nanog mailing list archives

RE: Weird email messages with "re:movie" and "re:application" in the subject line..


From: Mark Segal <MSegal () Corporate FCIBroadband com>
Date: Wed, 25 Jun 2003 23:33:36 -0400


Here's the best link I have seen so far... Thanks to Kevin Day..

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html


My guess is they might need to upgrade it to more than 55-999 infections :).

mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-----Original Message-----
From: Eric Brunner-Williams in Portland Maine [mailto:brunner () nic-naa net] 
Sent: June 25, 2003 11:25 PM
To: Larry Rosenman
Cc: Mark Segal; 'nanog () merit edu'; brunner () nic-naa net
Subject: Re: Weird email messages with "re:movie" and "re:application" in
the subject line.. 



W32/sobig.e@MM per McAfee.....

I seem to have done one better ... according to a M$ host in Level3-land,
the Unix box right in front of me sent the mail in question.

Someone at L3 needs to call home. The only L3 turd in my mail log is their
inbound...

Jun 25 18:21:11 nic-naa sm-mta[24589]: h5PMLB5U024589:
from=<administrator () Level3 com>, size=1711, class=0, nrcpts=1,
msgid=<012d01c33b68$2bd14b40$d706010a () corp global level3 com>, proto=ESMTP,
daemon=MTA, relay=machine77.Level3.com [209.244.4.106]

Cheers,
Eric
------- Forwarded Message

Return-Path: administrator () Level3 com
Delivery-Date: Wed Jun 25 18:21:11 2003
Return-Path: <administrator () Level3 com>
Received: from f1ee40-19.idc1.level3.com (machine77.Level3.com
[209.244.4.106])
        by nic-naa.net (8.12.9/8.12.9) with ESMTP id h5PMLB5U024589
        for <brunner () nic-naa net>; Wed, 25 Jun 2003 18:21:11 -0400 (EDT)
Received: from idc1exc0001.corp.global.level3.com (localhost [127.0.0.1])
        by f1ee40-19.idc1.level3.com (8.8.8p2+Sun/8.8.8) with SMTP id
WAA02577
        for <brunner () nic-naa net>; Wed, 25 Jun 2003 22:21:50 GMT
Received: from idc1exc0005.corp.global.level3.com ([10.1.6.215]) by
idc1exc0001.corp.global.level3.com with Microsoft SMTPSVC(5.0.2195.4905);
         Wed, 25 Jun 2003 16:21:49 -0600
Received: from mail pickup service by idc1exc0005.corp.global.level3.com
with Microsoft SMTPSVC;
         Wed, 25 Jun 2003 16:21:49 -0600
thread-index: AcM7aCvRcfOY+VcOT2aAnuNoWHZmCQ==
Thread-Topic: [MailServer Notification]Alert to Sender:  File Attachment
Blocked
From: <Administrator () machine77 level3 com>
Sender: <Administrator () machine77 level3 com>
To: <brunner () nic-naa net>
Subject: [MailServer Notification]Alert to Sender:  File Attachment Blocked
Date: Wed, 25 Jun 2003 16:21:49 -0600
Message-ID: <012d01c33b68$2bd14b40$d706010a () corp global level3 com>
MIME-Version: 1.0
Content-Type: text/plain;
        charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Exchange 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4920.2300
X-OriginalArrivalTime: 25 Jun 2003 22:21:49.0631 (UTC)
FILETIME=[2BF044F0:01C33B68]

ScanMail for Microsoft Exchange has blocked an attachment.

Sender = brunner () nic-naa net
Recipient(s) = ops () genuity com
Subject = Re: Movie
Scanning time = 06/25/2003 16:21:49

Action on file blocking:
The attachment your_details.zi matches the file blocking settings. ScanMail
has Deleted it. 

Attachment blocked due to extension match of .bat, .eml, .nws, .pif, .scr,
.src, .shs, .vbe, .vbs, .com, or .exe.

------- End of Forwarded Message

