Re: Simple e-mail virus scanner

To: Jay Kline <jay@teamfreeze.com>, debian-security@lists.debian.org
Subject: Re: Simple e-mail virus scanner
From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
Date: Wed, 20 Aug 2003 21:25:10 +0200
Message-id: <[🔎] 200308202125.10050.kjetil@kjernsmo.net>
In-reply-to: <[🔎] 200308201003.10643@outlooksux>
References: <[🔎] 200308192256.29230.kjetil@kjernsmo.net> <[🔎] 200308201352.44279.yannick.vanosselaer@pi.be> <[🔎] 200308201003.10643@outlooksux>

On Wednesday 20 August 2003 17:05, Jay Kline wrote:
> > The mail server that send the bounce. This is called a double
> > bounce. Correct me if this is wrong ...
>
> Yes, it goes back to the server doing the sending. Its a double
> bounce when the bounce message itself bounces.  I dont know how this
> virus is proigating itself, but I would imagine that if it does the
> sending itself, rejecting at the initial smtp session would not
> result in a double bounce. However, if it uses some relay (that it
> either set up itself, or found on a network, etc) and used forged
> headers, then it will go to some unsusspecting person (of whoever is
> in the headers).

I've examined a few messages I've got now, and none of them had been 
through any relays. In fact, they had all been sent directly from 
dialups or *DSL users. 

Here are the headers of an example:

Return-path: <privacypolicy@corp.earthlink.net>
Envelope-to: aa0w@kjernsmo.net
Received: from mail by pooh.kjernsmo.net with spam-scanned (Exim 3.35 #1 
(Debian))
	id 19pYJ2-0007EM-00
	for <aa0w@kjernsmo.net>; Wed, 20 Aug 2003 21:07:40 +0200
Received: from ppp-67-67-194-5.dsl.austtx.swbell.net ([67.67.194.5] 
helo=WILLNCANDY)
	by pooh.kjernsmo.net with esmtp (Exim 3.35 #1 (Debian))
	id 19pYIZ-0007E7-00
	for <aa0w@kjernsmo.net>; Wed, 20 Aug 2003 21:07:14 +0200
From: <privacypolicy@corp.earthlink.net>
To: <aa0w@kjernsmo.net>
Subject: Re: Wicked screensaver
Date: Wed, 20 Aug 2003 14:07:06 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="_NextPart_000_000FCE03"
Message-Id: <E19pYIZ-0007E7-00@pooh.kjernsmo.net>

(BTW, don't send anything to the aa0w@kjernsmo.net address, ever. It is 
intended as a spamtrap... Unfortunately, viruses like this limit it's 
usefulness as spamtrap, that's one of the reasons I want to filter this 
before going to SpamAssassin)

OK, so if I get this correctly, a double bounce would result in that I 
get the bounce, but that that's unlikely to occur. But it is still not 
clear to me who gets the bounce, it would be the the sender on the 
envelope, but that's privacypolicy@corp.earthlink.net in this case, 
right....? And that's something I wouldn't want to happen... 

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC

Reply to:

References:
- Simple e-mail virus scanner
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
- Re: Simple e-mail virus scanner
  - From: Yannick Van Osselaer <yannick.vanosselaer@pi.be>
- Re: Simple e-mail virus scanner
  - From: Jay Kline <jay@teamfreeze.com>

Prev by Date: Re: Debian Stable server hacked
Next by Date: Re: Simple e-mail virus scanner
Previous by thread: Re: Simple e-mail virus scanner
Next by thread: Re: Simple e-mail virus scanner
Index(es):
- Date
- Thread