[Esd-l] X-Unsent: header as way of recognizing mass mailing worms

Brett Glass brett at lariat.org
Wed Nov 28 12:03:00 PST 2001


I've recently noticed that only transmissions by worms (Badtrans.B and 
Nimda.E) seem to contain an X-Unsent: header. Because it's characteristic 
of several worms, it may be that worm writers are re-using code that 
inserts it. It might be useful to have a local recipe that checks for 
this header and quarantines.

--Brett
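
The check suggested above, written out as an added example (not code from the post or from the mailing list): a Python filter that looks for `X-Unsent:` only in the top-level header block, so a message that merely quotes the header in its body is not flagged. The function names, the `X-Quarantine-Reason` tag and the sample messages are assumptions constructed for illustration.

```python
from email import policy
from email.parser import BytesParser

SUSPECT_HEADER = "X-Unsent"            # header named in the post
REASON_HEADER = "X-Quarantine-Reason"  # hypothetical tag, not a standard header


def check_message(raw: bytes):
    """Return (verdict, message_bytes) for one raw RFC 822 message.

    headersonly=True stops parsing at the first blank line, so body text
    that happens to contain "X-Unsent:" is never treated as a header.
    """
    parser = BytesParser(policy=policy.compat32)
    headers = parser.parsebytes(raw, headersonly=True)
    if headers.get(SUSPECT_HEADER) is None:  # lookup is case-insensitive
        return "deliver", raw
    # Match the message's own line endings when prepending the tag.
    eol = b"\r\n" if b"\r\n" in raw else b"\n"
    tag = ("%s: %s header present" % (REASON_HEADER, SUSPECT_HEADER)).encode("ascii")
    return "quarantine", tag + eol + raw


def triage(messages):
    """Sort raw messages into 'deliver' and 'quarantine' lists."""
    folders = {"deliver": [], "quarantine": []}
    for raw in messages:
        verdict, out = check_message(raw)
        folders[verdict].append(out)
    return folders


# Constructed sample messages (not real worm traffic).
FLAGGED = (b"From: a@example.com\r\nSubject: Re:\r\n"
           b"x-unsent: 1\r\n\r\nTake a look at the attachment.\r\n")
QUOTED = (b"From: b@example.com\nSubject: odd header\n\n"
          b"I keep seeing this line in worm mail:\nX-Unsent: 1\n")
CLEAN = b"From: c@example.com\nSubject: lunch\n\nNoon?\n"

if __name__ == "__main__":
    result = triage([FLAGGED, QUOTED, CLEAN])
    print(len(result["quarantine"]), "quarantined,",
          len(result["deliver"]), "delivered")
```
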


