[Exim] Tracking SirCam (fwd)

Author: Alan Thew
Date:  
To: Exim List
Subject: [Exim] Tracking SirCam (fwd)
fyi...

---------- Forwarded Message ----------
Date: 25 July 2001 10:49 -0600
From: Peter Krawczyk <petek@???>
To: incidents@???
Subject: Tracking SirCam

Trying to track the SirCam virus without looking at the body of the
message, we've found a way to track it via headers.

In the header of the message, everything looks dynamic, and so tracking it
seems to be hard. However, there is a slip -- the Date: header actually
appears as 'date:'.

A cursory examination of thousands of emails from mailing lists, private
sources, and other sources shows that the only messages using the lower
case 'date:' for the header are sent by the SirCam virus.

This may help those of you who want to filter on headers and not on
message body.

-Pete K
--
Pete Krawczyk <petek@???>
Senior System Administrator
mc.net <http://www.mc.net/>
(847) 594-5111
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


---------- End Forwarded Message ----------
--
Alan Thew
FAX: +44 151 794 4474
Using Mulberry 2.0.x
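A defender-side header check along the lines Pete describes, as an added example that is not part of the original post or of Exim: it inspects the raw header block rather than a parsed message (header field names are case-insensitive to mail parsers, so the check has to run on the wire bytes), skips folded continuation lines, and stops at the blank line so a 'date:' string in the body cannot match. The sample messages and the `SIRCAM_HEADER_MARKERS` name are constructed for this example.

```python
from typing import List

# Raw header field names (with the colon) treated as the SirCam indicator,
# exactly as the post describes: the field name appears in lower case.
SIRCAM_HEADER_MARKERS = (b"date:",)


def raw_header_names(raw_message: bytes) -> List[bytes]:
    """Return header field names exactly as they appear on the wire.

    Only the header block (up to the first empty line) is examined, and
    folded continuation lines (leading space or tab) are skipped, so text
    in the body or inside a folded value never counts as a field name.
    """
    names = []
    for line in raw_message.split(b"\n"):
        line = line.rstrip(b"\r")
        if line == b"":
            break  # end of the header block
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous field
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name)
    return names


def sircam_header_hits(raw_message: bytes) -> List[bytes]:
    """Return the raw field names that match the lower-case 'date:' indicator."""
    return [n for n in raw_header_names(raw_message)
            if n + b":" in SIRCAM_HEADER_MARKERS]


# Constructed sample messages (not real captures).
SUSPECT = (b"From: someone@example.invalid\r\n"
           b"To: victim@example.invalid\r\n"
           b"Subject: document\r\n"
           b"\tfolded subject continuation\r\n"
           b"date: Wed, 25 Jul 2001 10:49:00 -0600\r\n"
           b"\r\n"
           b"date: this is body text and must not count\r\n")
NORMAL = (b"Date: Wed, 25 Jul 2001 10:49:00 -0600\r\n"
          b"From: someone@example.invalid\r\n"
          b"Subject: hello\r\n"
          b"\r\n"
          b"date: in the body, harmless\r\n")

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(label, sircam_header_hits(msg))
```

The indicator is a single casing quirk, so treat a hit as a trigger for quarantine or closer inspection rather than proof on its own.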