On 03-Jun-03 Peter Dalgaard BSA wrote:
> It's really difficult to tell who the culprit is because all we're
> seeing are autoreplies from someone's system to an infected mail that
> purported to be from r-help.
>
> The original message headers might be able to tell us who is infected
> (which may or may not be someone on the list, depending on where the
> virus is grabbing its From: headers from).
I don't think there's much mileage in trying to trace origins. The only clue you're going to get from the autoreply is who it was originally "To:", and if you do receive an "original" directly (as I have done quite a few times) then also who it was "From:"; both addresses are faked by the Sobig.C virus, being harvested from email addresses found on the originating system. So such messages limit the field to people who have these addresses in their system. It's possible that you may just manage to guess who it is from this information, but in general this still leaves far too big a field of possibilities.

Have a look, for instance, at the appropriate entries --> Sobig --> Sobig.A (Sobig) --> Sobig.B (Palyh) --> Sobig.C under http://www.datafellows.com/v-descs/s.shtml to learn about the modus operandi of the various versions of Sobig.

The "Message-Id:" header is unlikely to be much help either: while mailer software originating a message is supposed to insert such a header at the time, these viruses generally don't; and if a mail arrives at a mail-hub without a "Message-Id:" then the mail-hub will insert its own.

The "helo=..." is useless: this is faked at the time of sending during the SMTP dialogue that the virus initiates itself (bypassing the user's own mail-transfer system).

The only thing I can suggest is for Windows users on the list to grab the latest virus updates for their anti-virus software, and check their own systems.

And in reassurance to Kurt Sys: a Linux system will not be vulnerable to this virus since it can only get its teeth into a Windows system. The message you got (and quoted to the list) you received from R-help (as I did), since xtra.co.nz thought it had received a virus from r-help, and replied to the list.

Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) <[EMAIL PROTECTED]>
Fax-to-email: +44 (0)870 167 1972
Date: 03-Jun-03 Time: 11:38:40
------------------------------ XFMail ------------------------------

______________________________________________
[EMAIL PROTECTED] mailing list
https://www.stat.math.ethz.ch/mailman/listinfo/r-help
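As an added illustration (not part of the thread), a small Python header triage that pulls out the fields Ted discusses and marks which ones the sender controls. It runs over a constructed message whose hostnames, addresses and ids are all made up to mimic the pattern he describes (no originator Message-Id, Exim-style "helo=" token recorded by the first hub).

```python
import email
import re

# Constructed sample message: the originator supplied no Message-Id, so the
# first mail-hub (mailhub.example.org) generated one; the "helo=" name and the
# From:/To: addresses are whatever the sending program chose to present.
RAW = """Received: from mailhub.example.org (mailhub.example.org [192.0.2.10])
\tby lists.example.net with ESMTP id h53ABCDE; Tue, 3 Jun 2003 11:00:00 +0000
Received: from myhome.example.com (helo=myhome.example.com) ([198.51.100.23])
\tby mailhub.example.org with smtp id 19Mxyz-0001Ab-00; Tue, 3 Jun 2003 10:59:58 +0000
Message-Id: <E19Mxyz-0001Ab-00@mailhub.example.org>
From: someone@r-project.example
To: victim@example.net
Subject: Re: Approved

body
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"             # name the connecting side presented
    r"(?:.*?helo=(?P<helo>[^)\s]+))?"   # Exim-style helo= token, if logged
    r".*?\bby\s+(?P<by>\S+)",           # the hub that wrote this line
    re.S)
IP_RE = re.compile(r"\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]")

def parse_received(value):
    """Split one Received: header into the sender claims and the hub's own record."""
    hop = {}
    m = RECEIVED_RE.search(value)
    if m:
        hop.update({k: v for k, v in m.groupdict().items() if v})
    ip = IP_RE.search(value)
    if ip:
        hop["ip"] = ip.group("ip")   # recorded by the hub from the TCP connection
    return hop

def triage(raw):
    """Return the clues an autoreply or original carries, and how much each is worth."""
    msg = email.message_from_string(raw)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    origin = hops[-1] if hops else {}        # last Received: line = earliest hop
    m = re.search(r"@([^>\s]+)", msg.get("Message-Id", ""))
    msgid_host = m.group(1).lower() if m else None
    return {
        "from": msg.get("From"),                 # sender-chosen: harvested/faked
        "to": msg.get("To"),                     # sender-chosen: harvested/faked
        "helo_claimed": origin.get("helo"),      # sender-chosen: faked in SMTP dialogue
        "origin_hub": origin.get("by"),
        "msgid_host": msgid_host,
        # Message-Id naming the first hub means the originator sent none and the
        # hub inserted its own, so it says nothing about the sending machine.
        "msgid_from_hub": msgid_host is not None
                          and msgid_host == (origin.get("by") or "").lower(),
        "connecting_ip": origin.get("ip"),       # the one value the hub recorded itself
    }
```

Only "connecting_ip" comes from the receiving hub rather than from the sender, and it is present only in an original delivered directly, not in an autoreply.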