[Dshield] Re: Klez header question

Ed Truitt ed.truitt at etee2k.net
Thu Aug 29 23:18:23 GMT 2002

> One thing to add to Micheal's excellent Klez header analysis:
> > Received: from Molh (AC8DA130.ipt.aol.com [])
> >  by logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
> >  for <XXX at XXX.XXX>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
> >
> > logs-wb.proxy.aol.com received the message from computer named Molh
> > connected on AC8DA130.ipt.aol.com [] with a destination
> > address of XXX at XXX.XXX
> The "Molh" name is likely a forgery.  The name of the machine as far as
> DNS is concerned is AC8DA130.ipt.aol.com.  The name *inside* the parens
> the [IP address] is what you want to look at (if it's present at all).
> outside the parens can be forged.  The main thing to look at though is the
> address that's inside the brackets [], and then use something like
> to confirm the host's owner.

Actually, the name "Molh" is more than likely what the originating system
identified itself to the SMTP server as.  For many of the PCs using
dial-up, this is what the user chooses to name the machine.  The name in the
parentheses (if it exists) is the name as returned by DNS (it may be from a
CNAME - canonical name - entry, or it may be the "official" name as it
exists in the A record.)  It is not unusual for this name to be different
from the preceding name, as again you can name your host anything you want,
and unless your ISP is using Dynamic DNS, or you have a static IP with your
host name entered into DNS, there is really no way to keep the two in sync.

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
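As an added illustration of the point made in this thread (this is example code written for this page, not something posted by Ed or by the earlier poster), the script below pulls the three pieces of a Received: line apart: the HELO name the sending machine chose for itself ("Molh"), the reverse-DNS name the receiving server looked up, and the bracketed address the receiving server actually saw on the wire. It also walks the chain of Received: lines from the top and stops at the first line that was not written by a server you control, since everything below that point is only what the client claimed. The header block, host names and addresses are constructed (RFC 5737 documentation ranges); the original message's address field is blank on this page and is not reconstructed here.

```python
"""Separate the self-reported HELO name in a Received: line from the fields the
receiving MTA recorded (reverse-DNS name and bracketed IP), and find the last
peer address that one of our own servers actually observed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, newest hop first as in a real message. The bottom hop is
# written "by Molh", i.e. it is a line the dial-up client supplied itself.
SAMPLE_MESSAGE_HEADERS = """\
Received: from relay.example.com (relay.example.com [203.0.113.5])
 by mx.example.com (8.12.0/8.12.0) with ESMTP id abc123
 for <user@example.com>; Thu, 29 Aug 2002 08:45:00 -0400 (EDT)
Received: from Molh (dialup-48.example.net [192.0.2.48])
 by relay.example.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
 for <user@example.com>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
Received: from mail.forged.invalid (mail.forged.invalid [198.51.100.9])
 by Molh with SMTP; Thu, 29 Aug 2002 08:40:00 -0400 (EDT)
Subject: test
"""


@dataclass
class ReceivedHop:
    helo: str            # name the sender announced in HELO/EHLO (user-chosen)
    rdns: Optional[str]  # name the receiving MTA got from reverse DNS, if any
    ip: Optional[str]    # address the receiving MTA saw inside [brackets]
    by: Optional[str]    # the MTA that wrote this line


# Handles "from helo (rdns [ip])", "from helo ([ip])" and "from helo [ip]".
_HOP_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip1>[^\]]+)\]\))?"
    r"(?:\s+\[(?P<ip2>[^\]]+)\])?"
    r"(?:.*?\bby\s+(?P<by>\S+))?",
    re.IGNORECASE,
)


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()


def parse_received_hops(raw_headers: str) -> List[ReceivedHop]:
    hops = []
    for line in unfold_headers(raw_headers):
        m = _HOP_RE.match(line)
        if m:
            hops.append(ReceivedHop(m["helo"], m["rdns"], m["ip1"] or m["ip2"], m["by"]))
    return hops


def describe_hop(hop: ReceivedHop) -> List[str]:
    """Notes on what in this hop is verifiable and what is merely claimed."""
    notes = []
    if hop.rdns is None:
        notes.append("no reverse-DNS name recorded; the HELO name alone proves nothing")
    elif hop.helo.lower() != hop.rdns.lower():
        notes.append("HELO name differs from reverse DNS (expected for dial-up hosts; not by itself forgery)")
    if hop.ip is None:
        notes.append("no bracketed address: nothing in this hop can be checked")
    return notes


def origin_ip(hops: List[ReceivedHop], own_servers: List[str]) -> Optional[str]:
    """Walk hops from the top while each was written by one of our own servers,
    skipping internal relays, and return the first outside peer's address.
    Lines below the first hop we did not write are hearsay and are ignored."""
    own = {s.lower() for s in own_servers}
    for hop in hops:
        if (hop.by or "").lower() not in own:
            break
        if (hop.rdns or "").lower() in own:
            continue
        return hop.ip
    return None


if __name__ == "__main__":
    hops = parse_received_hops(SAMPLE_MESSAGE_HEADERS)
    for h in hops:
        print(h, describe_hop(h))
    print("address to look up:", origin_ip(hops, ["mx.example.com", "relay.example.com"]))
```

The address returned by origin_ip is the one worth running an ownership lookup on; the HELO name and any hop "written" by the client's own machine are not evidence of anything.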
