[ale] E-mail Virus (with header)

Frank Zamenski fzamenski at voyager.net
Mon Dec 17 22:54:11 EST 2001



Yup, indeed I did ask. You be one
mean email sleuthing 'l33t' dude! :)

Thanks for the education!

Frank


----- Original Message -----
From: "Fulton Green" <ale at FultonGreen.com>
To: ale at ale.org
To: "Frank Zamenski" <fzamenski at voyager.net>
Cc: "ALE" <ale at ale.org>
Sent: Monday, December 17, 2001 10:29 PM
Subject: Re: [ale] E-mail Virus (with header)


> Having been the victim of many a spam recently, I've really had to get my
> "mad email sleuthing skillz" on. :)
>
> The key is always in the "Received:" headers. It used to be that the first
> few "Received:" headers would tend to be more accurate than the later ones,
> but most of the MTAs out there seem to have gotten more fake-proof. Anyhow,
> if you look at the first Received header:
>
> Received: from imf01bis.bellsouth.net (mail201.mail.bellsouth.net [205.152.58.141])
> by magneto.troycable.net (8.9.3/8.9.3) with ESMTP id MAA46322
> for <mlecroy at troycable.net>; Mon, 17 Dec 2001 12:18:06 -0600 (CST)
> (envelope-from sangell at bellsouth.net)
>
> You'll notice three addresses in the "From:" field: the "imf01bis", the
> "mail201.mail" (both in the BellSouth ISP domain, obviously) and an IP.
> Other MTAs (most notably Exim) use a different format, but in this case:
>
> - "imf01bis" represents the address that the BellSouth mail relay identified
>   itself as to Troy Cable's mail relay
> - This address is reported by the originator in the SMTP "HELO" command
> - "mail201.mail" represents the successful reverse lookup of ...
> - 205.152.58.141, which is the "actual" IP of the originating host (assuming
>   no funky low-level spoofing is in effect)
>
> Looking at the next header, the destination address reported appears to
> match up with at least some of the previous header's info, so the confidence
> level is high that this header is legit and not faked. OTOH, the origination
> address is claimed to be "aol.com" by this header's originator. That's the
> first tip-off for me, as this didn't look like a typical header from an
> AOL relay. So I looked at the "actual" part of the "from" address info and
> attempted my own reverse lookup, which yielded the ADSL canonical. Note
> that the canonical part didn't appear in this header, most likely because
> BellSouth opted not to perform reverse lookups, perhaps in an effort to
> conserve spare CPU and/or bandwidth resources.
>
> Now most of the spam I've received lately seems to come from specially
> opened Internet access accounts used solely for the purpose of connecting
> to an open mail relay. Over half of the spams originate from AT&T Managed
> Services (prserv.net), and over half of them use an open mail relay in
> China. A lot of times, the reverse lookup fails, so I lookup the IP in
> ARIN's Whois DB:
> whois a.b.c.d@whois.arin.net
> and repeat (going to other regions' whois servers, if necessary) until I find
> what I need.
>
> Hey, you asked. :)
>
> On Mon, Dec 17, 2001 at 09:28:09PM -0500, Frank Zamenski wrote:
> > Perhaps it should be obvious by inspection, but I'm not an
> > email guru either. How did you deduce that?
> >
> > > The "AOL.com" was spoofed. OTOH, the accompanying origination IP maps to
> > > the canonical adsl-156-62-200.asm.bellsouth.net . Look familiar?
> > >
> > > On Mon, Dec 17, 2001 at 02:30:19PM -0500, sangell at nan.net wrote:
> > > >  Return-Path: <sangell at bellsouth.net>
> > > >  Received: from imf01bis.bellsouth.net (mail201.mail.bellsouth.net [205.152.58.141])
> > > >  by magneto.troycable.net (8.9.3/8.9.3) with ESMTP id MAA46322
> > > >  for <mlecroy at troycable.net>; Mon, 17 Dec 2001 12:18:06 -0600 (CST)
> > > >  (envelope-from sangell at bellsouth.net)
> > > >  Received: from aol.com ([66.156.62.200]) by imf01bis.bellsouth.net
> > > >  (InterMail vM.5.01.04.00 201-253-122-122-20010827) with SMTP
> > > >  id <20011217181301.IGN21185.imf01bis.bellsouth.net at aol.com>
> > > >  for <mlecroy at troycable.net>; Mon, 17 Dec 2001 13:13:01 -0500
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
>
>


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
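The header-walking procedure Fulton describes above (read the Received: chain from the bottom up, split each hop into the HELO name, the reverse-DNS name the receiving MTA recorded, and the literal IP, then compare the HELO claim against the reverse lookup and check that each hop's "from" links to the previous hop's "by"), as an added example that is not code from the thread. The sample message re-joins the headers quoted in the thread; the reverse-DNS table is constructed so the script runs offline and stands in for socket.gethostbyaddr(), with the two entries being the names the thread reports. The sendmail-style "from X (Y [IP]) by Z" clause is the only Received: format handled; other MTAs (Exim, as Fulton notes) format the clause differently and would need their own pattern.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import Callable, List, Optional

# Headers as quoted in the thread, re-joined into one message so the parser
# has realistic input (the archive's "at" obfuscation is undone here).
SAMPLE_MESSAGE = """\
Return-Path: <sangell@bellsouth.net>
Received: from imf01bis.bellsouth.net (mail201.mail.bellsouth.net
 [205.152.58.141])
 by magneto.troycable.net (8.9.3/8.9.3) with ESMTP id MAA46322
 for <mlecroy@troycable.net>; Mon, 17 Dec 2001 12:18:06 -0600 (CST)
 (envelope-from sangell@bellsouth.net)
Received: from aol.com ([66.156.62.200]) by imf01bis.bellsouth.net
 (InterMail vM.5.01.04.00 201-253-122-122-20010827) with SMTP
 id <20011217181301.IGN21185.imf01bis.bellsouth.net@aol.com>
 for <mlecroy@troycable.net>; Mon, 17 Dec 2001 13:13:01 -0500
Subject: Re: [ale] E-mail Virus (with header)

(body omitted)
"""

# Constructed reverse-DNS table standing in for socket.gethostbyaddr() so the
# example runs offline; the entries are the names reported in the thread.
OFFLINE_RDNS = {
    "205.152.58.141": "mail201.mail.bellsouth.net",
    "66.156.62.200": "adsl-156-62-200.asm.bellsouth.net",
}

# sendmail-style clause "from HELO (RDNS [IP]) by RECEIVER".  The RDNS part is
# absent when the receiver skipped the reverse lookup, giving "([IP])".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>[^\s(;]+)"
)


@dataclass
class Hop:
    helo: str             # name the sender claimed in HELO/EHLO (attacker-controlled)
    rdns: Optional[str]   # reverse lookup the receiver recorded, if it did one
    ip: str               # address the receiver actually saw connect
    by: str               # the receiving MTA that wrote this header


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received: header; None if it is not in the sendmail format."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold and collapse whitespace
    if not m:
        return None
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"])


def hops_bottom_up(raw: str) -> List[Hop]:
    """Received: headers are prepended by each MTA, so the last one is the origin."""
    msg = message_from_string(raw)
    parsed = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(parsed) if h is not None]


def registered_domain(name: str) -> str:
    """Crude last-two-labels key, enough for .com/.net style names."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw: str, rdns_lookup: Callable[[str], Optional[str]]) -> List[dict]:
    """Origin hop first.  For each hop: does the HELO name agree with the reverse
    DNS of the connecting IP, and does its HELO match the 'by' of the hop below it
    (i.e. does the chain actually link up)?"""
    hops = hops_bottom_up(raw)
    report = []
    for i, hop in enumerate(hops):
        rdns = hop.rdns or rdns_lookup(hop.ip)  # trust the receiver's lookup first
        report.append({
            "helo": hop.helo,
            "ip": hop.ip,
            "rdns": rdns,
            "by": hop.by,
            "helo_matches_rdns": (
                None if rdns is None
                else registered_domain(hop.helo) == registered_domain(rdns)
            ),
            "links_to_previous_hop": (
                None if i == 0 else hop.helo.lower() == hops[i - 1].by.lower()
            ),
        })
    return report


if __name__ == "__main__":
    for entry in analyze(SAMPLE_MESSAGE, OFFLINE_RDNS.get):
        print(entry)
```

Run against the quoted headers, the origin hop comes out with HELO "aol.com" but reverse DNS in bellsouth.net, so helo_matches_rdns is False, while the BellSouth-to-Troy Cable hop both agrees with its reverse lookup and links to the hop before it. Only the IP and the receiver's own annotations are trustworthy; the HELO name and any Received: headers the originator inserted itself are whatever the sender chose to write.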