Chello doesn't take action..


john1000


I've got an explanation...IMO, the headers represent a message that was infected with the Netsky worm, but that has had its infection stripped by Norton AntiVirus.

The headers also tell us that the infected message was sent from a dynamic IP address, either dialup, DSL, or cable connected. This IP has been reported many times by SpamCop users over the last few months:

"In the past 75.8 days, it has been listed 28 times for a total of 53.8 days"

But as I look at the History, I'm pretty sure that those are all worm-related Subjects, so none of these reports should have been filed in the first place, because the system is NOT supposed to be used to report infected email, which isn't really spam!

So no, I don't think that the system is being fooled. Some SpamCop user who receives their mail at the Chello system is reporting another Chello user's IP because it's sending them infected messages.

BTW, I Googled, and came up with a blog entry (in Dutch) that deals with this situation...perhaps "john1000" can help us by translating? Here's the link:

http://www.euroblog.nl/wp-trackback.php/27

dt


Can you say .. yet another mis-configured anti-virus product that's sending out bad data to the (assumedly) "Forged" addresses in the header?


No...in this case, it appears that an individual user's installation of Norton AV is doing exactly what it's supposed to do, which is to strip out infections as the messages arrive. The ".txt" artifact is a Dutch version of what Norton AV handled messages look like on my machine, so I'm sure that my analysis (see my previous reply) is correct.

dt


Well, naturally my Norton trashes the affected parts, but should that be of any influence?

And what's a "mis-configured anti-virus product"?

As for the "all worm-related Subjects, so none of these reports should have been filed in the first place, because the system is NOT supposed to be used to report infected email, which isn't really spam"

I've submitted all his mails... I got at least 25, and 6 or 7 were with attachment.

So that means DavidT that they were not all infected mails and as you suggest should not be reported...

But if it was so... wherever a mail comes from, a lot of spammers are spamming using some kind of server to send it all.

So whose server?

Probably one with zero security.

If you're still following this... with this all in mind... reporting every spam mail should also help finding hacked servers.

But as I understand... to be sure I have to wait until a normal spam mail comes without attachments; I will post it when it comes...


Well, naturally my Norton trashes the affected parts, but should that be of any influence?

I don't understand your question. I explained that the example you gave us was an infected email message that your Norton had rendered harmless. SpamCop properly parsed the headers, but this kind of message should NOT be reported (see below).

And what's a "mis-configured anti-virus product"?

I didn't say that....Wazoo did, but I think he was confused.

I've submitted all his mails... I got at least 25, and 6 or 7 were with attachment.

So that means DavidT that they were not all infected mails and as you suggest should not be reported...

I don't just suggest it...it is in the official SpamCop FAQ here:

On what type of email should I (not) use SpamCop?

where you'll see:

"virus infected emails are not spam regardless of whether you know the originating party or not"

But if it was so... wherever a mail comes from, a lot of spammers are spamming using some kind of server to send it all.

So whose server?

Wait....in the example you've given us, there are lots of worm-infected messages coming from that IP address...but that's not "a server" -- in the case of "worms" like this, the worm has its own "SMTP engine" built into it, and so it makes direct connections with the MX of the recipient's system. So, that's why the headers were so sparse, because the infected computer didn't go through any normal outbound mail servers.

But as I understand... to be sure I have to wait until a normal spam mail comes without attachments; I will post it when it comes...

OK...post the tracking link when you have one and we will try to answer any questions you have about it.

dt
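
The "sparse headers" point in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it counts the Received hops in a message and flags the case where the only hop is a direct connection from a dynamic-looking customer address. Both sample messages, all host names and addresses, and the keyword list for "dynamic" reverse DNS names are constructed assumptions.

```python
import email
import re

# Constructed sample: a single Received line, written by the recipient's MX,
# recording a direct connection from a customer (dynamic) address.
DIRECT = """\
Received: from pc42.dyn.example.net (pc42.dyn.example.net [192.0.2.77])
\tby mx.recipient.example with SMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
From: someone@example.org
To: user@recipient.example
Subject: Re: Your document

body
"""

# Constructed sample: the same client, relayed through a provider's outbound server.
RELAYED = """\
Received: from smtp-out.isp.example (smtp-out.isp.example [198.51.100.10])
\tby mx.recipient.example with ESMTP id def456; Mon, 1 Jan 2024 10:00:05 +0000
Received: from pc42.dyn.example.net (pc42.dyn.example.net [192.0.2.77])
\tby smtp-out.isp.example with ESMTPA id ghi789; Mon, 1 Jan 2024 10:00:00 +0000
From: someone@example.org
To: user@recipient.example
Subject: hello

body
"""

# "from HELO (rdns [ip])" as most MTAs write it; the rdns part is optional.
FROM_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)")
# Heuristic keyword list (an assumption); real filters use provider-published ranges.
DYNAMIC_HINTS = re.compile(r"dyn|dsl|dial|cable|pool|ppp|dhcp", re.I)

def received_hops(raw):
    """Return one dict per parseable Received header, newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = FROM_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2) or "", "ip": m.group(3)})
    return hops

def looks_direct_to_mx(raw):
    """True when the only hop is a dynamic-looking client talking straight to the MX."""
    hops = received_hops(raw)
    return len(hops) == 1 and bool(DYNAMIC_HINTS.search(hops[0]["rdns"]))
```

Only the topmost Received line is written by the recipient's own MX; anything below it is supplied by the sender and can be forged, so the hop count is a hint rather than proof.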


I didn't say that....Wazoo did, but I think he was confused.

What!?!?! Me without a clue!?!?! hehehehe ... yep, I should turn this thing off today .. dropped off a computer last nite, found my Mom in pain, apparently tripped over something while mowing the yard .. spent about 3 hours last night in the emergency room with her ... turns out that she's allergic to the pain meds they gave her to get her through the night ... woke up this morning with her hollering through the window to wake me up, (dog had gotten excited during a thunderstorm, knocked over a stack of computers, which knocked a phone off its base ...) turns out Dad was headed off to get her new prescription and had been involved in a car accident .... I haven't been all that focused here with all the phone calls here to find out their status (they've unplugged their phone <g>) .... apologies for the mistakes ...
