[Mimedefang] MessageID anti-impersonation function for sub filter()

Joseph Brennan brennan at columbia.edu
Wed May 26 11:45:58 EDT 2004


Some data.

I did "grep msgid=.*@columbia\.edu.*,.proto= syslog" on one of our
incoming mail hosts.  The file had 46,000 msgid= strings.



The Bagle virus does this.  We are catching these already with a test
on the HELO string-- it says "helo columbia.edu" when sending, and we
don't allow that unless we have smtp auth (some clients do it).

There is a very consistent pattern to Bagle mail.  Insert your own
domain name there:

msgid=<cliyxkcmkjecpvkfguj at columbia.edu>
msgid=<aasbbsoirnszcpnwodg at columbia.edu>
msgid=<hhvvugtkjlsizudwcdc at columbia.edu>
msgid=<yiezeeekkkjebirvvrf at columbia.edu>
msgid=<tswikfzjuubzhuncidx at columbia.edu>

So... exclude Bagle and what else is there...



msgid=<CLEIKBNIBILDPGGNFBBKMEEGCHAA.xx427 at columbia.edu>

This comes from Yahoo Groups.  The sender was xx427 at columbia.edu
(actually not xx but two other letters!).  This looks legit.  I
see some others.  This seems to be how Yahoo Groups constructs
message ids.



msgid=<d870dd9c9d488a.9c954.qmail at columbia.edu>
msgid=<1f08d480fddf42.4f7a9.qmail at columbia.edu>

Mydoom virus.



msgid=<05/26/2004|xxx36 at columbia.edu|14627>

Good grief.  The recipient is xxx36 at columbia.edu.  Probably legit.
Sending host in morningstar.com.



msgid=<AD28736B-AF25-11D8-B98E-000393758614 at columbia.edu>

From a Verizon mail server.  Sender address is xx at columbia.edu and it
appears to be one of our users sending mail from an ISP.  Some clients
construct the Message-ID using the default domain name.  This is an
important example but I have to admit it is the only one I can find
in this syslog file, so it appears to be unusual.




Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
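An added example, not code from the post or from MIMEDefang: a Python classifier that applies the Message-ID shapes quoted above to constructed syslog lines in sendmail's msgid=/proto= form, tagging the Bagle and Mydoom patterns separately from the Yahoo Groups and ISP-client forms the post found legitimate. The sample log lines, hostnames, addresses and the regex bounds (letter counts, hex lengths) are assumptions; the domain check mirrors the loose grep in the post rather than parsing the address.

```python
import re

# Constructed sample syslog lines in sendmail's "msgid=<...>, proto=" style.
# Message-IDs follow the shapes quoted in the post; hosts/addresses are made up.
SAMPLE_LOG = """\
May 26 11:01:02 mx1 sm-mta[1]: i4QF12ab001: from=<a@example.net>, msgid=<cliyxkcmkjecpvkfguj@columbia.edu>, proto=SMTP, relay=host.example.net [192.0.2.10]
May 26 11:01:03 mx1 sm-mta[2]: i4QF13cd002: from=<b@example.net>, msgid=<d870dd9c9d488a.9c954.qmail@columbia.edu>, proto=SMTP, relay=host.example.net [192.0.2.11]
May 26 11:01:04 mx1 sm-mta[3]: i4QF14ef003: from=<xx427@columbia.edu>, msgid=<CLEIKBNIBILDPGGNFBBKMEEGCHAA.xx427@columbia.edu>, proto=SMTP, relay=n1.grp.example.com [192.0.2.12]
May 26 11:01:05 mx1 sm-mta[4]: i4QF15gh004: from=<xx@columbia.edu>, msgid=<AD28736B-AF25-11D8-B98E-000393758614@columbia.edu>, proto=ESMTP, relay=out.isp.example [192.0.2.13]
May 26 11:01:06 mx1 sm-mta[5]: i4QF16ij005: from=<c@example.org>, msgid=<20040526150106.GA123@mail.example.org>, proto=ESMTP, relay=mail.example.org [192.0.2.14]
May 26 11:01:07 mx1 sm-mta[6]: i4QF17kl006: from=<d@example.com>, msgid=<05/26/2004|xxx36@columbia.edu|14627>, proto=ESMTP, relay=mail.example.com [192.0.2.15]
"""

OUR_DOMAIN = "columbia.edu"

MSGID_RE = re.compile(r"msgid=<([^>]*)>")

# Shapes derived from the Message-IDs quoted in the post (bounds are assumed).
BAGLE_RE = re.compile(r"^[a-z]{15,25}@")                            # run of random lowercase letters
MYDOOM_RE = re.compile(r"^[0-9a-f]{10,16}\.[0-9a-f]{4,6}\.qmail@")  # hex.hex.qmail
YAHOO_GROUPS_RE = re.compile(r"^[A-Z]{28}\.[A-Za-z0-9_-]+@")        # 28 capitals, dot, local user
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}@")  # client-generated UUID

def classify_msgid(msgid, our_domain=OUR_DOMAIN):
    """Tag a Message-ID that claims our domain; anything unmatched is left for a human."""
    if "@" + our_domain not in msgid.lower():   # same loose test as the post's grep
        return "other-domain"
    if BAGLE_RE.match(msgid):
        return "bagle-pattern"
    if MYDOOM_RE.match(msgid):
        return "mydoom-pattern"
    if YAHOO_GROUPS_RE.match(msgid):
        return "yahoo-groups-style"
    if UUID_RE.match(msgid):
        return "client-uuid-style"
    return "unclassified"

def scan_log(text, our_domain=OUR_DOMAIN):
    """Return (msgid, tag) for every msgid= field found in the log text."""
    results = []
    for line in text.splitlines():
        m = MSGID_RE.search(line)
        if m:
            results.append((m.group(1), classify_msgid(m.group(1), our_domain)))
    return results

if __name__ == "__main__":
    for msgid, tag in scan_log(SAMPLE_LOG):
        print(f"{tag:20s} {msgid}")
```

Unclassified hits are the ones worth eyeballing before tightening a filter rule, since that bucket is where legitimate but odd client-generated ids (like the date-and-pipe form above) land.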
