Well, there's not a lot to go on, but here's what I can tell you by looking at the 
headers:

1) The subject looks a lot like someone is sending you the W32.KlezE worm.  See here 
for more information:

http:[EMAIL PROTECTED]

2) The From: (J.MARSHAK) is irrelevant.  Forging this is trivial.  If this is 
W32.KlezE, it's probably not even the originating address, so we'll disregard it for 
now.

3) The only "real" information here can be found in the first Received: line.  Note 
the IP address:

131.95.135.162

This is the "address" of the machine which is originating these messages.  This cannot 
easily be forged or erased.  The only potential "gotcha" in the case of these 
originating addresses is if they are an RFC 1918 (private network) address.  These are 
addresses which begin with 192.168, 172.16, or 10.  You can find a full explanation of 
these addresses here:

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1918.html

If you _do_ see one of these private addresses, it's meaningless without getting 
additional information from the administrator of the network the machine is on (go 
down one or more Received: lines until you get a public IP address, then follow the 
same process as described below).

131.95.135.162 is a public IP address, so first, we can find out who is responsible 
for this network block using a whois query against whois.arin.net:

[begin WHOIS block]

simian!jeremy 23 $ whois -h whois.arin.net 131.95.135.162
University of Southern Mississippi (NET-USM)
   Box 10001
   Hattiesburg, MS 39406
   US

   Netname: USM
   Netblock: 131.95.0.0 - 131.95.255.255

   Coordinator:
      University of Southern Mississippi  (ZU66-ARIN)  usmtc@usm.
      601-266-4000

   Domain System inverse mapping provided by:

   DARBAN.CC.USM.EDU            131.95.84.2
   JUPITER.COAM.USM.EDU         198.49.215.21

   Record last updated on 18-Oct-2001.
   Database last updated on  25-Jun-2002 20:00:18 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

[end WHOIS block]

No big surprise here.  The machine is directly or indirectly under the purview of USM.

If we do a traceroute to this machine, we get the following information (truncated for 
brevity):

17  205.152.137.232 (205.152.137.232)  95.106 ms  94.528 ms  95.015 ms
18  172.19.146.122 (172.19.146.122)  97.577 ms  96.360 ms  98.707 ms
19  172.22.0.2 (172.22.0.2)  100.591 ms  97.032 ms  98.891 ms
20  131.95.135.150 (131.95.135.150)  102.044 ms  97.819 ms  96.604 ms
21   131.95.135.162 (131.95.135.162) 382.436 ms   281.091 ms   278.937 ms

Note the substantial jump in response time between hop 20 and 21.  This could mean a 
number of things (a really busy connection, bad wiring, an ancient machine, a slow 
router, etc.), but based on the time jump, the best guess is that the machine is 
connecting to the network via modem.

Thus, here's where we're at with this.  A forged header, most likely a popular and 
quickly replicating worm for a payload, a modem user at a big land grant university, 
no easy-to-identify fingerprints, and approximately 13,000 potential suspects.

If you're really obsessed by this, send the header to one of the operations folks at 
USM.  There is enough information for a patient and sympathetic operator to trace this 
message back to a human being.  As for me, I get 10 of these worms a week.  I throw 
them away, and figure that I'll get something back in the future as karmic payment 
for my time being wasted in the present.

Hope this was helpful.

Jeremy

*********** REPLY SEPARATOR  ***********

On 6/24/2002 at 11:20 PM [EMAIL PROTECTED] wrote:

>Someone's been sending me these HTML-type emails with the IFRAME-type tags.
>Here is one of the headers from the email. It seems that it is coming from
>some person with an account at USM.EDU named J.MARSHAK (all of the emails
>have the same type of heading). Can someone explain some, if not all, of
>this header information? (I purposely put [EMAIL PROTECTED] to hide my
>personal information.)
>
>Thank you in advance.
>
>-Roberto
>
>-----------------------------------------------------
>
>Received: from ocean.otr.usm.edu ([131.95.82.42]) by
>trinity.infinethosting.com with Microsoft SMTPSVC(5.0.2195.4905);
>        Mon, 24 Jun 2002 13:44:41 -0500
>Received: from Vcc ([131.95.135.162])
>       by ocean.otr.usm.edu (8.11.6/8.11.6) with SMTP id g5OIgo231905
>       for <[EMAIL PROTECTED]>; Mon, 24 Jun 2002 13:42:55 -0500
>Date: Mon, 24 Jun 2002 13:42:55 -0500
>Message-Id: <[EMAIL PROTECTED]>
>From: tommyd <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: A special  nice game
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>--------------------------------------------------------
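The header walk-through in Jeremy's reply above (take the earliest Received: hop, check whether its address is RFC 1918, and if so move down the chain until a public address appears), as an added example that is not part of the original thread. The first sample is the header block quoted above with the archive's [EMAIL PROTECTED] placeholders left in; the second sample, its hostnames and the 203.0.113.7 address are made up to show the private-first-hop case.

```python
import ipaddress
import re
# RFC 1918 blocks: the reply names them by prefix, these are the full CIDR ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"^[\w-]+:")  # a line that starts a new header field
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Constructed sample: the header block quoted in this thread (archive placeholders kept).
SAMPLE_HEADERS = """\
Received: from ocean.otr.usm.edu ([131.95.82.42]) by
trinity.infinethosting.com with Microsoft SMTPSVC(5.0.2195.4905);
        Mon, 24 Jun 2002 13:44:41 -0500
Received: from Vcc ([131.95.135.162])
       by ocean.otr.usm.edu (8.11.6/8.11.6) with SMTP id g5OIgo231905
       for <[EMAIL PROTECTED]>; Mon, 24 Jun 2002 13:42:55 -0500
"""
# Constructed sample whose earliest hop is an RFC 1918 address (hostnames made up).
PRIVATE_ORIGIN = """\
Received: from relay.example.net ([203.0.113.7]) by mx.example.org; Mon, 24 Jun 2002 13:44:41 -0500
Received: from workstation ([192.168.1.20]) by relay.example.net; Mon, 24 Jun 2002 13:42:55 -0500
"""
def unfold(headers):
    """Join folded continuation lines onto the header field they belong to."""
    fields = []
    for raw in headers.splitlines():
        if FIELD.match(raw) or not fields:
            fields.append(raw.strip())
        else:
            fields[-1] += " " + raw.strip()
    return fields

def received_chain(headers):
    """Received: fields in travel order; relays prepend, so the bottom-most line is the earliest hop."""
    return [f for f in unfold(headers) if f.lower().startswith("received:")][::-1]
def sender_ip(received_field):
    """IPv4 literal in the 'from ...' clause (the connecting client), or None if absent/invalid."""
    m = re.search(r"\bfrom\s+(.*?)\s+by\s", received_field, re.IGNORECASE)
    ip = IPV4.search(m.group(1)) if m else None
    try:
        return str(ipaddress.ip_address(ip.group(1))) if ip else None
    except ValueError:  # e.g. 999.1.2.3 satisfies the loose regex
        return None
def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)
def originating_ip(headers):
    """Walk from the earliest hop to the first public address: (ip, hop index) or (None, None)."""
    for hop, field in enumerate(received_chain(headers)):
        ip = sender_ip(field)
        if ip and not is_rfc1918(ip):
            return ip, hop
    return None, None
```

A private first hop only tells you which network's administrator holds the rest of the trail, which is the point the reply makes; the public address is what you can take to a whois lookup.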