[Dshield] Klez header question

Micheal Patterson micheal at cancercare.net
Thu Aug 29 17:52:42 GMT 2002


I'm not sure if Klez forges headers and such or if you're not familiar with
reading SMTP headers. If it's the later, they always read from the bottom to
top.

A breakdown:

Received: from rly-ip04.mx.aol.com ([64.12.138.8]) by XXX.XXX.XXX with SMTP
(Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id R52JKNN6;
Thu, 29 Aug 2002 08:46:58 -0400

Your mail server recieved it from 64.12.138.8 here. The top two lines of the
header appear to be garbled to me, but that would be your domains SMTP
system header.

Received: from  logs-wb.proxy.aol.com (logs-wb.proxy.aol.com
[205.188.192.135]) by rly-ip04.mx.aol.com (v87.21) with ESMTP id
RELAYIN7-0829084642; Thu, 29 Aug 2002 08:46:42 -0400

 rly-ip04.mx.aol.com recieved the message from logs-wb.proxy.aol.com  here.

Received: from Molh (AC8DA130.ipt.aol.com [172.141.161.48])
 by logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
 for <XXX at XXX.XXX>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)

logs-wb.proxy.aol.com recieved the message from computer named Molh
connected on AC8DA130.ipt.aol.com [172.141.161.48] with a destination
address of XXX at XXX.XXX

Date: Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
Message-Id: <200208291244.g7TCi77201651 at logs-wb.proxy.aol.com>

The actual ID of the message as logged at logs-wb.proxy.aol.com

As far as the X-Header field, that may have been injected by the aol proxy
server.

If you already know this, then please accept my apologies..

--

Micheal Patterson
Network Administration
Cancer Care Network
405-733-2230

----- Original Message -----
From: "Paul Marsh" <pmarsh at nmefdn.org>
To: "'Dshield (E-mail)" <list at dshield.org>
Sent: Thursday, August 29, 2002 12:02 PM
Subject: [Dshield] Klez header question


>
> Attached is a header from klez.  I know it's hard to impossible to really
> know what system is infected and sending these but this is the third time
in
> so many weeks that I've received these.  I get about 15-20 of them in a 5
> minute time frame and then I'll get nothing for a week.  Scanmail is doing
a
> very nice job on my perimeter so we're staying clean but I'd like to track
> down the human/box that's infected.  Please note the "X-Apparently-From:
> Brianfitzgerald at aol.com" in the header, is it possible that this is the
> human?  AOL seams to be the only headers that have this line.
>
> Thanx, Paul
>
>





More information about the list mailing list