[Dshield] Re: Klez header question

John Sage jsage at finchhaven.com
Fri Aug 30 04:00:14 GMT 2002


John:

On Thu, Aug 29, 2002 at 09:55:02PM -0400, Daniels566 at cs.com wrote:
> This again is the header and return path of the klez I posted a few days ago. 
> Maybe someone has the skill to map this thing. I sent a copy to Juno and they 
> determined it was a forgery implying them.
> 
> Message Start
> Forwarded Message:
> Subj: A nice game
> Date: 8/18/02 9:36:10 PM Eastern Daylight Time
> From: adoptapet2 at juno.com
> To: Wolves5149 at aol.com
> Received from Internet: click here for more information
> 
> This is a special nice game
> This game is my first work.
> You're the first player.
> I expect you would enjoy it.
> 
> Return-Path: <adoptapet2 at verizon.net>
> Received: from  rly-xg02.mx.aol.com (rly-xg02.mail.aol.com [172.20.115.199]) 
> by air-xg01.mail.aol.com (v87.22) with ESMTP id MAILINXG13-0818213610; Sun, 
> 18 Aug 2002 21:36:10 -0400

The IP address above (172.20.115.119) is non-routable: it's in the
reserved address space:

[toot at sparky /usr/local/2]# host 172.20.115.199
Host 199.115.20.172.in-addr.arpa. not found: 3(NXDOMAIN)

OrgName:    IANA
OrgID:      IANA-2 

NetRange:   172.16.0.0 - 172.31.255.255
CIDR:       172.16.0.0/12
NetName:    IANA-BBLK-RESERVED
NetHandle:  NET-172-16-0-0-1
Parent:     NET-172-0-0-0-0
NetType:    Direct Assignment
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
            Please see RFC 1918 for additional information.


But rly-xg02.mx.aol.com is good:

[toot at sparky /usr/local/2]# dig @greatwall any rly-xg02.mx.aol.com

; <<>> DiG 9.1.0 <<>> @greatwall any rly-xg02.mx.aol.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61866
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;rly-xg02.mx.aol.com.		IN	ANY

;; ANSWER SECTION:
rly-xg02.mx.aol.com.	300	IN	A	64.12.137.66

;; AUTHORITY SECTION:
mx.aol.com.		300	IN	NS	dns-01.ns.aol.com.
mx.aol.com.		300	IN	NS	dns-02.ns.aol.com.

;; ADDITIONAL SECTION:
dns-01.ns.aol.com.	3600	IN	A	152.163.159.232
dns-02.ns.aol.com.	3600	IN	A	205.188.157.232


As is air-xg01.mail.aol.com:

[toot at sparky /usr/local/2]# dig @greatwall any air-xg01.mail.aol.com

; <<>> DiG 9.1.0 <<>> @greatwall any air-xg01.mail.aol.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14685
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;air-xg01.mail.aol.com.		IN	ANY

;; ANSWER SECTION:
air-xg01.mail.aol.com.	600	IN	A	172.20.115.193

;; AUTHORITY SECTION:
mail.aol.com.		600	IN	NS	dns-01.ns.aol.com.
mail.aol.com.		600	IN	NS	dns-02.ns.aol.com.

;; ADDITIONAL SECTION:
dns-01.ns.aol.com.	3600	IN	A	152.163.159.232
dns-02.ns.aol.com.	3600	IN	A	205.188.157.232



> Received: from  out003.verizon.net (out003pub.verizon.net [206.46.170.103]) 
> by rly-xg02.mx.aol.com (v87.22) with ESMTP id MAILRELAYINXG25-0818213515; 

[toot at sparky /usr/local/2]# host 206.46.170.103
103.170.46.206.in-addr.arpa. domain name pointer out003pub.verizon.net.

So that checks out..


> Sun, 18 Aug 2002 21:35:15 -0400
> Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net
>           (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
>           id <20020819013544.XWIF13272.out003.verizon.net at Pgcdjo>
>           for <Wolves5149 at aol.com>; Sun, 18 Aug 2002 20:35:44 -0500

[toot at sparky /usr/local/2]# host 205.152.62.117
117.62.152.205.in-addr.arpa. domain name pointer YL117.yourlink.net.


[toot at sparky /usr/local/2]# dig @greatwall any yourlink.net

; <<>> DiG 9.1.0 <<>> @greatwall any yourlink.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51414
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;yourlink.net.			IN	ANY

;; ANSWER SECTION:
yourlink.net.		164057	IN	NS	dns.yourlink.net.
yourlink.net.		164057	IN	NS	DNS2.yourlink.net.
yourlink.net.		164057	IN	NS	MAIL.yourlink.net.
yourlink.net.		164057	IN	NS	NS3.CL.BELLSOUTH.net.

;; AUTHORITY SECTION:
yourlink.net.		164057	IN	NS	dns.yourlink.net.
yourlink.net.		164057	IN	NS	DNS2.yourlink.net.
yourlink.net.		164057	IN	NS	MAIL.yourlink.net.
yourlink.net.		164057	IN	NS	NS3.CL.BELLSOUTH.net.

;; ADDITIONAL SECTION:
dns.yourlink.net.	172692	IN	A	205.152.62.4
DNS2.yourlink.net.	172692	IN	A	205.152.62.13
MAIL.yourlink.net.	172692	IN	A	205.152.62.5
NS3.CL.BELLSOUTH.net.	10692	IN	A	205.152.244.188


What does this tell you?

The email *possibly/probably* originated from within yourlink.net;
path was *possibly/probably* from yourlink.net to verizon.net to
mx.aol.com

Maybe :-/


Nothing below here can be relied upon...

> From: adoptapet2 <adoptapet2 at juno.com>
> To: Wolves5149 at aol.com
> Subject: A  nice game
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary=Khaz84sDP3z0cb68Cj9W63C5597938
> Message-Id: <20020819013544.XWIF13272.out003.verizon.net at Pgcdjo>
> Date: Sun, 18 Aug 2002 20:36:15 -0500
> 
> Good luck, John Daniels


Cheers,


- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
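As an added illustration, not part of John's post, here is the header walk he does by hand written as a small Python script: it parses the quoted Received lines top-down, flags the RFC 1918 relay hop inside AOL, checks each routable hop's PTR against the name the receiving MTA logged (the post's `host` output is embedded as an offline stand-in for live DNS), and takes the lowest hop's peer address as the probable origin. The sample headers and PTR table are constructed from values on this page.

```python
import ipaddress
import re

# Constructed sample: the three Received headers quoted in the post, topmost
# first. Each hop is prepended by the MTA that received the message, so the
# list reads from the recipient's side back toward the origin.
SAMPLE_RECEIVED = [
    "from rly-xg02.mx.aol.com (rly-xg02.mail.aol.com [172.20.115.199]) "
    "by air-xg01.mail.aol.com (v87.22) with ESMTP id MAILINXG13-0818213610",
    "from out003.verizon.net (out003pub.verizon.net [206.46.170.103]) "
    "by rly-xg02.mx.aol.com (v87.22) with ESMTP id MAILRELAYINXG25-0818213515",
    "from Pgcdjo ([205.152.62.117]) by out003.verizon.net (InterMail) with SMTP",
]
# Constructed offline stand-in for the `host` reverse lookups shown in the post.
PTR_TABLE = {"206.46.170.103": "out003pub.verizon.net",
             "205.152.62.117": "YL117.yourlink.net"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "from HELO (rdns [ip]) by HOST": rdns may be empty, as in the Pgcdjo hop.
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\]()]*?)\s*"
                    r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")


def parse_hop(header):
    """Return HELO name, MTA-logged reverse name, peer IP and receiving host."""
    m = HOP_RE.match(header)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    return {"helo": m.group("helo"), "rdns": m.group("rdns") or None,
            "ip": str(ip), "by": m.group("by"),
            "rfc1918": any(ip in net for net in RFC1918)}


def trace(received, ptr):
    """Annotate hops: private relay, or whether our PTR agrees with what the MTA logged."""
    hops = [h for h in map(parse_hop, received) if h]
    for hop in hops:
        if hop["rfc1918"]:
            hop["note"] = "non-routable: internal relay between one provider's hosts"
            continue
        name = hop["ptr"] = ptr.get(hop["ip"])
        # PTR must agree with the name the MTA resolved or with the HELO; a bare
        # Windows-style HELO with an unrelated PTR is the Klez fingerprint here.
        hop["consistent"] = name is not None and name.lower() in (
            (hop["rdns"] or "").lower(), hop["helo"].lower())
    return hops


def probable_origin(hops):
    """Peer IP logged by the lowest Received line; trustworthy only as far as that MTA is."""
    return hops[-1]["ip"] if hops else None
```

Everything below the lowest Received line (From:, Message-Id:, Date:) was written by the sender and is not checked here, which is the point of the post's "nothing below here can be relied upon".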



