Hi, I'm gonna move a little bit off-topic here, but given the impact of the MyDoom/Novarg/SCO virus, some other people may be interested in / may have already done something like this. Feel free to ignore this mail or respond to me directly instead of doing so to the list.

My bosses want to see some kind of statistics about which domains our mail server (qmail-ldap+qmail-scanner+Kaspersky) is receiving MyDoom-infected mails from. We've got heaps of infected mails in our quarantine directory, so we've got data, but what data can we use?

- As the virus forges the From: address, we can't use that.
- The Message-ID: header has a @domain. Is that reliable, or is that header forged too?
- Some mails only have one "Received:" header. These are the cases when the virus uses its own internal SMTP engine to send the mail, so we can assume that the IP it comes from is that of an infected computer, right? And what about the "HELO domain" on that line?
- Some others have several "Received:" headers, when the virus was able to relay the message via the user's ISP's SMTP server. Can we then assume that a) the from IP on the topmost Received header is that of an SMTP server which is relaying infected mails, and b) the bottommost line is that of the infected computer? In this case, what about the "HELO domain" on these lines?

Does anybody have greater insight on how this virus works? Any ideas?

Thanks in advance, and sorry for the slight off-topic. O:-)

-- 
Vicente Aguilar <[EMAIL PROTECTED]>
Systems Department                Tel.: 965 98 71 92
Recursos en la Red, S.L.U.        http://www.renr.es

_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
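An added example (not part of the post above, nor qmail-scanner's own code) of mining the Received: chain for the statistics asked about: it parses both the qmail and the sendmail/Postfix header styles, treats the bottommost hop as the suspected infected host and the topmost as the relay, and tallies origin IPs over a batch of quarantined messages. Only the topmost Received line, stamped by your own server, is guaranteed genuine; the lines beneath it were written by hosts you do not control. The sample messages, hostnames and IPs are constructed.

```python
import re
from collections import Counter
from email import message_from_string

# qmail writes "from unknown (HELO name) (ip)", sendmail/postfix write
# "from name (rdns [ip])"; values may be folded over several lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r".*?[\[(](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\])]", re.DOTALL)

def parse_received(value):
    """One Received: value -> {'helo': ..., 'ip': ...}, or None if unparsable."""
    m = RECEIVED_RE.search(value)
    return {"helo": m.group("helo") or m.group("name"), "ip": m.group("ip")} if m else None

def hops(raw):
    """Received headers topmost (our own server's stamp) first."""
    parsed = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    return [p for p in parsed if p]

def origin_and_relay(raw):
    """Bottommost hop = suspected infected host; topmost hop = relaying
    server when there is more than one hop, else None.  Only the topmost
    line was written by our own server; lower ones may be forged."""
    h = hops(raw)
    return (h[-1], h[0] if len(h) > 1 else None) if h else (None, None)

def tally_origins(raws):
    """Count suspected origin IPs over a batch of quarantined messages."""
    return Counter(o["ip"] for o, _ in map(origin_and_relay, raws) if o)

# Constructed samples for the two cases in the post (not real quarantine data).
DIRECT = """\
Received: from unknown (HELO dsl-pc) (192.0.2.10)
  by mx.renr.example with SMTP; 28 Jan 2004 10:00:00 -0000
From: forged@example.org

body
"""
RELAYED = """\
Received: from unknown (HELO smtp.isp.example) (198.51.100.5)
  by mx.renr.example with SMTP; 28 Jan 2004 10:05:00 -0000
Received: from dsl-pc (unknown [192.0.2.10])
  by smtp.isp.example (Postfix) with SMTP id 1234;
  Wed, 28 Jan 2004 11:04:50 +0100
From: other@example.org

body
"""
```

Point `tally_origins` at the contents of the quarantine directory and `.most_common()` on the result gives the per-IP table; reverse-resolving those IPs, not the forged From: domains, is what yields per-domain figures.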
