
Re: Let's be friends

To: npenney <>
Subject: Re: Let's be friends
From: Eric Murray <>
Date: Wed, 6 Aug 2003 11:56:34 -0700
OK, for those of you who are interested in mail geekery, I
just got one of those worms we have been talking about.
The interesting headers are below, escaped with a leading '>'
to prevent their being interpreted.

>Received: from ( [])
>        by (8.12.5/8.12.5) with ESMTP id h76IW2S7014935
>        for <>; Wed, 6 Aug 2003 11:32:05 -0700

This Received line is my server accepting the mail from is for purposes of
receiving mail:

ericm(pts/9)> dig mx

;; ANSWER SECTION:         1H IN MX        9

>Received: (from majordom@localhost)
>        by (8.12.5/8.12.5) id h76HwYBd026222
>        for shop-talk-qwerty; Wed, 6 Aug 2003 11:58:34 -0600

This Received line is generated on by majordomo
sending out the mail to the list.

>From: npenney <>

This is probably forged.  As I wrote earlier, it's just characters,
you could put anything in there.

There are no more Received lines, so majordomo is
set to truncate Received lines on list mail.  If it weren't,
there would be an indication of where the mail originated.

>Subject: Let's be friends

Common Subject line of the Klez virus.

>Message-Id: <>

This Message-Id might indicate that the originator was
on the network.  But Message-Ids are often inserted
by SMTP gateways and if they are not, they can be forged by the
sender just like From: lines can.

>X-Converted-To-Plain-Text: from multipart/alternative by demime 0.99d.1
>X-Converted-To-Plain-Text: Alternative section used was text/html

These mean that demime deleted a MIME attachment.

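The header walk done by hand above, as a small parser added here for illustration (not code from the original post): it reads the Received chain newest-to-oldest, pulls out the relay, logged IP, queue id and timestamp of each hop, and reports where the trail ends, ignoring the From: line entirely. The sample headers are constructed to mirror the quoted ones; hostnames, addresses and the Message-Id are placeholders.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted above. Hostnames, addresses
# and the Message-Id are placeholders; the queue ids are the ones quoted on the page.
SAMPLE_HEADERS = """\
Received: from list.example.net (list.example.net [192.0.2.10])
        by mx.example.com (8.12.5/8.12.5) with ESMTP id h76IW2S7014935
        for <user@example.com>; Wed, 6 Aug 2003 11:32:05 -0700
Received: (from majordom@localhost)
        by list.example.net (8.12.5/8.12.5) id h76HwYBd026222
        for shop-talk-qwerty; Wed, 6 Aug 2003 11:58:34 -0600
From: npenney <npenney@example.org>
Subject: Let's be friends
Message-Id: <placeholder-id@example.org>
"""

# One hop: "from <helo> (<reverse-dns> [<ip>])" or the local-submission form
# "(from user@localhost)", then "by <host> ... id <queue id> ...; <date>".
HOP_RE = re.compile(
    r"(?:from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*)?"
    r"(?:\((?P<local>from\s+[^)]*)\)\s*)?"
    r"by\s+(?P<by>\S+)"
    r"(?:.*?\bid\s+(?P<id>\S+))?"
    r"(?:.*?;\s*(?P<date>.*))?$"
)

def parse_received(raw_headers):
    """Hops in header order: index 0 is the newest (our own server), -1 the oldest."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value)).strip()  # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue
        hop = m.groupdict()
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", hop["info"] or "")
        hop["ip"] = ip.group(1) if ip else None  # address logged by the receiving MTA
        hops.append(hop)
    return hops

def trace_origin(raw_headers):
    """Walk bottom-up to the oldest hop; From: is sender-supplied text and is ignored."""
    hops = parse_received(raw_headers)
    if not hops:
        return {"hops": 0, "origin": None, "reason": "no Received headers"}
    oldest = hops[-1]
    if oldest["local"]:
        # Trail ends at a local re-injection (e.g. majordomo): earlier hops were
        # truncated, so the true source is not recorded in these headers.
        return {"hops": len(hops), "origin": oldest["by"],
                "reason": "trail ends at local submission on " + oldest["by"]}
    return {"hops": len(hops), "origin": oldest["ip"] or oldest["helo"],
            "reason": "oldest relay recorded by " + oldest["by"]}
```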
