[Dshield] Re: Klez header question

Ellen Clary ellen at dgi.com
Thu Aug 29 22:30:26 GMT 2002


One thing to add to Micheal's excellent Klez header analysis:

> Received: from Molh (AC8DA130.ipt.aol.com [172.141.161.48])
>  by logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
>  for <XXX at XXX.XXX>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
>
> logs-wb.proxy.aol.com received the message from computer named Molh
> connected on AC8DA130.ipt.aol.com [172.141.161.48] with a destination
> address of XXX at XXX.XXX

The "Molh" name is likely a forgery.  The name of the machine as far as reverse
DNS is concerned is AC8DA130.ipt.aol.com.  The name *inside* the parens beside
the [IP address] is what you want to look at (if it's present at all).  Things
outside the parens can be forged.  The main thing to look at though is the IP
address that's inside the brackets [], and then use something like samspade.org
to confirm the host's owner.

In any case, send this to abuse at aol.com.

AOL is the only ISP I've seen with the X-Apparently-From header on a Klez
virus.  Anyone know if it's a reasonable guess?  I've contacted one person
using that header information saying that they might be infected, but I didn't
get a confirmation that they actually had the virus (though they said they'd
check.)

Ellen Clary
Senior System Administrator
Dynamic Graphics


> Message: 9
> From: "Micheal Patterson" <micheal at cancercare.net>
> To: "dshield" <list at dshield.org>
> Subject: Re: [Dshield] Klez header question
> Date: Thu, 29 Aug 2002 12:52:42 -0500
> Reply-To: list at dshield.org
>
> I'm not sure if Klez forges headers and such or if you're not familiar with
> reading SMTP headers. If it's the latter, they always read from the bottom to
> top.
>
> A breakdown:
>
> Received: from rly-ip04.mx.aol.com ([64.12.138.8]) by XXX.XXX.XXX with SMTP
> (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id R52JKNN6;
> Thu, 29 Aug 2002 08:46:58 -0400
>
> Your mail server received it from 64.12.138.8 here. The top two lines of the
> header appear to be garbled to me, but that would be your domain's SMTP
> system header.
>
> Received: from  logs-wb.proxy.aol.com (logs-wb.proxy.aol.com
> [205.188.192.135]) by rly-ip04.mx.aol.com (v87.21) with ESMTP id
> RELAYIN7-0829084642; Thu, 29 Aug 2002 08:46:42 -0400
>
> rly-ip04.mx.aol.com received the message from logs-wb.proxy.aol.com here.
>
> Received: from Molh (AC8DA130.ipt.aol.com [172.141.161.48])
>  by logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
>  for <XXX at XXX.XXX>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
>
> logs-wb.proxy.aol.com received the message from computer named Molh
> connected on AC8DA130.ipt.aol.com [172.141.161.48] with a destination
> address of XXX at XXX.XXX
>
> Date: Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
> Message-Id: <200208291244.g7TCi77201651 at logs-wb.proxy.aol.com>
>
> The actual ID of the message as logged at logs-wb.proxy.aol.com
>
> As far as the X-Header field, that may have been injected by the aol proxy
> server.
>
> If you already know this, then please accept my apologies..
>
> --
>
> Micheal Patterson
> Network Administration
> Cancer Care Network
> 405-733-2230
>
> ----- Original Message -----
> From: "Paul Marsh" <pmarsh at nmefdn.org>
> To: "'Dshield (E-mail)" <list at dshield.org>
> Sent: Thursday, August 29, 2002 12:02 PM
> Subject: [Dshield] Klez header question
>
>
> >
> > Attached is a header from klez.  I know it's hard to impossible to really
> > know what system is infected and sending these but this is the third time
> > in so many weeks that I've received these.  I get about 15-20 of them in a
> > 5 minute time frame and then I'll get nothing for a week.  Scanmail is
> > doing a very nice job on my perimeter so we're staying clean but I'd like
> > to track down the human/box that's infected.  Please note the
> > "X-Apparently-From: Brianfitzgerald at aol.com" in the header, is it
> > possible that this is the human?  AOL seems to be the only headers that
> > have this line.
> >
> > Thanx, Paul
