Ironport-AV sending worm poop?


Posted

Hi. Why is Ironport-AV (presumably running Sophos Anti-Virus) sending worm poop and calling W32/Bagle-AU "W32/Bagle-AU'3'rd" when it knows very well that there is no legitimate content in messages infected with W32/Bagle-AU?

"address1" and its successors are munged.

Return-Path: <address1[at]concentric.net>
Delivered-To: spamcop-net-address3[at]spamcop.net
Received: (qmail 18621 invoked from network); 30 Oct 2004 14:26:45 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade6.cesmail.net with SMTP; 30 Oct 2004 14:26:45 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
  by c60.cesmail.net with SMTP; 30 Oct 2004 10:26:43 -0400
X-Ironport-AV: i="3.86,111,1096862400";
   v="W32/Bagle-AU'3'rd";
   d="scan'96,217,208"; a="126037414:sNHsT173713712"
Subject: [VIRUS REMOVED] Re:
Received: (qmail 14234 invoked from network); 30 Oct 2004 14:26:42 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
  by mailgate.cesmail.net with SMTP; 30 Oct 2004 14:26:42 -0000
Received: from pop3.concentric.net [207.155.252.39]
  by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
  for address3[at]spamcop.net (single-drop);
  Sat, 30 Oct 2004 10:26:42 -0400 (EDT)
Received: from taleb.org (unknown [193.251.144.192])
  by irresistable.cnc.net (ConcentricHost(2.54) MX) with SMTP id
  E822F4C308
  for <address2[at]concentric.net>; Sat, 30 Oct 2004 10:23:47 -0400 (EDT)
Date: Sat, 30 Oct 2004 15:25:06 +0100
To: "address2" <address2[at]concentric.net>
From: "address1" <address1[at]concentric.net>
Message-ID: <wbbcggfwatwljxwnfsa[at]concentric.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------yccyorlcqsaxgfktnrwa"
X-MFData: [v2.3 t0,7416]
X-UIDL: 187686
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade6
X-spam-Level: ****
X-spam-Status: hits=4.2 tests=HTML_90_100,HTML_MESSAGE,HTML_SHORT_LENGTH,
  MIME_SUSPECT_NAME,MSGID_SPAM_LETTERS version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 207.155.252.39 193.251.144.192

----------yccyorlcqsaxgfktnrwa
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
:)
<br>
</body></html>

----------yccyorlcqsaxgfktnrwa
MIME-Version: 1.0
Content-Type: text/plain; name="Price.scr"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: Price.scr
Content-Type: application/octet-stream
Virus(es): W32/Bagle-AU

----------yccyorlcqsaxgfktnrwa--

Thanks!
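The complaint in this post is that once the scanner has replaced the attachment with a placeholder part, the only thing left to deliver is a smiley. As an added example (not code from this thread, nor from IronPort or Sophos), the following Python parses such a message with the standard library's `email` module, lists the placeholder parts together with the virus name they report, and decides whether anything substantive survived the stripping. The two sample messages are constructed for illustration (the first mirrors the MIME layout quoted above with addresses replaced by example.invalid placeholders, the second is a genuine note with a stripped attachment), and `MIN_MEANINGFUL_CHARS` is an assumed site threshold:

```python
import email
import html
import re
from email import policy

PLACEHOLDER_DESCRIPTION = "removed attachment"  # marker the gateway leaves, as quoted above
MIN_MEANINGFUL_CHARS = 20                       # assumed threshold; tune per site

# Constructed sample modelled on the stripped Bagle message quoted above;
# addresses replaced with example.invalid, MIME structure unchanged.
SAMPLE_STRIPPED = """\
Subject: [VIRUS REMOVED] Re:
Content-Type: multipart/mixed; boundary="--------yccyorlcqsaxgfktnrwa"

----------yccyorlcqsaxgfktnrwa
Content-Type: text/html; charset="us-ascii"

<html><body>
:)
<br>
</body></html>

----------yccyorlcqsaxgfktnrwa
Content-Type: text/plain; name="Price.scr"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: Price.scr
Content-Type: application/octet-stream
Virus(es): W32/Bagle-AU

----------yccyorlcqsaxgfktnrwa--
"""

# Constructed control case: a genuine note whose attachment was also stripped.
SAMPLE_LEGIT = """\
Subject: [VIRUS REMOVED] Q3 figures
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi, the spreadsheet you asked for is attached; call me if the totals look off.

--b1
Content-Type: text/plain; name="figures.exe"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"

This attachment contained a virus and was stripped.
Filename: figures.exe
Virus(es): W32/Bagle-AU

--b1--
"""


def _visible_text(part):
    """Human-visible text of a text/* part, with HTML tags stripped."""
    text = part.get_content()
    if part.get_content_subtype() == "html":
        text = html.unescape(re.sub(r"<[^>]+>", " ", text))
    return " ".join(text.split())


def analyse(raw):
    """Separate the scanner's placeholder parts from whatever else survived."""
    msg = email.message_from_string(raw, policy=policy.default)
    stripped, residual = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        desc = (part.get("Content-Description") or "").strip().lower()
        if desc == PLACEHOLDER_DESCRIPTION:
            # the placeholder body carries the original filename and the detection name
            found = re.search(r"^Virus\(es\):\s*(.+)$", part.get_content(), re.M)
            stripped.append({"original_name": part.get_param("name"),
                             "virus": found.group(1).strip() if found else None})
        elif part.get_content_maintype() == "text":
            residual.append(_visible_text(part))
        else:  # any other surviving part is counted by size only
            payload = part.get_payload(decode=True) or b""
            residual.append(f"<{part.get_content_type()}: {len(payload)} bytes>")
    return {"stripped": stripped, "residual": residual}


def should_discard(raw):
    """True when a virus was stripped and nothing substantive is left to deliver."""
    report = analyse(raw)
    if not report["stripped"]:
        return False
    return sum(len(t) for t in report["residual"]) < MIN_MEANINGFUL_CHARS
```

Run against the first sample, `analyse` reports one stripped part (`Price.scr`, `W32/Bagle-AU`) and a residual text of just `:)`, so `should_discard` returns True; the control message keeps its real sentence and is passed on. The control case is the reason a gateway cannot simply drop every message it has disinfected: the decision has to look at what remains, and the threshold is a local policy choice rather than something the scanner can know.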

Posted

Only suggestion would be along the rules of generalities. Yes, this particular virus/trojan thing generates its own e-mail, does its own thing .. but, in general / historically, things weren't always so. Having to guess that whatever system IronPort is using does the rename/delete thing (which is indicated) and then passes the remainder of the message on in the (mistaken) belief that there might be some content value in the remainder of this e-mail. This action taken as compared to having yet another sub-module written somewhere to take "special" action on a particular incident. Maybe this is something that will arrive sometime in the future, but .... Blame it on the concept that they don't want to be accused of blocking / discarding "important" e-mail???

Posted

> Hi. Why is Ironport-AV (presumably running Sophos Anti-Virus) sending worm poop and calling W32/Bagle-AU "W32/Bagle-AU'3'rd" when it knows very well that there is no legitimate content in messages infected with W32/Bagle-AU?

Is there evidence that it is Ironport that is adding [VIRUS REMOVED] to the subject and removing the attachment and not someone further upstream?

Posted

I'd go with the header data bits that look like this:

X-Ironport-AV: i="3.86,111,1096862400";
  v="W32/Bagle-AU'3'rd";
  d="scan'96,217,208"; a="126037414:sNHsT173713712"

Posted

> Is there evidence that it is Ironport that is adding [VIRUS REMOVED] to the subject and removing the attachment and not someone further upstream?

The short answer is that there can't be anyone else doing those things. The long answer follows. If Ironport-AV on mailgate.cesmail.net didn't do those things, there's been a serious security breach. I average around 500 spam emails traveling the same route from spammer to Concentric to my SpamCop Email System INBOX or Held Mail Folder each day, so I am rather familiar with what those headers are supposed to look like. The spammers are only supposed to be able to affect what's in the from and for sections of the ConcentricHost Received Header and what comes after it.

Posted

Oh, gee, here's another one:

Return-Path: <address1[at]concentric.net>
Delivered-To: address3[at]spamcop.net
Received: (qmail 26805 invoked from network); 31 Oct 2004 22:10:46 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade4.cesmail.net with SMTP; 31 Oct 2004 22:10:46 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
  by c60.cesmail.net with SMTP; 31 Oct 2004 17:10:41 -0500
X-Ironport-AV: i="3.86,112,1096862400";
  v="W32/Bagle-AU'3'rd";
  d="scan'96,217,208"; a="126591830:sNHsT164491120"
Subject: [VIRUS REMOVED] Re: Hi
Received: (qmail 30337 invoked from network); 31 Oct 2004 22:10:40 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
  by mailgate.cesmail.net with SMTP; 31 Oct 2004 22:10:40 -0000
Received: from pop3.concentric.net [207.155.248.100]
  by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
  for address3[at]spamcop.net (single-drop);
  Sun, 31 Oct 2004 17:10:40 -0500 (EST)
Received: from taleb.net (unknown [193.251.144.192])
  by brilliant.cnc.net (ConcentricHost(2.54) MX) with SMTP id A9C70E0EC
  for <address2[at]concentric.net>; Sun, 31 Oct 2004 17:10:24 -0500 (EST)
Date: Sun, 31 Oct 2004 22:11:56 +0100
To: "address2" <address2[at]concentric.net>
From: "address1" <address1[at]concentric.net>
Message-ID: <rkypqtjolcwzenvcovi[at]concentric.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------ylqeifbsdztexzvmyexz"
X-MFData: [v2.3 t0,12296]
X-UIDL: 188563
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade4
X-spam-Level: ****
X-spam-Status: hits=4.2 tests=HTML_90_100,HTML_MESSAGE,HTML_SHORT_LENGTH,
  MIME_SUSPECT_NAME,MSGID_SPAM_LETTERS version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 207.155.248.100 193.251.144.192

----------ylqeifbsdztexzvmyexz
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
:)
<br>
</body></html>

----------ylqeifbsdztexzvmyexz
MIME-Version: 1.0
Content-Type: text/plain; name="Joke.exe"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: Joke.exe
Content-Type: application/octet-stream
Virus(es): W32/Bagle-AU

----------ylqeifbsdztexzvmyexz--

Posted

> The short answer is that there can't be anyone else doing those things. The long answer follows. If Ironport-AV on mailgate.cesmail.net didn't do those things, ther
> [...]

Oops. I hadn't noticed that Ironport-AV had indicated the virus name!

I was asking if (in your case) Concentric could have removed the virus and added to the subject.

Posted

> Oops. I hadn't noticed that Ironport-AV had indicated the virus name!
>
> I was asking if (in your case) Concentric could have removed the virus and added to the subject.

Not given the vertical placement of the Subject header. Oh, and here's another:
Return-Path: <address1[at]concentric.net>
Delivered-To: spamcop-net-address3[at]spamcop.net
Received: (qmail 29603 invoked from network); 2 Nov 2004 11:26:13 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade4.cesmail.net with SMTP; 2 Nov 2004 11:26:13 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
  by c60.cesmail.net with SMTP; 02 Nov 2004 06:26:04 -0500
X-Ironport-AV: i="3.86,114,1096862400";
  v="W32/Bagle-AU'3'rd";
  d="scan'96,217,208"; a="127365271:sNHsT178523386"
Subject: [VIRUS REMOVED] Re: Thank you!
Received: (qmail 21425 invoked from network); 2 Nov 2004 11:25:00 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
  by mailgate.cesmail.net with SMTP; 2 Nov 2004 11:25:00 -0000
Received: from pop3.concentric.net [207.155.252.37]
  by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
  for address3[at]spamcop.net (single-drop);
  Tue, 02 Nov 2004 06:25:00 -0500 (EST)
Received: from taleb.org (unknown [193.251.144.192])
  by indefatigable.cnc.net (ConcentricHost(2.54) MX) with SMTP id
  EA20284936
  for <address2[at]concentric.net>; Tue,  2 Nov 2004 06:07:29 -0500 (EST)
Date: Tue, 02 Nov 2004 11:09:05 +0100
To: "address2" <address2[at]concentric.net>
From: "address1" <address1[at]concentric.net>
Message-ID: <ouvbpfzesuqgjxnavxt[at]concentric.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------phtarcfahgfnevsigdfl"
X-MFData: [v2.3 t0,2656]
X-UIDL: 189568
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade4
X-spam-Level: ***
X-spam-Status: hits=4.0 tests=HTML_MESSAGE,HTML_SHORT_LENGTH,
  MIME_SUSPECT_NAME,MSGID_SPAM_LETTERS version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 207.155.252.37 193.251.144.192

----------phtarcfahgfnevsigdfl
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
:))
<br>
</body></html>

----------phtarcfahgfnevsigdfl
MIME-Version: 1.0
Content-Type: text/plain; name="Price.scr"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: Price.scr
Content-Type: application/octet-stream
Virus(es): W32/Bagle-AU

----------phtarcfahgfnevsigdfl--
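The "vertical placement" argument made in this post, and the earlier point that the sender can only influence the from/for clauses of Concentric's Received line and what lies below it, can be mechanised: hops prepend headers, so any header sitting above mailgate's own Received lines must have been added on or after mailgate, and only the hosts you operate are trustworthy witnesses. The following Python is an added example, not code from this thread or from any of the products mentioned. It unfolds a header block in order, attributes each non-Received header to the hop that must have prepended it (a heuristic: the nearest Received line below it that names a `by` host), and classifies that hop by trust zone using two assumed domain lists, `OWN_DOMAIN` and `PROVIDER_DOMAIN`. The sample header block is constructed to reproduce the order of the first message in the thread, with recipient addresses replaced by example.invalid placeholders:

```python
import re

OWN_DOMAIN = "cesmail.net"      # assumption: the mail hosts we operate ourselves
PROVIDER_DOMAIN = "cnc.net"     # assumption: the upstream ISP's inbound MX hosts

# Constructed sample: header order of the first message quoted in this thread,
# recipient addresses replaced with example.invalid placeholders.
SAMPLE_HEADERS = """\
Received: (qmail 18621 invoked from network); 30 Oct 2004 14:26:45 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade6.cesmail.net with SMTP; 30 Oct 2004 14:26:45 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
  by c60.cesmail.net with SMTP; 30 Oct 2004 10:26:43 -0400
X-Ironport-AV: i="3.86,111,1096862400";
  v="W32/Bagle-AU'3'rd";
  d="scan'96,217,208"; a="126037414:sNHsT173713712"
Subject: [VIRUS REMOVED] Re:
Received: (qmail 14234 invoked from network); 30 Oct 2004 14:26:42 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
  by mailgate.cesmail.net with SMTP; 30 Oct 2004 14:26:42 -0000
Received: from pop3.concentric.net [207.155.252.39]
  by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
  for address3@example.invalid (single-drop);
  Sat, 30 Oct 2004 10:26:42 -0400 (EDT)
Received: from taleb.org (unknown [193.251.144.192])
  by irresistable.cnc.net (ConcentricHost(2.54) MX) with SMTP id
  E822F4C308
  for <address2@example.invalid>; Sat, 30 Oct 2004 10:23:47 -0400 (EDT)
Date: Sat, 30 Oct 2004 15:25:06 +0100
To: "address2" <address2@example.invalid>
From: "address1" <address1@example.invalid>
Message-ID: <wbbcggfwatwljxwnfsa@example.invalid>
"""


def parse_headers(raw):
    """Unfold a header block into an ordered list of [name, value] pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:          # folded continuation line
            headers[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            headers.append([name.strip(), value.strip()])
    return headers


def received_by(value):
    """Host that wrote a Received line, or None (qmail's local lines name none)."""
    m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", value)
    return m.group(1) if m else None


def trust_zone(host):
    """'own' for our hosts, 'provider' for the ISP's MX, otherwise 'untrusted'."""
    def under(domain):
        return host == domain or host.endswith("." + domain)
    if under(OWN_DOMAIN):
        return "own"
    if under(PROVIDER_DOMAIN):
        return "provider"
    return "untrusted"


def attribute_headers(raw):
    """Name, for every non-Received header, the hop that must have prepended it.

    Heuristic: the nearest Received line below the header that names a 'by'
    host had the message when the header was added; headers below the last
    Received line belong to the originator and are sender-controlled.
    """
    headers = parse_headers(raw)
    result = []
    for i, (name, value) in enumerate(headers):
        if name.lower() == "received":
            continue
        inserted_by = None
        for later_name, later_value in headers[i + 1:]:
            if later_name.lower() == "received":
                inserted_by = received_by(later_value)
                if inserted_by:
                    break
        if inserted_by is None:
            inserted_by = "originator"
        result.append({"name": name, "value": value, "inserted_by": inserted_by,
                       "zone": trust_zone(inserted_by)})
    return result


def gateway_tagged(raw, tag="[VIRUS REMOVED]"):
    """True if a Subject carrying the tag was prepended on one of our own hosts."""
    return any(h["name"].lower() == "subject" and h["value"].startswith(tag)
               and h["zone"] == "own" for h in attribute_headers(raw))


if __name__ == "__main__":
    for h in attribute_headers(SAMPLE_HEADERS):
        print(f"{h['name']:<14} added by {h['inserted_by']:<22} [{h['zone']}]")
    print("tagged by our own gateway:", gateway_tagged(SAMPLE_HEADERS))
```

On the sample, `X-Ironport-AV` and the rewritten `Subject` are attributed to mailgate.cesmail.net (zone `own`), while `Date`, `To`, `From` and `Message-ID` fall below the last Received line and are classed as originator-supplied and untrusted. The caveat the zones encode is the one the post relies on: a sender can forge any Received line below the first one written by a host you control, so attribution is only evidence for headers that sit above that line.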

Posted

Yet another:

Return-Path: <address1[at]concentric.net>
Delivered-To: spamcop-net-address3[at]spamcop.net
Received: (qmail 14859 invoked from network); 2 Nov 2004 15:17:29 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade1.cesmail.net with SMTP; 2 Nov 2004 15:17:29 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
  by c60.cesmail.net with SMTP; 02 Nov 2004 10:17:18 -0500
X-Ironport-AV: i="3.86,115,1096862400";
  v="W32/Bagle-AU'3'rd";
  d="scan'96,217,208"; a="127451613:sNHsT172721482"
Subject: [VIRUS REMOVED] Re:
Received: (qmail 31639 invoked from network); 2 Nov 2004 15:17:18 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
  by mailgate.cesmail.net with SMTP; 2 Nov 2004 15:17:18 -0000
Received: from pop3.concentric.net [207.155.252.70]
  by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
  for address3[at]spamcop.net (single-drop);
  Tue, 02 Nov 2004 10:17:18 -0500 (EST)
Received: from taleb.com (unknown [193.251.144.192])
  by ardent.cnc.net (ConcentricHost(2.54) MX) with SMTP id 53CBDC9BE1
  for <address2[at]concentric.net>; Tue,  2 Nov 2004 10:04:06 -0500 (EST)
Date: Tue, 02 Nov 2004 15:05:21 +0100
To: "address2" <address2[at]concentric.net>
From: "address1" <address1[at]concentric.net>
Message-ID: <xqypbwxedejmodonylr[at]concentric.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------gfaprqkingejwbepubdu"
X-MFData: [v2.3 t0,3569]
X-UIDL: 189684
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade1
X-spam-Level: ****
X-spam-Status: hits=4.2 tests=HTML_90_100,HTML_MESSAGE,HTML_SHORT_LENGTH,
  MIME_SUSPECT_NAME,MSGID_SPAM_LETTERS version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 207.155.252.70 193.251.144.192

----------gfaprqkingejwbepubdu
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
:)
<br>
</body></html>

----------gfaprqkingejwbepubdu
MIME-Version: 1.0
Content-Type: text/plain; name="Price.com"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: Price.com
Content-Type: application/octet-stream
Virus(es): W32/Bagle-AU

----------gfaprqkingejwbepubdu--

Posted

I received an email like that the other day with "photo.zip" removed.

Return-Path: <hr[at]rcmmail.com>
Delivered-To: cesmail-net-x
Received: (qmail 27570 invoked from network); 31 Oct 2004 16:11:09 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade6.cesmail.net with SMTP; 31 Oct 2004 16:11:09 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
  by c60.cesmail.net with SMTP; 31 Oct 2004 11:11:10 -0500
X-Ironport-AV: i="3.86,112,1096862400";
  v="W32/Mabutu-A'3'rd";
  d="scan'96,48,208"; a="126470482:sNHsT230708154"
Subject: [VIRUS REMOVED] I'm nude
Received: (qmail 2060 invoked from network); 31 Oct 2004 16:11:08 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
       by mailgate.cesmail.net with SMTP; 31 Oct 2004 16:11:08 -0000
Delivered-To: x
Received: from mail.wearedepth.com [213.171.216.66]
       by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
       for x (single-drop);
       Sun, 31 Oct 2004 11:11:08 -0500 (EST)
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21
       (smtpin03l.livemail.co.uk [127.0.0.1])
       by smtpin03l.livemail.co.uk (Postfix) with SMTP id AF79816D82B
       for <x>; Sun, 31 Oct 2004 16:00:55 +0000 (GMT)
Received: from home (c-24-19-251-153.client.comcast.net [24.19.251.153])
       by smtpin03l.livemail.co.uk (Postfix) with SMTP id CEF3B16D82B
       for <x>; Sun, 31 Oct 2004 16:00:52 +0000 (GMT)
Message-ID: <2b94_________ee86[at]home>
From: <hr[at]rcmmail.com>
To: <x>
Date: Sun, 31 Oct 2004 08:05:07 -0800
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="PxyXeDhLIgQpSYjVQifUHqyM"
X-Original-To: x
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade6
X-spam-Level:
X-spam-Status: hits=0.2 tests=NO_REAL_NAME version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 213.171.216.66 127.0.0.1 24.19.251.153

--PxyXeDhLIgQpSYjVQifUHqyM
Content-Type: text/plain

--PxyXeDhLIgQpSYjVQifUHqyM
MIME-Version: 1.0
Content-Type: text/plain; name="photo.zip"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
       Filename: photo.zip
       Content-Type: application/x-zip-compressed
       Virus(es): W32/Mabutu-A

--PxyXeDhLIgQpSYjVQifUHqyM--

I manually reported this one to the ISP, Comcast.

Archived

This topic is now archived and is closed to further replies.
