Hello,
I am slowly getting fed up: more and more virus e-mails are being sent with my sender address that do not originate from my PC.
Here is a sample of the headers (I removed all e-mail addresses):
*****************************************************************
1. Example:
*****************************************************************
Attention: no reply address,it was generated automaticly
Ihre Mail wurde an den folgenden Empfaenger nicht geliefert:
Your message was not delivered to the following recipients:
[email protected]: Nonlocal address
Return-Path:
Received: from mx2.bmwgroup.com ([192.109.190.179] [192.109.190.179]) by lp0054.muc with ESMTP for [email protected]; Mon, 29 Mar 2004 20:10:56 +0200
Received: from mx.expurgate.net ([195.190.135.10] [195.190.135.10]) by mx2.bmwgroup.com with ESMTP for [email protected]; Mon, 29 Mar 2004 20:10:56 +0200
Received: from [217.93.2.191] (helo=bmw.de)
by mx.expurgate.net with esmtp (Exim 3.36 #1)
id 1B81Dn-0008HI-00
for [email protected]; Mon, 29 Mar 2004 20:10:51 +0200
From: [email protected]
To: [email protected]
Subject: [VIRUS] fast food…
Date: Mon, 29 Mar 2004 20:13:36 +0200
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id:
X-purgate-ID: expurgator11/1B81Dn-0008HI-00 0:0
X-purgate-Ad: Categorized by eleven eXpurgate ® http://www.eXpurgate.net
X-purgate: This mail is considered clean (see http://www.eXpurgate.net/support/expurgate_headers for details)
X-purgate: clean
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0001_00001A2A.00001D10"
*****************************************************************
2. Example:
*****************************************************************
Hi. This is the qmail-send program at mx2.ngi.de.
I’m afraid I wasn’t able to deliver your message to the following addresses.
This is a permanent error; I’ve given up. Sorry it didn’t work out.
Sorry, no mailbox here by that name. (#5.1.1)
--- Below this line is a copy of the message.
Return-Path:
Received: (qmail 10298 invoked from network); 29 Mar 2004 14:16:00 -0000
Received: from unknown (HELO ngi.de) ([217.93.2.191])
(envelope-sender )
by 0 (qmail-ldap-1.03) with SMTP
for ; 29 Mar 2004 14:16:00 -0000
From: [email protected]
To: [email protected]
Subject: Question
Date: Mon, 29 Mar 2004 16:46:18 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_00002730.000052B4"
X-Priority: 3
X-MSMail-Priority: Normal
This is a multi-part message in MIME format.
------=_NextPart_000_0012_00002730.000052B4
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
forgotten?
------=_NextPart_000_0012_00002730.000052B4
Content-Type: application/x-zip-compressed;
name="important_location.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="important_location.zip"
*****************************************************************
3. Example:
*****************************************************************
VIRUS ALERT
Our virus checker found
virus: W32/Netsky-D
in your email to the following recipient:
-> [email protected]
Delivery of the email was stopped!
Please check your system for viruses,
or ask your system administrator to do so.
For your reference, here are headers from your email:
------------------------- BEGIN HEADERS -----------------------------
Received: from veloce.be (p50845566.dip.t-dialin.net [80.132.85.102])
by gandalf.mail.winlin.be (Postfix) with ESMTP id 1E7B214C01B
for ; Mon, 29 Mar 2004 10:05:43 +0200 (CEST)
From: [email protected]
To: [email protected]
Subject: Re: Here
Date: Mon, 29 Mar 2004 10:12:25 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0002_00005DD3.00001AEA"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id:
-------------------------- END HEADERS ------------------------------
*****************************************************************
4. Example:
*****************************************************************
VIRUS ALERT
Der Viren Scanner der FH Rosenheim hat einen VIRUS gefunden
VIRUS: W32/Netsky-D
in einer von Ihnen () versendeten EMAIL an den folgenden Empfänger:
-> [email protected]
Bitte prüfen Sie Ihr System auf VIREN !!!
Ihre EMAIL wurde am Mailserver der FH Rosenheim geblockt und NICHT an den Empfänger weitergeleitet !!!
Bitte beachten Sie, daß Viren bei der Verbreitung häufig den Absender fälschen, so daß die Nachricht nicht von Ihrem Rechner stammen muß. Den wahren Urheber der Nachricht erkennen Sie an dem beigefügten Header. Auch wenn diese Nachricht häufig nicht den tatsächlichen Absender erreicht, ist die Information an die Absenderadresse aus rechtlichen Gründen erforderlich.
Wenn die Nachricht nicht von Ihrem Rechner stammt, ist diese Nachricht gegenstandslos, anderenfalls untersuchen Sie bitte Ihren Rechner auf Virenbefall oder wenden Sie sich an Ihren Administrator.
Zu Ihrer Information fügen wir den Header Ihrer Nachricht bei:
------------------------- BEGIN HEADERS -----------------------------
Return-Path:
Received: by mail1.rz.fh-rosenheim.de (Postfix, from userid 1151)
id 5B39DB804D; Sun, 28 Mar 2004 21:00:25 +0200 (CEST)
Received: from fh-rosenheim.de (borderware1.relay.de [141.60.116.2])
by mail1.rz.fh-rosenheim.de (Postfix) with ESMTP id CFF40B8052
for ; Sun, 28 Mar 2004 21:00:13 +0200 (CEST)
Received: from fh-rosenheim.de ([217.84.23.82]) by firewall1.fh-rosenheim.de with ESMTP id ; Sun, 28 Mar 2004 20:52:57 +0200
From: [email protected]
To: [email protected]
Subject: Re: Your website
Date: Sun, 28 Mar 2004 21:02:46 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0001_00000686.0000475F"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id:
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on
mail1.rz.fh-rosenheim.de
X-Spam-Status: No, hits=-1.8 required=3.0 tests=BAYES_00,MICROSOFT_EXECUTABLE,
MISSING_MIMEOLE,NO_REAL_NAME,PRIORITY_NO_NAME autolearn=no
version=2.61
X-Spam-Level:
-------------------------- END HEADERS ------------------------------
*****************************************************************
Now for the evaluation:
1. Example: Does the sender now have the IP 192.109.190.179, 195.190.135.10 or 217.93.2.191??? And is the time stamp German time?
2. Example: Here it looks as if the e-mail was sent locally within the NGI server?
3. Example: Here the case should be clear, definitely a T-Online address.
4. Example: Here too, as in the 2nd example, a local address within the university network?
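To address the "which IP is the sender" question in the evaluation, here is an added example (not part of the original post) that walks the Received chain of the first two bounces bottom-up: every relay prepends its own Received line, so the lowest hop that carries an IP address is the host that handed the mail to the first mail server. The sample headers are the ones quoted above, with the poster's redactions kept; the parsing helpers are assumptions of this example, not a library's API.

```python
import re

# Received chains quoted in the first two bounces above (addresses already redacted by the poster).
EXAMPLE_1 = """\
Received: from mx2.bmwgroup.com ([192.109.190.179] [192.109.190.179]) by lp0054.muc with ESMTP for [email protected]; Mon, 29 Mar 2004 20:10:56 +0200
Received: from mx.expurgate.net ([195.190.135.10] [195.190.135.10]) by mx2.bmwgroup.com with ESMTP for [email protected]; Mon, 29 Mar 2004 20:10:56 +0200
Received: from [217.93.2.191] (helo=bmw.de)
 by mx.expurgate.net with esmtp (Exim 3.36 #1)
 id 1B81Dn-0008HI-00
 for [email protected]; Mon, 29 Mar 2004 20:10:51 +0200
"""

EXAMPLE_2 = """\
Received: (qmail 10298 invoked from network); 29 Mar 2004 14:16:00 -0000
Received: from unknown (HELO ngi.de) ([217.93.2.191])
 (envelope-sender )
 by 0 (qmail-ldap-1.03) with SMTP
 for ; 29 Mar 2004 14:16:00 -0000
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw: str) -> list:
    """Join continuation lines (leading whitespace) back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return lines


def parse_hop(value: str) -> dict:
    """Split one Received value into claimed name, HELO string, connecting IP and receiving host."""
    m = re.search(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", value, re.S)
    if not m:  # e.g. qmail's local "(qmail ... invoked from network)" hop carries no peer
        return {"from": None, "helo": None, "ip": None, "by": None}
    helo = re.search(r"helo=(\S+?)\)|HELO\s+(\S+?)\)", m.group(2))
    ip = IP_RE.search(m.group(1) + m.group(2))
    return {"from": m.group(1), "helo": helo and (helo.group(1) or helo.group(2)),
            "ip": ip and ip.group(1), "by": m.group(3)}


def origin(raw: str) -> dict:
    """Return the hop that first accepted the mail from outside: the lowest Received line with an IP."""
    hops = [parse_hop(h[len("Received:"):]) for h in unfold(raw) if h.startswith("Received:")]
    for hop in reversed(hops):  # headers are prepended, so the bottom line is the oldest hop
        if hop["ip"]:
            return hop
    raise ValueError("no Received hop with an IP address")
```

The result lists the claimed HELO name next to the connecting IP, so a HELO that names the recipient's own domain while the peer resolves to "unknown" or a dial-up host stands out; the IPs further up the chain belong to the recipient's own relays, not to the sender.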