.38; host: advanceserver)
X-Spam-Status: No, hits=2.7 required=8.0 tests=AWL,BASE64_ENC_TEXT,HTML_20_30,MIME_HTML_ONLY,RCVD_IN_ORBS version=2.55
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Scanned-By: MIMEDefang 2.38

----------oijkoluwnkhliypsdsda
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: base64

----------oijkoluwnkhliypsdsda--
_______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
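Added example, not part of the original thread: one way to do the header reading described in the reply, finding the hop where the message entered the site and comparing the HELO name with the name the server recorded. It assumes the three "by" hosts in the quoted headers belong to the recipient's site; the fourth header in the sample is constructed to show a sender-supplied line.

```python
import re

# Received headers copied from the message above, newest first (the redacted
# "for" clauses are dropped). The last entry is constructed: a header the
# sender could have inserted, stamped by a host the site does not run.
RECEIVED = [
    "from localhost.localdomain (191.0.0.1 [191.0.0.1]) by virtual02.gorave.net "
    "with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) "
    "id 3RNHWNKC; Wed, 21 Jul 2004 14:21:21 -0400",
    "from advanceserver (advanceserver [127.0.0.1]) by localhost.localdomain "
    "(8.12.11/8.12.10) with ESMTP id i6LIKiaL012792; Wed, 21 Jul 2004 14:20:44 -0400",
    "from Jillian.org (adsl-66-120-254-18.dsl.lsan03.pacbell.net [66.120.254.18]) "
    "by gorave.net (VaMailArmor-2.0.2-6) id 12753-5A1C3251; Wed, 21 Jul 2004 14:20:42 -0400",
    "from harv-pc (harv-pc [192.0.2.10]) by mail.example.invalid with ESMTP "
    "id CONSTRUCTED; Wed, 21 Jul 2004 14:20:40 -0400",
]

# Assumption: these are the hosts the recipient's site operates, so their stamps can be trusted.
TRUSTED_BY = {"virtual02.gorave.net", "localhost.localdomain", "gorave.net"}

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)", re.I)

def parse_hop(header):
    """Split one Received header into claimed HELO, recorded name, IP and stamping host."""
    m = HOP.search(header)
    return m.groupdict() if m else None

def handoff(headers, trusted):
    """Walk newest to oldest; return the oldest hop stamped by a trusted host.
    Every header below it was supplied by the sender and proves nothing."""
    boundary = None
    for h in headers:
        hop = parse_hop(h)
        if hop is None or hop["by"].lower() not in trusted:
            break
        boundary = hop
    return boundary

def helo_mismatch(hop):
    """True when the name given in HELO differs from the name the server recorded."""
    return hop["helo"].lower() != hop["rdns"].lower()

if __name__ == "__main__":
    hop = handoff(RECEIVED, TRUSTED_BY)
    print("entered at", hop["by"], "from", hop["ip"], "(" + hop["rdns"] + ")")
    print("HELO claimed", hop["helo"], "-> mismatch:", helo_mismatch(hop))
```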

