Bugger ... Re: [LINK] Hi
Ash Nallawalla
nospam at crm911.com
Tue Jan 20 02:07:10 EST 2004
> From: Jim Birch
> 1. I wouldn't be totally sure it didn't come from your machine. The
> first mail server to handle the message was bat.melbpc.org.au
> Who is
> allowed to relay to the net via that server? First guess is this is
> you or someone else who talks to Link at your domain
> (melbpc.org.au) as the infected machine knows Link's email address.
No, as Reagan pointed out, our server is the last in his chain. I have seen a few
of these today - clearly someone has harvested web addresses because some are
aliases that are never used as From addresses. They are then fed into the worm's
mechanism so that infected PCs send mail on behalf of someone else.
Here are the truncated headers from some I saw:
Received: from humblepie (unknown [203.21.64.17])
Received: from 51j-is01 (203-134-120-074.cust.mel.iprimus.net.au [203.134.120.74])
Received: from peter (2.149.221.203.comindico.com.au [203.221.149.2])
Received: from PC0004357 (unknown [203.16.56.89])
Received: from 51j-is01 (203-134-120-074.cust.mel.iprimus.net.au [203.134.120.74])
Received: from MELGARYD1 (unknown [203.43.24.113])
Ash
More information about the Link
mailing list