Re: Returned Mails

[JEREMY Anderson <jeremy () 2monkeys org>]

The telltale item which you need to look at is to open up the original 
email (usually bundled as an attachment in the bounce), and look at the 
Received: header(s) in this email.

If you see your server's IP address in the Received headers, it is 
possible that your machine has been infected.  If you see other IP 
addresses, NetSky just poached your email from an associates' box and 
resent mails under your name.  That happens all the time, and is, of 
course, meaningless.

On Mon, 26 Apr 2004, Guru4u Support wrote:

> Hi,
>
> This is probably a stupid question but I could do with some confirmation 
> of what I think is happening. I've been receiving a lot of 'return' emails claiming 
> they have been returned as I have a virus. Example below:
>
>
> A virus was found in a message sent by this
> account.
>
> --- Scan information follows ---
>
> Result: Virus Detected
> Virus Name: W32.Netsky.C@mm
> File Attachment: posting.txt.com
> Attachment Status: deleted
>
> --- Original message information follows ---
>
> From: *************@guru4u.co.uk
> To: ********.com
> Date: Fri, 23 Apr 2004 23:32:12 +0100
> Subject: SPAM: the truth?
> Received: from netcel.com ([80.42.154.232])
>  by nospam.netcel.com (SAVSMTP 3.1.0.29) with SMTP id M2004042323185126674
>  for ********.com>; Fri, 23 Apr 2004 23:18:52 +0100
>
>
>
> I have up to now guessed these were down to 'someone' else's pc infected 
> with netsky or mydoom but after a lull I have been bombarded with loads 
> of such mails over the course of the day.
>
> I would just like some reassurance that this is indeed due to other 
> people infected boxes rather mine. I have of course run several full 
> system scans with Norton av with the latest definitions etc and do use a 
> firewall, Spybot etc.
>
> I've googled and this starts to confirm my suspicions but isn't authorative.
>
> Thanks in advance,
>
> Guru
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------