Jeff G. Posted October 31, 2004

Hi. Why is Ironport-AV (presumably running Sophos Anti-Virus) sending worm poop and calling W32/Bagle-AU "W32/Bagle-AU'3'rd" when it knows very well that there is no legitimate content in messages infected with W32/Bagle-AU? "address1" and its successors are munged.

Return-Path: <address1[at]concentric.net>
Delivered-To: spamcop-net-address3[at]spamcop.net
Received: (qmail 18621 invoked from network); 30 Oct 2004 14:26:45 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade6.cesmail.net with SMTP; 30 Oct 2004 14:26:45 -0000
Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 30 Oct 2004 10:26:43 -0400
X-Ironport-AV: i="3.86,111,1096862400"; v="W32/Bagle-AU'3'rd"; d="scan'96,217,208"; a="126037414:sNHsT173713712"
Subject: [VIRUS REMOVED] Re:
Received: (qmail 14234 invoked from network); 30 Oct 2004 14:26:42 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 30 Oct 2004 14:26:42 -0000
Received: from pop3.concentric.net [207.155.252.39] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for address3[at]spamcop.net (single-drop); Sat, 30 Oct 2004 10:26:42 -0400 (EDT)
Received: from taleb.org (unknown [193.251.144.192]) by irresistable.cnc.net (ConcentricHost(2.54) MX) with SMTP id E822F4C308 for <address2[at]concentric.net>; Sat, 30 Oct 2004 10:23:47 -0400 (EDT)
Date: Sat, 30 Oct 2004 15:25:06 +0100
To: "address2" <address2[at]concentric.net>
From: "address1" <address1[at]concentric.net>
Message-ID: <wbbcggfwatwljxwnfsa[at]concentric.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------yccyorlcqsaxgfktnrwa"
X-MFData: [v2.3 t0,7416]
X-UIDL: 187686
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade6
X-spam-Level: ****
X-spam-Status: hits=4.2 tests=HTML_90_100,HTML_MESSAGE,HTML_SHORT_LENGTH, MIME_SUSPECT_NAME,MSGID_SPAM_LETTERS version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 207.155.252.39 193.251.144.192

----------yccyorlcqsaxgfktnrwa
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body> <br> </body></html>

----------yccyorlcqsaxgfktnrwa
MIME-Version: 1.0
Content-Type: text/plain; name="Price.scr"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: Price.scr
Content-Type: application/octet-stream
Virus(es): W32/Bagle-AU
----------yccyorlcqsaxgfktnrwa--

Thanks!
Wazoo Posted October 31, 2004

Only suggestion would be along the rules of generalities. Yes, this particular virus/trojan thing generates its own e-mail, does its own thing .. but, in general / historically, things weren't always so. Having to guess that whatever system IronPort is using does the rename/delete thing (which is indicated) and then passes the remainder of the message on in the (mistaken) belief that there might be some content value in the remainder of this e-mail. This action taken as compared to having yet another sub-module written somewhere to take "special" action on a particular incident. Maybe this is something that will arrive sometime in the future, but .... Blame it on the concept that they don't want to be accused of blocking / discarding "important" e-mail???
michaelanglo Posted October 31, 2004

> Hi. Why is Ironport-AV (presumably running Sophos Anti-Virus) sending worm poop and calling W32/Bagle-AU "W32/Bagle-AU'3'rd" when it knows very well that there is no legitimate content in messages infected with W32/Bagle-AU?

Is there evidence that it is Ironport that is adding [VIRUS REMOVED] to the subject and removing the attachment and not someone further upstream?
Wazoo Posted October 31, 2004

I'd go with the header data bits that look like this:

X-Ironport-AV: i="3.86,111,1096862400"; v="W32/Bagle-AU'3'rd"; d="scan'96,217,208"; a="126037414:sNHsT173713712"
Jeff G. Posted November 1, 2004

> Is there evidence that it is Ironport that is adding [VIRUS REMOVED] to the subject and removing the attachment and not someone further upstream?

The short answer is that there can't be anyone else doing those things. The long answer follows. If Ironport-AV on mailgate.cesmail.net didn't do those things, there's been a serious security breach. I average around 500 spam emails traveling the same route from spammer to Concentric to my SpamCop Email System INBOX or Held Mail Folder each day, so I am rather familiar with what those headers are supposed to look like. The spammers are only supposed to be able to affect what's in the from and for sections of the ConcentricHost Received Header and what comes after it.
Jeff G. Posted November 1, 2004

Oh, gee, here's another one:

Return-Path: <address1[at]concentric.net>
Delivered-To: address3[at]spamcop.net
Received: (qmail 26805 invoked from network); 31 Oct 2004 22:10:46 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade4.cesmail.net with SMTP; 31 Oct 2004 22:10:46 -0000
Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 31 Oct 2004 17:10:41 -0500
X-Ironport-AV: i="3.86,112,1096862400"; v="W32/Bagle-AU'3'rd"; d="scan'96,217,208"; a="126591830:sNHsT164491120"
Subject: [VIRUS REMOVED] Re: Hi
Received: (qmail 30337 invoked from network); 31 Oct 2004 22:10:40 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 31 Oct 2004 22:10:40 -0000
Received: from pop3.concentric.net [207.155.248.100] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for address3[at]spamcop.net (single-drop); Sun, 31 Oct 2004 17:10:40 -0500 (EST)
Received: from taleb.net (unknown [193.251.144.192]) by brilliant.cnc.net (ConcentricHost(2.54) MX) with SMTP id A9C70E0EC for <address2[at]concentric.net>; Sun, 31 Oct 2004 17:10:24 -0500 (EST)
Date: Sun, 31 Oct 2004 22:11:56 +0100
To: "address2" <address2[at]concentric.net>
From: "address1" <address1[at]concentric.net>
Message-ID: <rkypqtjolcwzenvcovi[at]concentric.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------ylqeifbsdztexzvmyexz"
X-MFData: [v2.3 t0,12296]
X-UIDL: 188563
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade4
X-spam-Level: ****
X-spam-Status: hits=4.2 tests=HTML_90_100,HTML_MESSAGE,HTML_SHORT_LENGTH, MIME_SUSPECT_NAME,MSGID_SPAM_LETTERS version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 207.155.248.100 193.251.144.192

----------ylqeifbsdztexzvmyexz
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body> <br> </body></html>

----------ylqeifbsdztexzvmyexz
MIME-Version: 1.0
Content-Type: text/plain; name="Joke.exe"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: Joke.exe
Content-Type: application/octet-stream
Virus(es): W32/Bagle-AU
----------ylqeifbsdztexzvmyexz--
michaelanglo Posted November 1, 2004

> The short answer is that there can't be anyone else doing those things. The long answer follows. If Ironport-AV on mailgate.cesmail.net didn't do those things, ther [...]

Oops. I hadn't noticed that Ironport-AV had indicated the virus name! I was asking if (in your case) Concentric could have removed the virus and added to the subject.
Jeff G. Posted November 2, 2004

> Oops. I hadn't noticed that Ironport-AV had indicated the virus name! I was asking if (in your case) Concentric could have removed the virus and added to the subject.

Not given the vertical placement of the Subject header. Oh, and here's another:

Return-Path: <address1[at]concentric.net>
Delivered-To: spamcop-net-address3[at]spamcop.net
Received: (qmail 29603 invoked from network); 2 Nov 2004 11:26:13 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade4.cesmail.net with SMTP; 2 Nov 2004 11:26:13 -0000
Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 02 Nov 2004 06:26:04 -0500
X-Ironport-AV: i="3.86,114,1096862400"; v="W32/Bagle-AU'3'rd"; d="scan'96,217,208"; a="127365271:sNHsT178523386"
Subject: [VIRUS REMOVED] Re: Thank you!
Received: (qmail 21425 invoked from network); 2 Nov 2004 11:25:00 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 2 Nov 2004 11:25:00 -0000
Received: from pop3.concentric.net [207.155.252.37] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for address3[at]spamcop.net (single-drop); Tue, 02 Nov 2004 06:25:00 -0500 (EST)
Received: from taleb.org (unknown [193.251.144.192]) by indefatigable.cnc.net (ConcentricHost(2.54) MX) with SMTP id EA20284936 for <address2[at]concentric.net>; Tue, 2 Nov 2004 06:07:29 -0500 (EST)
Date: Tue, 02 Nov 2004 11:09:05 +0100
To: "address2" <address2[at]concentric.net>
From: "address1" <address1[at]concentric.net>
Message-ID: <ouvbpfzesuqgjxnavxt[at]concentric.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------phtarcfahgfnevsigdfl"
X-MFData: [v2.3 t0,2656]
X-UIDL: 189568
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade4
X-spam-Level: ***
X-spam-Status: hits=4.0 tests=HTML_MESSAGE,HTML_SHORT_LENGTH, MIME_SUSPECT_NAME,MSGID_SPAM_LETTERS version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 207.155.252.37 193.251.144.192

----------phtarcfahgfnevsigdfl
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body> ) <br> </body></html>

----------phtarcfahgfnevsigdfl
MIME-Version: 1.0
Content-Type: text/plain; name="Price.scr"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: Price.scr
Content-Type: application/octet-stream
Virus(es): W32/Bagle-AU
----------phtarcfahgfnevsigdfl--
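The placement argument made in the two Jeff G. replies above (each hop prepends its Received: line, so a header sitting between two Received: lines was inserted by the lower hop, and Concentric's stamp lies several hops below the rewritten Subject) as an added Python example; this is not code from the thread or from IronPort, SpamCop or Concentric, the function names are mine, and the sample headers are a constructed, trimmed copy of the first message posted.

```python
"""Attribute a header to the hop that inserted it, by its position among the
Received: lines. Added example, not code from the thread or from IronPort,
SpamCop or Concentric. MTAs prepend Received: on acceptance, so a header found
between two Received: lines was added after the lower was stamped and before
the upper, i.e. on the host that wrote the lower line (or a filter there).
SAMPLE is a constructed, trimmed copy of the first message in the thread."""
import re
from email import message_from_string

SAMPLE = """\
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade6.cesmail.net with SMTP; 30 Oct 2004 14:26:45 -0000
Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 30 Oct 2004 10:26:43 -0400
X-Ironport-AV: i="3.86,111,1096862400"; v="W32/Bagle-AU'3'rd"; d="scan'96,217,208"
Subject: [VIRUS REMOVED] Re:
Received: (qmail 14234 invoked from network); 30 Oct 2004 14:26:42 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 30 Oct 2004 14:26:42 -0000
Received: from pop3.concentric.net [207.155.252.39] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1); Sat, 30 Oct 2004 10:26:42 -0400 (EDT)
Received: from taleb.org (unknown [193.251.144.192]) by irresistable.cnc.net (ConcentricHost(2.54) MX) with SMTP id E822F4C308; Sat, 30 Oct 2004 10:23:47 -0400 (EDT)
From: "address1" <address1[at]concentric.net>

"""
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def receiving_host(received):
    """Host in the 'by' clause of a Received: value, or None when the stamp
    names none (qmail's '(qmail NNN invoked from network)' form)."""
    m = BY_RE.search(received)
    return m.group(1) if m else None


def locate_header(raw_headers, name):
    """Where the first `name` header sits, or None if absent: the Received:
    directly above it (None if topmost), the one directly below it (None if
    the sender supplied it) and the 'by' host of every Received: below it."""
    items = message_from_string(raw_headers).items()  # ordered, duplicates kept
    above, below, stamped_below, seen = None, None, [], False
    for key, value in items:
        if key.lower() == "received":
            if seen:
                below = below or value
                stamped_below.append(receiving_host(value))
            else:
                above = value
        elif key.lower() == name.lower():
            seen = True
    if not seen:
        return None
    return {"above": above, "below": below, "stamped_below": stamped_below}
```

For X-Ironport-AV and Subject the line directly below is mailgate's qmail stamp and Concentric's irresistable.cnc.net stamp is the last of four hops further down, which is the "vertical placement" point.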
Jeff G. Posted November 2, 2004

Yet another:

Return-Path: <address1[at]concentric.net>
Delivered-To: spamcop-net-address3[at]spamcop.net
Received: (qmail 14859 invoked from network); 2 Nov 2004 15:17:29 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade1.cesmail.net with SMTP; 2 Nov 2004 15:17:29 -0000
Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 02 Nov 2004 10:17:18 -0500
X-Ironport-AV: i="3.86,115,1096862400"; v="W32/Bagle-AU'3'rd"; d="scan'96,217,208"; a="127451613:sNHsT172721482"
Subject: [VIRUS REMOVED] Re:
Received: (qmail 31639 invoked from network); 2 Nov 2004 15:17:18 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 2 Nov 2004 15:17:18 -0000
Received: from pop3.concentric.net [207.155.252.70] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for address3[at]spamcop.net (single-drop); Tue, 02 Nov 2004 10:17:18 -0500 (EST)
Received: from taleb.com (unknown [193.251.144.192]) by ardent.cnc.net (ConcentricHost(2.54) MX) with SMTP id 53CBDC9BE1 for <address2[at]concentric.net>; Tue, 2 Nov 2004 10:04:06 -0500 (EST)
Date: Tue, 02 Nov 2004 15:05:21 +0100
To: "address2" <address2[at]concentric.net>
From: "address1" <address1[at]concentric.net>
Message-ID: <xqypbwxedejmodonylr[at]concentric.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------gfaprqkingejwbepubdu"
X-MFData: [v2.3 t0,3569]
X-UIDL: 189684
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade1
X-spam-Level: ****
X-spam-Status: hits=4.2 tests=HTML_90_100,HTML_MESSAGE,HTML_SHORT_LENGTH, MIME_SUSPECT_NAME,MSGID_SPAM_LETTERS version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 207.155.252.70 193.251.144.192

----------gfaprqkingejwbepubdu
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body> <br> </body></html>

----------gfaprqkingejwbepubdu
MIME-Version: 1.0
Content-Type: text/plain; name="Price.com"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: Price.com
Content-Type: application/octet-stream
Virus(es): W32/Bagle-AU
----------gfaprqkingejwbepubdu--
btech Posted November 2, 2004

I received an email like that the other day with "photo.zip" removed.

Return-Path: <hr[at]rcmmail.com>
Delivered-To: cesmail-net-x
Received: (qmail 27570 invoked from network); 31 Oct 2004 16:11:09 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade6.cesmail.net with SMTP; 31 Oct 2004 16:11:09 -0000
Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 31 Oct 2004 11:11:10 -0500
X-Ironport-AV: i="3.86,112,1096862400"; v="W32/Mabutu-A'3'rd"; d="scan'96,48,208"; a="126470482:sNHsT230708154"
Subject: [VIRUS REMOVED] I'm nude
Received: (qmail 2060 invoked from network); 31 Oct 2004 16:11:08 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 31 Oct 2004 16:11:08 -0000
Delivered-To: x
Received: from mail.wearedepth.com [213.171.216.66] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for x (single-drop); Sun, 31 Oct 2004 11:11:08 -0500 (EST)
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (smtpin03l.livemail.co.uk [127.0.0.1]) by smtpin03l.livemail.co.uk (Postfix) with SMTP id AF79816D82B for <x>; Sun, 31 Oct 2004 16:00:55 +0000 (GMT)
Received: from home (c-24-19-251-153.client.comcast.net [24.19.251.153]) by smtpin03l.livemail.co.uk (Postfix) with SMTP id CEF3B16D82B for <x>; Sun, 31 Oct 2004 16:00:52 +0000 (GMT)
Message-ID: <2b94_________ee86[at]home>
From: <hr[at]rcmmail.com>
To: <x>
Date: Sun, 31 Oct 2004 08:05:07 -0800
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="PxyXeDhLIgQpSYjVQifUHqyM"
X-Original-To: x
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade6
X-spam-Level:
X-spam-Status: hits=0.2 tests=NO_REAL_NAME version=3.0.0
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 213.171.216.66 127.0.0.1 24.19.251.153

--PxyXeDhLIgQpSYjVQifUHqyM
Content-Type: text/plain

--PxyXeDhLIgQpSYjVQifUHqyM
MIME-Version: 1.0
Content-Type: text/plain; name="photo.zip"; charset="iso-8859-1"
Content-Description: Removed Attachment
Content-Disposition: attachment; filename="Removed Attachment.txt"
Content-Transfer-Encoding: quoted-printable

This attachment contained a virus and was stripped.
Filename: photo.zip
Content-Type: application/x-zip-compressed
Virus(es): W32/Mabutu-A
--PxyXeDhLIgQpSYjVQifUHqyM--

I manually reported this one to the ISP, Comcast.