What is Netdoor?


Jan Il

Hi all -

I received a message with an attachment a while ago that stated that it had
been cleaned by Netdoor, and gave some urls for Netdoor to 'check it out.'
Well...I'm not going to open anything or go to any site I've never heard of
until I know a bit more about what Netdoor is. I have no idea who, or what,
rocketmail.net is. Here is the body of the message;

I WARNING: This e-mail has been altered by MIMEDefang. Following this
paragraph are indications of the actual changes made. For more
information about your site's MIMEDefang policy, contact
NETDOOR Spam Filter Administrator <[email protected]>. For more
information about MIMEDefang, see:

http://support.netdoor.com/email/filtering.html

An attachment named bmvrzlwq.scr was removed from this document as it
constituted a security hazard. If you require this document, please contact
the sender and arrange an alternate means of receiving it.

(There is an open box here that says page can't be displayed)
-------------------------------------------------------------------------------

Message from rocketmail.net

I'm sorry the message returned below could not be delivered to the following
addresses:

Undelivered mail to (e-mail address removed)

Message follows:information regarding this
****************************************************************************************************
And here are the details:

Return-Path: <[email protected]>
Received: from smtp2.netdoor.com ([208.137.128.155]) by lakemtai08.cox.net
(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
id <[email protected]>;
Sat, 6 Dec 2003 16:45:44 -0500
Received: from lbjgfv (port605.hat.netdoor.com [208.148.200.205])
by smtp2.netdoor.com (8.12.10/8.12.1) with SMTP id hB6Lewrm026977;
Sat, 6 Dec 2003 15:40:59 -0600 (CST)
Date: Sat, 6 Dec 2003 15:40:58 -0600 (CST)
Message-Id: <[email protected]>
FROM: "microsoft internet message system" <>
TO: "network recipient" <[email protected]>
SUBJECT: Message
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_1070746897-21950-1021"
X-Defanged: YES
X-Scanned-By: MIMEDefang 2.31 (www . roaringpenguin . com / mimedefang)
********************************************************************************************

Very best regards,
Jan :)
 
Jan Il said:
I received a message with an attachment a while ago that stated that it had
been cleaned by Netdoor, and gave some urls for Netdoor to 'check it out.'
Well...I'm not going to open anything or go to any site I've never heard of
until I know a bit more about what Netdoor is. I have no idea who, or what,
rocketmail.net is. Here is the body of the message;

I WARNING: This e-mail has been altered by MIMEDefang. Following this
paragraph are indications of the actual changes made. For more
information about your site's MIMEDefang policy, contact
NETDOOR Spam Filter Administrator <[email protected]>. For more
information about MIMEDefang, see:

http://support.netdoor.com/email/filtering.html

That page is quite safe -- it describes NETDOOR's mail filtering
implementation and the consequences of it. (NETDOOR appears to be
an ISP.)

An attachment named bmvrzlwq.scr was removed from this document as it
constituted a security hazard. If you require this document, please contact
the sender and arrange an alternate means of receiving it.

(There is an open box here that says page can't be displayed)

This is what their policy says it will do when messages with attachments
with certain filetypes, including .SCR extensions, are passed through
its mail servers. If you look at the first Received: header (below --
note, here "first" means "earliest" and should be the last one you find
reading down through the headers) you will see that the message was sent
from a NETDOOR user's machine:

Received: from lbjgfv (port605.hat.netdoor.com [208.148.200.205]) ...

by a NETDOOR mail server:

... by smtp2.netdoor.com (8.12.10/8.12.1) ...

Message from rocketmail.net

I'm sorry the message returned below could not be delivered to the following
addresses:

Undelivered mail to (e-mail address removed)
<<snip>>

A standard Swen message made by the virus to look like a bounce sent by
the recipient to a randomly selected (by the virus) address.

X-Defanged: YES
X-Scanned-By: MIMEDefang 2.31 (www . roaringpenguin . com / mimedefang)

These message headers were inserted by one of the programs used in
NETDOOR's message filtering process.
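Nick's two points above, that the Received: chain has to be read bottom-up to find the originating machine and that NETDOOR's policy strips attachments by extension, can be checked mechanically. The following Python is an added example of mine, not code from the thread, from NETDOOR or from MIMEDefang. It feeds the bounce's own headers (with the folding re-indented and the addresses the forum redacted replaced by example.invalid placeholders) to the standard library's email parser, lists the hops oldest first, checks that each receiving server is the next hop's claimed sender, and applies an extension blocklist; .scr is the one extension the thread shows, the others in the set are my assumption of what such a policy typically covers.

```python
"""Reconstruct a message's delivery path from its Received: headers and
apply a MIMEDefang-style attachment-extension policy (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parsedate_to_datetime

# Headers from the bounce quoted in the thread; folding re-indented as
# RFC 5322 requires, redacted addresses/ids replaced with placeholders,
# body constructed (the attachment had already been removed upstream).
RAW_MESSAGE = """\
Return-Path: <sender@example.invalid>
Received: from smtp2.netdoor.com ([208.137.128.155]) by lakemtai08.cox.net
 (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
 id <placeholder-id@lakemtai08.cox.net>;
 Sat, 6 Dec 2003 16:45:44 -0500
Received: from lbjgfv (port605.hat.netdoor.com [208.148.200.205])
 by smtp2.netdoor.com (8.12.10/8.12.1) with SMTP id hB6Lewrm026977;
 Sat, 6 Dec 2003 15:40:59 -0600 (CST)
Date: Sat, 6 Dec 2003 15:40:58 -0600 (CST)
Message-Id: <placeholder-id@smtp2.netdoor.com>
From: "microsoft internet message system" <>
To: "network recipient" <recipient@example.invalid>
Subject: Message
Mime-Version: 1.0
Content-Type: text/plain
X-Defanged: YES
X-Scanned-By: MIMEDefang 2.31 (www.roaringpenguin.com/mimedefang)

(constructed body)
"""

# "from <helo> (<reverse dns> [<ip>]) by <server>" as Sendmail/InterMail write it
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<detail>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# .scr is the extension the thread shows; the rest are assumed additions
STRIPPED_EXTENSIONS = {".scr", ".pif", ".exe", ".bat", ".com", ".vbs", ".cmd"}


def parse_message(raw: str) -> Message:
    return message_from_string(raw)


def delivery_path(msg: Message) -> list:
    """One dict per Received: header, oldest hop first.

    Every MTA prepends its own Received: line, so the header block reads
    newest-to-oldest; reversing it recovers chronological order (Nick's
    "first" = "earliest" = last one when reading down)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # unparseable hop: keep going rather than guess
        detail = m.group("detail") or ""
        ip = IP_RE.search(detail)
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({
            "helo": m.group("helo"),
            "rdns": detail.split("[")[0].strip() or None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def origin(hops: list) -> dict:
    """The earliest hop: the machine that handed the message to the first MTA."""
    return hops[0]


def chain_is_consistent(hops: list) -> bool:
    """Each hop's receiving server should be the next hop's claimed sender."""
    return all(a["by"] == b["helo"] for a, b in zip(hops, hops[1:]))


def transit_seconds(hops: list) -> int:
    """Seconds from first to last hop; aware datetimes handle the zone change."""
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())


def would_be_stripped(filename: str) -> bool:
    """Extension check as a MIMEDefang-style policy applies it (last suffix only)."""
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in STRIPPED_EXTENSIONS


def was_defanged(msg: Message) -> bool:
    return msg.get("X-Defanged", "").strip().upper() == "YES"


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    hops = delivery_path(msg)
    for n, h in enumerate(hops, 1):
        print(f"hop {n}: {h['helo']} ({h['rdns']} [{h['ip']}]) -> {h['by']} at {h['time']}")
    print("origin ip:", origin(hops)["ip"], "| chain consistent:", chain_is_consistent(hops))
    print("transit:", transit_seconds(hops), "s | defanged:", was_defanged(msg))
    print("bmvrzlwq.scr stripped:", would_be_stripped("bmvrzlwq.scr"))
```

The consistency check only catches crude mismatches: anything below the Received: line added by the first server you trust was written by the sender and can say whatever it likes, so treat the origin as "what the netdoor.com server saw connect to it", not as ground truth.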
 
Hi Nick :)

Nick FitzGerald said:
Jan Il said:
I received a message with an attachment a while ago that stated that it had
been cleaned by Netdoor, and gave some urls for Netdoor to 'check it out.'
Well...I'm not going to open anything or go to any site I've never heard of
until I know a bit more about what Netdoor is. I have no idea who, or what,
rocketmail.net is. Here is the body of the message;

I WARNING: This e-mail has been altered by MIMEDefang. Following this
paragraph are indications of the actual changes made. For more
information about your site's MIMEDefang policy, contact
NETDOOR Spam Filter Administrator <[email protected]>. For more
information about MIMEDefang, see:

http://support.netdoor.com/email/filtering.html

That page is quite safe -- it describes NETDOOR's mail filtering
implementation and the consequences of it. (NETDOOR appears to be
an ISP.)

An attachment named bmvrzlwq.scr was removed from this document as it
constituted a security hazard. If you require this document, please contact
the sender and arrange an alternate means of receiving it.

(There is an open box here that says page can't be displayed)

This is what their policy says it will do when messages with attachments
with certain filetypes, including .SCR extensions, are passed through
its mail servers. If you look at the first Received: header (below --
note, here "first" means "earliest" and should be the last one you find
reading down through the headers) you will see that the message was sent
from a NETDOOR user's machine:

Received: from lbjgfv (port605.hat.netdoor.com [208.148.200.205]) ...

by a NETDOOR mail server:

... by smtp2.netdoor.com (8.12.10/8.12.1) ...

Message from rocketmail.net

I'm sorry the message returned below could not be delivered to the following
addresses:

Undelivered mail to (e-mail address removed)
<<snip>>

A standard Swen message made by the virus to look like a bounce sent by
the recipient to a randomly selected (by the virus) address.

X-Defanged: YES
X-Scanned-By: MIMEDefang 2.31 (www . roaringpenguin . com / mimedefang)

These message headers were inserted by one of the programs used in
NETDOOR's message filtering process.

Thank you so much for the very detailed explanation; I truly do appreciate
it. It looked very suspicious...especially the part about the
roaringpenguin. So..if I don't know...I don't go..<g>

Jan :)
 
So..if I don't know...I don't go..<g>


What you can do in future (I don't personally know of anything that
exploits this.. although I am open to hedumacation =) ).. rather than
entering 'www.foo.bar' into your browser's addybar, you can use
'view-source:http://www.foo.bar'. This, rather than rendering the page in
the actual browser, will popup the normal 'view source' window where
you're able to view the code before you ever actually view the page. This
obviously relies on you having some knowledge of the likes of javascript /
vbscript etc in case you need to read any actual code. It's just one
method that can be used.. could use Telnet etc if you liked blah blah blah =)

</£0.02>

Regards,

Ian
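Ian's view-source: trick gets you the page's code instead of a rendered page; what you then do with that code is read it for the parts that would have executed or redirected. The Python below is an added example of mine, not from Ian or the thread, of that reading step done offline with the standard library's HTML parser: given page source and the host it came from, it lists external scripts, inline scripts, frames/objects, meta refreshes, inline event handlers and forms that post to another host. The sample HTML and every host in it are constructed; 'www.foo.bar' is Ian's placeholder reused as the page host.

```python
"""Triage page source for active content without rendering it (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; all hosts are .invalid placeholders.
SAMPLE_HTML = """\
<html><head>
<meta http-equiv="refresh" content="0;url=http://other.example.invalid/landing">
<script src="http://cdn.example.invalid/lib.js"></script>
<script>document.write('<img src="http://tracker.example.invalid/p.gif">')</script>
</head><body>
<iframe src="http://ads.example.invalid/frame.html" width="1" height="1"></iframe>
<form action="http://collector.example.invalid/login" method="post">
<input name="user"><input name="pass" type="password"></form>
<p onclick="doSomething()">text</p>
</body></html>
"""


class ActiveContentScanner(HTMLParser):
    """Collects (kind, value) findings for anything that runs, loads or redirects."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.findings.append(("external-script", a["src"]))
        elif tag in ("iframe", "frame", "object", "embed"):
            self.findings.append((tag, a.get("src") or a.get("data") or ""))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            idx = content.lower().find("url=")
            target = content[idx + 4:].strip() if idx >= 0 else content
            self.findings.append(("meta-refresh", target))
        elif tag == "form":
            action = a.get("action") or ""
            host = urlparse(action).hostname
            if host and host != self.page_host:  # relative or same-host actions are not flagged
                self.findings.append(("offsite-form", action))
        for name, _value in attrs:
            if name.startswith("on"):  # onclick, onload, onerror, ...
                self.findings.append(("inline-handler", f"{tag}@{name}"))

    def handle_data(self, data):
        # Script bodies arrive as raw data (HTMLParser treats <script> as CDATA),
        # so markup inside them is never mistaken for tags of the page.
        if self._in_script and data.strip():
            self.findings.append(("inline-script", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_source(html: str, page_host: str) -> list:
    scanner = ActiveContentScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def external_hosts(findings: list) -> set:
    """Hosts the page would contact, taken from the findings' URL values."""
    hosts = set()
    for _kind, value in findings:
        host = urlparse(value).hostname
        if host:
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    found = scan_source(SAMPLE_HTML, "www.foo.bar")
    for kind, value in found:
        print(f"{kind:16} {value}")
    print("hosts contacted:", sorted(external_hosts(found)))
```

Note the limits: this only sees what is in the HTML. Scripts loaded from the external hosts it lists can pull in anything else, and the request that fetched the source in the first place (view-source: or otherwise) already told the server who visited.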
 
Hi Ian,

Ian.H said:
What you can do in future (I don't personally know of anything that
exploits this.. although I am open to hedumacation =) ).. rather than
entering 'www.foo.bar' into your browser's addybar, you can use
'view-source:http://www.foo.bar'. This, rather than rendering the page in
the actual browser, will popup the normal 'view source' window where
you're able to view the code before you ever actually view the page. This
obviously relies on you having some knowledge of the likes of javascript /
vbscript etc in case you need to read any actual code. It's just one
method that can be used.. could use Telnet etc if you liked blah blah blah =)

Found it, Ian. I'll check out the Telnet too...just to keep an open mind.
;-)

Thank you for the additional information.

Cheers,
Jan :)
 