Pierre Fortin wrote:
> This is an interesting thread that can be educational for anyone that
> wishes to follow... it is a bit off-topic and we can take it offline if
> it bothers anyone...
>
Well it looks like some votes are in for learning, and that is always a
good thing. And, after all, this is the place for learning about
mandrake and security.
As we have seen, these script kiddies can be very clever. I am attaching
some headers from email that was returned to me as though I had sent
them. I did not send them. I am not the originator, and each time it was
sent back to me, it had the W32/Klez.e@mm virus file attached to it. As
I posted earlier, this actually came into a win2000 server on my
network. I am running firewall rules and snort (http://www.snort.org)
and other security protection programs, such as tripwire (hey can you be
*too* paranoid?). This particular win2000 server picks up mail from a
pop3 server, and this pop3 server is ran by verizon.net. Verizon is my
ISP. That is why you will see a verizon mail server as a relay in the
attached email header file. I run my own smtp (postfix) server but you
will not see any of this info in the headers. Remember this, Pierre, the
winn2000 machine picks up mail directly from the verizon.net pop3 server
so it bypasses all my network security but only for the picking up of
email does it do this. For every other function, this win2000 server
sits behind the firewall and uses NAT to get out to the internet.
It was really no big thing to see the attached virus file and delete it
but what was unusual was the way these messages ended up being sent back
to me as though I was the originator. You might get a kick out of some
of the subject lines too. Could anyone really believe this crap, and
consequently open a binary file but, then again, people still use
windoze and run outlook on it. Go figure.
Pierre, in your sleuthing, you will see the ip address, 12.18.104.170
emerge as the likely culprit. This is some user on the AT&T Starnet
System but I can not get a hostname on it via nslookup. Post back any
new info you can glean from the headers. For example, have you seen any
of these addresses before? We will see where all this goes....
p.s. Each header is separated by
"*****************HEADERS FROM EMAIL (X)***************************
Dr John
Craig Woods
UNIX SA
*******************HEADERS FROM EMAIL (1)*************************
This Message was undeliverable due to the following reason:
Each of the following recipients was rejected by a remote mail server.
The reasons given by the server are included to help you determine why
each recipient was rejected.
Recipient: <[EMAIL PROTECTED]>
Reason: Requested action not taken:user account inactive
Please reply to [EMAIL PROTECTED]
if you feel this message to be in error.
Reporting-MTA: dns; out011.verizon.net
Arrival-Date: Mon, 8 Apr 2002 09:51:13 -0500
Received-From-MTA: dns; Kuow (12.18.104.170)
Final-Recipient: RFC822; <[EMAIL PROTECTED]>
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx11.hotmail.com (64.4.49.199)
Diagnostic-Code: smtp; 550 Requested action not taken:user account inactive
Received: from Kuow ([12.18.104.170]) by out011.verizon.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20020408145112.ZMOJ2777.out011.verizon.net@Kuow>
for <[EMAIL PROTECTED]>; Mon, 8 Apr 2002 09:51:12 -0500
From: DERAIDBULLS <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Border
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Z5r1bsj1mb5613A1N52
Message-Id: <20020408145112.ZMOJ2777.out011.verizon.net@Kuow>
Date: Mon, 8 Apr 2002 09:51:13 -0500
Content-Type: text/html;
********************HEADERS FROM EMAIL (2)**********************
This Message was undeliverable due to the following reason:
Each of the following recipients was rejected by a remote mail server.
The reasons given by the server are included to help you determine why
each recipient was rejected.
Recipient: <[EMAIL PROTECTED]>
Reason: <[EMAIL PROTECTED]>... User not known
Please reply to [EMAIL PROTECTED]
if you feel this message to be in error.
Reporting-MTA: dns; out007.verizon.net
Arrival-Date: Mon, 8 Apr 2002 09:46:31 -0500
Received-From-MTA: dns; Jezrax (12.18.104.170)
Final-Recipient: RFC822; <[EMAIL PROTECTED]>
Action: failed
Status: 5.1.1
Remote-MTA: dns; mxpool01.netaddress.usa.net (165.212.8.32)
Diagnostic-Code: smtp; 550 <[EMAIL PROTECTED]>... User not known
Received: from Jezrax ([12.18.104.170]) by out007.verizon.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20020408144627.ZAKK18698.out007.verizon.net@Jezrax>
for <[EMAIL PROTECTED]>; Mon, 8 Apr 2002 09:46:27 -0500
From: JSEINSHEIMER <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: A special funny website
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=AtP583295a7f4A5R4A9NW28616Y92324613R
Message-Id: <20020408144627.ZAKK18698.out007.verizon.net@Jezrax>
Date: Mon, 8 Apr 2002 09:46:31 -0500
Content-Type: text/html;
**********************HEADERS FROM EMAIL (3)************************
This Message was undeliverable due to the following reason:
Each of the following recipients was rejected by a remote mail server.
The reasons given by the server are included to help you determine why
each recipient was rejected.
Recipient: <[EMAIL PROTECTED]>
Reason: <[EMAIL PROTECTED]> User unknown; rejecting
Please reply to [EMAIL PROTECTED]
if you feel this message to be in error.
Reporting-MTA: dns; out010.verizon.net
Arrival-Date: Mon, 8 Apr 2002 09:24:08 -0500
Received-From-MTA: dns; Dqxpy (12.18.104.170)
Final-Recipient: RFC822; <[EMAIL PROTECTED]>
Action: failed
Status: 5.1.1
Remote-MTA: dns; mail.ecommunities.ch (195.216.81.98)
Diagnostic-Code: smtp; 550 <[EMAIL PROTECTED]> User unknown; rejecting
Received: from Dqxpy ([12.18.104.170]) by out010.verizon.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20020408142406.MNRS1257.out010.verizon.net@Dqxpy>
for <[EMAIL PROTECTED]>; Mon, 8 Apr 2002 09:24:06 -0500
From: bettervw <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: A powful tool
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=JSf7H45gSKdrDT7ZhIOE73o881R1KbV54
Message-Id: <20020408142406.MNRS1257.out010.verizon.net@Dqxpy>
Date: Mon, 8 Apr 2002 09:24:08 -0500
Content-Type: text/html;
***********************HEADERS FROM EMAIL (4)*************************
The original message was received at Sun, 7 Apr 2002 18:17:48 -0400 (EDT)
from out012pub.verizon.net [206.46.170.137]
*** ATTENTION ***
Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".
The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".
The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.
Please direct further questions regarding this message to your e-mail
administrator.
--AOL Postmaster
----- The following addresses had permanent fatal errors -----
<[EMAIL PROTECTED]>
----- Transcript of session follows -----
... while talking to air-yb01.mail.aol.com.:
>>> RCPT To:<[EMAIL PROTECTED]>
<<< 550 MAILBOX NOT FOUND
550 <[EMAIL PROTECTED]>... User unknown
Reporting-MTA: dns; rly-yb05.mx.aol.com
Arrival-Date: Sun, 7 Apr 2002 18:17:48 -0400 (EDT)
Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 2.0.0
Remote-MTA: DNS; air-yb01.mail.aol.com
Diagnostic-Code: SMTP; 250 OK
Last-Attempt-Date: Sun, 7 Apr 2002 18:17:58 -0400 (EDT)
Received: from out012.verizon.net (out012pub.verizon.net [206.46.170.137]) by
rly-yb05.mx.aol.com (v84.10) with ESMTP id MAILRELAYINYB57-0407181748; Sun, 07 Apr
2002 18:17:48 -0500
Received: from Ghojt ([12.18.104.170]) by out012.verizon.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20020407221747.GMGO1346.out012.verizon.net@Ghojt>
for <[EMAIL PROTECTED]>; Sun, 7 Apr 2002 17:17:47 -0500
From: DERALDBULLS <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Welcome to my hometown
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Kg959gi0K36E6j4vUBuL0VB52awZ551K3nj
Message-Id: <20020407221747.GMGO1346.out012.verizon.net@Ghojt>
Date: Sun, 7 Apr 2002 17:17:47 -0500
Content-Type: text/html;
********************HEADERS FROM EMAIL (5)*********************
This Message was undeliverable due to the following reason:
Each of the following recipients was rejected by a remote mail server.
The reasons given by the server are included to help you determine why
each recipient was rejected.
Recipient: <[EMAIL PROTECTED]>
Reason: sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Please reply to [EMAIL PROTECTED]
if you feel this message to be in error.
Reporting-MTA: dns; out016.verizon.net
Arrival-Date: Sun, 7 Apr 2002 16:32:56 -0500
Received-From-MTA: dns; Ixvutrhr (12.18.104.170)
Final-Recipient: RFC822; <[EMAIL PROTECTED]>
Action: failed
Status: 5.1.3
Remote-MTA: dns; wayfarer.com (66.28.26.21)
Diagnostic-Code: smtp; 553 sorry, that domain isn't in my list of allowed rcpthosts
(#5.7.1)
Received: from Ixvutrhr ([12.18.104.170]) by out016.verizon.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20020407213255.TWYG8115.out016.verizon.net@Ixvutrhr>
for <[EMAIL PROTECTED]>; Sun, 7 Apr 2002 16:32:55 -0500
From: ctc <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Nlz303709y43e264g40UpA0PY07DA
Message-Id: <20020407213255.TWYG8115.out016.verizon.net@Ixvutrhr>
Date: Sun, 7 Apr 2002 16:32:56 -0500
Content-Type: text/html;
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
