[Dshield] Re: Klez header question

Bob Johnson stest031 at garbonzo.hos.ufl.edu
Fri Aug 30 14:09:50 GMT 2002


Daniels566 at cs.com said:
> This again is the header and return path of the klez I posted a few days ago. Maybe someone has
> the skill to map this thing. I sent a copy to Juno and they determined it was a forgery implying
> them.

Klez forges the From: and Reply-to: lines, so ignore them.  If you complain 
to the people in those lines, you will be spamming an innocent bystander.
What you need to look at is the Received headers.  They show the path 
the message took to get to you, in reverse order (i.e. each new step in 
the path is added to the front of the list, so the last Received: line 
shows where the message originated).

[...]
> Received: from  rly-xg02.mx.aol.com (rly-xg02.mail.aol.com [172.20.115.199]) by
> air-xg01.mail.aol.com (v87.22) with ESMTP id MAILINXG13-0818213610; Sun, 18 Aug 2002
> 21:36:10 -0400
> Received: from  out003.verizon.net (out003pub.verizon.net [206.46.170.103]) by
> rly-xg02.mx.aol.com (v87.22) with ESMTP id MAILRELAYINXG25-0818213515; Sun, 18 Aug
> 2002 21:35:15 -0400

This is the line we are interested in:

> Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net
>           (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
>           id <20020819013544.XWIF13272.out003.verizon.net at Pgcdjo>
>           for <Wolves5149 at aol.com>; Sun, 18 Aug 2002 20:35:44 -0500

It tells us a few useful things.  First, the IP number in brackets is 
the IP of the host the message originated from, and it is inserted by 
the SMTP host that accepted the message.  Klez doesn't attempt to forge 
Received: lines, so we can trust this IP number.  If we can figure 
out who that is, we know who has the virus.  Second, the message was 
accepted by out003.verizon.net, so they are probably a Verizon customer, 
which may be useful information, but again, maybe not.  Third, the name 
of the originating host (Pgcdjo) is a random letter string, which is 
characteristic of Klez, so (if we didn't know it already) we can be fairly 
certain this is a Klez virus message.

The rest of the headers are generated by the Klez virus and can't 
be trusted:
> From: adoptapet2 <adoptapet2 at juno.com>
> To: Wolves5149 at aol.com
> Subject: A  nice game
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary=Khaz84sDP3z0cb68Cj9W63C5597938
> Message-Id: <20020819013544.XWIF13272.out003.verizon.net at Pgcdjo>
> Date: Sun, 18 Aug 2002 20:36:15 -0500
> 

The easy way to figure out where to send the complaint is to take the 
address of the originating host from the Received line above 
(205.152.62.117) and drop it in the spam reporting form at spamcop.net 
and it will tell us the abuse address for that IP number:

postmaster at yourlink.net

So send a polite note to that address, including all of the above 
headers, and ask them to try to notify the owner of the system 
that it is infected with spam.

By the way, the Spamcop FAQ asks that you not use it for automated 
reporting of viruses.  It is intended for reporting spammed advertising.  
Using it to look up the complaint address of a single IP number doesn't 
seem to violate their usage policy, though.  And if you feel guilty, 
send them a contribution!

Good luck,

- Bob

> Good luck, John Daniel
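Walking the Received: chain the way the reply describes (last Received: line = first hop, bracketed IP inserted by the accepting MTA, random HELO name) is easy to automate. The following is an added example, not code from the post or from DShield; the sample message is constructed from the headers quoted above, re-folded with indented continuation lines so the standard library parser can read them, and with the archive's "at" obfuscation restored to "@". The `looks_like_klez_helo` heuristic (letters only, no dot) is an assumption based on the post's observation, not a definition of Klez.

```python
import re
from email import message_from_string

# Constructed sample: the headers quoted in the post, refolded as a real
# message would carry them (continuation lines begin with whitespace).
RAW_HEADERS = """\
Received: from rly-xg02.mx.aol.com (rly-xg02.mail.aol.com [172.20.115.199]) by
   air-xg01.mail.aol.com (v87.22) with ESMTP id MAILINXG13-0818213610;
   Sun, 18 Aug 2002 21:36:10 -0400
Received: from out003.verizon.net (out003pub.verizon.net [206.46.170.103]) by
   rly-xg02.mx.aol.com (v87.22) with ESMTP id MAILRELAYINXG25-0818213515;
   Sun, 18 Aug 2002 21:35:15 -0400
Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net
          (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
          id <20020819013544.XWIF13272.out003.verizon.net@Pgcdjo>
          for <Wolves5149@aol.com>; Sun, 18 Aug 2002 20:35:44 -0500
From: adoptapet2 <adoptapet2@juno.com>
To: Wolves5149@aol.com
Subject: A  nice game
Message-Id: <20020819013544.XWIF13272.out003.verizon.net@Pgcdjo>
Date: Sun, 18 Aug 2002 20:36:15 -0500

"""

# "from <helo> (<rdns> [<ip>]) ... by <mta>"; rdns is absent when the
# accepting MTA could not reverse-resolve the client (as in the Klez hop).
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_hops(raw):
    """Return one dict per Received: header, in header order
    (index 0 = the hop nearest the recipient)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({k: (v or "") for k, v in m.groupdict().items()})
    return hops


def originating_hop(raw):
    """The last Received: header is the first hop: the line written by the
    MTA that accepted the message from the sending machine. Its bracketed
    IP is what that MTA saw on the wire, not something the sender wrote."""
    hops = parse_hops(raw)
    return hops[-1] if hops else None


def looks_like_klez_helo(helo):
    """Assumed heuristic: a bare run of letters with no dot, as opposed to
    the fully qualified hostname a real mail relay announces."""
    return re.fullmatch(r"[A-Za-z]{4,12}", helo) is not None


def triage(raw):
    """Summarise what can be trusted: the originating IP and the accepting
    MTA come from the Received: chain; From:/Reply-To: are ignored."""
    origin = originating_hop(raw)
    if origin is None:
        return None
    return {
        "origin_ip": origin["ip"],
        "helo_name": origin["helo"],
        "accepted_by": origin["by"],
        "helo_suspicious": looks_like_klez_helo(origin["helo"]),
    }


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(RAW_HEADERS)):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    print(triage(RAW_HEADERS))
```

`triage` is the function to run over a suspect message before filing a complaint: it yields the IP to look up (here 205.152.62.117) and the accepting relay (out003.verizon.net), and deliberately never reads From: or Reply-To:.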
