[Mailman-Users] Re: Virus Just Got Through on TOTALLYMODERATED list.

Jeff Groves jgroves at krenim.org
Sat Feb 5 20:05:35 CET 2005


Mark Sapiro wrote:
> Brad Knowles wrote:
> 
> 
>>At 1:49 AM -0500 2005-02-04, Dan Mahoney, System Admin wrote:
>>
>>
>>> I checked the vette log.  The message isn't even in there.  Some of the
>>> auto-replies to it are (i.e. "message rejected, it's a virus").  And
>>> the message shows in the pipermail archives.
>>
>>	In that case, are you sure that the message passed through your 
>>system?  Maybe the virus spoofed more than just your moderators 
>>address....
>>
>>
>>> Here's the full headers of the thing:
>>>
>>> Return-Path: <vgc-announce-bounces+varoots=gushi.org at vagrassroots.org>
>>> Received: from prime.gushi.org (localhost [IPv6:::1])
>>>     by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701
>>>     for <varoots at gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
>>> Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net
>>>     [68.83.208.54])
>>>     by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233
>>>     for <vgc-announce at vagrassroots.org>;
>>>     Thu, 27 Jan 2005 21:15:35 -0500 (EST)
>>
>>	I only see two Received: headers here.  This is not nearly 
>>enough.  There's a lot of data that appears to be missing.
> 
> 
> 
> I think the two Received: headers could be enough considering the worm
> probably has its own SMTP engine. The way to answer this for sure is
> to see if it is in the 'post' log.
> 

I agree with Mark and would go even further: that is all you need to know.  The 
pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a Comcast end-user in 
Alexandria, Virginia, is plenty to know that the user who had the address at that particular 
time (Thu, 27 Jan 2005 21:15:35 -0500 (EST)) was infected with some type of worm.

Jeff G.

-- 
Law of Procrastination:
         Procrastination avoids boredom; one never has
         the feeling that there is nothing important to do.
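The reading of the Received: chain that Mark and Jeff do by eye, as an added example script that is not part of this thread and not Mailman's own code. The sample headers below are constructed from the two Received: lines and the Return-Path quoted above, with the archive's " at " obfuscation restored to "@" and the body omitted. The script unfolds each header, splits it into its from/by/with/id/for clauses, lists the hops earliest-first with the delay between them, and flags the traits that point at a worm's built-in SMTP engine rather than a real relay: a HELO name that does not match reverse DNS, plain SMTP instead of ESMTP, and a consumer-access-style reverse-DNS name. The pattern list used for "consumer-access-style" is a heuristic assumption of this example, not a standard. It also recognises the Return-Path as the VERP'd "listname-bounces+user=domain" form Mailman puts on copies it sends to subscribers.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the headers quoted in the thread, "@" restored, body omitted.
SAMPLE = """\
Return-Path: <vgc-announce-bounces+varoots=gushi.org@vagrassroots.org>
Received: from prime.gushi.org (localhost [IPv6:::1])
    by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701
    for <varoots@gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net
    [68.83.208.54])
    by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233
    for <vgc-announce@vagrassroots.org>;
    Thu, 27 Jan 2005 21:15:35 -0500 (EST)

"""

# The from/by/with/id/for clauses of a Received: header; the timestamp follows ';'.
CLAUSE_RE = re.compile(
    r"\b(from|by|with|id|for)\s+(.+?)(?=\s+(?:from|by|with|id|for)\s+|$)",
    re.IGNORECASE,
)
# Address literal the receiving MTA recorded: "[1.2.3.4]" or "[IPv6:::1]".
ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
# Reverse-DNS name the receiving MTA recorded, in the comment "(name [addr])".
RDNS_RE = re.compile(r"\(([^\s()\[\]]+)")
# Heuristic (assumption of this example): reverse-DNS names typical of consumer lines.
DYNAMIC_RE = re.compile(r"(pcp\d+pcs|\bdsl\b|dyn|dhcp|pool|cable|comcast\.net$)", re.IGNORECASE)
# Mailman's VERP'd bounce address: listname-bounces+user=domain@listhost
BOUNCES_RE = re.compile(r"^([^+@]+)-bounces(?:\+[^@]*)?@")


def parse_received(value):
    """Turn one (possibly folded) Received: value into a dict of its clauses."""
    text = " ".join(value.split())               # unfold continuation lines
    clauses, _, date = text.partition(";")
    hop = {key.lower(): val.strip() for key, val in CLAUSE_RE.findall(clauses)}
    frm = hop.get("from", "")
    hop["helo"] = frm.split(" ", 1)[0]           # name the client announced
    m = RDNS_RE.search(frm)
    hop["rdns"] = m.group(1) if m else None      # name the server looked up
    m = ADDR_RE.search(frm)
    hop["ip"] = m.group(1) if m else None
    hop["for"] = hop.get("for", "").strip("<>")
    hop["date"] = parsedate_to_datetime(date.strip()) if date.strip() else None
    return hop


def trace(raw):
    """Return the hops earliest-first, each with its findings and delay from the previous hop."""
    msg = message_from_string(raw)
    # Received: headers are prepended, so the last one in the message is the first hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    for i, hop in enumerate(hops):
        flags = []
        rdns = (hop["rdns"] or "").lower()
        if rdns != "localhost" and hop["helo"].lower() != rdns:
            flags.append("helo-mismatch")       # announced name != reverse DNS (or no rDNS)
        if hop.get("with", "").upper() == "SMTP":
            flags.append("plain-smtp")          # no EHLO: typical of minimal worm engines
        if hop["rdns"] and DYNAMIC_RE.search(hop["rdns"]):
            flags.append("dynamic-client")      # consumer access line, not a mail relay
        if i and hop["date"] and hops[i - 1]["date"]:
            hop["delay_s"] = int((hop["date"] - hops[i - 1]["date"]).total_seconds())
        hop["flags"] = flags
    return hops


def list_bounce_return_path(raw):
    """Name of the list if Return-Path is a Mailman-style VERP'd bounce address, else None."""
    rp = message_from_string(raw).get("Return-Path", "").strip().strip("<>")
    m = BOUNCES_RE.match(rp)
    return m.group(1) if m else None


if __name__ == "__main__":
    for hop in trace(SAMPLE):
        print(f'{hop["date"]:%Y-%m-%d %H:%M:%S} {hop["ip"]:>14}  helo={hop["helo"]} '
              f'rdns={hop["rdns"]} with={hop.get("with")} for={hop["for"]} '
              f'delay={hop.get("delay_s")} flags={hop["flags"]}')
    print("list bounce Return-Path for:", list_bounce_return_path(SAMPLE))
```

On the quoted headers this shows the first hop arriving at prime.gushi.org for the list address straight from the Comcast host, with all three flags set and no relay in between, and the second hop 5721 seconds later from localhost addressed to the subscriber, with a Return-Path in the form Mailman uses for the copies it sends out. That is consistent with the message having gone through the list, but, as Mark says, Mailman's own logs/post file is what settles it: look there for a post to the list around that timestamp.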
