Re: OT: Inundated with bogus(?) warnings I'm infected

On Thu, 2006-09-14 at 13:05 -0500, Mike McCarty wrote:
> Ok, here's an example. I turned on all headers. The actual message
> in this case is one that my ISP caught, and clobbered the attachment
> which the ISP claims contains a copy of a virus. In cases like this,
> the attachment is 0 bytes long. The message sent to me purports
> to be a delivery failure. I know for a fact that I did not send
> any such message. As pointed out by others, this may be the result
> of yet another party who is infected, and who is unknowingly spoofing my
> e-mail address. It has been more than a year since I last booted
> Windows XP on my machine, and when I do boot it I am never connected
> to the net. I have never set up XP on this machine to be able to
> send or receive email.
> 
> -M-E-S-S-A-G-E---B-E-G-I-N-S-
> Your AT&T Yahoo! Mail Virus Protection detected the virus 
> 'W32.Mydoom.M@mm' in the file 'Document.pif', attached to the enclosed 
> email message. We scanned the file using Norton AntiVirus but were 
> unable to clean it. Therefore, we removed the content of the attachment 
> from the message. Please contact the message sender if you want to 
> receive the attachment. They must clean the file and resend it before we 
> can deliver it to you safely.
> 
> 
> 
> AT&T Yahoo! Mail successfully cleans most infected attachments, which 
> protects you from viruses.
> 
> 
> 
> 
> Subject: Delivery reports about your e-mail
> From: "Mail Administrator" <MAILER-DAEMON@xxxxxxxxxxxxx>
> Date: Wed, 13 Sep 2006 14:23:40 +0000
> To: mike.mccarty@xxxxxxxxxxxxx
> X-Apparently-To: mike.mccarty@xxxxxxxxxxxxx via 216.252.101.37; Wed, 13 
> Sep 2006 11:07:33 -0700
> X-Originating-IP: [162.39.117.147]
> Authentication-Results:
> mta101.sbc.mail.mud.yahoo.com from=sbcglobal.net; domainkeys=neutral (no 
> sig)
> Received: from 207.115.57.79 (EHLO ylpvm48.prodigy.net) (207.115.57.79) 
> by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700

I'm guessing that SBC are outsourcing some of their mail handling to
Yahoo! - is that right?

207.115.57.79 is within the network that SBC's inbound mail servers use,
so since the mail was addressed to you at sbcglobal.net, it looks like a
valid Received: header and that the mail is then forwarded to Yahoo! for
virus scanning etc.

So this one looks genuine to me.

> X-Originating-IP: [162.39.117.147]
> Received: from sbcglobal.net (h147.117.39.162.ip.alltel.net 
> [162.39.117.147]) by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP 
> id k8DI7NKK019802 for <mike.mccarty@xxxxxxxxxxxxx>; Wed, 13 Sep 2006 
> 14:07:31 -0400

This is the only remaining Received: header so it stands to reason that
the source identified here (h147.117.39.162.ip.alltel.net
[162.39.117.147]) is where the infection is. A further giveaway is that
the sender pretended to be sbcglobal.net (i.e. your domain), in order to
try to throw people off the scent when identifying the source; this is a
typical trick employed by spammers, yet it gives them away so easily to
people that understand Received: headers.

Since this is almost certainly a dynamic IP address, there's not a lot
further you can do to identify the actual person that's infected short
of forwarding the message to abuse@xxxxxxxxxx and letting them figure out
who was connected at that time.

Paul.
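The header walk Paul does by hand, written out as a small script. This is an added example and not part of the thread: it parses the Received: chain newest-first, stops at the first hop not written by one of the recipient's own mail servers, and flags the two tells discussed above (a HELO name that claims the recipient's domain, and a HELO name that does not match the reverse DNS of the connecting address). The sample message, the `example.*` host names and the RFC 5737 addresses are constructed for the demo.

```python
import re
from email import message_from_string

IP_RE = r"\b\d{1,3}(?:\.\d{1,3}){3}\b"

def parse_received(value):
    # One Received: header -> claimed (HELO) name, reverse-DNS name, IP, receiving server.
    # Handles both "name (rdns [ip]) by" (Sendmail) and "ip (EHLO name) (ip) by" (Yahoo) styles.
    text = " ".join(value.split())                      # unfold continuation lines
    m_from, m_by = re.search(r"\bfrom\s+(\S+)", text), re.search(r"\bby\s+(\S+)", text)
    clause = text[m_from.end():m_by.start()] if m_from and m_by else text
    m_ehlo = re.search(r"\(EHLO\s+(\S+)\)", clause, re.I)
    m_rdns = re.search(r"\(([A-Za-z0-9.-]+)\s+\[", clause)
    m_ip = re.search(IP_RE, clause)
    return {"helo": m_ehlo.group(1) if m_ehlo else (m_from.group(1) if m_from else None),
            "rdns": m_rdns.group(1) if m_rdns else None,
            "ip": m_ip.group(0) if m_ip else None,
            "by": m_by.group(1) if m_by else None}

def domain(name):
    return ".".join(name.lower().split(".")[-2:])       # last two labels, for comparison

def trace_origin(raw_message, trusted_suffixes, recipient_domain):
    # Walk hops newest-first while the receiving server is one of ours; the last
    # such hop is where the outside world handed the mail over, i.e. the source.
    hops = [parse_received(v) for v in message_from_string(raw_message).get_all("Received", [])]
    origin, findings = None, []
    for i, hop in enumerate(hops):
        if not (hop["by"] or "").lower().endswith(trusted_suffixes):
            break                                       # header written by someone else
        if i and (hops[i - 1]["helo"] or "").lower() != hop["by"].lower():
            findings.append(f"chain break: {hop['by']} is not the 'from' of the next newer hop")
        origin = hop
    if origin and origin["helo"]:
        if domain(origin["helo"]) == domain(recipient_domain):
            findings.append(f"HELO {origin['helo']} claims the recipient's own domain")
        if origin["rdns"] and domain(origin["helo"]) != domain(origin["rdns"]):
            findings.append(f"HELO {origin['helo']} does not match reverse DNS {origin['rdns']}")
    return origin, findings

# Constructed sample mirroring the thread's header chain, with documentation addresses.
SAMPLE = """\
Received: from 192.0.2.79 (EHLO mx48.inbound.example.net) (192.0.2.79)
  by mta101.scanner.example.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700
Received: from isp.example.org (h147.dialup.other-isp.example [198.51.100.147])
  by mx48.inbound.example.net (8.13.6 inb/8.13.6) with ESMTP id PLACEHOLDER
  for <victim@isp.example.org>; Wed, 13 Sep 2006 14:07:31 -0400
From: "Mail Administrator" <MAILER-DAEMON@isp.example.org>
To: victim@isp.example.org
"""
TRUSTED = ("example.com", "example.net")   # the scanner and the inbound MX are ours
```

Running `trace_origin(SAMPLE, TRUSTED, "isp.example.org")` returns the dial-up host as the origin hop plus both findings; the rDNS name and IP of that hop are what goes into the abuse report.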
