[Dshield] Klez header question
jsage at finchhaven.com
Fri Aug 30 03:31:39 GMT 2002
On Thu, Aug 29, 2002 at 01:02:34PM -0400, Paul Marsh wrote:
> Attached is a header from klez. I know it's hard to impossible to really
> know what system is infected and sending these but this is the third time in
> so many weeks that I've received these. I get about 15-20 of them in a 5
> minute time frame and then I'll get nothing for a week. Scanmail is doing a
> very nice job on my perimeter so we're staying clean but I'd like to track
> down the human/box that's infected. Please note the "X-Apparently-From:
> Brianfitzgerald at aol.com" in the header, is it possible that this is the
> human? AOL seems to be the only headers that have this line.
> Thanx, Paul
Hard to know what to make of everything, immediately below:
> â ImCr µ¢8OÂ rly-ip04.mx.aol.com rly-ip04.mx.aol.com
<youme at hongkong.com>
B d file b
<XXX at XXX.XXX>
EwLsReceived: from rly-ip04.mx.aol.com ([22.214.171.124])
by XXX.XXX.XXX with SMTP
(Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
But the above host name (rly-ip04.mx.aol.com ([126.96.36.199])) checks
[toot at sparky /]# host 188.8.131.52
184.108.40.206.in-addr.arpa. domain name pointer rly-ip04.mx.aol.com.
Note: I'm guessing "mx" is Mail eXchange, not the country code for
> id R52JKNN6; Thu, 29 Aug 2002 08:46:58 -0400
> Received: from logs-wb.proxy.aol.com (logs-wb.proxy.aol.com
[220.127.116.11]) by rly-ip04.mx.aol.com (v87.21)
with ESMTP id RELAYIN7-0829084642; Thu, 29 Aug 2002 08:46:42 -0400
The above host name checks out:
[toot at sparky /]# host 18.104.22.168
22.214.171.124.in-addr.arpa. domain name pointer logs-wb.proxy.aol.com.
> Received: from Molh (AC8DA130.ipt.aol.com [126.96.36.199])
> by logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
> for <XXX at XXX.XXX>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
The above checks out:
[toot at sparky /]# host AC8DA130.ipt.aol.com
AC8DA130.ipt.aol.com. has address 188.8.131.52
I believe this is AOL's host naming convention for a dialup or
The string AC8DA130 is a packed hex representation of the IP address:
[toot at sparky /usr/local/2]# ./2.pl hd AC 8D A1 30
So the greater part of these headers look to be legit.
What do they tell you?
Not much. The virus-carrying email probably *did* originate from an
AOL dialup customer, but not absolutely "Brianfitzgerald at aol.com".
Nothing below here, with the possible exception of the "Message-Id",
can really be relied upon.
> Date: Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
> Message-Id: <200208291244.g7TCi77201651 at logs-wb.proxy.aol.com>
> From: support <support at mcafee.dk>
> To: XXX at XXX.XXX
> Subject: A very powful tool
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> X-Apparently-From: Brianfitzgerald at aol.com
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
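The checks jsage walks through above, as an added example in Python that is not from either poster: parse the Received: chain, decode AOL's hex-encoded dial-up label, and confirm that each relay's "by" host is the next hop's "from" host. The header sample is constructed; the 192.0.2.0/24 addresses are placeholders, and the bracketed address on the last hop is simply what AC8DA130 decodes to, not the real one.

```python
import re

# Constructed Received: chain modelled on the one discussed in the thread.
# The real addresses are not reproduced; 192.0.2.0/24 is a documentation
# range used as a placeholder. AC8DA130 is the hex label from the thread and
# the bracketed address beside it is that label decoded, not the real host.
SAMPLE_HEADERS = """\
Received: from rly-ip04.mx.aol.com ([192.0.2.10]) by mail.example.net with SMTP
Received: from logs-wb.proxy.aol.com (logs-wb.proxy.aol.com [192.0.2.20]) by rly-ip04.mx.aol.com (v87.21) with ESMTP
Received: from Molh (AC8DA130.ipt.aol.com [172.141.161.48]) by logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP
"""

# from <helo> (<optional rdns name> [<ip>]) by <receiving host>
HOP_RE = re.compile(
    r"^Received: from (\S+) \((?:(\S+) )?\[([0-9.]+)\]\) by (\S+)", re.M)
HEX_LABEL_RE = re.compile(r"^([0-9A-Fa-f]{8})\.")


def decode_hex_label(hostname):
    """AOL dial-up style name: first label is the IPv4 address as 8 hex digits."""
    m = HEX_LABEL_RE.match(hostname or "")
    if not m:
        return None
    return ".".join(str(b) for b in bytes.fromhex(m.group(1)))


def parse_hops(headers):
    """Return hops oldest-first as (helo, rdns_name, ip, receiving_host)."""
    hops = [m.groups() for m in HOP_RE.finditer(headers)]
    # Headers are stamped newest-first, so reverse to walk from the origin
    return list(reversed(hops))


def check_chain(headers):
    """Cross-check what each relay stamped against the neighbouring stamp."""
    hops = parse_hops(headers)
    findings = []
    for i, (helo, rdns, ip, by) in enumerate(hops):
        decoded = decode_hex_label(rdns)
        # A hex-encoded label must agree with the address the relay logged
        hex_ok = None if decoded is None else decoded == ip
        # The host that received this hop should be the next hop's sender
        link_ok = None if i + 1 >= len(hops) else hops[i + 1][0] == by
        findings.append({"from": rdns or helo, "ip": ip, "by": by,
                         "hex_ok": hex_ok, "link_ok": link_ok})
    return findings


def likely_origin(headers):
    """Oldest verifiable hop: the best guess for the infected machine."""
    hops = parse_hops(headers)
    return hops[0][2] if hops else None
```

Everything below the oldest Received: line (From, X-Apparently-From, Subject) is supplied by the sender and gets no such cross-check.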