[Dshield] Klez

Paul Marsh pmarsh at nmefdn.org
Thu Jun 27 14:52:56 GMT 2002

Thank you all very much for your input.  I just wanted to make sure I was
not the only one still getting this annoying thing.  I've been reading
through the reply-posts to my question and have come to the conclusion that
I need to educate myself more on reading headers.  Does anyone know where I
can find some quick and dirty info on headers?  I stripped the headers off
of a few that came through yesterday and found they were all from the same
place, minus the BS virus-inserted stuff.  I've posted it here so I can get
some feedback on what it really says.  The way I interpret it, it's
from an AOL netblock/modem pool.  I also noticed the
following "X-Apparently-From: RealtyVis2 at aol.com", so would that mean this is
the infected system/user?

Thanx, Paul

Received: from rly-ip02.mx.aol.com ([]) by
	exchange.nmfdn.org with SMTP (Microsoft Exchange Internet Mail Service
	Version 5.5.2653.13)
	id N4K44L1D; Wed, 26 Jun 2002 19:10:06 -0400
Received: from logs-mtc-ta.proxy.aol.com (logs-mtc-ta.proxy.aol.com
	[]) by rly-ip02.mx.aol.com (v83.35) with ESMTP id
	RELAYIN2-0626190953; Wed, 26 Jun 2002 19:09:53 -0400
Received: from Pltqfsb (ACA7B3AA.ipt.aol.com [])
	by logs-mtc-ta.proxy.aol.com (8.10.0/8.10.0) with SMTP id
	for <user at nmefdn.org>; Wed, 26 Jun 2002 18:51:12 -0400 (EDT)
Date: Wed, 26 Jun 2002 18:51:12 -0400 (EDT)
Message-Id: <200206262251.g5QMpCq501899 at logs-mtc-ta.proxy.aol.com>
From: <user at nmefdn.org>
To: user at nmefdn.org
Subject: Returned mail--"(InString2.toLowerCase().substring(0,4) "
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Apparently-From: RealtyVis2 at aol.com

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable


<FONT>The following mail can't be sent to infolex at otenet.gr:<br>
From: user at nmefdn.org<br>
To: infolex at otenet.gr<br>
Subject: (InString2.toLowerCase().substring(0,4) <br>
The attachment is the original mail</FONT></BODY></HTML>

Content-Type: application/octet-stream;
Content-Transfer-Encoding: base64
Content-ID: <QX85o1h7T9>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.dshield.org/pipermail/list/attachments/20020627/544d7d88/attachment.htm
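An added example, not part of the original post or of any DShield tooling, that does the header reading asked about above on the very chain quoted in the post. It unfolds the headers, walks the Received: lines from the bottom (the first server to see the message) upward, checks that each hop's "from" host is the previous hop's "by" host so the chain has not been cut or forged in the middle, and reports the bottom-most hop as the injection point. The From: line on the page is the recipient's own address, which is why only the Received: chain is worth trusting; X-Apparently-From is pulled out as a separate field for comparison. The sample header block is constructed from the post, refolded into RFC 822 form, with the bracketed IPs left empty as they appear on the page. One assumption, stated here and in the code: AOL client hostnames of the form XXXXXXXX.ipt.aol.com encoded the dotted-quad as eight hex digits, so the code also decodes that when the real IP has been stripped.

```python
import re
from ipaddress import IPv4Address
from typing import Optional

# Constructed sample: the Received: chain quoted in the post, refolded so
# continuation lines begin with whitespace. The empty "[]" are kept as on
# the page (the IPs were stripped there).
RAW_HEADERS = (
    "Received: from rly-ip02.mx.aol.com ([]) by\n"
    " exchange.nmfdn.org with SMTP (Microsoft Exchange Internet Mail Service\n"
    " Version 5.5.2653.13)\n"
    "\tid N4K44L1D; Wed, 26 Jun 2002 19:10:06 -0400\n"
    "Received: from  logs-mtc-ta.proxy.aol.com (logs-mtc-ta.proxy.aol.com\n"
    " []) by rly-ip02.mx.aol.com (v83.35) with ESMTP id\n"
    " RELAYIN2-0626190953; Wed, 26 Jun 2002 19:09:53 -0400\n"
    "Received: from Pltqfsb (ACA7B3AA.ipt.aol.com [])\n"
    "\tby logs-mtc-ta.proxy.aol.com (8.10.0/8.10.0) with SMTP id\n"
    "\tfor <user at nmefdn.org>; Wed, 26 Jun 2002 18:51:12 -0400 (EDT)\n"
    "Date: Wed, 26 Jun 2002 18:51:12 -0400 (EDT)\n"
    "From: <user at nmefdn.org>\n"
    "To: user at nmefdn.org\n"
    "X-Apparently-From: RealtyVis2 at aol.com\n"
)

# "Received: from <helo> (<rdns> [<ip>]) by <host> ..." ; the parenthesised
# part is optional because some MTAs omit it.
HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s()\[\]]*)\s*\[(?P<ip>[^\]]*)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)

# Assumption (see lead-in): AOL ipt.aol.com client names = 8 hex digits of the IP.
AOL_HEX_HOST = re.compile(r"^([0-9a-f]{8})\.ipt\.aol\.com$", re.IGNORECASE)


def unfold(raw: str) -> list:
    """Join RFC 822 folded continuation lines back onto their header line."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def header(raw: str, name: str) -> Optional[str]:
    """Return the value of the first header called `name`, or None."""
    for h in unfold(raw):
        if h.lower().startswith(name.lower() + ":"):
            return h.split(":", 1)[1].strip()
    return None


def parse_received(raw: str) -> list:
    """Return Received: hops top-down, each as a dict of helo/rdns/ip/by/date."""
    hops = []
    for h in unfold(raw):
        m = HOP_RE.match(h)
        if not m:
            continue
        hop = m.groupdict()
        hop["date"] = h.rsplit(";", 1)[1].strip() if ";" in h else None
        hops.append(hop)
    return hops


def decode_aol_hex_host(host: Optional[str]) -> Optional[str]:
    """Decode an XXXXXXXX.ipt.aol.com name to dotted-quad (assumed AOL scheme)."""
    m = AOL_HEX_HOST.match(host or "")
    return str(IPv4Address(int(m.group(1), 16))) if m else None


def chain_consistent(hops: list) -> bool:
    """Each hop's 'from' host must be the 'by' host of the hop below it."""
    for upper, lower in zip(hops, hops[1:]):
        names = {upper["helo"].lower(), (upper["rdns"] or "").lower()}
        if lower["by"].lower() not in names:
            return False
    return True


def trace(raw: str) -> dict:
    """Summarise the chain: origin hop, decoded IP, From vs X-Apparently-From."""
    hops = parse_received(raw)
    origin = hops[-1]  # bottom-most Received: = first server to see the mail
    return {
        "hops": hops,
        "chain_consistent": chain_consistent(hops),
        "origin_helo": origin["helo"],
        "origin_rdns": origin["rdns"] or None,
        "origin_ip": origin["ip"] or None,
        "origin_ip_from_rdns": decode_aol_hex_host(origin["rdns"]),
        "from_header": header(raw, "From"),
        "apparently_from": header(raw, "X-Apparently-From"),
    }


if __name__ == "__main__":
    r = trace(RAW_HEADERS)
    for i, hop in enumerate(r["hops"]):
        print(f"hop {i}: from {hop['helo']} ({hop['rdns']} [{hop['ip']}]) by {hop['by']}")
    print("chain consistent:", r["chain_consistent"])
    print("origin:", r["origin_helo"], r["origin_rdns"], r["origin_ip_from_rdns"])
    print("From:", r["from_header"], "| X-Apparently-From:", r["apparently_from"])
```

The chain check is what makes the bottom hop believable: the top Received: line was written by exchange.nmfdn.org and can be trusted outright, and each line below it is only as good as the relay that wrote it, so a break in the from/by linkage would mean the lower lines were supplied by the sender rather than by a real relay. Here the links hold through AOL's relay and proxy, which puts the injection point at the dial-up client named in the last hop.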