Full Disclosure mailing list archives
Does Swen forge the sender? WARNING - LONG POST
From: Paul Schmehl <pauls () utdallas edu>
Date: Sat, 27 Sep 2003 11:40:32 -0500
In deference to the experts, Joe and Nick, rather than argue about what Swen does, I'll just post some headers and ask for a *brief* explanation of them.
1st header is a "bounce" to my work account. Unfortunately the bouncing party didn't bother to include the original message headers, but it's evident that they *thought* that I sent them the virus. Since the "From" address was "Microsoft Security Support" <dyfotwrltwosb_whweemsf () bulletin msn com>, how does this get back to me unless the "MAIL FROM" command was "pauls () utdallas edu"?
Received: from null-pmn.utdallas.edu ([129.110.10.1]) by utdevs02.campus.ad.utdallas.edu with Microsoft SMTPSVC(5.0.2195.6713); Sat, 27 Sep 2003 00:49:54 -0500
Received: from localhost (localhost [127.0.0.1]) by null-pmn.utdallas.edu (Postfix) with ESMTP id 404FE1A06B1 for <pauls () utdallas edu>; Sat, 27 Sep 2003 00:50:04 -0500 (CDT)
Received: from mx0.utdallas.edu ([127.0.0.1]) by localhost (ns0 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 29640-01-56 for <pauls () utdallas edu>; Sat, 27 Sep 2003 00:50:03 -0500 (CDT)
Received: from mail.cosmofilms.com (unknown [203.112.156.12]) by mx0.utdallas.edu (Postfix) with ESMTP id F175A38A92 for <pauls () utdallas edu>; Sat, 27 Sep 2003 00:46:09 -0500 (CDT)
Received: from mail.cosmofilms.com (localhost [127.0.0.1]) by mail.cosmofilms.com (8.12.9/8.12.9) with ESMTP id h8R5jW2B005365 for <pauls () utdallas edu>; Sat, 27 Sep 2003 11:17:10 +0530
Received: from aygad (logistic.cosmofilms.com [192.9.200.210]) by mail.cosmofilms.com (8.12.9/8.12.9) with SMTP id h8R5ij5w005085; Sat, 27 Sep 2003 11:14:45 +0530
Date: Sat, 27 Sep 2003 11:14:45 +0530
Message-Id: <200309270544.h8R5ij5w005085 () mail cosmofilms com>
From: "Microsoft Security Support" <dyfotwrltwosb_whweemsf () bulletin msn com>
To: " " <zwhbfu_ajnkwdm () bulletin msn com>
SUBJECT: Current Net Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yczwccphdsq"
Return-Path: webserv () cosmofilms com
X-OriginalArrivalTime: 27 Sep 2003 05:49:54.0912 (UTC) FILETIME=[2D3B5600:01C384BB]

--lodywg
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML> <HEAD></HEAD> <BODY> <iframe src=3D"cid:oygkdfqowfov" height=3D0 width=3D0></iframe> <BR><BR><BR>Undelivered mail to <B>lajgfy () bigfoot com</B> <BR><BR><BR>Message follows:<BR><BR><BR><BR> </BODY></HTML>
--lodywg
Content-Type: audio/x-wav; name="ctlsz.scr"
Content-Transfer-Encoding: base64
Content-Id: <oygkdfqowfov>

------------------ Virus Warning Message (on mail.cosmofilms.com)
Found virus WORM_SWEN.A in file Pack6579.exe
The uncleanable file is deleted.
---------------------------------------------------------

The second message is a "bounce" from Swen itself. Interesting that it has an attachment which does not show up in Outlook Express because I force plain text for all incoming messages. If I understand what you are saying correctly the infected party should be "mdrake8 () bellsouth net", correct? That *does* appear to be the case, since the mail originated at bellsouth.
X-Apparently-To: pschmehl () sbcglobal net via web80308.mail.yahoo.com; 27 Sep 2003 04:00:27 -0700 (PDT)
X-YahooFilteredBulk: 205.152.59.72
Return-Path: <mdrake8 () bellsouth net>
Received: from vmd-ext.prodigy.net (207.115.63.89) by mta818.mail.yahoo.com with SMTP; 27 Sep 2003 04:00:25 -0700 (PDT)
X-Originating-IP: [205.152.59.72]
Received: from imf24aec.mail.bellsouth.net (imf24aec.mail.bellsouth.net [205.152.59.72]) by vmd-ext.prodigy.net (8.12.9/8.12.3) with ESMTP id h8RB0OeJ069304 for <pschmehl () sbcglobal net>; Sat, 27 Sep 2003 07:00:24 -0400
Received: from menospxe ([65.81.163.202]) by imf24aec.mail.bellsouth.net (InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP id <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@menospxe>; Sat, 27 Sep 2003 07:00:14 -0400
FROM: "Admin" <smtpautomat () bigfoot com>
TO: "Network User" <receiver () mxserver com>
SUBJECT: Bug Report
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="lodywg"
Message-Id: <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@menospxe>
Date: Sat, 27 Sep 2003 07:00:19 -0400

The third message is an actual copy of Swen sent directly to my home address. (I can't get any at work since we bounce them all.) Again this appears to be from pratsc () terra es whose computer is infected.
X-Apparently-To: pschmehl () sbcglobal net via web80308.mail.yahoo.com; 27 Sep 2003 07:38:21 -0700 (PDT)
X-YahooFilteredBulk: 213.4.129.129
Return-Path: <pratsc () terra es>
Received: from mailapps1-ext.prodigy.net (EHLO mailapps1-int.prodigy.net) (207.115.63.107) by mta807.mail.yahoo.com with SMTP; 27 Sep 2003 07:38:20 -0700 (PDT)
X-Header-Overseas: Mail.from.Overseas.source.213.4.129.129
X-Header-Maps: blocked.by.Prodigy.dialups.list.213.4.129.129
X-Originating-IP: [213.4.129.129]
Received: from tsmtp5.mail.isp (smtp.terra.es [213.4.129.129]) by mailapps1-int.prodigy.net (8.12.9/8.12.3) with ESMTP id h8REcIld776526 for <pschmehl () sbcglobal net>; Sat, 27 Sep 2003 10:38:18 -0400
Date: Sat, 27 Sep 2003 10:38:18 -0400
Message-Id: <200309271438.h8REcIld776526 () mailapps1-int prodigy net>
Received: from tmvav ([213.97.150.28]) by tsmtp5.mail.isp(terra.es) with SMTP id HLVN7N01.FO3; Sat, 27 Sep 2003 16:35:47 +0200
FROM: "Microsoft Security Center" <rumkxowkdyane_fheumvnb () confidence net>
TO: "Commercial Partner" <partner-chzzawgyg () confidence net>
SUBJECT:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="kbeceexggkugyd"

--kbeceexggkugyd
Content-Type: multipart/related; boundary="foudxvmnxeo"; type="multipart/alternative"

--foudxvmnxeo
Content-Type: multipart/alternative; boundary="mxdpvsxsnxqyeaia"

--mxdpvsxsnxqyeaia
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Microsoft Partner this is the latest version of security update, the "September 2003, Cumulative Patch" update which resolves all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to continue keeping your computer secure. This update includes the functionality = of all previously released patches.

So how does the first bounce get to me?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
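The question the post turns on is which address a bouncing mail server actually uses: the SMTP envelope sender (MAIL FROM, recorded as Return-Path by the last hop) or the From: header, which the sending program fills in freely. The following script is an added illustration for readers of this archive, not code from the post or from any party in the thread. It takes the headers of the second message above (the Swen "bounce" that arrived via bellsouth) as a constructed sample, with the archive's " () " address obfuscation undone and the MIME body lines left out, and pulls out the envelope sender, the header From, and the Received chain from oldest hop to newest, so the originating host can be read off the bottom Received line rather than from anything the sender wrote.

```python
"""Envelope sender vs. header From: who gets the bounce, and where did it come from?

Added illustration (not part of the original post). Return-Path records the
MAIL FROM that the last MTA saw; that is the address a bouncing server sends
its "undeliverable" notice to. The From: header is free text controlled by
whatever produced the message, so a mismatch between the two is the first
thing to look at when a "bounce" arrives for mail you never sent.
"""
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample: headers of the second message quoted in the post, with the
# archive's " () " obfuscation turned back into "@" and the one folded Received
# line joined. MIME body lines are omitted; only the headers matter here.
SWEN_BOUNCE_HEADERS = """\
Return-Path: <mdrake8@bellsouth.net>
Received: from vmd-ext.prodigy.net (207.115.63.89) by mta818.mail.yahoo.com with SMTP; 27 Sep 2003 04:00:25 -0700 (PDT)
X-Originating-IP: [205.152.59.72]
Received: from imf24aec.mail.bellsouth.net (imf24aec.mail.bellsouth.net [205.152.59.72]) by vmd-ext.prodigy.net (8.12.9/8.12.3) with ESMTP id h8RB0OeJ069304 for <pschmehl@sbcglobal.net>; Sat, 27 Sep 2003 07:00:24 -0400
Received: from menospxe ([65.81.163.202]) by imf24aec.mail.bellsouth.net (InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP id <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@menospxe>; Sat, 27 Sep 2003 07:00:14 -0400
From: "Admin" <smtpautomat@bigfoot.com>
To: "Network User" <receiver@mxserver.com>
Subject: Bug Report
Message-Id: <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@menospxe>
Date: Sat, 27 Sep 2003 07:00:19 -0400

"""

# "from <name> (<what the receiving MTA recorded>)" at the start of a Received value.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)


def parse_headers(text):
    """Parse a raw header block (body ignored) into a Message object."""
    return HeaderParser(policy=policy.default).parsestr(text)


def envelope_sender(msg):
    """Address from Return-Path: the MAIL FROM seen by the last hop; bounces go here."""
    return parseaddr(str(msg.get("Return-Path", "")))[1].lower()


def header_from(msg):
    """Address from the From: header: chosen by the sender, not verified by anyone."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def sender_mismatch(msg):
    """True when the envelope sender and the header From disagree (both present)."""
    env, hdr = envelope_sender(msg), header_from(msg)
    return bool(env and hdr) and env != hdr


def received_chain(msg):
    """Hops oldest first: (name the client announced, what the MTA actually saw).

    Received headers are prepended by each MTA, so the bottom one is the earliest
    hop; that is the only line written by a server the sender did not control
    (assuming the sender did not forge Received lines of its own).
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.match(str(raw).strip())
        if m:
            hops.append((m.group(1), m.group(2) or ""))
    return hops


def analyze(text):
    """Summarise a header block into the fields a defender checks first."""
    msg = parse_headers(text)
    chain = received_chain(msg)
    return {
        "envelope_sender": envelope_sender(msg),
        "header_from": header_from(msg),
        "sender_mismatch": sender_mismatch(msg),
        "origin": chain[0] if chain else None,
        "hops": len(chain),
    }


if __name__ == "__main__":
    for key, value in analyze(SWEN_BOUNCE_HEADERS).items():
        print(f"{key:>16}: {value}")
```

Run against the sample, the envelope sender is mdrake8@bellsouth.net while the From: header claims smtpautomat@bigfoot.com, and the oldest Received hop is a client calling itself "menospxe" from 65.81.163.202 handing the mail to bellsouth's own MTA, which is consistent with the post's reading that the infected machine sits behind the bellsouth account and that a bounce for this message would go to that account, not to whatever the From: line says. The same logic applied to the first message in the post shows why its "bounce" reached the university address: the bouncing server replies to the envelope sender it was given, so the only way for that reply to land at pauls () utdallas edu is for that address to have been used in MAIL FROM, exactly as the post suspects.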
Current thread:
- Does Swen forge the sender? WARNING - LONG POST Paul Schmehl (Sep 27)
- Re: Does Swen forge the sender? WARNING - LONG POST Nick FitzGerald (Sep 27)
- Re: Does Swen forge the sender? WARNING - LONG POST Kee Hinckley (Sep 27)