Great Circle Associates Majordomo-Users
(December 2000)
 


Subject: Re: Stop Virus Attacks
From: Chip Old <fold @ bcpl . net>
Date: Sat, 30 Dec 2000 01:31:03 -0500 (EST)
To: Majordomo-Users List <Majordomo-users @ GreatCircle . COM>
In-reply-to: <041e01c0720a$6b15bcc0$0201a8c0@pacbell.net>

That header indicates that the message was sent from a PC infected by the 
Hybris worm.  On the infected PC Hybris watches for e-mail addresses in
the data stream.  When it detects one, it sends its signature
"Snowhite..." message with a file attachment that, if opened, infects the
recipient's PC.  See http://www.F-Secure.com/v-descs/hybris.shtml for more
information.

The fact that the message was sent to your list address indicates that the
infected PC belongs to someone on your list.  If your list is really set
up to accept messages only from list members, then the infected message
should have been bounced to the list owner, not sent through to the list.

If the message went to the list instead of bouncing to the list owner,
check two things:

1) Is the list really set up to bounce messages from non-subscribers?  
Assuming for the sake of discussion the list is named "mylist", in your
"mylist.config" file you should have this:

restrict_post       =   mylist

If you don't, then your list isn't really set up to prevent non-member
submissions from reaching the list.

2) Check to see if some sick jokester has subscribed "hahaha@sexyfun.net"
to your list.  If so, unsubscribe that address.  Hybris always sends its
messages with that address on the "From:" line, so making sure that
address is not subscribed AND making sure your list is set up to bounce
non-subscriber submissions will stop Hybris-infected messages from
reaching your list.

On Fri, 29 Dec 2000, Ken Kramer wrote to Majordomo-users@GreatCircle.COM:

> How do I stop messages from coming through MajorDomo from people that
> are not registered on the list.  The program is set up for list members
> only, but one message keeps getting through with a virus attached.  
> It does not appear to have any routing information.  Here is the
> header from the message:
> 
> Return-Path: <hahaha@sexyfun.net>
> Received: from phoebe.hosting4u.net ([209.15.2.13]) by p-trader.net ; Fri, 29 Dec 2000 10:32:23 -0600
> Received: (qmail 3630 invoked by alias); 29 Dec 2000 16:32:24 -0000
> Delivered-To: mars-ptrade-usa-list@phoebe.hosting4u.net
> Received: (qmail 3627 invoked by alias); 29 Dec 2000 16:32:24 -0000
> Date: 29 Dec 2000 16:32:24 -0000
> Cc: recipient list not shown: ;
> From: Hahaha <hahaha@sexyfun.net>
> Subject: [USA] Snowhite and the Seven Dwarfs - The REAL story!
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="--VE05AB89"
> Message-ID: <97810754101@mars.hosting4u.net>
> Sender: majordomo-owner@p-trader.net
> Precedence: bulk
> Reply-To: Hahaha <hahaha@sexyfun.net>
> X-Rcpt-To: <Moderator@P-Trader.Net>
> X-DPOP: DPOP Version 2.4a
> X-UIDL: 978107687.000
> Status: U
> 
> 
> 
> Thanks for any help...
> 
> Ken Kramer

-- 
Chip Old (Francis E. Old)               E-Mail:  fold@bcpl.net
Manager, BCPL Network Services          Voice:   410-887-6180
Manager, BCPL.NET Internet Services     FAX:     410-887-2091
Baltimore County Public Library         ICBM:    39.39910 N
320 York Road                                    76.60300 W
Towson, Maryland 21204 U.S.A.
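Added example (not part of the post above or of Majordomo itself): a small Python check that mimics what `restrict_post = mylist` is meant to enforce, accepting a post only when the From: address is in the list's subscriber file, and that separately flags the Hybris hallmarks quoted in the thread. The function names, the subscriber file contents and the sample headers are constructed for illustration.

```python
# Added example: mimic Majordomo's restrict_post check and flag the Hybris
# signature described in the thread. Not Majordomo's own code.
from email import message_from_string
from email.utils import parseaddr

# Constructed subscriber file for a hypothetical list "mylist"
# (Majordomo list files hold one address per line; "#" starts a comment).
MYLIST_SUBSCRIBERS = """\
# mylist subscribers (constructed sample)
alice@example.org
Bob Example <bob@example.org>
"""

# Constructed headers, modelled on the one quoted in the thread.
HYBRIS_SAMPLE = """\
Return-Path: <hahaha@sexyfun.net>
From: Hahaha <hahaha@sexyfun.net>
Subject: [USA] Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE05AB89"

(attachment omitted)
"""


def load_subscribers(text):
    """Parse a list file into a set of lower-cased bare addresses
    (addresses are compared case-insensitively)."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            addrs.add(parseaddr(line)[1].lower())
    return addrs


def sender_address(raw_message):
    """Bare From: address of the message, falling back to Return-Path."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From") or msg.get("Return-Path") or "")[1].lower()


def is_hybris_signature(raw_message):
    """True when the message shows the Hybris hallmarks the thread names:
    the hahaha@sexyfun.net sender or the 'Snowhite' subject line."""
    subject = (message_from_string(raw_message).get("Subject") or "").lower()
    return sender_address(raw_message) == "hahaha@sexyfun.net" or "snowhite" in subject


def restrict_post_accepts(raw_message, subscribers_text):
    """Mimic restrict_post: accept only if the sender is a subscriber."""
    return sender_address(raw_message) in load_subscribers(subscribers_text)
```

Because restrict_post matches on a header address the sender controls, this check stops Hybris only because, as the post notes, the worm always uses the hahaha@sexyfun.net address; it is a membership check, not virus scanning.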



