At 08:13 AM 1/8/2003, you wrote:

> On Tuesday, January 7, 2003, at 06:59 PM, David Lucas wrote:
>
>> I get "returned email" that has a virus in it. Here is the header info
>>
>> ***************************
>> Full headers are:
>>
>> Return-Path: <$g>
>> Received: from mail.cdbyrd.net (pool-151-197-184-41.phil.east.verizon.net [151.197.184.41])
>>     by www.yetiservices.com (8.10.2/8.10.2) with SMTP id h07LcLO18231
>>     for <cs@xxxxxxxxxx>; Tue, 7 Jan 2003 15:38:21 -0600
>> [snip]
>>
>> My server is called www.yetiservices.com. I have a client, cdbyrd.net. We do NOT have a mail server called mail.cdbyrd.net. We are both located in the Dallas/Fort Worth area in Texas, not Philly. Neither of us uses verizon.net.
>>
>> Is this person using a computer that has mail.cdbyrd.net set up on it to send email? Obviously when it is returned, it resolves back to my server, which never sent the email to start with.
>
> I don't think so. The first part of the "Received:" line is the name the sending system gave as its EHLO/HELO when it connected to www.yetiservices.net. So there is/was a computer at 151.197.184.41 (Verizon dialup or DSL in southeastern PA) which CLAIMED to be mail.cdbyrd.net when it connected.

This is my point. I control cdbyrd.net and it isn't there. How can someone use my domain?

> IMHO this is enough reason to suspect that the "bounce" message is a fake bounce - social engineering to get someone to open the viral message. I could be wrong, of course.
>
>> Is there anything I can do about this?
>
> Install something like The Sanitizer. See <http://www.impsec.org/email-tools/procmail-security.html> for the Sanitizer, or <http://bluebird.sinauer.com/~morse/cobalt/index.htm> for a very brief overview and a few links.

I am not looking at weeding out these emails, per se; I want to know if I can stop this person from sending email with my domain. I understand people spoof return addresses and such all the time, but I get back emails all the time that say we sent them and we didn't, but the sender is never really us. This looks like we actually sent it, as if we have an authorized server at 151.197.184.41, and we don't.
> pjm
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
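The following is an added example, not code from the thread or from any list member. It shows in Python what pjm's reading of the "Received:" line amounts to on the receiving side: the name after "from" is whatever the sender announced in HELO/EHLO and is entirely under its control, while the reverse-DNS name and the bracketed IP are what the receiving MTA (www.yetiservices.com) observed itself. The check parses the header quoted above and flags a HELO name that borrows one of your domains from an IP that name does not actually use. The `known_hosts` table is a constructed stand-in for a forward DNS lookup so the example runs offline; the 192.0.2.x and 203.0.113.x addresses are documentation ranges, also constructed.

```python
import ipaddress
import re

# Constructed sample input: the Received: line quoted in the thread, joined onto one line.
# The sender announced itself as mail.cdbyrd.net, but the receiving MTA recorded the
# real peer as a Verizon pool address with a Verizon reverse-DNS name.
SAMPLE_RECEIVED = (
    "from mail.cdbyrd.net (pool-151-197-184-41.phil.east.verizon.net [151.197.184.41]) "
    "by www.yetiservices.com (8.10.2/8.10.2) with SMTP id h07LcLO18231 "
    "for <cs@xxxxxxxxxx>; Tue, 7 Jan 2003 15:38:21 -0600"
)

# Sendmail-style "from HELO (rdns [ip]) by host" clause. The reverse-DNS name is
# optional: sendmail writes "(unknown [ip])" or just "([ip])" when the lookup fails.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header):
    """Return the HELO name, reverse-DNS name, peer IP and receiving host, or None."""
    m = RECEIVED_RE.search(header)
    if m is None:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None
    rdns = m.group("rdns")
    if rdns is not None and rdns.lower() == "unknown":
        rdns = None  # reverse lookup failed; treat as "no rDNS name" rather than a name
    return {
        "helo": m.group("helo").lower(),
        "rdns": rdns.lower() if rdns else None,
        "ip": ip,
        "by": m.group("by").lower(),
    }


def assess_received(header, my_domains, known_hosts):
    """Flag a Received: clause whose HELO name borrows one of my domains.

    my_domains:  domains I am responsible for (in the thread: cdbyrd.net, yetiservices.com).
    known_hosts: hostname -> set of IPs that host really uses. Constructed stand-in for a
                 forward DNS/MX lookup so the example runs offline.
    """
    fields = parse_received(header)
    if fields is None:
        return ["unparseable"], None
    findings = []
    helo = fields["helo"]
    claims_mine = any(helo == d or helo.endswith("." + d) for d in my_domains)
    if claims_mine and fields["ip"] not in known_hosts.get(helo, set()):
        # The peer claimed a name under my domain from an IP that name does not use.
        findings.append("helo-claims-my-domain-from-foreign-ip")
    if fields["rdns"] is not None and fields["rdns"] != helo:
        # On its own this is common for legitimate hosts; together with the finding
        # above it is strong evidence that the HELO name was forged.
        findings.append("helo-rdns-mismatch")
    return findings, fields


if __name__ == "__main__":
    my_domains = {"cdbyrd.net", "yetiservices.com"}
    # Constructed: cdbyrd.net has no mail host at all, as the thread states.
    known_hosts = {"www.yetiservices.com": {"192.0.2.10"}}
    findings, fields = assess_received(SAMPLE_RECEIVED, my_domains, known_hosts)
    print(fields)
    print("findings:", findings)
```

Run against the quoted header this reports both findings. Note what the check can and cannot do: it lets the receiving MTA (or a procmail-stage filter such as the Sanitizer mentioned above) recognise that a claimed mail.cdbyrd.net did not come from cdbyrd.net, but nothing on the receiving side can stop a remote host from announcing that name in the first place, which is the distinction David is asking about.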