[ale] Sanitized, spoofed "bounced e-mail" header....

Fulton Green ale at FultonGreen.com
Sat Jul 13 16:39:37 EDT 2002


"host 216.163.188.206" yields several canonicals, including
c9mailgw04.amadis.com . But "host c9mailgw04.amadis.com" yields 10.9.14.4.
"whois 216.163.188.206 at whois.arin.net" yields info for "Commtouch", as does
"whois amadis.com". "whois 10.9.14.4" yields an IANA reserved block.
Hmmm ...

On Sat, Jul 13, 2002 at 04:07:56PM -0400, Brian J. Dowd wrote:
> Following is the beginning (minus about 1000 lines of attempted
> buffer-overflow code) of an ostensibly bounced-back e-mail I received.
> Can someone tell me the actual origination of this? Is it
> C9Mailgw04.amadis.com ? I need a short lesson in decoding mail headers
> and/or a good FAQ on which to read up.
> Thanks,
> -Brian
> 
> 
> > From - Sat Jul 14 11:12:59 2002
> > X-UIDL: 17toxP14F3NZFoB0.0
> > X-Mozilla-Status: 0001
> > X-Mozilla-Status2: 00000000
> > Status:  U
> > Return-Path: <stuffingbox at starband.net>
> > Received: from C9Mailgw04.amadis.com ([216.163.188.206])
> >     by thrush (EarthLink SMTP Server) with ESMTP id 17toxP14F3NZFoB0
> >     for <bdowd at dentfirst.com>; Sat, 13 Jul 2002 08:10:49 -0700 (PDT)
> > Received: from c9service11.amadis.com (10.9.0.1)
> >         id 3CDDFFF9004FE8B7 for bdowd at DentFirst.com; Sat, 13 Jul 2002 08:07:38 -0700
> > Received: from Tredhpnhu (148.64.26.235) by c9service11.amadis.com (NPlex 6.5.012)
> >         id 3D063B24000CB581 for bdowd at DentFirst.com; Sat, 13 Jul 2002 08:07:38 -0700
> > Date: Sat, 13 Jul 2002 08:07:38 -0700 (added by postmaster at c9service11.amadis.com)
> > Message-ID: <3D063B24000CB581 at c9service11.amadis.com> (added by postmaster at c9service11.amadis.com)
> > From: postmaster <postmaster at DentFirst.com>
> > To: bdowd at DentFirst.com
> > Subject: Returned mail--"eager to see you"
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative;
> >     boundary=Cw82V71J097148WcTF2G1WFKL4tw
> >
> > --Cw82V71J097148WcTF2G1WFKL4tw
> > Content-Type: text/html;
> > Content-Transfer-Encoding: quoted-printable
> >
> > <HTML><HEAD></HEAD><BODY>
> >
> > <FONT>The following mail can't be sent to nlam22461 at yahoo.com:<br>
> > <br>
> > From: bdowd at DentFirst.com<br>
> > To: nlam22461 at yahoo.com<br>
> > Subject: eager to see you<br>
> > The file is the original mail</FONT></BODY></HTML>
> >
> > --Cw82V71J097148WcTF2G1WFKL4tw
> > Content-Type: application/octet-stream;
> >     name=valued sony customer at hotmail.msn[1].bat
> > Content-Transfer-Encoding: base64
> > Content-ID: <Xzl4MKqj347GMfp6JD>
> >
> > TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAA
> 
> <snipped last 1000+ lines>
> 
> >
> 
> 

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
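As an added example (this is not code from Fulton's or Brian's message), the following Python script does the header walk Fulton describes by hand: it reads the Received: lines of the bounce from the bottom up, flags RFC 1918 addresses such as 10.9.0.1 as internal relays of whoever wrote the header, reports the earliest routable source, and decodes the start of the attachment to show that a file named .bat begins with the "MZ" signature of a Windows executable rather than batch text. The message embedded in the script is a constructed stand-in assembled from the headers as the archive printed them (addresses with "at" left as-is); the HTML part is shortened, only the one quoted base64 line is kept, the attachment name is quoted so the MIME parser reads it, and a closing boundary is added because the rest was snipped.

```python
from __future__ import annotations

import base64
import ipaddress
import re
from email import message_from_string

# Constructed sample: headers as posted to the list, body trimmed, attachment
# name quoted, closing boundary added. Not the complete original message.
RAW_MESSAGE = """\
Return-Path: <stuffingbox at starband.net>
Received: from C9Mailgw04.amadis.com ([216.163.188.206])
    by thrush (EarthLink SMTP Server) with ESMTP id 17toxP14F3NZFoB0
    for <bdowd at dentfirst.com>; Sat, 13 Jul 2002 08:10:49 -0700 (PDT)
Received: from c9service11.amadis.com (10.9.0.1)
        id 3CDDFFF9004FE8B7 for bdowd at DentFirst.com; Sat, 13 Jul 2002 08:07:38 -0700
Received: from Tredhpnhu (148.64.26.235) by c9service11.amadis.com (NPlex 6.5.012)
        id 3D063B24000CB581 for bdowd at DentFirst.com; Sat, 13 Jul 2002 08:07:38 -0700
From: postmaster <postmaster at DentFirst.com>
To: bdowd at DentFirst.com
Subject: Returned mail--"eager to see you"
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Cw82V71J097148WcTF2G1WFKL4tw

--Cw82V71J097148WcTF2G1WFKL4tw
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>The following mail can't be sent</BODY></HTML>

--Cw82V71J097148WcTF2G1WFKL4tw
Content-Type: application/octet-stream;
    name="valued sony customer at hotmail.msn[1].bat"
Content-Transfer-Encoding: base64
Content-ID: <Xzl4MKqj347GMfp6JD>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAA

--Cw82V71J097148WcTF2G1WFKL4tw--
"""

# "from <helo-name> (<ip>)" or "from <helo-name> ([<ip>])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def trace_hops(raw: str) -> list[dict]:
    """Return the Received: hops in delivery order (earliest first).

    'name' is the HELO string the client chose (attacker-controlled);
    'ip' is what the recording server actually saw on the socket.
    """
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its header, so the top Received: is the last hop.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.match(text)
        if not m:
            continue
        by = BY_RE.search(text)
        hops.append({
            "name": m["name"],
            "ip": m["ip"],
            "by": by["by"] if by else None,
            "private": ipaddress.ip_address(m["ip"]).is_private,
        })
    return hops


def origin(hops: list[dict]) -> dict | None:
    """Earliest hop with a routable source IP: the best lead on the origin.

    RFC 1918 addresses are internal relays of whoever wrote that header.
    Only headers added by servers you trust are reliable; everything below
    the first trusted hop could have been forged by the sender.
    """
    for hop in hops:
        if not hop["private"]:
            return hop
    return None


def attachment_signature(raw: str) -> tuple[str | None, bytes, bool]:
    """Decode the first octet-stream part and test for a DOS/PE 'MZ' header."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() != "application/octet-stream":
            continue
        b64 = "".join(str(part.get_payload()).split())
        b64 += "=" * (-len(b64) % 4)  # quoted line stops mid-block; pad it
        data = base64.b64decode(b64)
        return part.get_filename(), data[:16], data.startswith(b"MZ")
    return None, b"", False


if __name__ == "__main__":
    hops = trace_hops(RAW_MESSAGE)
    for h in hops:
        kind = "private" if h["private"] else "routable"
        print(f"{h['ip']:<16} {kind:<9} helo={h['name']} by={h['by']}")
    print("probable origin:", origin(hops))
    print("attachment:", attachment_signature(RAW_MESSAGE))
```

Reading the output the way Fulton does: the hop recorded by EarthLink's own server (216.163.188.206) is the only one the recipient can vouch for; the two amadis.com lines were written by amadis.com's machines and are only as trustworthy as they are, and "Tredhpnhu" is just whatever the connecting client said in HELO. The From: line is not evidence of anything. The decoded attachment starting with MZ is the real warning sign: it is an executable wearing a .bat name, not a returned message.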