[Dshield] Understanding Virus Email Origin

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Thu Apr 29 19:03:26 GMT 2004


An attempt to answer inline and furthest below:

list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org>
wrote on Tuesday, April 27, 2004 12:04 AM (EETDST) UTC+3 on behalf of
Jens E. Madsen Jr.

| Good day,
| 
| I have received several emails with this virus in it over the past
| weekend. They were all caught and I checked to make sure they did not
| get beyond my mail server.
| 
| This one appears to be from a friend and I am wondering if they are
| infected, one of my systems is infected, or this is a joejob? It is
| interesting to note that two messages had the receive addresses,
| ne.client2.attbi.com and sccrmhc12.comcast.net.
| 
| Are the first two Received headers real or are they forged?
| 

Looks that way, at least they are invalid for tracking.

| 
| Should I be concerned? Should MyFriend be concerned?
| 

I would use Symantec's NAV2004 ( http://www.symantec.com/nav/nav_9xnt/
), or an on-line virus scanner service and PestPatrol (from PestPatrol,
Inc. http://www.pestpatrol.com/ ) or the On-Line PestScan Service (at
PestPatrol, Inc. http://www.pestscan.com/home.asp ) to help in finding
out whether there is reason for concern or not.

| Start of Header---------------------------------------
|| From MyFriend at comcast.net  Sun Apr 25 14:17:04 2004
| Return-Path: <MyFriend at comcast.net>
| Delivered-To: me at localhost.mydomain.com
| Received: from localhost (localhost [127.0.0.1])
| 	by mail.mydomain.com (Postfix) with ESMTP id 418D1B8C1
| 	for <me at localhost>; Sun, 25 Apr 2004 14:16:00 -0600 (MDT)
| Status:  U
| Received: from mail.earthlink.net [207.217.121.213]
| 	by localhost with POP3 (fetchmail-6.2.0)
| 	for me at localhost (single-drop); Sun, 25 Apr 2004 14:16:00 -0600
(MDT)
| Received: from sccrmhc12.comcast.net ([204.127.202.56])
| 	by mamo (EarthLink SMTP Server) with ESMTP id 1bhQ145Ul3NZFk71
| 	for <me at earthlink.net>; Sun, 25 Apr 2004 13:14:18 -0700 (PDT)
| Date: Sun, 25 Apr 2004 20:14:15 +0000 (GMT)
| X-Comment: Sending client does not conform to RFC822 minimum
| requirements
| X-Comment: Date has been added by Maillennium.
| Received: from Znefrrdpk
| (h00095b1b3634.ne.client2.attbi.com[24.91.71.42])
|           by comcast.net (sccrmhc12) with SMTP
|           id <20040425201414012002rtroe>; Sun, 25 Apr 2004 20:14:14
| +0000
| From: nooneIknow <nooneIknow at rtmc.net>
| To: me at Earthlink.net
| Subject: Not automatically take you to the registration
| MIME-Version: 1.0
| Content-Type: multipart/alternative;
| 	boundary=Cy751hb1174zaw81d2EjkV1KQ352OA92
| Message-Id: <200404251314.1bhQ145Ul3NZFk71 at mamo>
| X-Virus-Status: Yes
| X-Virus-Report: Worm.Klez.H FOUND
| End of Header---------------------------------------------------


Jens et al.

Consider trying www.spamcop.net .

Consider trying the free reporting on-line tool, but do NOT send the
report. (You preferably have to use the body of the email as well, not
just the headers.)

In the report, you will see SpamCop's conclusion of the origin of the
infected email.


SmartWhois (from TamoSoft, Inc.
http://www.tamos.com/products/smartwhois/ ) gives the following
information regarding the originating IP: 

207.217.121.213
pop03.earthlink.net

207.217.0.0 - 207.217.255.255

EarthLink Network, Inc.
1375 PEACHTREE ST, LEVEL A
ATLANTA
GA
30309
US

Domain Administrator, Administrator
+1-404-815-0770
arinpoc at corp.earthlink.net
EarthLink, Inc.
+1-404-815-0770
arin_tech at lists.corp.earthlink.net

Abuse:
ABUSE TEAM
+1-404-815-0770
abuse at abuse.earthlink.net

DNS1.EARTHLINK.NET
DNS2.EARTHLINK.NET
DNS3.EARTHLINK.NET

EARTHLINK-CIDR
Created: 1996-10-04
Updated: 2001-10-09
Source: whois.arin.net


Went to a S/W vendor's web site (Visualware, Inc. "Email Tracking
Tutorial: How to trace email"
http://www.visualware.com/whitepapers/tutorials/email.html ) when I
first studied tracking email to the sender.

At the same time acquainted myself with S/W supposed to do the same
(eMailTrackerPro
http://www.visualware.com/personal/products/emailtrackerpro/index.html ,
bundled with VisualRoute Personal Edition, the latter which is necessary
for the results accuracy in verification of email source
http://www.visualware.com/personal/products/visualroute/index.html ).


- Pete


  "What really happens is trivial in comparison to what could occur."
            Robert von Musil (1880-1942); Austrian author.






More information about the list mailing list