Virus origin

user3187 (External)
Since: Nov 21, 2004
Posts: 18

(Msg. 1) Posted: Sun Nov 21, 2004 1:49 pm
Post subject: Virus origin
Archived from groups: alt>computer>security, others

I've installed Amavis/AntiVir on my Linux system and this seems to be doing
a good job of intercepting nasties. But I have a question about the
information supplied by these packages.

I know that malware programs typically spoof the 'From' header, so I'm
ignoring that. However, I'm intrigued by the 'Received:' headers. Amavis
highlights the earliest 'Received:' header in the chain. Here's an example:

According to the 'Received:' trace, the message originated at:
   host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
helo=frenchentree.com)

Now, that 'helo=frenchentree.com' interests me. That's a site for which my
wife (to whom all these virus-bearing messages were addressed) has just
started working. We've had a bunch of these and there are other indications
that the guy she's working for might actually be the source of the malware.

So, the question is, do malware programs also somehow spoof the HELO? Or is
this actual proof that the malware originated from the frenchentree.com
domain? I need to know before I give the guy a bollocking and tell him to
sort out his system.

--
@+

mnc (External)
Since: Oct 30, 2004
Posts: 25

(Msg. 2) Posted: Sun Nov 21, 2004 1:49 pm
Post subject: Re: Virus origin
Archived from groups: per prev. post

In article <uff672-2sq.ln1.RemoveThis@anon.com>, srm <user.RemoveThis@nospam.org> wrote:
 > I know that malware programs typically spoof the 'From' header, so I'm
 > ignoring that. However, I'm intrigued by the 'Received:' headers. Amavis
 > highlights the earliest 'Received:' header in the chain.

....which could be fake.

 > Here's an example:
 >
 > According to the 'Received:' trace, the message originated at:
 >    host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
 > helo=frenchentree.com)
 >
 > Now, that 'helo=frenchentree.com' interests me. That's a site for which my
 > wife (to whom all these virus-bearing messages were addressed) has just
 > started working. We've had a bunch of these and there are other indications
 > that the guy she's working for might actually be the source of the malware.
 >
 > So, the question is, do malware programs also somehow spoof the HELO?

Yes, all the time. Quite often they pick something that matches the target
address's domain.

miguel
--
Hit The Road! Photos from 32 countries on 5 continents: http://travel.u.nu

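One way to check a trace along the lines Miguel's answer suggests, as an added example that is not code from the thread: it parses the Exim-style Received header quoted above and flags when the HELO name disagrees with the connecting host's reverse DNS, mirrors the recipient's own domain, or comes from a consumer address pool whose reverse DNS embeds the IP. The header text, the recipient address and the contrast case are constructed for the example.

```python
import re

# Constructed sample modelled on the Exim-style trace quoted in the thread:
# reverse DNS of the connecting host, its IP, and the name it sent in HELO.
# The 'for' recipient address is made up for this example.
SAMPLE_RECEIVED = (
    "Received: from host217-42-163-55.range217-42.btcentralplus.com "
    "([217.42.163.55] helo=frenchentree.com)\n"
    "\tby mail.example.invalid with esmtp (Exim 4.34)\n"
    "\tfor someone@frenchentree.com; Sun, 21 Nov 2004 13:49:00 +0000"
)
# Constructed contrast case: HELO agrees with the connecting host's reverse DNS.
PLAUSIBLE_RECEIVED = (
    "Received: from mail.example.org ([192.0.2.10] helo=mail.example.org)\n"
    "\tby mail.example.invalid with esmtp (Exim 4.34)\n"
    "\tfor someone@frenchentree.com; Sun, 21 Nov 2004 14:02:00 +0000"
)

# Exim writes the connecting host as: from <rdns> ([<ip>] helo=<name>)
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\s+helo=(?P<helo>[^)\s]+)\)")
FOR_RE = re.compile(r"\bfor\s+<?(?P<rcpt>[^\s>;]+)>?")

def registered_domain(name: str) -> str:
    """Crude registrable domain: last two labels (fine for .com-style names)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_received(header: str) -> dict:
    """Pull reverse DNS, IP, HELO name and (if present) the 'for' recipient."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("no Exim-style 'from host ([ip] helo=name)' clause")
    info = m.groupdict()
    f = FOR_RE.search(header)
    info["rcpt"] = f.group("rcpt") if f else None
    return info

def assess(header: str) -> dict:
    """Return the parsed fields plus reasons not to take the HELO at face value."""
    info = parse_received(header)
    findings = []
    helo_dom = registered_domain(info["helo"])
    if helo_dom != registered_domain(info["rdns"]):
        findings.append("HELO name does not match reverse DNS of the connecting IP")
    if info["rcpt"] and registered_domain(info["rcpt"].split("@")[-1]) == helo_dom:
        findings.append("HELO name mirrors the recipient's own domain")
    if info["ip"].replace(".", "-") in info["rdns"]:
        findings.append("reverse DNS embeds the IP, typical of a consumer address pool")
    return {**info, "helo_trustworthy": not findings, "findings": findings}
```

assess(SAMPLE_RECEIVED) reports the HELO as untrustworthy with all three findings, while the contrast case comes back clean; only the connecting IP in the header written by your own server is worth acting on.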
user3187 (External)
Since: Nov 21, 2004
Posts: 18

(Msg. 3) Posted: Sun Nov 21, 2004 9:32 pm
Post subject: Re: Virus origin
Archived from groups: per prev. post

Miguel Cruz wrote:

 > Yes, all the time. Quite often they pick something that matches the target
 > address's domain.

Okay - thanks to everyone for the replies. It may be coincidence, then.

--
@+