Pierre Fortin wrote: > This is an interesting thread that can be educational for anyone that > wishes to follow... it is a bit off-topic and we can take it offline if > it bothers anyone... >
Well it looks like some votes are in for learning, and that is always a good thing. And, after all, this is the place for learning about mandrake and security. As we have seen, these script kiddies can be very clever. I am attaching some headers from email that was returned to me as though I had sent them. I did not send them. I am not the originator, and each time it was sent back to me, it had the W32/Klez.e@mm virus file attached to it. As I posted earlier, this actually came into a win2000 server on my network. I am running firewall rules and snort (http://www.snort.org) and other security protection programs, such as tripwire (hey can you be *too* paranoid?). This particular win2000 server picks up mail from a pop3 server, and this pop3 server is ran by verizon.net. Verizon is my ISP. That is why you will see a verizon mail server as a relay in the attached email header file. I run my own smtp (postfix) server but you will not see any of this info in the headers. Remember this, Pierre, the winn2000 machine picks up mail directly from the verizon.net pop3 server so it bypasses all my network security but only for the picking up of email does it do this. For every other function, this win2000 server sits behind the firewall and uses NAT to get out to the internet. It was really no big thing to see the attached virus file and delete it but what was unusual was the way these messages ended up being sent back to me as though I was the originator. You might get a kick out of some of the subject lines too. Could anyone really believe this crap, and consequently open a binary file but, then again, people still use windoze and run outlook on it. Go figure. Pierre, in your sleuthing, you will see the ip address, 12.18.104.170 emerge as the likely culprit. This is some user on the AT&T Starnet System but I can not get a hostname on it via nslookup. Post back any new info you can glean from the headers. For example, have you seen any of these addresses before? We will see where all this goes.... p.s. Each header is separated by "*****************HEADERS FROM EMAIL (X)*************************** Dr John Craig Woods UNIX SA
*******************HEADERS FROM EMAIL (1)************************* This Message was undeliverable due to the following reason: Each of the following recipients was rejected by a remote mail server. The reasons given by the server are included to help you determine why each recipient was rejected. Recipient: <[EMAIL PROTECTED]> Reason: Requested action not taken:user account inactive Please reply to [EMAIL PROTECTED] if you feel this message to be in error. Reporting-MTA: dns; out011.verizon.net Arrival-Date: Mon, 8 Apr 2002 09:51:13 -0500 Received-From-MTA: dns; Kuow (12.18.104.170) Final-Recipient: RFC822; <[EMAIL PROTECTED]> Action: failed Status: 5.1.1 Remote-MTA: dns; mx11.hotmail.com (64.4.49.199) Diagnostic-Code: smtp; 550 Requested action not taken:user account inactive Received: from Kuow ([12.18.104.170]) by out011.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id <20020408145112.ZMOJ2777.out011.verizon.net@Kuow> for <[EMAIL PROTECTED]>; Mon, 8 Apr 2002 09:51:12 -0500 From: DERAIDBULLS <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Border MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=Z5r1bsj1mb5613A1N52 Message-Id: <20020408145112.ZMOJ2777.out011.verizon.net@Kuow> Date: Mon, 8 Apr 2002 09:51:13 -0500 Content-Type: text/html; ********************HEADERS FROM EMAIL (2)********************** This Message was undeliverable due to the following reason: Each of the following recipients was rejected by a remote mail server. The reasons given by the server are included to help you determine why each recipient was rejected. Recipient: <[EMAIL PROTECTED]> Reason: <[EMAIL PROTECTED]>... User not known Please reply to [EMAIL PROTECTED] if you feel this message to be in error. Reporting-MTA: dns; out007.verizon.net Arrival-Date: Mon, 8 Apr 2002 09:46:31 -0500 Received-From-MTA: dns; Jezrax (12.18.104.170) Final-Recipient: RFC822; <[EMAIL PROTECTED]> Action: failed Status: 5.1.1 Remote-MTA: dns; mxpool01.netaddress.usa.net (165.212.8.32) Diagnostic-Code: smtp; 550 <[EMAIL PROTECTED]>... User not known Received: from Jezrax ([12.18.104.170]) by out007.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id <20020408144627.ZAKK18698.out007.verizon.net@Jezrax> for <[EMAIL PROTECTED]>; Mon, 8 Apr 2002 09:46:27 -0500 From: JSEINSHEIMER <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: A special funny website MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=AtP583295a7f4A5R4A9NW28616Y92324613R Message-Id: <20020408144627.ZAKK18698.out007.verizon.net@Jezrax> Date: Mon, 8 Apr 2002 09:46:31 -0500 Content-Type: text/html; **********************HEADERS FROM EMAIL (3)************************ This Message was undeliverable due to the following reason: Each of the following recipients was rejected by a remote mail server. The reasons given by the server are included to help you determine why each recipient was rejected. Recipient: <[EMAIL PROTECTED]> Reason: <[EMAIL PROTECTED]> User unknown; rejecting Please reply to [EMAIL PROTECTED] if you feel this message to be in error. Reporting-MTA: dns; out010.verizon.net Arrival-Date: Mon, 8 Apr 2002 09:24:08 -0500 Received-From-MTA: dns; Dqxpy (12.18.104.170) Final-Recipient: RFC822; <[EMAIL PROTECTED]> Action: failed Status: 5.1.1 Remote-MTA: dns; mail.ecommunities.ch (195.216.81.98) Diagnostic-Code: smtp; 550 <[EMAIL PROTECTED]> User unknown; rejecting Received: from Dqxpy ([12.18.104.170]) by out010.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id <20020408142406.MNRS1257.out010.verizon.net@Dqxpy> for <[EMAIL PROTECTED]>; Mon, 8 Apr 2002 09:24:06 -0500 From: bettervw <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: A powful tool MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=JSf7H45gSKdrDT7ZhIOE73o881R1KbV54 Message-Id: <20020408142406.MNRS1257.out010.verizon.net@Dqxpy> Date: Mon, 8 Apr 2002 09:24:08 -0500 Content-Type: text/html; ***********************HEADERS FROM EMAIL (4)************************* The original message was received at Sun, 7 Apr 2002 18:17:48 -0400 (EDT) from out012pub.verizon.net [206.46.170.137] *** ATTENTION *** Your e-mail is being returned to you because there was a problem with its delivery. The address which was undeliverable is listed in the section labeled: "----- The following addresses had permanent fatal errors -----". The reason your mail is being returned to you is listed in the section labeled: "----- Transcript of Session Follows -----". The line beginning with "<<<" describes the specific reason your e-mail could not be delivered. The next line contains a second error message which is a general translation for other e-mail servers. Please direct further questions regarding this message to your e-mail administrator. --AOL Postmaster ----- The following addresses had permanent fatal errors ----- <[EMAIL PROTECTED]> ----- Transcript of session follows ----- ... while talking to air-yb01.mail.aol.com.: >>> RCPT To:<[EMAIL PROTECTED]> <<< 550 MAILBOX NOT FOUND 550 <[EMAIL PROTECTED]>... User unknown Reporting-MTA: dns; rly-yb05.mx.aol.com Arrival-Date: Sun, 7 Apr 2002 18:17:48 -0400 (EDT) Final-Recipient: RFC822; [EMAIL PROTECTED] Action: failed Status: 2.0.0 Remote-MTA: DNS; air-yb01.mail.aol.com Diagnostic-Code: SMTP; 250 OK Last-Attempt-Date: Sun, 7 Apr 2002 18:17:58 -0400 (EDT) Received: from out012.verizon.net (out012pub.verizon.net [206.46.170.137]) by rly-yb05.mx.aol.com (v84.10) with ESMTP id MAILRELAYINYB57-0407181748; Sun, 07 Apr 2002 18:17:48 -0500 Received: from Ghojt ([12.18.104.170]) by out012.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id <20020407221747.GMGO1346.out012.verizon.net@Ghojt> for <[EMAIL PROTECTED]>; Sun, 7 Apr 2002 17:17:47 -0500 From: DERALDBULLS <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Welcome to my hometown MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=Kg959gi0K36E6j4vUBuL0VB52awZ551K3nj Message-Id: <20020407221747.GMGO1346.out012.verizon.net@Ghojt> Date: Sun, 7 Apr 2002 17:17:47 -0500 Content-Type: text/html; ********************HEADERS FROM EMAIL (5)********************* This Message was undeliverable due to the following reason: Each of the following recipients was rejected by a remote mail server. The reasons given by the server are included to help you determine why each recipient was rejected. Recipient: <[EMAIL PROTECTED]> Reason: sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1) Please reply to [EMAIL PROTECTED] if you feel this message to be in error. Reporting-MTA: dns; out016.verizon.net Arrival-Date: Sun, 7 Apr 2002 16:32:56 -0500 Received-From-MTA: dns; Ixvutrhr (12.18.104.170) Final-Recipient: RFC822; <[EMAIL PROTECTED]> Action: failed Status: 5.1.3 Remote-MTA: dns; wayfarer.com (66.28.26.21) Diagnostic-Code: smtp; 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1) Received: from Ixvutrhr ([12.18.104.170]) by out016.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id <20020407213255.TWYG8115.out016.verizon.net@Ixvutrhr> for <[EMAIL PROTECTED]>; Sun, 7 Apr 2002 16:32:55 -0500 From: ctc <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Darling MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=Nlz303709y43e264g40UpA0PY07DA Message-Id: <20020407213255.TWYG8115.out016.verizon.net@Ixvutrhr> Date: Sun, 7 Apr 2002 16:32:56 -0500 Content-Type: text/html;
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com