Weird email messages with "re:movie" and "re:application" in the subject line..

Mark Segal MSegal at Corporate.FCIBroadband.com
Thu Jun 26 03:33:36 UTC 2003


Here is the best link I have seen so far... Thanks to Kevin Day..

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]


My guess is they might need to upgrade it to more than 55-999 infections :).

mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-----Original Message-----
From: Eric Brunner-Williams in Portland Maine [mailto:brunner at nic-naa.net] 
Sent: June 25, 2003 11:25 PM
To: Larry Rosenman
Cc: Mark Segal; 'nanog at merit.edu'; brunner at nic-naa.net
Subject: Re: Weird email messages with "re:movie" and "re:application" in
the subject line.. 



> W32/sobig.e at MM per McAfee.....

I seem to have done one better ... according to a M$ host in Level3-land,
the Unix box right in front of me sent the mail in question.

Someone at L3 needs to call home. The only L3 turd in my mail log is their
inbound...

Jun 25 18:21:11 nic-naa sm-mta[24589]: h5PMLB5U024589:
from=<administrator at Level3.com>, size=1711, class=0, nrcpts=1,
msgid=<012d01c33b68$2bd14b40$d706010a at corp.global.level3.com>, proto=ESMTP,
daemon=MTA, relay=machine77.Level3.com [209.244.4.106]

Cheers,
Eric
------- Forwarded Message

Return-Path: administrator at Level3.com
Delivery-Date: Wed Jun 25 18:21:11 2003
Return-Path: <administrator at Level3.com>
Received: from f1ee40-19.idc1.level3.com (machine77.Level3.com
[209.244.4.106])
	by nic-naa.net (8.12.9/8.12.9) with ESMTP id h5PMLB5U024589
	for <brunner at nic-naa.net>; Wed, 25 Jun 2003 18:21:11 -0400 (EDT)
Received: from idc1exc0001.corp.global.level3.com (localhost [127.0.0.1])
	by f1ee40-19.idc1.level3.com (8.8.8p2+Sun/8.8.8) with SMTP id
WAA02577
	for <brunner at nic-naa.net>; Wed, 25 Jun 2003 22:21:50 GMT
Received: from idc1exc0005.corp.global.level3.com ([10.1.6.215]) by
idc1exc0001.corp.global.level3.com with Microsoft SMTPSVC(5.0.2195.4905);
	 Wed, 25 Jun 2003 16:21:49 -0600
Received: from mail pickup service by idc1exc0005.corp.global.level3.com
with Microsoft SMTPSVC;
	 Wed, 25 Jun 2003 16:21:49 -0600
thread-index: AcM7aCvRcfOY+VcOT2aAnuNoWHZmCQ==
Thread-Topic: [MailServer Notification]Alert to Sender:  File Attachment
Blocked
From: <Administrator at machine77.level3.com>
Sender: <Administrator at machine77.level3.com>
To: <brunner at nic-naa.net>
Subject: [MailServer Notification]Alert to Sender:  File Attachment Blocked
Date: Wed, 25 Jun 2003 16:21:49 -0600
Message-ID: <012d01c33b68$2bd14b40$d706010a at corp.global.level3.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Exchange 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4920.2300
X-OriginalArrivalTime: 25 Jun 2003 22:21:49.0631 (UTC)
FILETIME=[2BF044F0:01C33B68]

ScanMail for Microsoft Exchange has blocked an attachment.

Sender = brunner at nic-naa.net
Recipient(s) = ops at genuity.com
Subject = Re: Movie
Scanning time = 06/25/2003 16:21:49

Action on file blocking:
The attachment your_details.zi matches the file blocking settings. ScanMail
has Deleted it. 

Attachment blocked due to extension match of .bat, .eml, .nws, .pif, .scr,
.src, .shs, .vbe, .vbs, .com, or .exe.

------- End of Forwarded Message
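
Added example, not part of the original thread: one way to run the check Eric describes, searching the local MTA log for any message this host actually handled from the claimed sender to the claimed recipient before trusting an "Alert to Sender" notification. The log lines are constructed in sendmail's from=/to= format with example.* addresses, and the function names are hypothetical.

```python
import re

# Constructed sendmail-style log lines (not taken from the original post).
SAMPLE_LOG = """\
Jun 25 18:02:40 mx sm-mta[24011]: h5PM2e5U024011: from=<user@example.net>, size=912, class=0, nrcpts=1, msgid=<a1@example.net>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 18:02:41 mx sm-mta[24013]: h5PM2e5U024011: to=<friend@example.org>, delay=00:00:01, mailer=esmtp, relay=mail.example.org. [192.0.2.25], dsn=2.0.0, stat=Sent (ok)
Jun 25 18:21:11 mx sm-mta[24589]: h5PMLB5U024589: from=<administrator@example.com>, size=1711, class=0, nrcpts=1, msgid=<b2@example.com>, proto=ESMTP, daemon=MTA, relay=gw.example.com [198.51.100.7]
Jun 25 18:21:12 mx sm-mta[24590]: h5PMLB5U024589: to=<user@example.net>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

# syslog prefix, then "<queue id>: from=..." or "<queue id>: to=..."
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ \S+\[\d+\]: (\w+): (from|to)=(\S+)")


def deliveries(log_text):
    """Map each queue id to its envelope sender and list of recipients."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        qid, kind, field = m.groups()
        # to= may carry several comma-separated <addr> entries
        addrs = [a.lower() for a in re.findall(r"<([^>]*)>", field)]
        entry = msgs.setdefault(qid, {"from": None, "to": []})
        if kind == "from":
            entry["from"] = addrs[0] if addrs else ""
        else:
            entry["to"].extend(addrs)
    return msgs


def sent_by_us(log_text, claimed_sender, claimed_recipient):
    """Queue ids where this MTA handled mail from claimed_sender to
    claimed_recipient. An empty list means that, as far as this log shows,
    the notification refers to mail with a forged sender address."""
    s, r = claimed_sender.lower(), claimed_recipient.lower()
    return [qid for qid, e in deliveries(log_text).items()
            if e["from"] == s and r in e["to"]]


if __name__ == "__main__":
    # The notification claims user@example.net mailed ops@example.com.
    print(sent_by_us(SAMPLE_LOG, "user@example.net", "ops@example.com"))
```

An empty result only covers the log window searched, so the search should span the "Scanning time" given in the notification with some margin for clock and timezone differences.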


