Re: Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]
yeah! no complaints here. Some of the most interesting information I've read in a while on the expert list.

Mark

> Just a vote for keeping the discussion on-line -- I'd like to try to follow it.
>
> Randy Kramer
>
> Pierre Fortin wrote:
> > This is an interesting thread that can be educational for anyone that wishes to follow... it is a bit off-topic and we can take it offline if it bothers anyone...

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]
This is an interesting thread that can be educational for anyone that wishes to follow... it is a bit off-topic and we can take it offline if it bothers anyone...

Jason, DrJ,

Can you guys send me, privately, the headers of these messages...? I'm a bit of a sleuth and am curious about this one...

Sidebar: a while back, I started seeing a hacker using my web site to hide his/her activities. Today, the packets continue (even if unproductive due to my HoneyPort); but the emerging pattern is that someone may be trying to boost click-through counts to affect advertising charges... If anyone is seeing packets from 211.154.65.144, I'd be interested in getting some info from you...

Pierre

On 21 Apr 2002 20:22:24 -0500 J. Craig Woods [EMAIL PROTECTED] wrote:

> On Sun, 2002-04-21 at 17:49, Jason Guidry wrote:
> > do the headers of the mail you are getting match any of the mail you are getting? I'm suspicious of a BBS I posted to about sheet music available on my website. I think I'm gonna contact the guy in charge and compare IPs. I realise that the person sending the email may not be aware, but I don't know who would have my address from Syracuse.
>
> Not sure about the BBS being the source of your problems, Jason, but I kinda doubt it. The headers on the infected mail I received didn't match anything else I might be receiving at the time of delivery. After looking at a few of these infected emails, about the only consistency I could find was that the origin was the same IP address, each time with a different name, such as [EMAIL PROTECTED] or [EMAIL PROTECTED]. The other constant was that the address it was sending to (destination address) was usually a bogus address; sometimes not even the domain name was real. The bottom line is, I think this is what Pierre is saying: you can identify the originating IP address in the email headers but, in the final analysis, this IP address may be spoofed, meaning that the IP address may or may not be the offending machine.
>
> Nope, you do not have to worry: this mail is not being sent by your machine unless you might be using windoze with some version of MS Outlook. As a matter of fact, I have never heard of or seen an email-type virus, such as W32/Klez.e@MM, on Linux. Another reason to bring the uninitiated into the fold, right LX?
>
> Dr John
> --
> J. Craig Woods
> UNIX/NT Network/System Administration
> -Art is the illusion of spontaneity-
Re: Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]
Just a vote for keeping the discussion on-line -- I'd like to try to follow it.

Randy Kramer

Pierre Fortin wrote:
> This is an interesting thread that can be educational for anyone that wishes to follow... it is a bit off-topic and we can take it offline if it bothers anyone...
Re: Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]
Yeah, keep it going. It might help me understand why I keep sending great amounts of spam to myself.

-- cmg

On Sunday 21 April 2002 10:14 pm, Randy Kramer wrote:
> Just a vote for keeping the discussion on-line -- I'd like to try to follow it.
>
> Randy Kramer
>
> Pierre Fortin wrote:
> > This is an interesting thread that can be educational for anyone that wishes to follow... it is a bit off-topic and we can take it offline if it bothers anyone...
Re: Sleuthing [Re: [expert] Looking for the Spoofer (was Reading Email headers)]
Pierre Fortin wrote:
> This is an interesting thread that can be educational for anyone that wishes to follow... it is a bit off-topic and we can take it offline if it bothers anyone...

Well it looks like some votes are in for learning, and that is always a good thing. And, after all, this is the place for learning about mandrake and security. As we have seen, these script kiddies can be very clever.

I am attaching some headers from email that was returned to me as though I had sent them. I did not send them. I am not the originator, and each time it was sent back to me, it had the W32/Klez.e@mm virus file attached to it. As I posted earlier, this actually came into a win2000 server on my network. I am running firewall rules and snort (http://www.snort.org) and other security protection programs, such as tripwire (hey, can you be *too* paranoid?). This particular win2000 server picks up mail from a pop3 server, and this pop3 server is run by verizon.net. Verizon is my ISP. That is why you will see a verizon mail server as a relay in the attached email header file. I run my own smtp (postfix) server but you will not see any of this info in the headers. Remember this, Pierre: the win2000 machine picks up mail directly from the verizon.net pop3 server, so it bypasses all my network security, but only for the picking up of email does it do this. For every other function, this win2000 server sits behind the firewall and uses NAT to get out to the internet.

It was really no big thing to see the attached virus file and delete it, but what was unusual was the way these messages ended up being sent back to me as though I was the originator. You might get a kick out of some of the subject lines too. Could anyone really believe this crap and consequently open a binary file? But, then again, people still use windoze and run outlook on it. Go figure.

Pierre, in your sleuthing, you will see the ip address 12.18.104.170 emerge as the likely culprit. This is some user on the ATT Starnet System but I cannot get a hostname on it via nslookup. Post back any new info you can glean from the headers. For example, have you seen any of these addresses before? We will see where all this goes.

p.s. Each header is separated by ***HEADERS FROM EMAIL (X)***

Dr John Craig Woods
UNIX SA

***HEADERS FROM EMAIL (1)***

This Message was undeliverable due to the following reason:

Each of the following recipients was rejected by a remote mail server. The reasons given by the server are included to help you determine why each recipient was rejected.

Recipient: [EMAIL PROTECTED]
Reason: Requested action not taken:user account inactive

Please reply to [EMAIL PROTECTED] if you feel this message to be in error.

Reporting-MTA: dns; out011.verizon.net
Arrival-Date: Mon, 8 Apr 2002 09:51:13 -0500
Received-From-MTA: dns; Kuow (12.18.104.170)
Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx11.hotmail.com (64.4.49.199)
Diagnostic-Code: smtp; 550 Requested action not taken:user account inactive

Received: from Kuow ([12.18.104.170]) by out011.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id 20020408145112.ZMOJ2777.out011.verizon.net@Kuow for [EMAIL PROTECTED]; Mon, 8 Apr 2002 09:51:12 -0500
From: DERAIDBULLS [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Border
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Z5r1bsj1mb5613A1N52
Message-Id: 20020408145112.ZMOJ2777.out011.verizon.net@Kuow
Date: Mon, 8 Apr 2002 09:51:13 -0500
Content-Type: text/html;

***HEADERS FROM EMAIL (2)***

This Message was undeliverable due to the following reason:

Each of the following recipients was rejected by a remote mail server. The reasons given by the server are included to help you determine why each recipient was rejected.

Recipient: [EMAIL PROTECTED]
Reason: [EMAIL PROTECTED]... User not known

Please reply to [EMAIL PROTECTED] if you feel this message to be in error.

Reporting-MTA: dns; out007.verizon.net
Arrival-Date: Mon, 8 Apr 2002 09:46:31 -0500
Received-From-MTA: dns; Jezrax (12.18.104.170)
Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Remote-MTA: dns; mxpool01.netaddress.usa.net (165.212.8.32)
Diagnostic-Code: smtp; 550 [EMAIL PROTECTED]... User not known

Received: from Jezrax ([12.18.104.170]) by out007.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id 20020408144627.ZAKK18698.out007.verizon.net@Jezrax for [EMAIL PROTECTED]; Mon, 8 Apr 2002 09:46:27 -0500
From: JSEINSHEIMER [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: A special funny website
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=AtP583295a7f4A5R4A9NW28616Y92324613R
Message-Id:
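An added example, not part of the thread or any poster's code: a small Python reader that pulls the Received chain out of a bounced message like the ones above, puts the earliest hop (the one the Verizon relay recorded: Kuow / 12.18.104.170) beside the claimed From: address, and flags the bare, unqualified HELO name that a Windows desktop presents when it talks SMTP directly, which is what makes the From: line worthless here. The sample message, its outer hop, the address 198.51.100.7 and all mailbox addresses are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Matches "Received: from <helo> (<optional rdns> [<ip>]) by <server> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^)\[]*\s)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)

# Constructed sample modelled on the first bounce in the thread: the Kuow hop is the
# one posted; the outer hop, 198.51.100.7 and the addresses are placeholders.
SAMPLE = """\
Received: from out011.verizon.net (out011.verizon.net [198.51.100.7])
    by mx11.hotmail.invalid with ESMTP; Mon, 8 Apr 2002 09:51:13 -0500
Received: from Kuow ([12.18.104.170]) by out011.verizon.net
    (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
    id 20020408145112.ZMOJ2777.out011.verizon.net@Kuow
    for <recipient@hotmail.invalid>; Mon, 8 Apr 2002 09:51:12 -0500
From: DERAIDBULLS <drjohn@verizon.invalid>
To: recipient@hotmail.invalid
Subject: Border

"""

def parse_received(raw):
    """Received hops in transit order, originating hop first (each relay
    prepends its own line, so header order is the reverse of transit order)."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(m.groupdict())
    hops.reverse()
    return hops

def helo_is_bare(helo):
    """Unqualified HELO (no dot, not an address literal): a desktop, not an MTA."""
    return "." not in helo and not helo.startswith("[")

def summarize(raw):
    """Put the claimed From: next to the first hop a relay actually recorded."""
    msg = email.message_from_string(raw)
    origin = (parse_received(raw) or [{"helo": "", "ip": "", "by": ""}])[0]
    return {
        "claimed_from": parseaddr(msg.get("From", ""))[1],
        "origin_helo": origin["helo"],
        "origin_ip": origin["ip"],
        "recorded_by": origin["by"],
        "bare_helo": bool(origin["helo"]) and helo_is_bare(origin["helo"]),
    }
```

Only the hop written by a relay you trust (here the Verizon server) is evidence; the From: line and the HELO name are both chosen by the sending machine.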