[Declude.Virus] FORGE question.
Hey gang,

I was curious about something. We have gotten an e-mail to our abuse account at least 3 times stating we're sending him spam/infected mail. This is the bottom header line of what he sees.

Received: from Satumqc ([63.160.179.245]) by out016.verizon.net (InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP id [EMAIL PROTECTED] for user; Wed, 2 Apr 2003 19:35:37 -0600

Now that IP shown IS ours, but the brackets tell me it's fake. Besides, our mailserver is obviously not verizon.

Comments / suggestions? This guy's starting to tick me off.

Paul

---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.

Re: [Declude.Virus] FORGE question.
> Received: from Satumqc ([63.160.179.245]) by out016.verizon.net (InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP id [EMAIL PROTECTED] for user; Wed, 2 Apr 2003 19:35:37 -0600
>
> Now that IP shown IS ours, but the brackets tell me it's fake. Besides, our mailserver is obviously not verizon.
>
> Comments / suggestions? This guy's starting to tick me off.

Actually, the bracket doesn't mean it is fake. The bracket just indicates an IP address. This header means that the mailserver claims to be called out016.verizon.net, and that it received the E-mail from a mailserver (or mail client) claiming to be Satumqc, from the IP 63.160.179.245.

Most likely, this E-mail *did* originate from 63.160.179.245. The only way to be sure is to have verizon.net confirm it, but they are very unlikely to do that, given the volume of viruses that are transmitted via their mailservers.

-Scott

Re: [Declude.Virus] FORGE question.
> Actually, the bracket doesn't mean it is fake. The bracket just indicates an IP address. This header means that the mailserver claims to be called out016.verizon.net, and that it received the E-mail from a mailserver (or mail client) claiming to be Satumqc, from the IP 63.160.179.245.

Ok, I figured fake since it was a KLEZ sent mail message..

> Most likely, this E-mail *did* originate from 63.160.179.245. The only way to be sure is to have verizon.net confirm it, but they are very unlikely to do that, given the volume of viruses that are transmitted via their mailservers.

Hmmm, that's really odd. When someone logs onto our system and is assigned an IP, and this particular one was not in use at the time of this least not issued by us...

Thanks Scott. Any other ideas?

Paul

Re: [Declude.Virus] FORGE question.
>> Actually, the bracket doesn't mean it is fake. The bracket just indicates an IP address. This header means that the mailserver claims to be called out016.verizon.net, and that it received the E-mail from a mailserver (or mail client) claiming to be Satumqc, from the IP 63.160.179.245.
>
> Ok, I figured fake since it was a KLEZ sent mail message..

It's (virtually) impossible for a virus, spammer, or hacker to forge an IP address. What they *can* forge, very easily, is Received: headers. In this case, Klez will often use *.verizon.net mailservers to spread (apparently, they are open relays). So the Received: header was almost certainly added by Verizon, which would mean that the virus could not forge it.

>> Most likely, this E-mail *did* originate from 63.160.179.245. The only way to be sure is to have verizon.net confirm it, but they are very unlikely to do that, given the volume of viruses that are transmitted via their mailservers.
>
> Hmmm, that's really odd. When someone logs onto our system and is assigned an IP, and this particular one was not in use at the time of this least not issued by us...

Have you double-checked and triple-checked?

-Scott
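
Added example, not part of the thread: a Python sketch of the double-check asked for above. It parses the Received: line quoted in the first message, separates the forgeable HELO name from the peer IP the receiving server recorded, and converts the -0600 timestamp to UTC before looking the IP up in session records. The lease list, its layout and the user names are constructed assumptions, as are the function names.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The Received: line quoted in the thread (the redacted id is kept as posted).
RECEIVED = ("from Satumqc ([63.160.179.245]) by out016.verizon.net "
            "(InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP "
            "id [EMAIL PROTECTED] for user; Wed, 2 Apr 2003 19:35:37 -0600")

PATTERN = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+"
    r"by\s+(?P<by>\S+)", re.S)

def parse_received(value):
    """Split one Received: value into claimed and recorded parts."""
    m = PATTERN.search(value)
    if not m:
        raise ValueError("unrecognised Received: layout")
    # The timestamp follows the last ';' and carries its own UTC offset.
    stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    return {
        "helo": m.group("helo"),  # name the sender claimed; forgeable
        "ip": m.group("ip"),      # peer address recorded by the receiver
        "by": m.group("by"),      # server that added this header
        "utc": stamp.astimezone(timezone.utc),
    }

def sessions_holding(ip, when_utc, leases):
    """Return the users whose session held `ip` at `when_utc`."""
    return [user for user, lease_ip, start, end in leases
            if lease_ip == ip and start <= when_utc <= end]

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed lease records (user, ip, start UTC, end UTC); not real data.
LEASES = [
    ("user-a", "63.160.179.245", utc(2003, 4, 2, 18, 0), utc(2003, 4, 2, 20, 30)),
    ("user-b", "63.160.179.245", utc(2003, 4, 3, 1, 10), utc(2003, 4, 3, 2, 5)),
    ("user-c", "63.160.179.244", utc(2003, 4, 3, 1, 0), utc(2003, 4, 3, 3, 0)),
]

if __name__ == "__main__":
    hop = parse_received(RECEIVED)
    print(hop["helo"], hop["ip"], hop["by"], hop["utc"].isoformat())
    print(sessions_holding(hop["ip"], hop["utc"], LEASES))
```

Reading 19:35:37 as if it were already UTC or local log time selects a different session (or none) in the constructed data, which is one way an address can look unassigned at the time in question.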