[59345] in North American Network Operators' Group
RE: Weird email messages with "re:movie" and "re:application" in
daemon@ATHENA.MIT.EDU (Mark Segal)
Wed Jun 25 23:34:59 2003
From: Mark Segal <MSegal@Corporate.FCIBroadband.com>
To: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Wed, 25 Jun 2003 23:33:36 -0400
Errors-To: owner-nanog-outgoing@merit.edu
Here's the best link I have seen so far... Thanks to Kevin Day.
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html
My guess is they might need to upgrade it to more than 55-999 infections :).
mark
--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070
Fax: 416-987-4701
http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband
-----Original Message-----
From: Eric Brunner-Williams in Portland Maine [mailto:brunner@nic-naa.net]
Sent: June 25, 2003 11:25 PM
To: Larry Rosenman
Cc: Mark Segal; 'nanog@merit.edu'; brunner@nic-naa.net
Subject: Re: Weird email messages with "re:movie" and "re:application" in
the subject line..
> W32/sobig.e@MM per McAfee.....
I seem to have done one better ... according to a M$ host in Level3-land,
the Unix box right in front of me sent the mail in question.
Someone at L3 needs to call home. The only L3 turd in my mail log is their
inbound...
Jun 25 18:21:11 nic-naa sm-mta[24589]: h5PMLB5U024589:
from=<administrator@Level3.com>, size=1711, class=0, nrcpts=1,
msgid=<012d01c33b68$2bd14b40$d706010a@corp.global.level3.com>, proto=ESMTP,
daemon=MTA, relay=machine77.Level3.com [209.244.4.106]
Cheers,
Eric
------- Forwarded Message
Return-Path: administrator@Level3.com
Delivery-Date: Wed Jun 25 18:21:11 2003
Return-Path: <administrator@Level3.com>
Received: from f1ee40-19.idc1.level3.com (machine77.Level3.com
[209.244.4.106])
by nic-naa.net (8.12.9/8.12.9) with ESMTP id h5PMLB5U024589
for <brunner@nic-naa.net>; Wed, 25 Jun 2003 18:21:11 -0400 (EDT)
Received: from idc1exc0001.corp.global.level3.com (localhost [127.0.0.1])
by f1ee40-19.idc1.level3.com (8.8.8p2+Sun/8.8.8) with SMTP id
WAA02577
for <brunner@nic-naa.net>; Wed, 25 Jun 2003 22:21:50 GMT
Received: from idc1exc0005.corp.global.level3.com ([10.1.6.215]) by
idc1exc0001.corp.global.level3.com with Microsoft SMTPSVC(5.0.2195.4905);
Wed, 25 Jun 2003 16:21:49 -0600
Received: from mail pickup service by idc1exc0005.corp.global.level3.com
with Microsoft SMTPSVC;
Wed, 25 Jun 2003 16:21:49 -0600
thread-index: AcM7aCvRcfOY+VcOT2aAnuNoWHZmCQ==
Thread-Topic: [MailServer Notification]Alert to Sender: File Attachment
Blocked
From: <Administrator@machine77.level3.com>
Sender: <Administrator@machine77.level3.com>
To: <brunner@nic-naa.net>
Subject: [MailServer Notification]Alert to Sender: File Attachment Blocked
Date: Wed, 25 Jun 2003 16:21:49 -0600
Message-ID: <012d01c33b68$2bd14b40$d706010a@corp.global.level3.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Exchange 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4920.2300
X-OriginalArrivalTime: 25 Jun 2003 22:21:49.0631 (UTC)
FILETIME=[2BF044F0:01C33B68]
ScanMail for Microsoft Exchange has blocked an attachment.
Sender = brunner@nic-naa.net
Recipient(s) = ops@genuity.com
Subject = Re: Movie
Scanning time = 06/25/2003 16:21:49
Action on file blocking:
The attachment your_details.zi matches the file blocking settings. ScanMail
has Deleted it.
Attachment blocked due to extension match of .bat, .eml, .nws, .pif, .scr,
.src, .shs, .vbe, .vbs, .com, or .exe.
------- End of Forwarded Message
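
Added example, not part of the original thread: the ScanMail notice names brunner@nic-naa.net as sender of a message to ops@genuity.com, and the check described above is to look in the local sendmail log for any such message. The sketch below joins sendmail from= and to= entries on the queue ID and answers both questions (did this MTA handle that mail, and what arrived from Level3). The function names are hypothetical, and every log entry except the first is constructed.

```python
import re

# sendmail syslog entry: "<date> <host> sm-mta[pid]: <queue-id>: key=value, ..."
ENTRY = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ \S+\[\d+\]: (\w+): (.*)$")

# First entry is the log line quoted in the post, rejoined onto one line.
# Every other entry is constructed for this example.
SAMPLE_LOG = [
    "Jun 25 18:21:11 nic-naa sm-mta[24589]: h5PMLB5U024589: from=<administrator@Level3.com>, size=1711, class=0, nrcpts=1, msgid=<012d01c33b68$2bd14b40$d706010a@corp.global.level3.com>, proto=ESMTP, daemon=MTA, relay=machine77.Level3.com [209.244.4.106]",
    "Jun 25 18:21:12 nic-naa sm-mta[24590]: h5PMLB5U024589: to=<brunner@nic-naa.net>, delay=00:00:01, mailer=local, stat=Sent",
    "Jun 25 17:02:40 nic-naa sm-mta[24101]: h5PL2e5U024101: from=<brunner@nic-naa.net>, size=902, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]",
    "Jun 25 17:02:41 nic-naa sm-mta[24102]: h5PL2e5U024101: to=<someone@example.org>, delay=00:00:01, mailer=esmtp, stat=Sent",
]

def addr(value):
    return value.strip("<>").lower()

def parse(lines):
    """Join sendmail from= and to= entries on their shared queue ID."""
    msgs = {}
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"from": None, "to": set(), "relay": ""})
        fields = dict(f.split("=", 1) for f in rest.split(", ") if "=" in f)
        if "from" in fields:  # from= entries carry the connecting relay
            rec["from"] = addr(fields["from"])
            rec["relay"] = fields.get("relay", "").split(" ")[0].lower()
        if "to" in fields:    # several recipients are comma-separated
            rec["to"].update(addr(a) for a in fields["to"].split(","))
    return msgs

def sent_by_us(msgs, sender, recipient):
    """Queue IDs of mail this MTA actually handled from sender to recipient."""
    return sorted(q for q, r in msgs.items()
                  if r["from"] == sender.lower() and recipient.lower() in r["to"])

def received_from(msgs, domain):
    """Queue IDs of mail whose connecting relay is in the given domain."""
    d = domain.lower()
    return sorted(q for q, r in msgs.items()
                  if r["relay"] == d or r["relay"].endswith("." + d))

if __name__ == "__main__":
    msgs = parse(SAMPLE_LOG)
    print("sent to ops@genuity.com:", sent_by_us(msgs, "brunner@nic-naa.net", "ops@genuity.com"))
    print("inbound from level3.com:", received_from(msgs, "level3.com"))
```

An empty result from `sent_by_us` alongside a hit from `received_from` is the situation the post describes: the log holds Level3's inbound notification and no outbound message matching it.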