[Esd-l] RE: Odd behavior with the new outbreak - Followup

John D. Hardin jhardin at impsec.org
Sat Aug 23 06:56:40 PDT 2003


On Fri, 22 Aug 2003, Chris Rothbauer wrote:

> I was able to replicate it by doing the following....
> 
> I retrieved an infected file out of quarantine, sent an email to a
> recipient at the complaining gateway, via my own smtp relay. So I
> am playing the role of "Bob" playing the role of me. The path of
> the message is from my relay, to the complaining server, then back
> into my filters to exchange. There are absolutely no tags
> (X-Spam-Status, etc.) in the incoming portion of the header. I
> then popped it down to get all the headers intact.
> 
> On going through this for email addresses/IPs/domains, I realized
> it's just a standard NDR sending me the original email as an
> attachment so odds are there aren't any funky encodings going on.
> Notice that there are no spamassassin or sanitizer tags in the
> header at my receiving portion. This message id
> (yadayadayada at HERB_BDC) is in my logs, however.
> 
> Here you go (altered to protect the innocent) .....
> 
> Received: by myserver.mydomain.com 
> 	id <01C368CB.3AD9703C at myserver.mydomain.com>; Fri, 22 Aug 2003 11:34:17 -0500
> MIME-Version: 1.0
> Content-Type: multipart/report;
> 	report-type=delivery-status;
> 	boundary="----_=_NextPart_001_01C368CB.3AD9703C"
> content-class: urn:content-classes:dsn
> X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
> Subject: Undeliverable: your server is sending me viruses
> Date: Fri, 22 Aug 2003 11:34:17 -0500
> Message-ID: <094FB038FF88D611B5A800A0CCE034D7346283 at HERB_BDC>
> X-MS-Has-Attach: yes
> X-MS-TNEF-Correlator: 
> Thread-Topic: your server is sending me viruses
> Thread-Index: AcNozXVfxrcq6znLSxyUNvWPdNW/JgAAjqHg
> From: "System Administrator" <postmaster at mydomain.com>
> To: "Chris Rothbauer" <me at mydomain.com>

The header order looks unusual, but that *shouldn't* prevent
sanitizing...

> ------_=_NextPart_001_01C368CB.3AD9703C
> Content-Type: message/rfc822
> Content-Transfer-Encoding: 7bit

The sanitizer should sanitize attached rfc822 messages.

> 
> Received:  from myrelay.myhomedomain.net (myrelay.myisp.net [x.x.x.x]) by herb_bdc.hisdomain.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id RLHXBG0A; Fri, 22 Aug 2003 12:50:06 -0400
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> 	boundary="----_=_NextPart_002_01C368CD.7068B300"
> Received:  from mydesktop ([x.x.x.x]) by myrelay.myhomedomain.net (8.12.8/8.12.5) with SMTP id h7MGkDCq003422 for <him at hisdomain.com>; Fri, 22 Aug 2003 11:46:14 -0500
> X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
> content-class: urn:content-classes:message
> Subject: your server is sending me viruses
> Date: Fri, 22 Aug 2003 11:28:19 -0500
> Message-ID: <000d01c368ca$68aa9c80$470119ac at stitch>
> X-MS-Has-Attach: yes
> X-MS-TNEF-Correlator: 
> Thread-Topic: your server is sending me viruses
> Thread-Index: AcNozXVfxrcq6znLSxyUNvWPdNW/Jg==
> From: "Chris Rothbauer" <me at mydomain.com>
> To: <him at hisdomain.com>
> Reply-To: "Chris Rothbauer" <me at mydomain.com>
>

The fact that there aren't any X-Security headers saying that it was
sanitized means that the MIME scanner is confused.

Can you send me the email address of the server that's sending this in
private mail? I'd like to get it to send me a reply as well.

Thanks.


--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   70 days until Matrix Revolutions
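An added illustration of the nesting discussed in this thread (not code from the thread or from the sanitizer itself): a DSN of type multipart/report wraps the bounced mail as a message/rfc822 part, so a scanner that only inspects the outer parts never sees the attachment inside, while a recursive walk does. It uses only Python's standard email library; every address, subject and file content below is constructed.

```python
import email
import email.policy
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample shaped like the NDR quoted in the thread: a
# multipart/report DSN carrying the original message as a message/rfc822
# part, which in turn carries an executable attachment. Values invented.
def build_sample_dsn() -> bytes:
    original = MIMEMultipart("mixed")
    original["From"] = "Chris Rothbauer <me@mydomain.com>"
    original["To"] = "him@hisdomain.com"
    original["Subject"] = "your server is sending me viruses"
    original.attach(MIMEText("see attached"))
    exe = MIMEApplication(b"MZ-not-a-real-binary", "octet-stream")
    exe.add_header("Content-Disposition", "attachment", filename="sample.exe")
    original.attach(exe)
    dsn = MIMEMultipart("report", report_type="delivery-status")
    dsn["From"] = "System Administrator <postmaster@mydomain.com>"
    dsn["To"] = "Chris Rothbauer <me@mydomain.com>"
    dsn["Subject"] = "Undeliverable: your server is sending me viruses"
    dsn.attach(MIMEText("Your message could not be delivered."))
    dsn.attach(MIMEMessage(original))  # the bounced mail, nested whole
    return dsn.as_bytes()

def top_level_attachments(raw: bytes) -> list:
    """A scanner that only looks at the outer parts sees a text part and
    a message/rfc822 part, neither of which carries a filename."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]

def nested_attachments(raw: bytes) -> list:
    """walk() descends into message/rfc822 bodies, so the attachment
    inside the bounced original is found with its content type."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    found = []
    for part in msg.walk():
        if part.get_filename():
            found.append((part.get_content_type(), part.get_filename()))
    return found

def sanitizer_marked(raw: bytes) -> bool:
    """True if any part carries an X-Security header; a message that
    passed the filter without one is the symptom described above."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return any("X-Security" in part for part in msg.walk())
```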
