Re: Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]

2002-04-22 Thread daRcmaTTeR

yeah! no complaints here. Some of the most interesting information I've
read in a while on the expert list.

Mark

 Just a vote to keeping the discussion on-line -- I'd like to try to
 follow it.

 Randy Kramer

 Pierre Fortin wrote:
  This is an interesting thread that can be educational for anyone that
  wishes to follow...  it is a bit off-topic and we can take it offline if
  it bothers anyone...

 Want to buy your Pack or Services from MandrakeSoft?
 Go to http://www.mandrakestore.com





Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] Looking for the Spoofer (was Reading Email headers)

2002-04-21 Thread J. Craig Woods

On Sat, 2002-04-20 at 22:05, Pierre Fortin wrote:
 On Sat, 20 Apr 2002 21:00:29 -0500 Jason Guidry [EMAIL PROTECTED]
 wrote:
 
  
   It looks like someone has decided that I don't have enough headaches and
   has started sending me viri.  Normally this would not bother me, but the
   problem is that the from line shows my email address on my website
   [EMAIL PROTECTED]!
 
 Spoofing by spammer(?) at 66.24.19.151 (syr-66-24-19-151.twcny.rr.com).
  

I have received several of these types of infected email (W32/Klez.e@MM)
coming to a win2000 box on my network. Pierre is correct in his
assumption about spoofing being done. It appears that the virus code
does the spoofing. This code generates an email, with the virus file
attached, and this email is then sent. This email, the one generated by
the offending machine, is created as though I am the originator, which I
am clearly not. This is where the spoofing comes to be a part of the
process.

Now, here is the question for Pierre or any others that might have some
thoughts on this. In my investigation of this matter, I have made the
following observations:

The only logical way that the offending machine would know to use my
address (spoofing) as the originator is that this person/machine is
using some variation of Outlook, such as Outlook Express or Outlook
(W32/Klez.e@MM only works with versions of MS Outlook), and this means
that my address is in that person/machine's address book, i.e. someone
that knows me or at least has my address in their address book, is
responsible for sending this virus email that has my address at the
originator. It could be that this person/machine is *not* aware that
this is occurring but this is nonetheless how it all got started.

Would like to see some thoughts on this logic (sanity check)... 

aka Dr John,
The Night Tripper
-- 
J. Craig Woods
UNIX/NT Network/System Administration

-Art is the illusion of spontaneity-





Re: [expert] Looking for the Spoofer (was Reading Email headers)

2002-04-21 Thread Jason Guidry

J. Craig Woods wrote:
 On Sat, 2002-04-20 at 22:05, Pierre Fortin wrote:
 
On Sat, 20 Apr 2002 21:00:29 -0500 Jason Guidry [EMAIL PROTECTED]
wrote:


It looks like someone has decided that I don't have enough headaches and
has started sending me viri.  Normally this would not bother me, but the
problem is that the from line shows my email address on my website
[EMAIL PROTECTED]!

Spoofing by spammer(?) at 66.24.19.151 (syr-66-24-19-151.twcny.rr.com).
 
 

Ok, now I think I understand the situation.  I assumed someone was 
somehow using the email acct off my website *ignernt-grin*

my heart-rate has now slowed ~10bpm.  more below...

 
 I have received several of these types of infected email (W32/Klez.e@MM)
 coming to a win2000 box on my network. Pierre is correct in his
 assumption about spoofing being done. It appears that the virus code
 does the spoofing. This code generates an email, with the virus file
 attached, and this email is then sent. This email, the one generated by
 the offending machine, is created as though I am the originator, which I
 am clearly not. This is where the spoofing comes to be a part of the
 process.
 

do the headers of the mail you are getting match any of the mail you are 
getting?  I'm suspicious of a BBS i posted to about sheetmusic available 
  on my website.  I think I'm gonna contact the guy in charge and 
compare IPs.  I realise that the person sending the email may not be 
aware, but I don't know who would have my address from Syracuse.

-- 
Jason Guidry
http://www.gmaestro.org













Re: [expert] Looking for the Spoofer (was Reading Email headers)

2002-04-21 Thread J. Craig Woods

On Sun, 2002-04-21 at 17:49, Jason Guidry wrote:
 
 do the headers of the mail you are getting match any of the mail you are 
 getting?  I'm suspicious of a BBS i posted to about sheetmusic available 
   on my website.  I think I'm gonna contact the guy in charge and 
 compare IPs.  I realise that the person sending the email may not be 
 aware, but I don't know who would have my address from Syracuse.
 

Not sure about the BBS being the source of your problems, Jason, but I
kinda doubt it. The headers on the infected mail I received didn't match
anything else I might be receiving at the time of delivery. After
looking at a few of these infected emails, about the only consistency I
could find was that the origin was the same ip address, each time with a
different name, such as [EMAIL PROTECTED] or
[EMAIL PROTECTED]. The other constant was that the address it was
sending to (destination address) was usually a bogus address; sometimes
not even the domain name was real.

The bottom line is, I think this is what Pierre is saying. You can
identify the originating ip address in the email headers but, in the
final analysis, this ip address may be spoofed, meaning that the ip
address may or may not be the offending machine.

Nope, you do not have to worry: this mail is not being sent by your
machine unless you might be using windoze with some version of MS
outlook..

As a matter of fact, I have never heard of or seen an email type virus,
such as W32/Klez.e@MM, on linux. Another reason to bring the uninitiated
into the fold, right LX? 

Dr John
-- 
J. Craig Woods
UNIX/NT Network/System Administration

-Art is the illusion of spontaneity-





Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]

2002-04-21 Thread Pierre Fortin

This is an interesting thread that can be educational for anyone that
wishes to follow...  it is a bit off-topic and we can take it offline if
it bothers anyone...

Jason & DrJ,

Can you guys send me, privately, the headers of these messages...?  I'm a
bit of a sleuth and am curious about this one...

Sidebar:  a while back, I started seeing a hacker using my web site to
hide his/her activities.  Today, the packets continue (even if
unproductive due to my HoneyPort); but the emerging pattern is that
someone may be trying to boost click-through counts to affect
advertising charges...  If anyone is seeing packets from 211.154.65.144,
I'd be interested in getting some info from you...

Pierre


On 21 Apr 2002 20:22:24 -0500 J. Craig Woods [EMAIL PROTECTED]
wrote:

 On Sun, 2002-04-21 at 17:49, Jason Guidry wrote:
  
  do the headers of the mail you are getting match any of the mail you
  are getting?  I'm suspicious of a BBS i posted to about sheetmusic
  available on my website.  I think I'm gonna contact the guy in charge and
  compare IPs.  I realise that the person sending the email may not be
  aware, but I don't know who would have my address from Syracuse.
  
 
 Not sure about the BBS being the source of your problems, Jason, but I
 kinda doubt it. The headers on the infected mail I received didn't match
 anything else I might be receiving at the time of delivery. After
 looking at a few of these infected emails, about the only consistency I
 could find was that the origin was the same ip address, each time with a
 different name, such as [EMAIL PROTECTED] or
 [EMAIL PROTECTED]. The other constant was that the address it was
 sending to (destination address) was usually a bogus address; sometimes
 not even the domain name was real.
 
 The bottom line is, I think this is what Pierre is saying. You can
 identify the originating ip address in the email headers but, in the
 final analysis, this ip address may be spoofed, meaning that the ip
 address may or may not be the offending machine.
 
 Nope, you do not have to worry: this mail is not being sent by your
 machine unless you might be using windoze with some version of MS
 outlook..
 
 As a matter of fact, I have never heard of or seen an email type virus,
 such as W32/Klez.e@MM, on linux. Another reason to bring the uninitiated
 into the fold, right LX? 
 
 Dr John
 -- 
 J. Craig Woods
 UNIX/NT Network/System Administration
 
 -Art is the illusion of spontaneity-
 
 
 




Re: Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]

2002-04-21 Thread Randy Kramer

Just a vote to keeping the discussion on-line -- I'd like to try to
follow it.

Randy Kramer

Pierre Fortin wrote:
 This is an interesting thread that can be educational for anyone that
 wishes to follow...  it is a bit off-topic and we can take it offline if
 it bothers anyone...




Re: Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]

2002-04-21 Thread Carroll Grigsby

Yeah, keep it going. It might help me understand why I keep sending great 
amounts of spam to myself.
-- cmg


On Sunday 21 April 2002 10:14 pm, Randy Kramer wrote:
 Just a vote to keeping the discussion on-line -- I'd like to try to
 follow it.

 Randy Kramer

 Pierre Fortin wrote:
  This is an interesting thread that can be educational for anyone that
  wishes to follow...  it is a bit off-topic and we can take it offline if
  it bothers anyone...




Re: Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]

2002-04-21 Thread J. Craig Woods

Pierre Fortin wrote:
 This is an interesting thread that can be educational for anyone that
 wishes to follow...  it is a bit off-topic and we can take it offline if
 it bothers anyone...
 

Well it looks like some votes are in for learning, and that is always a 
good thing. And, after all, this is the place for learning about 
mandrake and security.

As we have seen, these script kiddies can be very clever. I am attaching 
some headers from email that was returned to me as though I had sent 
them. I did not send them. I am not the originator, and each time it was 
sent back to me, it had the W32/Klez.e@mm virus file attached to it. As 
I posted earlier, this actually came into a win2000 server on my 
network. I am running firewall rules and snort (http://www.snort.org) 
and other security protection programs, such as tripwire (hey can you be 
*too* paranoid?). This particular win2000 server picks up mail from a 
pop3 server, and this pop3 server is run by verizon.net. Verizon is my 
ISP. That is why you will see a verizon mail server as a relay in the 
attached email header file. I run my own smtp (postfix) server but you 
will not see any of this info in the headers. Remember this, Pierre, the 
win2000 machine picks up mail directly from the verizon.net pop3 server 
so it bypasses all my network security but only for the picking up of 
email does it do this. For every other function, this win2000 server 
sits behind the firewall and uses NAT to get out to the internet.

It was really no big thing to see the attached virus file and delete it 
but what was unusual was the way these messages ended up being sent back 
to me as though I was the originator. You might get a kick out of some 
of the subject lines too. Could anyone really believe this crap, and 
consequently open a binary file but, then again, people still use 
windoze and run outlook on it. Go figure.

Pierre, in your sleuthing, you will see the ip address, 12.18.104.170 
emerge as the likely culprit. This is some user on the ATT Starnet 
System but I can not get a hostname on it via nslookup. Post back any 
new info you can glean from the headers. For example, have you seen any 
of these addresses before? We will see where all this goes.


p.s. Each header is separated by
***HEADERS FROM EMAIL (X)***

Dr John

Craig Woods
UNIX SA



***HEADERS FROM EMAIL (1)***

This Message was undeliverable due to the following reason:

Each of the following recipients was rejected by a remote mail server.
The reasons given by the server are included to help you determine why
each recipient was rejected.

Recipient: [EMAIL PROTECTED]
Reason:Requested action not taken:user account inactive


Please reply to [EMAIL PROTECTED]
if you feel this message to be in error.
Reporting-MTA: dns; out011.verizon.net
Arrival-Date: Mon, 8 Apr 2002 09:51:13 -0500
Received-From-MTA: dns; Kuow (12.18.104.170)

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx11.hotmail.com (64.4.49.199)
Diagnostic-Code: smtp; 550 Requested action not taken:user account inactive
Received: from Kuow ([12.18.104.170]) by out011.verizon.net
  (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
  id 20020408145112.ZMOJ2777.out011.verizon.net@Kuow
  for [EMAIL PROTECTED]; Mon, 8 Apr 2002 09:51:12 -0500
From: DERAIDBULLS [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Border
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Z5r1bsj1mb5613A1N52
Message-Id: 20020408145112.ZMOJ2777.out011.verizon.net@Kuow
Date: Mon, 8 Apr 2002 09:51:13 -0500

Content-Type: text/html;

***HEADERS FROM EMAIL (2)***

This Message was undeliverable due to the following reason:

Each of the following recipients was rejected by a remote mail server.
The reasons given by the server are included to help you determine why
each recipient was rejected.

Recipient: [EMAIL PROTECTED]
Reason:[EMAIL PROTECTED]... User not known


Please reply to [EMAIL PROTECTED]
if you feel this message to be in error.
Reporting-MTA: dns; out007.verizon.net
Arrival-Date: Mon, 8 Apr 2002 09:46:31 -0500
Received-From-MTA: dns; Jezrax (12.18.104.170)

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Remote-MTA: dns; mxpool01.netaddress.usa.net (165.212.8.32)
Diagnostic-Code: smtp; 550 [EMAIL PROTECTED]... User not known
Received: from Jezrax ([12.18.104.170]) by out007.verizon.net
  (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
  id 20020408144627.ZAKK18698.out007.verizon.net@Jezrax
  for [EMAIL PROTECTED]; Mon, 8 Apr 2002 09:46:27 -0500
From: JSEINSHEIMER [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: A special  funny website
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=AtP583295a7f4A5R4A9NW28616Y92324613R
Message-Id: 

Re: [expert] Looking for the Spoofer (was Reading Email headers)

2002-04-21 Thread Woody Green

Here is an explanation of the Klez virus.  Note that based on the
explanation below, an open relay is not required.  The virus can simply
using its own SMTP engine contact the recipient's email server and drop
the email which is perfectly 'legal' (meaning within SMTP rules as
defined by the RFCs and common safe SMTP setup practices, not legal as
in the law).  If someone contacts your email server to send email to
you, it's not relaying.

http:[EMAIL PROTECTED]

Excerpt of virus' operation:
-
Email:
This worm searches the Windows address book, the ICQ database, and local
files for email addresses. The worm sends an email message to these
addresses with itself as an attachment. The worm contains its own SMTP
engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random.
The From address is randomly-chosen from email addresses that the worm
finds on the infected computer.
-

Enjoy,

 Woody

On Sun, 2002-04-21 at 19:22, J. Craig Woods wrote:
snip
 
 As a matter of fact, I have never heard of or seen an email type virus,
 such as W32/Klez.e@MM, on linux. Another reason to bring the uninitiated
 into the fold, right LX? 
 

-- 
 Woody

---
Gatewood Green    Web Developer/Systems Admin
Email: [EMAIL PROTECTED]
http://www.linif.org/ Linux in Idaho Falls Linux User Group
---
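The bounce reports DrJ attached a few messages up and the Klez description Woody quotes here show the same pattern: one originating IP (12.18.104.170), a different self-declared HELO name (Kuow, Jezrax) on every connection, a From: line picked from whatever addresses the infected machine had lying around, and a non-existent recipient, which is why the mail comes back to the person named in From:. The script below is an added example, not code from this thread: it unfolds the headers, pulls the relay chain out of each Received: line, cross-checks the earliest hop against the DSN's Received-From-MTA field, and groups a batch of bounces by the origin IP the relay recorded. The IP in parentheses is what the relay that stamped the line saw on the TCP connection; the HELO name in front of it and the From: line are whatever the client chose to send. The two sample bounces are constructed from the headers posted above, with the redacted addresses replaced by placeholders (drjohn@example.net, someone@hotmail.com and nobody@netaddress.usa.net are assumptions).

```python
import re
from collections import defaultdict

# Two bounce reports constructed from the headers posted in the thread.
# Relay names, the 12.18.104.170 origin and the HELO names Kuow/Jezrax are
# the thread's own; the addresses are placeholders for the redacted ones.
BOUNCE_1 = """\
Reporting-MTA: dns; out011.verizon.net
Received-From-MTA: dns; Kuow (12.18.104.170)
Final-Recipient: RFC822; someone@hotmail.com
Status: 5.1.1
Received: from Kuow ([12.18.104.170]) by out011.verizon.net
  (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
  id 20020408145112.ZMOJ2777.out011.verizon.net@Kuow
  for <someone@hotmail.com>; Mon, 8 Apr 2002 09:51:12 -0500
From: DERAIDBULLS <drjohn@example.net>
Subject: Border
"""
BOUNCE_2 = """\
Reporting-MTA: dns; out007.verizon.net
Received-From-MTA: dns; Jezrax (12.18.104.170)
Final-Recipient: RFC822; nobody@netaddress.usa.net
Status: 5.1.1
Received: from Jezrax ([12.18.104.170]) by out007.verizon.net
  (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
  id 20020408144627.ZAKK18698.out007.verizon.net@Jezrax
  for <nobody@netaddress.usa.net>; Mon, 8 Apr 2002 09:46:27 -0500
From: JSEINSHEIMER <drjohn@example.net>
Subject: A special funny website
"""

HEADER_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\(\[?(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]?\))?"
    r".*?\bby\s+(?P<by>\S+)", re.IGNORECASE)
MTA_RE = re.compile(r"dns;\s*(?P<name>\S+)\s*\((?P<ip>[\d.]+)\)")


def unfold(text):
    """Join RFC 822 folded continuation lines (those starting with whitespace)."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_headers(text):
    """(name, value) pairs in order of appearance; non-header prose is skipped."""
    return [m.groups() for m in map(HEADER_RE.match, unfold(text)) if m]


def get(headers, name):
    """All values of one header, case-insensitive, in order of appearance."""
    return [v for n, v in headers if n.lower() == name.lower()]


def received_chain(headers):
    """One dict per Received: line, newest hop first, as the message lists them."""
    hops = []
    for value in get(headers, "Received"):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]})
    return hops


def origin(headers):
    """The host that connected to the earliest relay (bottom-most Received:).
    Its ip is what that relay saw on the socket; helo is what the client
    announced. Cross-checked against the DSN's Received-From-MTA when present."""
    hops = received_chain(headers)
    if not hops:
        return None
    first = dict(hops[-1])
    dsn = get(headers, "Received-From-MTA")
    if dsn:
        m = MTA_RE.search(dsn[0])
        first["dsn_agrees"] = bool(m) and m["ip"] == first["ip"]
    return first


def indicators(headers):
    """Per-message flags for the pattern described in the thread."""
    o = origin(headers)
    if o is None:
        return ["no-received-line"]
    flags = []
    if "." not in o["helo"]:                 # "Kuow", "Jezrax": not a real FQDN
        flags.append("single-label-helo")
    if o.get("dsn_agrees") is False:         # relay's stamp and DSN disagree
        flags.append("dsn-received-mismatch")
    if any(s.startswith("5.1.1") for s in get(headers, "Status")):
        flags.append("bad-recipient")        # 5.1.1: destination mailbox unknown
    return flags


def correlate(bounces):
    """Group bounce texts by origin IP, collecting the HELO names and From:
    lines seen from each. One IP, many names, many senders is the signature."""
    by_ip = defaultdict(lambda: {"helo": set(), "from": set(), "flags": set()})
    for text in bounces:
        h = parse_headers(text)
        o = origin(h)
        if o is None:
            continue
        rec = by_ip[o["ip"]]
        rec["helo"].add(o["helo"])
        rec["from"].update(get(h, "From"))
        rec["flags"].update(indicators(h))
    return dict(by_ip)


if __name__ == "__main__":
    for ip, rec in correlate([BOUNCE_1, BOUNCE_2]).items():
        print(ip, sorted(rec["helo"]), sorted(rec["from"]), sorted(rec["flags"]))
```

Run on the two samples it prints a single group for 12.18.104.170 with both HELO names and both From: lines. The only hop worth trusting is the one stamped by a relay you know (here the ISP's outbound server); everything below it in the chain, and the From: line, is under the sending machine's control, so a comparison of the kind Jason proposes should be done on that recorded peer address and not on anything the client announced.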





Re: [expert] Looking for the Spoofer (was Reading Email headers)

2002-04-21 Thread J. Craig Woods

On Mon, 2002-04-22 at 00:33, Woody Green wrote:
 Here is an explanation of the Klez virus.  Note that based on the
 explanation below, an open relay is not required.  The virus can simply
 using its own SMTP engine contact the recipient's email server and drop
 the email which is perfectly 'legal' (meaning within SMTP rules as
 defined by the RFCs and common safe SMTP setup practices, not legal as
 in the law).  If someone contacts your email server to send email to
 you, it's not relaying.

Hey Woody, I think you got in on the thread a bit late. While I
appreciate this info, it was already discussed and known (look at the
earlier posting I made on the virus). What is of more intrigue, and where
this thread is heading, was the question asked in an earlier thread. Can
you render an assumption on that point?

Dr John
-- 
J. Craig Woods
UNIX/NT Network/System Administration

-Art is the illusion of spontaneity-



