[Dshield] Re: Klez header question

Ed Truitt ed.truitt at etee2k.net
Fri Aug 30 12:43:13 GMT 2002


My response, bracketed with [etee: ], below.

----- Original Message -----
From: Daniels566 at cs.com
To: list at dshield.org
Sent: Thursday, August 29, 2002 8:55 PM
Subject: Re: [Dshield] Re: Klez header question


This again is the header and return path of the klez I posted a few days
ago. Maybe someone has the skill to map this thing. I sent a copy to Juno
and they determined it was a forgery implying them.

[etee:  all but the Received: lines snipped, as they are irrelevant to
finding the originator.]

Received: from  rly-xg02.mx.aol.com (rly-xg02.mail.aol.com [172.20.115.199])
by air-xg01.mail.aol.com (v87.22) with ESMTP id MAILINXG13-0818213610; Sun,
18 Aug 2002 21:36:10 -0400

[etee: mail is transferred from AOL's SMTP gateway to the server that
finally delivered it to you.  The rDNS check failed, as the 172.16.0.0/12
netblock is "reserved for special purposes".  This might imply a forgery:
however, as the IP address is for the "FROM" server in the transaction, I
would bet that this is simply the "inward-facing" NIC on that box, and that
AOL uses Martian addresses on their internal network.

Many orgs use a "hub & spoke" arrangement for SMTP servers, rather than
having them all accept mail from anyone.  It facilitates centralized
scanning for virii, spam filtering, etc.  A good security practice, IMHO.]

Received: from  out003.verizon.net (out003pub.verizon.net [206.46.170.103])
by rly-xg02.mx.aol.com (v87.22) with ESMTP id MAILRELAYINXG25-0818213515;
Sun, 18 Aug 2002 21:35:15 -0400

[etee: mail transferred from verizon's SMTP relay to AOL's gateway SMTP
server.  rDNS check on the address passes.]

Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net
          (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
          id <20020819013544.XWIF13272.out003.verizon.net at Pgcdjo>
          for <Wolves5149 at aol.com>; Sun, 18 Aug 2002 20:35:44 -0500

[etee:  This is the last header, and based on what I see it is indeed the
"origination".  Here, the mail was sent from IP 205.152.62.117 (the client)
to out003.verizon.net (a Verizon SMTP server).  IIRC, someone mentioned that
Verizon was one of the ISPs that Klez bounced mail off of.

So, what about the sender?  The user-assigned name is "Pgcdjo", which per my
earlier email doesn't help a whole lot (except in cases where the same
machine sends out spews at different times, using different IPs.  Then, it
can become a good piece of evidence to tie all the spews to one box.)
Looking up that IP,  I get the following rDNS entry:

117.62.152.205.in-addr.arpa. domain name pointer YL117.yourlink.net.

A WHOIS search on yourlink.net coughs up:

Registrant:
 Yourlink, Inc.
 275 Magnolia Ave. # 4
 Merritt Island, FL 32952
 US

 Domain Name: YOURLINK.NET

 Administrative Contact:
    Bradley, Richard  hostmaster at yourlink.net
    275 Magnolia Ave. # 4
    Merritt Island, FL 32952
    US
    321-452-6699

 Technical Contact:
    Bradley, Richard  hostmaster at yourlink.net
    275 Magnolia Ave. # 4
    Merritt Island, FL 32952
    US
    321-452-6699

Abuse.net doesn't have an entry, so I would forward the email to
hostmaster at yourlink.net (ISP for the originator), and abuse at verizon.net
(they have the maillogs, and can verify the source).  Also, why was this
person able to bounce a message off of their SMTP server?  After all,
yourlink.net has their own mail servers.  (This may indicate an earlier
version of Klez, IIRC.)]

Hope this helps.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
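The walk through the Received: headers above (newest hop first, so the last header is the origin; flag non-routable addresses such as the 172.20.x.x hop; check that each server's "by" reappears as the next hop's "from") is mechanical enough to script. The following is an added example, not code from the list post or from DShield. The header block is reconstructed from the three Received: lines quoted above with the archive's "at" obfuscation restored to "@"; the lenient unfolding (continuation lines without leading whitespace) is an assumption made because archive copies lose the folding. No rDNS or WHOIS lookups are made, so it runs offline; those remain the manual steps the post describes.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the three Received: headers quoted in the post, as the
# recipient's mail client would show them (newest hop first).
SAMPLE_HEADERS = """\
Received: from  rly-xg02.mx.aol.com (rly-xg02.mail.aol.com [172.20.115.199])
by air-xg01.mail.aol.com (v87.22) with ESMTP id MAILINXG13-0818213610; Sun,
18 Aug 2002 21:36:10 -0400
Received: from  out003.verizon.net (out003pub.verizon.net [206.46.170.103])
by rly-xg02.mx.aol.com (v87.22) with ESMTP id MAILRELAYINXG25-0818213515;
Sun, 18 Aug 2002 21:35:15 -0400
Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net
          (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
          id <20020819013544.XWIF13272.out003.verizon.net@Pgcdjo>
          for <Wolves5149@aol.com>; Sun, 18 Aug 2002 20:35:44 -0500
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the client announced (HELO/EHLO)
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # receiving server's view: "rdns [ip]"
    r".*?\bby\s+(?P<by>\S+)",          # the server that wrote this header
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_received(raw: str) -> List[str]:
    """Split a header block into one string per Received: header.
    Assumption: any line not starting with 'Received:' continues the
    previous header, whether or not its leading whitespace survived."""
    headers: List[str] = []
    for line in raw.splitlines():
        if line.lower().startswith("received:"):
            headers.append(line[len("received:"):].strip())
        elif headers and line.strip():
            headers[-1] += " " + line.strip()
    return headers


def parse_hop(received: str) -> Dict[str, Optional[object]]:
    """Extract HELO name, rDNS name, client IP and receiving server from one
    unfolded Received: header, and flag non-routable client addresses."""
    m = RECEIVED_RE.search(received)
    if not m:
        raise ValueError(f"unparseable Received header: {received!r}")
    paren = m.group("paren") or ""
    ip_match = IP_RE.search(paren) or IP_RE.search(received)
    ip = ip_match.group(1) if ip_match else None
    rdns = paren.split("[")[0].strip() or None
    # 172.20.115.199 falls in 172.16.0.0/12, which is not globally routable;
    # as the post notes, that usually means an internal hop, not a forgery.
    reserved = ip is not None and not ipaddress.ip_address(ip).is_global
    return {"helo": m.group("helo"), "rdns": rdns, "ip": ip,
            "by": m.group("by"), "reserved": reserved}


def trace(raw: str) -> List[Dict[str, Optional[object]]]:
    """Return hops in chronological order. Each MTA prepends its own
    Received: header, so the last header in the block is the first hop."""
    return [parse_hop(h) for h in reversed(unfold_received(raw))]


def chain_is_consistent(hops: List[Dict[str, Optional[object]]]) -> bool:
    """Each hop's 'by' server should be the next hop's 'from' (HELO or rDNS).
    A break in that chain is where sender-inserted headers usually show."""
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] not in (later["helo"], later["rdns"]):
            return False
    return True


def origin_ip(raw: str) -> Optional[str]:
    """The client IP of the earliest hop: the address to look up in rDNS/WHOIS."""
    hops = trace(raw)
    return hops[0]["ip"] if hops else None  # type: ignore[return-value]


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADERS)
    for n, hop in enumerate(hops, 1):
        note = " (non-routable, likely internal)" if hop["reserved"] else ""
        print(f"hop {n}: {hop['helo']} ({hop['rdns']} [{hop['ip']}]){note} -> {hop['by']}")
    print("chain consistent:", chain_is_consistent(hops))
    print("origin to report:", origin_ip(SAMPLE_HEADERS))
```

Run as-is and the report ends at 205.152.62.117, the same address the post traces to yourlink.net; the consistency check passes because each relay names the server that handed it the message. On a message with forged Received: lines added by the sender, the chain normally breaks at the first real hop, which is the one worth reporting to the relay's abuse contact.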
