Welcome to the Virus.Org Mailing List Archive

Re: properties in e-mail from sexyfun

  • To: [EMAIL PROTECTED]
  • Subject: Re: properties in e-mail from sexyfun
  • From: Kee Hinckley <[EMAIL PROTECTED]>
  • Date: Sun, 14 Jan 2001 06:27:18 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 10:16 AM +0000 1/12/01, Kelly Reid wrote:
>Following is the properties from the email from sexyfun.  I'm
>interested in knowing who this came from so that they can get their
>machine scanned.
>
>Any help would be appreciated

http://www.spamwatcher.com/ (which I run) says the following.  (I
should probably special case the IANA special numbers, since they are
clearly not relevant).

These headers are nearly always forged:
   To:
   From: Hahaha
   Message-ID: <[EMAIL PROTECTED]>

The key is to look at the received headers.  They track the
message as it goes from one machine to the next.  Most, but not
all, mail servers record the IP address of the sending machine,
and there is no way to forge that.  So the goal is to find the
first real machine to receive the email, and see where it got the
mail from.  That machine will typically either be one of yours,
or it will be some (idiot) machine which left its mail software
open for others to use as a relay.  In the latter case, it's worth
notifying that company, as well as the originating ISP.

Here are the Received headers in order:
  Received: from mx8-w.mail.home.com (mx8-w.mail.home.com
[24.0.95.73]) by h14.mail.home.com (8.9.3/8.9.0) with ESMTP id
VAA09676 for ; Thu, 11 Jan 2001 21:43:57 -0800 (PST)
  Received: from smtp02.mail.onemain.com (SMTP-OUT003.ONEMAIN.COM
[63.208.208.73]) by mx8-w.mail.home.com (8.11.1/8.11.1) with SMTP id
f0C5huk01495 for ; Thu, 11 Jan 2001 21:43:56 -0800 (PST)
  Received: (qmail 4354 invoked from network); 12 Jan 2001 04:25:11 -0000
  Received: from moperr01-98.midwest.net (HELO computer)
([208.235.39.108]) (envelope-sender <>) by 10.209.20.32
(qmail-ldap-1.03) with SMTP for ; 12 Jan 2001 04:25:11 -0000

If we ignore the forgeable names, that makes a chain, and for each
element in the chain we can look it up and make sure that the
chain makes sense.

From: 208.235.39.108 (moperr01-98.midwest.net)
To:   10.209.20.32 (Unknown)
From: 63.208.208.73 (SMTP-OUT003.ONEMAIN.COM)
To:   mx8-w.mail.home.com (24.0.95.73)
From: 24.0.95.73 (mx8-w.mail.home.com)
To:   h14.mail.home.com (24.0.95.48)


So the spammer probably sent from 208.235.39.108 (moperr01-98.midwest.net).
And 10.209.20.32 (Unknown) is probably a system with an open relay.

Here is information on the ISP that owns the domains in question.

Spammer: 208.235.39.108 (moperr01-98.midwest.net)
Midwest Internet (NETBLK-UU-208-235)
    300 E. Main St.
    Carbondale, IL 62901
    US

    Netname: UU-208-235
    Netblock: 208.235.0.0 - 208.235.63.255
    Maintainer: MIDI

    Coordinator:
       Baird, Curtis  (BC247-ARIN)  [EMAIL PROTECTED]
       (618) 529-7271

    Record last updated on 08-Jan-1998.
    Database last updated on 13-Jan-2001 18:21:34 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.


Relay: 10.209.20.32 (Unknown)
IANA (RESERVED-6)
    Internet Assigned Numbers Authority
    Information Sciences Institute
    University of Southern California
    4676 Admiralty Way, Suite 330
    Marina del Rey, CA 90292-6695

    Netname: RESERVED-10
    Netblock: 10.0.0.0 - 10.255.255.255

    Coordinator:
       Internet Corporation for Assigned Names and Numbers
(IANA-ARIN)  [EMAIL PROTECTED]
       (310) 823-9358

    Domain System inverse mapping provided by:

    BLACKHOLE.ISI.EDU		128.9.64.26
    BLACKHOLE.EP.NET		198.32.1.116

    Record last updated on 30-Aug-2000.
    Database last updated on 13-Jan-2001 18:21:34 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
- --

Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
Now Playing - Folk, Rock, odd stuff - http://www.somewhere.com/playlist.cgi

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOmExaCZsPfdw+r2CEQK01wCbBGnRoCLh67Bb7n5SO51wQ2cl7AwAoMd0
ZXs5PInqL9x9/EKVscqwA7HW
=PHm+
-----END PGP SIGNATURE-----
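The procedure Kee describes above (walk the Received: headers from the recipient's end back toward the origin, trust only the bracketed IP each relay recorded for its peer, and special-case IANA reserved space so that a 10.x.x.x "relay" is not reported as a public open relay) can be automated. The script below is an added example, not code from the original post or from spamwatcher.com; the sample headers are the four Received: lines from the message above, unfolded onto one line each. The hop-consistency check (does each relay's "by" host match the next hop's "from" host?) is an assumption about how such a chain check would be written; Kee's output only shows the chain itself.

```python
"""Trace a Received: chain to find the earliest hop with a public sender IP.

Added example (not from the original post or spamwatcher.com).  Walks the
Received: headers top-down, extracts the literal IP each receiving MTA
recorded for its peer, flags IANA special-use addresses, and reports where
the chain does not line up.
"""
import ipaddress
import re

# Constructed sample input: the Received: headers quoted in the message
# above, unfolded onto one line each, nearest-the-recipient first.
RECEIVED_HEADERS = [
    "from mx8-w.mail.home.com (mx8-w.mail.home.com [24.0.95.73]) by "
    "h14.mail.home.com (8.9.3/8.9.0) with ESMTP id VAA09676 for ; "
    "Thu, 11 Jan 2001 21:43:57 -0800 (PST)",
    "from smtp02.mail.onemain.com (SMTP-OUT003.ONEMAIN.COM [63.208.208.73]) "
    "by mx8-w.mail.home.com (8.11.1/8.11.1) with SMTP id f0C5huk01495 for ; "
    "Thu, 11 Jan 2001 21:43:56 -0800 (PST)",
    "(qmail 4354 invoked from network); 12 Jan 2001 04:25:11 -0000",
    "from moperr01-98.midwest.net (HELO computer) ([208.235.39.108]) "
    "(envelope-sender <>) by 10.209.20.32 (qmail-ldap-1.03) with SMTP for ; "
    "12 Jan 2001 04:25:11 -0000",
]

# The bracketed IPv4 literal is what the receiving MTA saw on the TCP
# connection; the names before it are the sender's HELO claim and are forgeable.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_hop(header):
    """Return (claimed_name, observed_ip, by_host), or None for a hop that
    recorded no peer (e.g. qmail's "invoked from network" line)."""
    m_from = _FROM_RE.match(header)
    if not m_from:
        return None
    m_ip = _IP_RE.search(header)
    m_by = _BY_RE.search(header)
    return (m_from.group(1),
            m_ip.group(1) if m_ip else None,
            m_by.group(1) if m_by else None)


def is_special_use(ip):
    """True for IANA special-use space (RFC 1918 private, loopback, link-local, ...)."""
    return not ipaddress.ip_address(ip).is_global


def classify_host(host):
    """Classify a 'by' host: literal special-use IP, literal public IP, or a name."""
    try:
        return "special-use address" if is_special_use(host) else "public address"
    except ValueError:
        return "hostname"


def trace(headers):
    """Top-down list of hops, each with a verdict on the recorded sender IP."""
    hops = []
    for h in headers:
        parsed = parse_hop(h)
        if parsed is None:
            continue
        name, ip, by = parsed
        if ip is None:
            verdict = "no IP recorded"
        elif is_special_use(ip):
            verdict = "special-use address"
        else:
            verdict = "public address"
        hops.append({"claimed": name, "ip": ip, "verdict": verdict,
                     "by": by, "by_verdict": classify_host(by) if by else None})
    return hops


def origin(headers):
    """Earliest hop whose recorded sender IP is public: the probable origin."""
    public = [h for h in trace(headers) if h["verdict"] == "public address"]
    return public[-1]["ip"] if public else None


def chain_breaks(hops):
    """Indices i where hops[i]['by'] matches neither the name nor the IP that
    hops[i-1] recorded as its sender.  A private 'by' address behind NAT is a
    common benign cause; an unexplained break can mean an inserted forged header."""
    breaks = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        expected = {str(prev["claimed"]).lower(), str(prev["ip"]).lower()}
        if cur["by"] is None or cur["by"].lower() not in expected:
            breaks.append(i)
    return breaks


if __name__ == "__main__":
    hops = trace(RECEIVED_HEADERS)
    for h in hops:
        print(f"From: {h['ip']} ({h['claimed']}) [{h['verdict']}]  "
              f"To: {h['by']} [{h['by_verdict']}]")
    print("Probable origin:", origin(RECEIVED_HEADERS))
    print("Chain breaks at hops:", chain_breaks(hops))
```

On the headers from this message the script reports 208.235.39.108 as the probable origin, classifies the 10.209.20.32 "by" host as special-use (so it is an internal machine at the relay's site, not a lookup target), and flags one break in the chain between the onemain.com hop and that internal hop, which is exactly where the qmail line sits.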