Mailing List Message #13256
From: Mark Hartman <>
Subject: Re: Is this a worm?
Date: Sun, 3 Aug 2003 14:15:33 -0700
To: SIMS Discussions <>

doesn't exist any more.  You're getting that error because it's
a bad e-mail address.

At 2:02 PM -0500 8/3/03, Joe Sporleder wrote:
>Ok, I upped my logging to level 4, and here is a snippet of what I got:
>13:57:45 4 SMTP(tcp) Connection request from [],seq=4074, 9/10
>13:57:45 4 SMTP Line 13430 created for answering
>13:57:45 4 SMTP-430() Got connection from []
>13:57:45 4 SMTP(tcp) Connection accepted from [], seq=4074, 9/10
>13:57:45 4 SMTP-430([]) Sending 220-Stalker Internet Mail Server V.1.8b7 is ready.\r\n220 ESMTP is spoken here. You are welcome\r\n
>13:57:45 4 SMTP-430([]) Looking for
>13:57:45 4 SMTP-430([]) Input Line: EHLO\r
>13:57:45 4 SMTP-430( Looking for
>13:57:45 4 SMTP-430( Sending is pleased to meet you\r\n250-HELP\r\n250-PIPELINING\r\n250-ETRN\r\n250 EHLO\r\n
>13:57:45 4 SMTP-430( Input Line: MAIL FROM:<>\r
>13:58:00 3 SMTP-429( Return-Path-A Search Error. Error Code=-3162
>13:58:00 4 SMTP-429( Sending 472 <> cannot be verified now\r\n
>13:58:00 4 SMTP-429( Input Line: RSET\r
>13:58:00 4 SMTP-429( Sending 250 SMTP state reset\r\n
>13:58:02 4 SMTP-429( Input Line: QUIT\r
>13:58:02 4 SMTP-429( Sending 221 closing connection\r\n
>13:58:02 4 SMTP-429( Closing
>13:58:02 4 SMTP-429( Nothing read - stream closed
>13:58:02 4 SMTP-429( Input Stream ended
>13:58:02 3 SMTP-429( Abort Received, reason=14961446
>13:58:02 4 SMTP disposing line 13429
>13:58:16 4 SMTP-430( No relay exists for ''
>13:58:16 4 SMTP-430( Looking for
>13:58:47 3 SMTP-430( Return-Path-A Search Error. Error Code=-3162
>13:58:47 4 SMTP-430( Sending 472 <> cannot be verified now\r\n
>13:58:47 4 SMTP-430( Input Line: RSET\r
>13:58:47 4 SMTP-430( Sending 250 SMTP state reset\r\n
>13:58:49 4 SMTP-430( Input Line: QUIT\r
>13:58:49 4 SMTP-430( Sending 221 closing connection\r\n
>13:58:49 4 SMTP-430( Closing
>13:58:49 4 SMTP-430( Nothing read - stream closed
>13:58:49 4 SMTP-430( Input Stream ended
>13:58:49 4 SMTP disposing line 13430
>On Sunday, August 3, 2003, at 01:13  PM, Global Homes Webmaster wrote:
>>>I've been getting the following in my logs since July 5. Could this be
>>>a worm that is going around? I have found out from other contacts, that
>>>a contact with my address in their address book and that has a
>>> address does have a virus/worm. Is that what this log
>>>indicates, or is this from something else? It is still going on as of now,
>>>and by looking at the size of my log files, is steadily getting worse.
>>The 'Return-Path-A Search Error' means that SIMS can't find an A record for
>>the domain of whatever Return Path was offered for the message that
>> is trying to send. You won't know what the return
>>path is unless you set your SMTP logging to something deeper than level 3.
>>The 'Abort Received' means that, for those connections, the connection was
>>dropped abnormally for some reason. Those two entries, in and of themselves
>>don't tell us much about the nature of the messages that
>> is trying to send. However, the frequency and
>>persistence of the attempts could well be consistent with an e-mail virus
>>attempting to propagate itself. Since you've got Return-Path checking
>>turned on, SIMS should be rejecting these messages because of the return
>>path domain failing to resolve. You might want to temporarily turn your
>>SMTP logging level up so that you can see the SMTP conversation and get
>>more information about the sender and the intended recipient.

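The thread's point that the frequency and persistence of "Return-Path-A Search Error" rejections matter more than any single entry can be checked by grouping a level-4 log by connection. This is an added example, not part of the original messages or of SIMS itself; the sample lines are constructed in the quoted log format with placeholder hosts and addresses, and the function names, the peer label switching from bracketed IP to host name after EHLO, and the `min_sessions` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the level-4 SIMS log quoted in the thread.
# Hosts and addresses are placeholders (RFC 5737 ranges, .example names).
SAMPLE_LOG = r"""
13:57:45 4 SMTP-430([192.0.2.10]) Input Line: EHLO pc1.dialup.example\r
13:57:45 4 SMTP-430(pc1.dialup.example) Input Line: MAIL FROM:<a@nodomain.example>\r
13:57:50 4 SMTP-431([198.51.100.7]) Input Line: EHLO mail.partner.example\r
13:57:50 4 SMTP-431(mail.partner.example) Input Line: MAIL FROM:<bob@partner.example>\r
13:58:47 3 SMTP-430(pc1.dialup.example) Return-Path-A Search Error. Error Code=-3162
13:58:47 4 SMTP-430(pc1.dialup.example) Sending 472 <a@nodomain.example> cannot be verified now\r\n
13:59:10 4 SMTP-432([192.0.2.10]) Input Line: EHLO pc1.dialup.example\r
13:59:10 4 SMTP-432(pc1.dialup.example) Input Line: MAIL FROM:<b@nodomain.example>\r
13:59:40 3 SMTP-432(pc1.dialup.example) Return-Path-A Search Error. Error Code=-3162
13:59:42 3 SMTP-432(pc1.dialup.example) Abort Received, reason=14961446
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\d) SMTP-(\d+)\((.*?)\) (.*)$")
MAIL_FROM = re.compile(r"Input Line: MAIL FROM:<([^>]*)>")

def summarize_sessions(log_text):
    """Group log lines by SMTP line number (one number per connection)."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # setup/disposal lines carry no "SMTP-<n>(peer)" prefix
        _ts, _level, sid, peer, msg = m.groups()
        # The first label seen for a session is kept as the peer (the bracketed IP).
        s = sessions.setdefault(
            sid, {"peer": peer, "mail_from": None, "rp_fail": False, "aborted": False})
        mf = MAIL_FROM.search(msg)
        if mf:
            s["mail_from"] = mf.group(1)
        s["rp_fail"] |= msg.startswith("Return-Path-A Search Error")
        s["aborted"] |= msg.startswith("Abort Received")
    return sessions

def repeat_offenders(sessions, min_sessions=2):
    """Peers with >= min_sessions connections rejected for an unresolvable return path."""
    hits = defaultdict(list)
    for sid, s in sessions.items():
        if s["rp_fail"]:
            hits[s["peer"]].append((sid, s["mail_from"]))
    return {peer: v for peer, v in hits.items() if len(v) >= min_sessions}

if __name__ == "__main__":
    for peer, v in repeat_offenders(summarize_sessions(SAMPLE_LOG)).items():
        print(peer, len(v), "rejected sessions:", v)
```

A peer that keeps reconnecting with a different unresolvable return path each time, as the constructed 192.0.2.10 does here, matches the propagation pattern described in the thread; a single rejected session does not.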