Mailing List SIMS@mail.stalker.com Message #13256
From: Mark Hartman <mh-list@harthaven.com>
Subject: Re: Is this a worm?
Date: Sun, 3 Aug 2003 14:15:33 -0700
To: SIMS Discussions <SIMS@mail.stalker.com>
home.com doesn't exist any more.  You're getting that error because it's
a bad e-mail address.

At 2:02 PM -0500 8/3/03, Joe Sporleder wrote:
>Ok, I upped my logging to level 4, and here is a snippet of what I got:
>
>
>13:57:45 4 SMTP(tcp) Connection request from [204.127.198.35:34977],seq=4074, 9/10
>13:57:45 4 SMTP Line 13430 created for answering
>13:57:45 4 SMTP-430() Got connection from [204.127.198.35:34977]
>13:57:45 4 SMTP(tcp) Connection accepted from [204.127.198.35:34977], seq=4074, 9/10
>13:57:45 4 SMTP-430([204.127.198.35]) Sending 220-Stalker Internet Mail Server V.1.8b7 is ready.\r\n220 ESMTP is spoken here. You are welcome\r\n
>13:57:45 4 SMTP-430([204.127.198.35]) Looking for 35.198.127.204.206.253.56.66
>13:57:45 4 SMTP-430([204.127.198.35]) Input Line: EHLO rwcrmhc11.comcast.net\r
>13:57:45 4 SMTP-430(rwcrmhc11.comcast.net) Looking for rwcrmhc11.comcast.net
>13:57:45 4 SMTP-430(rwcrmhc11.comcast.net) Sending 250-beloit-kansas.com is pleased to meet you\r\n250-HELP\r\n250-PIPELINING\r\n250-ETRN\r\n250 EHLO\r\n
>13:57:45 4 SMTP-430(rwcrmhc11.comcast.net) Input Line: MAIL FROM:<hellozabine@home.com>\r
>13:58:00 3 SMTP-429(rwcrmhc12.comcast.net) Return-Path-A Search Error. Error Code=-3162
>13:58:00 4 SMTP-429(rwcrmhc12.comcast.net) Sending 472 <hellozabine@home.com> cannot be verified now\r\n
>13:58:00 4 SMTP-429(rwcrmhc12.comcast.net) Input Line: RSET\r
>13:58:00 4 SMTP-429(rwcrmhc12.comcast.net) Sending 250 SMTP state reset\r\n
>13:58:02 4 SMTP-429(rwcrmhc12.comcast.net) Input Line: QUIT\r
>13:58:02 4 SMTP-429(rwcrmhc12.comcast.net) Sending 221 beloit-kansas.com closing connection\r\n
>13:58:02 4 SMTP-429(rwcrmhc12.comcast.net) Closing
>13:58:02 4 SMTP-429(rwcrmhc12.comcast.net) Nothing read - stream closed
>13:58:02 4 SMTP-429(rwcrmhc12.comcast.net) Input Stream ended
>13:58:02 3 SMTP-429(rwcrmhc12.comcast.net) Abort Received, reason=14961446
>13:58:02 4 SMTP disposing line 13429
>13:58:16 4 SMTP-430(rwcrmhc11.comcast.net) No relay exists for 'home.com'
>13:58:16 4 SMTP-430(rwcrmhc11.comcast.net) Looking for home.com
>13:58:47 3 SMTP-430(rwcrmhc11.comcast.net) Return-Path-A Search Error. Error Code=-3162
>13:58:47 4 SMTP-430(rwcrmhc11.comcast.net) Sending 472 <hellozabine@home.com> cannot be verified now\r\n
>13:58:47 4 SMTP-430(rwcrmhc11.comcast.net) Input Line: RSET\r
>13:58:47 4 SMTP-430(rwcrmhc11.comcast.net) Sending 250 SMTP state reset\r\n
>13:58:49 4 SMTP-430(rwcrmhc11.comcast.net) Input Line: QUIT\r
>13:58:49 4 SMTP-430(rwcrmhc11.comcast.net) Sending 221 beloit-kansas.com closing connection\r\n
>13:58:49 4 SMTP-430(rwcrmhc11.comcast.net) Closing
>13:58:49 4 SMTP-430(rwcrmhc11.comcast.net) Nothing read - stream closed
>13:58:49 4 SMTP-430(rwcrmhc11.comcast.net) Input Stream ended
>13:58:49 4 SMTP disposing line 13430
>
>
>On Sunday, August 3, 2003, at 01:13  PM, Global Homes Webmaster wrote:
>
>>>I've been getting the following in my logs since July 5. Could this be
>>>a worm that is going around? I have found out from other contacts, that
>>>a contact with my address in their address book and that has a
>>>comcast.net address does have a virus/worm. Is that what this log
>>>indicates, or is this from something else? It is still going on as now,
>>>and by looking at the size of my log files, is steadily getting worse.
>>
>>The 'Return-Path-A Search Error' means that SIMS can't find an A record for
>>the domain of whatever Return Path was offered for the message that
>>rwcrmhc12.comcast.net is trying to send. You won't know what the return
>>path is unless you set your SMTP logging to something deeper than level 3.
>>The 'Abort Received' means that, for those connections, the connection was
>>dropped abnormally for some reason. Those two entries, in and of themselves
>>don't tell us much about the nature of the messages that
>>rwcrmhc12.comcast.net is trying to send. However, the frequency and
>>persistence of the attempts could well be consistent with an e-mail virus
>>attempting to propagate itself. Since you've got Return-Path checking
>>turned on, SIMS should be rejecting these messages because of the return
>>path domain failing to resolve. You might want to temporarily turn your
>>SMTP logging level up so that you can see the SMTP conversation and get
>>more information about the sender and the intended recipient.
>
>

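Added example, not part of the original thread: a small Python triage script for a log in the format quoted above. It counts 'Return-Path-A Search Error' entries per sending host (visible at level 3) and, where level-4 lines are present, groups the 472 rejections by return-path domain and the hosts that offered it. The function name and output layout are assumptions made for this illustration; the sample is an excerpt of the lines quoted in the message.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the level-4 log lines quoted in the message above.
SAMPLE_LOG = r"""
13:57:45 4 SMTP-430([204.127.198.35]) Input Line: EHLO rwcrmhc11.comcast.net\r
13:57:45 4 SMTP-430(rwcrmhc11.comcast.net) Input Line: MAIL FROM:<hellozabine@home.com>\r
13:58:00 3 SMTP-429(rwcrmhc12.comcast.net) Return-Path-A Search Error. Error Code=-3162
13:58:00 4 SMTP-429(rwcrmhc12.comcast.net) Sending 472 <hellozabine@home.com> cannot be verified now\r\n
13:58:02 3 SMTP-429(rwcrmhc12.comcast.net) Abort Received, reason=14961446
13:58:47 3 SMTP-430(rwcrmhc11.comcast.net) Return-Path-A Search Error. Error Code=-3162
13:58:47 4 SMTP-430(rwcrmhc11.comcast.net) Sending 472 <hellozabine@home.com> cannot be verified now\r\n
"""

# time, level, session number, peer as SIMS labels it, rest of the entry.
# Leading '>' quote marks are tolerated so pasted e-mail excerpts also parse.
LINE = re.compile(r"^>*\s*(\d\d:\d\d:\d\d) (\d) SMTP-(\d+)\(([^)]*)\) (.*)$")
REJECT = re.compile(r"Sending 472 <([^>]*)> cannot be verified now")

def summarize(log_text):
    """Return (errors, domains).

    errors:  peer -> number of Return-Path-A Search Error entries
    domains: return-path domain -> {"rejects": count, "peers": set of peers}
    """
    errors = Counter()
    domains = defaultdict(lambda: {"rejects": 0, "peers": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # entries without a session label, blank lines
        peer, text = m.group(4), m.group(5)
        if text.startswith("Return-Path-A Search Error"):
            errors[peer] += 1
        r = REJECT.match(text)
        if r:  # the 472 reply is only logged at level 4
            domain = r.group(1).rpartition("@")[2].lower()
            domains[domain]["rejects"] += 1
            domains[domain]["peers"].add(peer)
    return errors, dict(domains)

if __name__ == "__main__":
    errors, domains = summarize(SAMPLE_LOG)
    for peer, n in errors.most_common():
        print(f"{n:3d} return-path lookup failures from {peer}")
    for domain, info in domains.items():
        print(f"{domain}: {info['rejects']} x 472 via {sorted(info['peers'])}")
```
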