I could perhaps track down the originator, if it is a
subscriber's computer, if I could get an IP address or
domain. I looked at the headers of the messages but, of
course, the header information only goes back to the
Majordomo server on Flora. Thus I can't get the information
I need to figure out where the actual original message came
from.
Is there some way I could get my hands on the complete header
information for messages coming into Spam Assassin and/or
MIMEDefang? i.e. before the header information from the
original message gets lost?
Thanks in advance for any help,
Al B.
YCCC List mom
-
Message part of the FLORA.org HelpDesk: http://www.flora.org/flora/help/
> Is there some way I could get my hands on the complete header
> information for messages coming into Spam Assassin and/or
> MIMEDefang? i.e. before the header information from the
> original message gets lost?
I'm curious why the original header information is being lost. If this
is a message bounced to the moderator by "resend" then shouldn't it
contain all the headers it came in with?
There is an option in Majordomo that strips Received lines. I've never
used it so I don't know if it does this before deciding if it is going to
bounce to the moderator or after (i.e. only if it is being sent to list
participants).
# purge_received [bool] (no) <resend>
# Remove all received lines before resending the message.
purge_received = no
Just checked -- seems all the @flora.org lists have this set to 'no'
already.
Let me know if there are more details of what headers are missing, or
what type of message this is that you are receiving.
--
Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
Petition for Users' Rights, Protect Internet creativity and innovation
Copyright, Patents, Free/Libre and Open Source Software, Open Access
Where does your MP stand? http://digital-copyright.ca/
> I'm curious why the original header information is being lost. If this
> is a message bounced to the moderator by "resend" then shouldn't it
> contain all the headers it came in with?
Unfortunately I don't have many handy right now because I
have been deleting them. However, I have looked at some in
the past and the Received headers only went back to Flora.
Below is what I got for one that went through MIMEDefang.
Note there are 2 levels of header information there ... the
first headers for the message that was sent to me and then
the second headers that were included in the body of the
message sent to me. I've snipped out my address in there
that I try to keep non-public, but otherwise the header info
is intact.
There are ones that also come through to me with the
attachment still there (didn't get caught by MIMEDefang?). I
had a couple of those this morning but deleted them before I
decided that maybe I should try to see if I could track down
the source of these things. So I don't have any of those
around now. I'll take a look at the headers of the next one
I get like that and post the headers. My memory, however, is
that the Received headers only go back to Flora. But I'll
have to look again to double check that.
I seem to get a batch in the morning and then another in the
evening, so perhaps I'll get some more tonight. Go figure
... now I'm actually *looking* for these things! ;-)
Al B.
> Return-Path: <owner...@yccc.ca>
> Received: from mail.flora.ca (madras3.flora.ca [192.139.46.245])
> by in1.magma.ca (Magma's Mail Server) with ESMTP id i7GE0CUp029482
> for <address snipped out by Al B.>; Mon, 16 Aug 2004 10:00:19 -0400
> Received: from pune.flora.ca (pune.flora.ca [192.139.46.247])
> by mail.flora.ca (8.12.10/8.12.10) with ESMTP id i7GDcQgH010047
> for <trips-a...@yccc.ca>; Mon, 16 Aug 2004 09:38:26 -0400
> Received: from pune.flora.ca (localhost.localdomain [127.0.0.1])
> by pune.flora.ca (8.12.10/8.12.8) with ESMTP id i7GE08L4004273
> for <trips-a...@yccc.ca>; Mon, 16 Aug 2004 10:00:08 -0400
> Received: (from majordomo@localhost)
> by pune.flora.ca (8.12.10/8.12.10/Submit) id i7GE08Nb004271;
> Mon, 16 Aug 2004 10:00:08 -0400
> Date: Mon, 16 Aug 2004 10:00:08 -0400
> Message-Id: <200408161400....@pune.flora.ca>
> To: trips-a...@yccc.ca
> From: owner...@yccc.ca
> Subject: BOUNCE tr...@yccc.ca: taboo header: /^content-type:\s*multipart\//i global taboo header: /^Content\-Type\:\s+multipart/i Non-member submission from [ver...@hotmail.com]
> X-Scanned-By: MIMEDefang 2.42
> X-Spam-Status: X-Spam-Status: hits=0.8
>
> From owner...@yccc.ca Mon Aug 16 10:00:06 2004
> Received: from mail.flora.ca (madras3.flora.ca [192.139.46.245])
> by pune.flora.ca (8.12.10/8.12.8) with ESMTP id i7GE06L4004268
> for <yccc-...@pune.flora.ca>; Mon, 16 Aug 2004 10:00:06 -0400
> Received: from yccc.ca (CPE00022d1330d3-CM014250010528.cpe.net.cable.rogers.com [24.157.13.123])
> by mail.flora.ca (8.12.10/8.12.10) with ESMTP id i7GDcDgH010032
> for <tr...@yccc.ca>; Mon, 16 Aug 2004 09:38:13 -0400
> Message-Id: <200408161338....@mail.flora.ca>
> From: ver...@hotmail.com
> To: tr...@yccc.ca
> Subject: I have your password!
> Date: Mon, 16 Aug 2004 06:59:50 -0700
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_00005D27.00006CC7"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Spam-Score: 9.157 (*********) BAYES_60,FORGED_HOTMAIL_RCVD2,FROM_ENDS_IN_NUMS,MICROSOFT_EXECUTABLE,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME
> X-Scanned-By: MIMEDefang 2.42
>
> This is a multi-part message in MIME format...
>
> ------=_NextPart_000_0004_00005D27.00006CC7
> Content-Type: text/plain; name="warning1.txt"
> Content-Disposition: inline; filename="warning1.txt"
> Content-Transfer-Encoding: 7bit
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
>
> WARNING: This e-mail has been altered by MIMEDefang. Following this
> paragraph are indications of the actual changes made. For more
> information about your site's MIMEDefang policy, contact
> FLORA Community Consulting <sup...@flora.ca>. For more information about MIMEDefang, see:
>
> http://www.roaringpenguin.com/mimedefang/enduser.php3
>
> An attachment named birth.htm.scr was removed from this document as it
> constituted a security hazard. If you require this document, please contact
> the sender and arrange an alternate means of receiving it.
>
>
> ------=_NextPart_000_0004_00005D27.00006CC7
> Content-Type: text/plain;
> charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
>
> you have a sexy body in the pic!
>
> ------=_NextPart_000_0004_00005D27.00006CC7
> Content-Type: text/plain; name="SpamAssassinReport.txt"
> Content-Disposition: inline; filename="SpamAssassinReport.txt"
> Content-Transfer-Encoding: 7bit
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
>
> Spam detection software, running on the system "madras.flora.ca", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or block
> similar future email. If you have any questions, see
> the administrator of that system for details.
>
> Content preview: you have a sexy body in the pic! [skipped
> application/octet-stream attachment] [...]
>
> Content analysis details: (9.2 points, 5.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.3 NO_REAL_NAME From: does not include a real name
> 0.7 FROM_ENDS_IN_NUMS From: ends in numbers
> 1.8 BAYES_60 BODY: Bayesian spam probability is 60 to 70%
> [score: 0.6234]
> 0.1 MICROSOFT_EXECUTABLE RAW: Message includes Microsoft executable program
> 3.2 MSGID_FROM_MTA_SHORT Message-Id was added by a relay
> 1.9 FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:'
> 0.5 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
> 0.7 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
>
>
>
> ------=_NextPart_000_0004_00005D27.00006CC7--
> There are ones that also come through to me with the
> attachment still there (didn't get caught by MIMEDefang?).
What types of attachments? From where? You need to provide more
details.
> > Received: from yccc.ca (CPE00022d1330d3-CM014250010528.cpe.net.cable.rogers.com [24.157.13.123])
> > by mail.flora.ca (8.12.10/8.12.10) with ESMTP id i7GDcDgH010032
> > for <tr...@yccc.ca>; Mon, 16 Aug 2004 09:38:13 -0400
This one came from Rogers. They aren't relaying through any other
server, and sending directly to mail.flora.ca which is one of the two
inbound mail servers here.
123.13.157.24.in-addr.arpa domain name pointer
CPE00022d1330d3-CM014250010528.cpe.net.cable.rogers.com.
--
Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
Petition for Users' Rights, Protect Internet creativity and innovation
Copyright, Patents, Free/Libre and Open Source Software, Open Access
Where does your MP stand? http://digital-copyright.ca/
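The tracing Russell does by hand above (read the Received lines newest to oldest and stop at the first hop a FLORA.ca host stamped while receiving from somebody else's machine) can be scripted. This is an added example, not code from this thread or from FLORA.org; the sample chain is constructed from the Received lines quoted above, the list of trusted hosts is an assumption, and loopback/private hand-offs are skipped so that the `localhost.localdomain [127.0.0.1]` hop seen in the outer headers is not mistaken for the origin.

```python
import ipaddress
import re

# Constructed sample, assembled from the Received lines quoted in this
# thread (addresses elided as on the page), most recent hop first.
RECEIVED = [
    "from pune.flora.ca (localhost.localdomain [127.0.0.1]) by pune.flora.ca "
    "(8.12.10/8.12.8) with ESMTP id i7GE08L4004273 for <trips-a...@yccc.ca>; "
    "Mon, 16 Aug 2004 10:00:08 -0400",
    "from mail.flora.ca (madras3.flora.ca [192.139.46.245]) by pune.flora.ca "
    "(8.12.10/8.12.8) with ESMTP id i7GE06L4004268 for <yccc-...@pune.flora.ca>; "
    "Mon, 16 Aug 2004 10:00:06 -0400",
    "from yccc.ca (CPE00022d1330d3-CM014250010528.cpe.net.cable.rogers.com "
    "[24.157.13.123]) by mail.flora.ca (8.12.10/8.12.10) with ESMTP id "
    "i7GDcDgH010032 for <tr...@yccc.ca>; Mon, 16 Aug 2004 09:38:13 -0400",
]

# Hosts this site operates (assumption): a "by" clause naming one of them was
# written by our own MTA and can be believed; anything earlier is hearsay.
TRUSTED_SUFFIXES = (".flora.ca",)

HOP_RE = re.compile(
    r"from\s+(?P<helo>[^\s(]+)\s*"                           # HELO name as announced
    r"(?:\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # (rDNS [ip]) as observed
    r".*?\bby\s+(?P<by>\S+)"                                  # receiving MTA
    r"(?:.*?\bfor\s+<(?P<env_to>[^>]+)>)?",                   # envelope recipient, if logged
    re.DOTALL,
)

def parse_hop(line):
    """Split one Received line into HELO, reverse DNS, IP, by-host and envelope-to."""
    m = HOP_RE.search(line)
    return m.groupdict() if m else None

def is_internal(hop):
    """Internal hand-offs: loopback/private IPs or one of our own hosts."""
    try:
        ip = ipaddress.ip_address(hop["ip"] or "")
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or (hop["rdns"] or "").endswith(TRUSTED_SUFFIXES)

def origin_hop(received):
    """Walk newest to oldest; the first line stamped by one of our hosts while
    receiving from a host that is not ours is the real sender's connection."""
    for line in received:
        hop = parse_hop(line)
        if hop and hop["by"].endswith(TRUSTED_SUFFIXES) and not is_internal(hop):
            return hop
    return None

if __name__ == "__main__":
    hop = origin_hop(RECEIVED)
    print(hop["ip"], hop["rdns"], "announced as", hop["helo"], "for", hop["env_to"])
```

The HELO name (`yccc.ca` here) is whatever the client chose to say, so only the IP and the reverse DNS recorded by your own MTA are worth reporting to the ISP.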
> What types of attachments? From where? You need to provide more
> details.
I just got two more but both of them had the binary stripped
by MIMEDefang. When I get another one with the (encoded)
attachment still intact, I'll provide more details here.
I've been deleting them as I get them, so I don't have any to
provide the details of. If I remember correctly, at least
some of them were zip files. I can't remember exactly what
address they were sent to. They *were* sent to an address
using @yccc.ca because they got deposited in my YCCC lists
admin mailbox and that would have only happened with messages
having a To: address ending in @yccc.ca.
> > > Received: from yccc.ca (CPE00022d1330d3-CM014250010528.cpe.net.cable.rogers.com [24.157.13.123])
> > > by mail.flora.ca (8.12.10/8.12.10) with ESMTP id i7GDcDgH010032
> > > for <tr...@yccc.ca>; Mon, 16 Aug 2004 09:38:13 -0400
>
> This one came from Rogers. They aren't relaying through any other
> server, and sending directly to mail.flora.ca which is one of the two
> inbound mail servers here.
Hmm. The latest two came from elsewhere:
> Received: from yccc.ca (d141-116-199.home.cgocable.net [24.141.116.199])
> by mail2.flora.ca (8.12.10/8.12.10) with ESMTP id i7RJFnf3020986
> for <ww...@yccc.ca>; Fri, 27 Aug 2004 15:15:50 -0400
The registrant for that domain is Cogeco Cable Canada Inc.
out of Burlington. Maybe I'm out of luck. It looks maybe
like the address may have been spread around and now it's
coming from multiple infected machines. Such a pain.
Thanks for the help.
I'll post further info about the binaries that are getting
through to me when I receive another one.
Al B.
> If I remember correctly, at least some of them were zip files.
ZIP files aren't stripped. I guess while I have some sympathy for
Microsoft users running software which auto-runs (or makes too easy to
execute) malware attached in email, I have less sympathy for people who
will go out of their way to run a program that is inside of a ZIP file ;-)
The file extension types that are filtered are listed at:
http://www.flora.org/flora/help/flora-admin-help/1372
> I can't remember exactly what address they were sent to. They *were*
> sent to an address using @yccc.ca because they got deposited in my YCCC
> lists admin mailbox and that would have only happened with messages
> having a To: address ending in @yccc.ca
OK. I forgot we were talking about non-FLORA.org stuff. This shouldn't
matter for this specific situation as all mail for FLORA.ca customers
comes in mail.flora.ca and mail2.flora.ca as well (unless the customer
specifically asked to not have their mail sent through the filters).
;; ANSWER SECTION:
yccc.ca. 604800 IN MX 10 mail.flora.ca.
yccc.ca. 604800 IN MX 15 mail2.flora.ca.
> Hmm. The latest two came from elsewhere:
I don't know this for certain, but it is quite possible that Microsoft
viruses distribute address book lists as part of the virus distribution.
Previous viruses distributed private documents from the infected person's
hard disk.
At one point I asked any Microsoft users to not add me to their address
books. That doesn't help much now as these malware scan the entire disks
for email addresses so will find webpages in caches, or any email with
my address in it (from, CC's) still on that person's hard disk.
> I'll post further info about the binaries that are getting through to me
> when I receive another one.
The Received lines are the most informative. If you are the only
recipient at a given MX host they will list not only the path but also the
envelope-to.
--
Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
Petition for Users' Rights, Protect Internet creativity and innovation
Copyright, Patents, Free/Libre and Open Source Software, Open Access
Where does your MP stand? http://digital-copyright.ca/