
Re: Weird message header?

on Wed, Dec 27, 2000 at 11:09:23PM +0100, Peczoli Zoltan (pocok@pcdome.hu) wrote:
> Hi, 
> 
> Some of my system users periodically receive a Win95.Hybris.Gen.dr
> infected EXE file. I tried to trace down the sender, but unfortunately I'm
> pretty lame interpreting the mail header. It goes like this:
> 
> Envelope-to: somebody@mydomain.com
> Received: from [212.108.236.133] (helo=d4t2e9)
>         by mydomain.com with smtp (Exim 3.16 #1 (Debian))
>         id 149C7D-0000vQ-00
>         for <somebody@mydomain.com>; Thu, 21 Dec 2000 21:15:04 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="--VE74123GD23SXEF4TEZW167"
> Message-Id: <E149C7D-0000vQ-00@mydomain.com>
> From: Remote Mail Delivery System <>
> Bcc:
> Date: Thu, 21 Dec 2000 21:15:04 +0100
> Status:   
> X-PMFLAGS: 570949760 0 1 P29A60.CNM
> 
> 1. What is the 'Envelope-to' line? 

Bullshit.

> 2. What was the route of this mail? It looks that my system relayed the
> given host's outgoing mail. It's impossible, I've told exim not to do so
> (I think :)

If you're 212.108.236.133, then yes, it appears you're relaying.  It's
the "Received:" lines you want to trace.  I'm finding this to be near
s0-mezokovesd.elender.hu.  That you?

There are several spam-tracing FAQs; here's one:
http://ddi.digital.net/~gandalf/spamfaq.html

> It's very annoying to get this exe file every month, so if I cannot find
> out who the sender is, it would be great to block these letters. How can I
> do this?

Procmail or specific IP blocks in your MTA.

> Thanx:
>           Pocok
> 
> PS. Please forgive me if I'm too off-topic, I think other admins may find
> the replies useful if this virus occurs to them.

You might want to try one of the various mail newsgroups.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 Evangelist, Zelerate, Inc.                      http://www.zelerate.org
  What part of "Gestalt" don't you understand?      There is no K5 cabal
   http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org
