[Dshield] Klez header question

John Sage jsage at finchhaven.com
Fri Aug 30 03:31:39 GMT 2002


On Thu, Aug 29, 2002 at 01:02:34PM -0400, Paul Marsh wrote:
> Attached is a header from klez.  I know it's hard to impossible to really
> know what system is infected and sending these but this is the third time in
> so many weeks that I've received these.  I get about 15-20 of them in a 5
> minute time frame and then I'll get nothing for a week.  Scanmail is doing a
> very nice job on my perimeter so we're staying clean but I'd like to track
> down the human/box that's infected.  Please note the "X-Apparently-From:
> Brianfitzgerald at aol.com" in the header, is it possible that this is the
> human?  AOL seems to be the only headers that have this line.  
> Thanx, Paul

Hard to know what to make of everything, immediately below:

> â ImCr µ¢8O rly-ip04.mx.aol.com rly-ip04.mx.aol.com
 <youme at hongkong.com>
  c=us;a= ;p=XXXXXXXXXX;l=EXCHANGE0208291246R52JKNN6 
   B  d file b
  EwLsReceived: from rly-ip04.mx.aol.com ([])
  by XXX.XXX.XXX with SMTP
 (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)

But the above host name (rly-ip04.mx.aol.com ([])) checks

[toot at sparky /]# host domain name pointer rly-ip04.mx.aol.com.

Note: I'm guessing "mx" is Mail eXchange, not the country code for

> id R52JKNN6; Thu, 29 Aug 2002 08:46:58 -0400

> Received: from  logs-wb.proxy.aol.com (logs-wb.proxy.aol.com
 []) by rly-ip04.mx.aol.com (v87.21)
 with ESMTP id RELAYIN7-0829084642; Thu, 29 Aug 2002 08:46:42 -0400

The above host name checks out:

[toot at sparky /]# host domain name pointer logs-wb.proxy.aol.com.

> Received: from Molh (AC8DA130.ipt.aol.com [])
> 	by logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
> 	for <XXX at XXX.XXX>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)

The above checks out:

[toot at sparky /]# host AC8DA130.ipt.aol.com
AC8DA130.ipt.aol.com. has address

I believe this is AOL's host naming convention for a dialup or
somesuch enduser.

The string AC8DA130 is a packed hex representation of the IP address:

[toot at sparky /usr/local/2]# ./2.pl hd AC 8D A1 30

So the greater part of these headers look to be legit.

What do they tell you?

Not much. The virus-carrying email probably *did* originate from an
AOL dialup customer, but not absolutely "Brianfitzgerald at aol.com".

Nothing below here, with the possible exception of the "Message-Id",
can really be relied upon.

> Date: Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
> Message-Id: <200208291244.g7TCi77201651 at logs-wb.proxy.aol.com>
> From: support <support at mcafee.dk>
> To: XXX at XXX.XXX
> Subject: A very  powful tool
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary=WmB565SFb1Vb938
> X-Apparently-From: Brianfitzgerald at aol.com
> --WmB565SFb1Vb938
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable

- John
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
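An added example (not from the post, and not John's 2.pl script) that does the header walk described above in Python: unfold the Received chain of a constructed copy of the Klez header, pick the earliest hop, and decode the packed-hex AOL host name to dotted-quad. The host mail.example.invalid and the victim address stand in for the XXX values the archive masked.

```python
import re
from typing import Optional

# Constructed sample, modelled on the Klez header quoted in the post above.
# The archive stripped the IP addresses, so only the host names survive.
SAMPLE_HEADERS = """\
Received: from rly-ip04.mx.aol.com ([])
  by mail.example.invalid with SMTP
  id R52JKNN6; Thu, 29 Aug 2002 08:46:58 -0400
Received: from logs-wb.proxy.aol.com (logs-wb.proxy.aol.com
  []) by rly-ip04.mx.aol.com (v87.21)
  with ESMTP id RELAYIN7-0829084642; Thu, 29 Aug 2002 08:46:42 -0400
Received: from Molh (AC8DA130.ipt.aol.com [])
\tby logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
\tfor <victim@example.invalid>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
X-Apparently-From: Brianfitzgerald@aol.com
"""

# AOL's dial-up reverse-DNS convention: eight hex digits, then .ipt.aol.com
HEX_HOST_RE = re.compile(r"^([0-9A-Fa-f]{8})\.ipt\.aol\.com\.?$")
# "Received: from <HELO name> (<reverse-DNS name, if any> [...])"
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s*\(([^\s\[\)]*)")


def decode_hex_host(hostname: str) -> Optional[str]:
    """AC8DA130.ipt.aol.com -> '172.141.161.48'; None for other host names."""
    m = HEX_HOST_RE.match(hostname)
    if m is None:
        return None
    return ".".join(str(octet) for octet in bytes.fromhex(m.group(1)))


def unfold(text: str) -> list[str]:
    """Join RFC 822 continuation lines (leading SP/TAB) onto their header."""
    out: list[str] = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def originating_hop(text: str) -> dict:
    """Earliest (bottom-most) Received hop: the HELO name the sender gave,
    the reverse-DNS name the relay recorded, and the address decoded from
    that name when it follows the packed-hex convention (else None)."""
    hops = [RECEIVED_RE.match(h) for h in unfold(text) if h.startswith("Received:")]
    m = [h for h in hops if h][-1]
    helo, rdns = m.group(1), m.group(2) or None
    return {"helo": helo, "rdns": rdns, "ip": decode_hex_host(rdns or "")}


if __name__ == "__main__":
    print(originating_hop(SAMPLE_HEADERS))
```

Only the hop recorded by a relay you trust (here the AOL proxy) is worth decoding; the HELO name "Molh" and everything in the body headers is whatever the infected host chose to send.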
