[Dshield] Help on Finding contacts at domains

John Dalton dubuque_1 at msn.com
Thu Sep 4 22:32:41 GMT 2003


I have played enough at a previous job, and learned enough from here, to see the
original sender information when a system sends an email back (i.e. the header
info on the email). But all the emails I am receiving from systems that have the
original header info indicate ONE IP and machine name. Note the HELO command
in the following example:
If it was a random machine, or multiple ones, I would not have bothered the
list, but this goes to some of the discussions about who to contact at
sites. BTW, I remember one time at the place I worked where we got into a
loop with the infected machine and our email server sending notifications
back and forth, several thousand of them, before we caught it. It was an all-girls
school in Australia :)

Thanks Bob,
john

<Example>
Return-Path: <dubuque_1 at msn.com>
Received: (qmail 12763 invoked by alias); 4 Sep 2003 16:43:33 -0000
Delivered-To: sport-AutoSport-Catalog at autosportcatalog.com
Received: (qmail 12759 invoked from network); 4 Sep 2003 16:43:31 -0000
Received: from unknown (HELO VALUED-078DE3BD) (207.63.198.104)
  by a.ns.international-auto.com with SMTP; 4 Sep 2003 16:43:31 -0000
From: <dubuque_1 at msn.com>
To: <AutoSport-Catalog at autosportcatalog.com>
Subject: Re: Re: My details
Date: Thu, 4 Sep 2003 8:53:17 --0700
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="_NextPart_000_00EEF21A"

This is a multipart message in MIME format

--_NextPart_000_00EEF21A
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_00EEF21A
Content-Type: application/octet-stream;
    name="document_9446.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="document_9446.pif"
<End Example>



----- Original Message ----- 
From: "Bob Savage" <bsavage at rnr-inc.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, September 04, 2003 5:02 PM
Subject: RE: [Dshield] Help on Finding contacts at domains


> John, if I understand you correctly, you are getting emails from the
> system administrator saying that your email is undeliverable because it is
> infected. If I've misunderstood you and this is NOT what you are asking
> about, stop reading now!
>
> These are automatically generated notices coming from the antivirus
> software. Your address is on the email as the "from". SoBig.F, and a
> number of others, pick up both the "to" and "from" addresses from whatever
> addresses they find on the infected computer. It just means your address is
> in the address list on the infected computer (or in a file somewhere on it).
> Many system admins configure their anti-virus software to send an "infected"
> notice to the sender. It's a nice idea, but outdated. Most infections
> today spoof the sender address.
>
> Hope this helps,
>
> Bob Savage
> RNR, Inc.
>
>
>
> -----Original Message-----
> From: John Dalton [mailto:dubuque_1 at msn.com]
> Sent: Thursday, September 04, 2003 4:11 PM
> To: General DShield Discussion List
> Subject: [Dshield] Help on Finding contacts at domains
>
>
> I need to draw on the excellent resources here on the dshield list :)
>
> In the last week I have had a smattering of emails that were generated
> elsewhere and I am the one contacted. I would not even be asking this if
> not for the fact that they all come from two ISPs, one of whom I contacted
> by phone the other day, and after getting past the person's attitude while
> answering (so what is our user's email address, to which I answered that
> his MACHINE'S IP was x.x.x.x). I now have a good slug of ones coming from
> 207.63.198.104, shown in headers (where the victims show them) as:
> Received: from  VALUED-078DE3BD ([207.63.198.104]
> I looked them up to find:
> Illinois Century Network
> 120 west jefferson
> suite b
> springfield
> IL
> 62702
> United States
>
> Illinois Century Network
> +1-217-557-6555
> hostmaster at illinois.net
>
> I have emailed abuse.fraud and hostmaster at illinois.net, and I have gone
> to www.illinois.net and tried to find an email contact. They seem
> to be a provider of Internet connectivity for Illinois school districts.
>
> It is a nuisance for now, but all the emails I am getting about "sending"
> infected emails to various companies all indicate this IP as the origin.
>
> Yes, I have made sure I am all patched, and checked several ways to confirm
> I am NOT infected.
>
> Can anyone enlighten me as to how to pursue this next, and how they came up
> with this direction ...
>
> Thanks in advance
> John D
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>

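As an added example (not code from the thread or from DShield), here is a small Python script that does mechanically what John did by eye: walk the Received: trail of a bounce or virus notice and pull out the IP that the receiving MTA actually saw, rather than the From: address the worm filled in. The sample message is constructed from the headers quoted above (the attachment body is dummy base64), the "trusted" domain international-auto.com is taken from the `by` host in that example, and the sendmail-style Received: line used in the test is constructed to match the second format John quotes. Only a Received: line written by a server you control is trustworthy; everything older in the trail, including the HELO name, is sender-supplied and can be forged.

```python
"""Find the true originating IP in a virus notice's Received: trail.

Added example, not code from the thread.  The From: address is sender-supplied
(and spoofed by SoBig.F); the IP in the Received: line written by *your own*
MTA is what that MTA actually saw when the peer connected.
"""
import email
import re

# Constructed sample, based on the headers quoted above ("at" -> "@");
# the attachment body is dummy base64, not a real file.
SAMPLE = """\
Return-Path: <dubuque_1@msn.com>
Received: (qmail 12763 invoked by alias); 4 Sep 2003 16:43:33 -0000
Delivered-To: sport-AutoSport-Catalog@autosportcatalog.com
Received: (qmail 12759 invoked from network); 4 Sep 2003 16:43:31 -0000
Received: from unknown (HELO VALUED-078DE3BD) (207.63.198.104)
  by a.ns.international-auto.com with SMTP; 4 Sep 2003 16:43:31 -0000
From: <dubuque_1@msn.com>
To: <AutoSport-Catalog@autosportcatalog.com>
Subject: Re: Re: My details
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_00EEF21A"

This is a multipart message in MIME format

--_NextPart_000_00EEF21A
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_00EEF21A
Content-Type: application/octet-stream; name="document_9446.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document_9446.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--_NextPart_000_00EEF21A--
"""

# Handles the two Received: styles quoted in the thread:
#   qmail:    from unknown (HELO VALUED-078DE3BD) (207.63.198.104) by host ...
#   sendmail: from VALUED-078DE3BD ([207.63.198.104]) by host ...
RECEIVED_RE = re.compile(
    r"^from\s+(?P<name>\S+)"                         # name the peer gave (or reverse DNS)
    r"(?:\s+\(HELO\s+(?P<helo>[^\s)]+)\))?"          # qmail records the HELO separately
    r".*?[(\[](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[)\]]"  # peer IP as seen by the MTA
    r".*?\bby\s+(?P<by>[\w.-]+)",                    # the MTA that wrote this line
    re.IGNORECASE | re.DOTALL,
)


def parse_received(value):
    """Return {'name','helo','ip','by'} for a 'from ... by ...' hop, else None."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold and squeeze whitespace
    if not m:
        return None  # local hop such as "(qmail ... invoked by alias)"
    hop = m.groupdict()
    hop["helo"] = hop["helo"] or hop["name"]  # sendmail puts the HELO name first
    return hop


def originating_hop(raw, trusted_by):
    """The hop at which the mail first entered a server you trust.

    Received: lines are prepended as mail moves, so the list runs newest-first.
    Only lines written by your own MTAs are trustworthy; anything older may be
    forged by the sender.  So take the *oldest* hop whose 'by' host is yours:
    its 'ip' is the peer that really connected, whatever From: claims.
    """
    msg = email.message_from_string(raw)
    suffixes = tuple(t.lower() for t in trusted_by)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted = [h for h in hops if h and h["by"].lower().endswith(suffixes)]
    return trusted[-1] if trusted else None


def executable_attachments(raw):
    """Attachment names with the executable extensions SoBig-era worms used."""
    msg = email.message_from_string(raw)
    bad = (".pif", ".scr", ".exe", ".bat", ".com", ".cmd")
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(bad)]


def abuse_report(raw, trusted_by):
    """The facts worth sending the network contact: the peer IP, not the From:."""
    msg = email.message_from_string(raw)
    hop = originating_hop(raw, trusted_by)
    return {
        "claimed_from": msg["From"],
        "peer_ip": hop["ip"] if hop else None,
        "peer_helo": hop["helo"] if hop else None,
        "recorded_by": hop["by"] if hop else None,
        "attachments": executable_attachments(raw),
    }


if __name__ == "__main__":
    print(abuse_report(SAMPLE, ("international-auto.com",)))
```

The `trusted_by` argument is the important design choice: pass the domain(s) of your own mail servers, and the script ignores any Received: line those servers did not write. When the only untrusted lines are the worm's own (as here, where the infected host spoke SMTP straight to the victim's server), the peer IP and HELO name in the trusted line are exactly what should go in the abuse report, together with the timestamp from that same line so the provider can match it against their logs.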


