There is only one Mailwasher - from Firetrust.
Please explain in more detail what happened.
[snip]
Correction. *Three* times they have bounced worms to me. I found another
in my email archives. (I haven't yet found the one that was successfully
disinfected by my ISP's filter. I may have zipped it in my mail directory
on my Internet account without having downloaded it yet.)
In both cases, the origin was an IP address that has *nothing* to do with
my ISP (all IPs in 192.75.95.0/24) but had its hostname forged in the HELO:
: Received: from unknown (HELO chebucto.ns.ca) (218.24.142.194)
: Received: from unknown (HELO chebucto.ns.ca) (218.24.142.194)
First sample:
: From <> Fri Jan 7 01:49:35 2005
: Received: from loki.chebucto.ns.Ca ([192.75.95.97]:35947 "EHLO
: loki.chebucto.ns.ca") by halifax.chebucto.ns.ca with ESMTP
: id S13002AbVAGFru (ORCPT <rfc822;[email protected]>);
: Fri, 7 Jan 2005 01:47:50 -0400
: Received: from lobster.firetrust.com ([69.59.174.220]:13513 "HELO
: lobster.firetrust.com") by loki.chebucto.ns.Ca with SMTP
: id <S4248333AbVAGFmF>; Fri, 7 Jan 2005 01:42:05 -0400
: Received: (qmail 19754 invoked for bounce); 7 Jan 2005 05:46:52 -0000
: Received: (mailwasher server; not checked: socket error connecting to the
: MPD: unable to connect to /local:/var/run/mwserver/mpd.sock: Connection refused); 07 Jan 2005 05:46:52 +0000
: Date: 7 Jan 2005 05:46:52 -0000
: From: (e-mail address removed)
: To: (e-mail address removed)
: Subject: Virus: failure notice
^^^^^^ <-- added by my ISP's filter
: X-CCN-MailScanner-Information: Please contact the ISP for more information
: X-MailScanner: Virus Infected
: X-Is-Spam: not spam, SpamAssassin (score=2.27, required 5,
: autolearn=disabled, AWL -0.04, BAYES_50 0.00, NO_REAL_NAME 0.01,
: UNIQUE_WORDS 2.27, UPPERCASE_25_50 0.03)
: X-MailScanner-SpamScore: ss
: X-MailScanner-From:
: Message-Id: <[email protected]>
: Return-Path: <>
: Status: RO
: X-Status:
:
: Warning: This message has had one or more attachments removed
: Warning: (file.pif).
: Warning: Please read the "VirusWarning.txt" attachment(s) for more
: information.
:
: Hi. This is the qmail-send program at lobster.firetrust.com.
: I'm afraid I wasn't able to deliver your message to the following
: addresses.
: This is a permanent error; I've given up. Sorry it didn't work out.
:
: <[email protected]>:
: Sorry, no mailbox here by that name. vpopmail (#5.1.1)
:
: --- Below this line is a copy of the message.
:
: Return-Path: <[email protected]>
: Received: (qmail 18805 invoked from network); 7 Jan 2005 05:46:52 -0000
: Received: (mailwasher server; not checked: socket error connecting to the MPD: unable to connect to /local:/var/run/mwserver/mpd.sock: Connection refused); 07 Jan 2005 05:46:52 +0000
: Received: from unknown (HELO chebucto.ns.ca) (218.24.142.194) by lobster.firetrust.com with SMTP; 7 Jan 2005 05:45:57 -0000
: From: (e-mail address removed)
: To: (e-mail address removed)
: Subject: HELLO
: Date: Fri, 7 Jan 2005 13:44:18 +0800
: MIME-Version: 1.0
: Content-Type: multipart/mixed;
: boundary="----=_NextPart_000_0007_99DAED9D.5DF05053"
: X-Priority: 3
: X-MSMail-Priority: Normal
:
: This is a multi-part message in MIME format.
:
: ------=_NextPart_000_0007_99DAED9D.5DF05053
: Content-Type: text/plain;
: charset="Windows-1252"
: Content-Transfer-Encoding: 7bit
:
: It's the long-awaited film version of the Broadway hit. The message sent
: as a binary attachment.
:
:
: ------=_NextPart_000_0007_99DAED9D.5DF05053
: Content-Type: application/octet-stream;
: name="file.pif"
: Content-Transfer-Encoding: base64
: Content-Disposition: attachment;
: filename="file.pif"
:
: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
: [BIG SNIP of infectious worm]
: aWJyYXJ5QQAAAAAAAAAAAAAAAABsjwQAXI8EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
:
: ------=_NextPart_000_0007_99DAED9D.5DF05053--
Second sample:
: From <> Mon Mar 14 03:50:42 2005
: Received: from lich.chebucto.ns.Ca ([192.75.95.79]:36575 "EHLO
: lich.chebucto.ns.ca") by halifax.chebucto.ns.ca with ESMTP
: id S1862AbVCNHru (ORCPT <rfc822;[email protected]>);
: Mon, 14 Mar 2005 03:47:50 -0400
: Received: from lobster.firetrust.com ([69.59.174.220]:7901 "HELO
: lobster.firetrust.com") by lich.chebucto.ns.ca with SMTP
: id <S416521AbVCNHrp>; Mon, 14 Mar 2005 03:47:45 -0400
: Received: (qmail 1855 invoked for bounce); 14 Mar 2005 07:47:03 -0000
: Date: 14 Mar 2005 07:47:03 -0000
: From: (e-mail address removed)
: To: (e-mail address removed)
: Subject: Virus: failure notice
^^^^^^ <-- added by my ISP's filter
: X-CCN-MailScanner-Information: Please contact the ISP for more information
: X-MailScanner: Virus Infected
: X-Is-Spam: not spam, SpamAssassin (score=4.128, required 5, AWL 0.26,
: BAYES_50 1.57, NO_REAL_NAME 0.01, UNIQUE_WORDS 2.27,
: UPPERCASE_25_50 0.03)
: X-MailScanner-SpamScore: ssss
: X-MailScanner-From:
: Message-Id: <[email protected]>
: Return-Path: <>
: Status: RO
: X-Status:
:
: Warning: This message has had one or more attachments removed
: Warning: (data.exe).
: Warning: Please read the "VirusWarning.txt" attachment(s) for more
: information.
:
: Hi. This is the qmail-send program at lobster.firetrust.com.
: I'm afraid I wasn't able to deliver your message to the following
: addresses.
: This is a permanent error; I've given up. Sorry it didn't work out.
:
: <[email protected]>:
: Sorry, no mailbox here by that name. vpopmail (#5.1.1)
:
: --- Below this line is a copy of the message.
:
: Return-Path: <[email protected]>
: Received: (qmail 16037 invoked from network); 14 Mar 2005 07:44:20 -0000
: Received: from unknown (HELO chebucto.ns.ca) (218.24.142.194)
: by lobster.firetrust.com with SMTP; 14 Mar 2005 07:44:20 -0000
: From: (e-mail address removed)
: To: (e-mail address removed)
: Subject: Error
: Date: Mon, 14 Mar 2005 15:42:19 +0800
: MIME-Version: 1.0
: Content-Type: multipart/mixed;
: boundary="----=_NextPart_000_0003_BD09DF8E.9F22C21C"
: X-Priority: 3
: X-MSMail-Priority: Normal
:
: This is a multi-part message in MIME format.
:
: ------=_NextPart_000_0003_BD09DF8E.9F22C21C
: Content-Type: text/plain;
: charset="Windows-1252"
: Content-Transfer-Encoding: 7bit
:
: The message contains Unicode characters and has been sent as a binary
: attachment.
:
:
: ------=_NextPart_000_0003_BD09DF8E.9F22C21C
: Content-Type: application/octet-stream;
: name="data.exe"
: Content-Transfer-Encoding: base64
: Content-Disposition: attachment;
: filename="data.exe"
:
: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
: [BIG SNIP of infectious worm]
: aWJyYXJ5QQAAAAAAAAAAAAAAAABsjwQAXI8EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
:
: ------=_NextPart_000_0003_BD09DF8E.9F22C21C--
Note that pine on my ISP's system couldn't decode the attachments as they
were included as plain text (and that is probably also why the virus
filter couldn't delete the "attachment" even though it claimed "This
message has had one or more attachments removed" -- this problem has since
been fixed once I pointed it out to the tech team). HOWEVER (!!), there
are a number of mailers out there with broken MIME handling (webmail
applications that include a footer with unquoted '=' characters in a
message sent as quoted-printable are one offender) that result in messages
that pine can't decode. A recommended workaround is to download the raw
messages and use UUDEVIEW or a similar utility to extract the attachments.
In the case of the Firetrust messages, UUDEVIEW successfully decoded and
extracted the infectious worms and the bounces from Firetrust could have
caused a less suspicious user to get infected.
Oh, and good luck on getting any contact information for them from a
whois lookup.
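An added example, not code from the post or from Firetrust: a small check for the forged-HELO pattern the post points out, comparing the HELO name in a Received: header against the netblock the post gives for the ISP (192.75.95.0/24). The two header layouts it parses and the domain-to-netblock table are assumptions built from the headers quoted above.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed from the post: the ISP's relays all sit in 192.75.95.0/24, so a
# HELO naming chebucto.ns.ca from any other address is forged. Extend as needed.
LEGIT_NETBLOCKS = {"chebucto.ns.ca": [ipaddress.ip_network("192.75.95.0/24")]}

# qmail style:  from unknown (HELO chebucto.ns.ca) (218.24.142.194) by ...
QMAIL_RE = re.compile(
    r"from \S+ \((?:HELO|EHLO) (?P<helo>[^)]+)\) \((?P<ip>[\d.]+)\)")
# ISP relay style: from loki.chebucto.ns.Ca ([192.75.95.97]:35947 "EHLO loki...") by ...
BRACKET_RE = re.compile(
    r'from \S+ \(\[(?P<ip>[\d.]+)\](?::\d+)? "(?:HELO|EHLO) (?P<helo>[^"]+)"')

def parse_received(header: str) -> Optional[Tuple[str, ipaddress.IPv4Address]]:
    """Return (helo_name, peer_ip) from one Received: header, or None."""
    text = " ".join(header.split())  # unfold continuation lines
    for rx in (QMAIL_RE, BRACKET_RE):
        m = rx.search(text)
        if m:
            try:
                return m.group("helo").lower(), ipaddress.ip_address(m.group("ip"))
            except ValueError:  # digits and dots that are not a valid address
                return None
    return None

def helo_is_forged(header: str) -> Optional[bool]:
    """True if the HELO claims a domain whose netblocks exclude the peer IP,
    False if the peer IP lies inside them, None if we cannot judge."""
    parsed = parse_received(header)
    if parsed is None:
        return None
    helo, ip = parsed
    for domain, nets in LEGIT_NETBLOCKS.items():
        if helo == domain or helo.endswith("." + domain):
            return not any(ip in net for net in nets)
    return None  # HELO names a domain we hold no netblock data for

if __name__ == "__main__":
    # Headers constructed from those quoted in the post.
    samples = [
        "Received: from unknown (HELO chebucto.ns.ca) (218.24.142.194) "
        "by lobster.firetrust.com with SMTP; 7 Jan 2005 05:45:57 -0000",
        'Received: from loki.chebucto.ns.Ca ([192.75.95.97]:35947 "EHLO\n'
        ' loki.chebucto.ns.ca") by halifax.chebucto.ns.ca with ESMTP',
    ]
    for h in samples:
        print(helo_is_forged(h), "<-", " ".join(h.split())[:60])
```

Run against the post's first sample, the qmail line naming chebucto.ns.ca from 218.24.142.194 comes back True (forged) while the ISP's own loki relay comes back False; a receiving MTA that made this check at SMTP time could reject the worm instead of bouncing it to the forged sender.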