Re: [cobalt-users] email virus help
- Subject: Re: [cobalt-users] email virus help
- From: Parker Morse <morse@xxxxxxxxxxx>
- Date: Wed Jan 8 06:16:02 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Tuesday, January 7, 2003, at 06:59 PM, David Lucas wrote:
> I get "returned email" that has a virus in it.
> Here is the header info
> ***************************
> Full headers are:
> Return-Path: <$g>
> Received: from mail.cdbyrd.net (pool-151-197-184-41.phil.east.verizon.net
> [151.197.184.41])
> by www.yetiservices.com (8.10.2/8.10.2) with SMTP id h07LcLO18231
> for <cs@xxxxxxxxxx>; Tue, 7 Jan 2003 15:38:21 -0600
> [snip]
> My server is called www.yetiservices.com
> I have a client cdbyrd.net
> We do NOT have a mail server called mail.cdbyrd.net.
> We are both located in the Dallas/Fort Worth area in Texas, not Philly.
> Neither of us uses verizon.net
> Is this person using a computer that has mail.cdbyrd.net set up on it to
> send email?
> Obviously when it is returned, it resolves back to my server, which never
> sent the email to start with.
I don't think so. The first part of the "Received:" line is the name the
sending system gave as its EHLO/HELO when it connected to
www.yetiservices.net. So there is/was a computer at 151.197.184.41 (Verizon
dialup or DSL in southeastern PA) which CLAIMED to be mail.cdbyrd.net when it
connected.
IMHO this is enough reason to suspect that the "bounce" message is a fake
bounce - social engineering to get someone to open the viral message. I
could be wrong, of course.
> Is there anything I can do about this?
Install something like The Sanitizer. See
<http://www.impsec.org/email-tools/procmail-security.html> for the
Sanitizer, or <http://bluebird.sinauer.com/~morse/cobalt/index.htm> for a
very brief overview and a few links.
pjm
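The check Parker describes above (HELO name vs. the connecting host's reverse DNS and IP in a sendmail-style "Received:" line) as a small added example; this is not code from the thread or from the Sanitizer. The sample header is constructed from the values quoted in the post, and `our_domains` is a hypothetical list of the domains the server legitimately hosts.

```python
import re
from typing import Optional

# Constructed sample, assembled from the header quoted in the thread above,
# folded across lines the way the original post showed it.
SAMPLE_RECEIVED = (
    "Received: from mail.cdbyrd.net (pool-151-197-184-41.phil.east.verizon.net\n"
    "    [151.197.184.41])\n"
    "    by www.yetiservices.com (8.10.2/8.10.2) with SMTP id h07LcLO18231\n"
    "    for <cs@xxxxxxxxxx>; Tue, 7 Jan 2003 15:38:21 -0600"
)

# sendmail layout: "from <HELO name> (<reverse DNS> [<peer IP>]) by <our host> ..."
# The reverse-DNS part is optional because sendmail omits it when the lookup fails.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold(header: str) -> str:
    """Join RFC 2822 folded continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header: str) -> Optional[dict]:
    """Return helo/rdns/ip/by fields of a sendmail-style Received: line, or None."""
    m = RECEIVED_RE.search(unfold(header))
    return m.groupdict() if m else None


def registrable_domain(name: str) -> str:
    """Last two labels, e.g. 'pool-...verizon.net' -> 'verizon.net'.
    Adequate for .com/.net/.org; ccTLDs like .co.uk would need a suffix list."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def helo_mismatch(parsed: dict, our_domains: set) -> list:
    """Reasons the hop looks forged: the HELO name disagrees with the peer's
    reverse DNS, and/or an outside host claimed a domain we ourselves host."""
    reasons = []
    helo_dom = registrable_domain(parsed["helo"])
    rdns = parsed.get("rdns") or ""
    if rdns and registrable_domain(rdns) != helo_dom:
        reasons.append(f"HELO {parsed['helo']} does not match rDNS {rdns}")
    if helo_dom in our_domains:
        reasons.append(f"outside host {parsed['ip']} claimed our domain {helo_dom}")
    return reasons
```

Run against the quoted header with `our_domains = {"cdbyrd.net", "yetiservices.com"}` it reports both problems: the HELO name belongs to a different domain than the Verizon reverse DNS, and the connecting host claimed a domain the server hosts itself.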