On 25 Jul, Peter Krawczyk wrote: | Trying to track the SirCam virus without looking at the body of the | message, we've found a way to track it via headers. | | In the header of the message, everything looks dynamic, and so tracking it | seems to be hard. However, there is a slip -- the Date: header actaully | appears as 'date:'. | | A cursory examination of thousands of emails from mailing lists, private | sources, and other sources shows that the only messages using the lower | case 'date:' for the header are sent by the SirCam virus. | | This may help those of you who want to filter on headers and not on | message body. That may guarantee no false positives, but I don't think it guarantees no false negatives (i.e. don't rely on it to catch all of them). All but one of these I've seen came through mail lists (sans payload), so the Date: header wouldn't be as originally sent. But I have one that came direct and has a "normal" Date: header that is not lower case. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 13:34:13 PDT