[Dshield] Delivery reports about your e-mail

Tom dshield at oitc.com
Wed Feb 11 19:39:24 GMT 2009


Marc,

Doesn't look spoofed to me:

$ host 65.173.218.97
97.218.173.65.in-addr.arpa domain name pointer www.dshield.org.

Looks to me that either 1) some valid person of 
the list is infected or 2) there is a breach 
somewhere.

Tom

At 6:56 PM +0000 2/11/09, M Quibell wrote:
>Hi Mr. Tom - I am sorry to have not checked 
>further into this before I posted. In your case 
>the IP address does not match the domain name: 
>(dshield.org) (65.173.218.97). Looks spoofed to 
>me. Thanks!
>
>Marc
>
>
>Date: Wed, 11 Feb 2009 13:49:12 -0500
>To: list at lists.sans.org
>From: dshield at oitc.com
>Subject: Re: [Dshield] Delivery reports about your e-mail
>
>Well, Jim, the copy of Mydoom I got from this list came from:
>
>Return-Path: <list-bounces at lists.sans.org>
>Received: from iceman12-ext.giac.net (65.173.218.113) by oitc.com with
>  ESMTP (EIMS X 3.3.7) for <dshield at oitc.com>;
>  Wed, 11 Feb 2009 10:06:57 -0500
>Received: (qmail 14703 invoked from network); 11 Feb 2009 15:06:55 -0000
>Received: from unknown (HELO dshield.org) (65.173.218.97)
>   by iceman12-ext.giac.net with AES256-SHA 
>encrypted SMTP; 11 Feb 2009 15:06:55 -0000
>
>etc etc etc
>
>Looks like DShield/SANS to me also..........
>
>Tom
>
>
>At 1:37 PM -0500 2/11/09, Jim McCullough wrote:
>
>Ok, back to the basics on part of this.  Rule 1, 
>always check the headers.  99.99% of the time 
>there is a spoofed address.   Being in the world 
>of trying to keep the bad guys out, we get 
>targeted for having the address used for spam, 
>and sending viri.  However, if you check the 
>originating and relay addresses, then I doubt you 
>will find the emails coming through the dshield 
>servers.   Without the header information, 
>tracking and finding the problem is basically 
>like finding a gold needle in a haystack the 
>size of Canada.
>
>On Wed, Feb 11, 2009 at 1:12 PM, M Quibell 
><mquibell at hotmail.com> wrote:
>
>You guys are sending me a virus/worm in a zip file.. 
>There was an infected .zip file attached to this 
>message.
>
>>  From: MAILER-DAEMON at dshield.org
>>  To: list at dshield.org
>>  Date: Wed, 11 Feb 2009 09:55:33 -0500
>>  Subject: [Dshield] Delivery reports about your e-mail
>>
>>  Dear user list at dshield.org,
>>
>>  We have received reports that your e-mail 
>>account was used to send a huge amount of spam 
>>messages during this week.
>>  We suspect that your computer was compromised 
>>and now runs a trojaned proxy server.
>>
>>  We recommend you to follow instruction in order to keep your computer safe.
>>
>>  Best regards,
>>  dshield.org support team.
>>
>
>
>
>
>_______________________________________________
>Dshield mailing list
>Dshield at lists.sans.org
>To change your subscription options (or 
>unsubscribe), see: 
>https://lists.sans.org/mailman/listinfo/list
>
>
>
>
>
>
>
>
>
>Windows Live: Keep your life in sync. 
><http://windowslive.com/howitworks?ocid=TXT_TAGLM_WL_t1_allup_howitworks_022009>See 
>how it works.
>
>_______________________________________________
>Dshield mailing list
>Dshield at lists.sans.org
>To change your subscription options (or 
>unsubscribe), see: 
>https://lists.sans.org/mailman/listinfo/list


-- 
Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/ local wx: http://www.oitc.com/weather
US Phone Numbers: 321-984-3714, 
321-729-6258(fax), 321-258-2475(cell/voice 
mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com

Never argue with an idiot: a bystander can't tell the difference. - Mark Twain
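As an added example (not part of any message in this thread), a short Python script that does the header walk Jim and Tom describe: it parses the Received chain quoted above oldest-first, finds the hop at which the message entered the relay chain, and compares that hop's HELO claim with a constructed PTR table standing in for the `host` lookup. The header sample and the PTR entry are constructed from the values quoted in the thread; nothing is resolved over the network.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain quoted in the thread, with the list
# archive's "at" obfuscation restored to "@" so the parser sees real headers.
RAW = """Return-Path: <list-bounces@lists.sans.org>
Received: from iceman12-ext.giac.net (65.173.218.113) by oitc.com with
  ESMTP (EIMS X 3.3.7) for <dshield@oitc.com>;
  Wed, 11 Feb 2009 10:06:57 -0500
Received: (qmail 14703 invoked from network); 11 Feb 2009 15:06:55 -0000
Received: from unknown (HELO dshield.org) (65.173.218.97)
  by iceman12-ext.giac.net with AES256-SHA encrypted SMTP; 11 Feb 2009 15:06:55 -0000
Subject: [Dshield] Delivery reports about your e-mail
"""

# Constructed PTR table standing in for the `host 65.173.218.97` lookup above.
PTR = {"65.173.218.97": "www.dshield.org"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_hops(raw):
    """Return the Received hops oldest-first (bottom header = first relay)."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):
        text = " ".join(rcvd.split())  # unfold continuation lines
        frm = re.search(r"\bfrom (\S+)", text)
        helo = re.search(r"\(HELO (\S+)\)", text)
        ip = IPV4.search(text)
        by = re.search(r"\bby (\S+)", text)
        hops.append({"from": frm.group(1) if frm else None,
                     "helo": helo.group(1) if helo else None,
                     "ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops

def originating_ip(hops):
    """Earliest hop carrying an address: where the message entered the chain."""
    return next((h["ip"] for h in hops if h["ip"]), None)

def check_origin(hops, ptr):
    """Compare the origin's HELO claim with its reverse DNS, as Tom did by hand."""
    ip = originating_ip(hops)
    if ip is None:
        return {"ip": None, "helo": None, "rdns": None, "consistent": False}
    hop = next(h for h in hops if h["ip"] == ip)
    helo = hop["helo"] or hop["from"]   # HELO name, else the relay's own name
    rdns = ptr.get(ip)
    consistent = rdns is not None and rdns.endswith(helo)
    return {"ip": ip, "helo": helo, "rdns": rdns, "consistent": consistent}
```

For the quoted headers this reports 65.173.218.97 announcing itself as dshield.org with a matching PTR, which is the "not spoofed" result Tom reached; a mismatch there is the signal Jim says to look for.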