Suspected Intruder

James Kosin jkosin at beta.intcomgrp.com
Fri Jan 7 18:57:25 UTC 2005


Don Flinn wrote:

|On Thu, 2005-01-06 at 15:49 +0000, Paul Howarth wrote:
|
|>Don Flinn wrote:
|>
|>>I suspect that an intruder may be using my node to send e-mail, because
|>>I have received some notices from my e-mail daemon that such and such
|>>was not available when I never sent e-mail to that person/address.
|>>
|>>How do I check if someone is logged in/using my machine?  I'm running
|>>FC3.
|>
|>Please post the full headers of one of these notices. It's possible that
|>you're just getting backscatter due to a virus somewhere else forging
|>your address as the sender.
|>
|>Paul.
|>
|
|Paul
|
|Here is the info from the Mail Daemon (For clarity my name is not
|Monika :-).  Some others on this mailing list also speculated that
|someone is spoofing my address and have not compromised my machine.
|Thanks to all for your suggestions.
|
|Don
|
|------ Mail daemon message follows ------------
|Reporting-MTA: dns; rly-nc05.mx.aol.com
|Arrival-Date: Thu, 30 Dec 2004 10:50:31 -0500 (EST)
|
|Final-Recipient: RFC822; beachboy99 at netscape.net
|Action: failed
|Status: 5.1.1
|Remote-MTA: DNS; air-nc02.mail.aol.com
|Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
|Last-Attempt-Date: Thu, 30 Dec 2004 10:50:55 -0500 (EST)
|
|
|Received: from  31.red-212-40-232.user.auna.net
|(31.red-212-40-232.user.auna.net [212.40.232.31]) by rly-nc05.mx.aol.com
|(v103.7) with ESMTP id MAILRELAYINNC56-68c41d423a72b4; Thu, 30 Dec 2004
|10:50:18 -0500
|Date: Thu, 30 Dec 2004 15:43:33 +0000
|From: Monika <flinn at alum.mit.edu>
|To: beachboy99 at netscape.net
|Subject: =?Windows-1251?B?1OXp5fDi5fDq6CDu8iDv8O7o5+Lu5Ojy5ev/IO/uIO3o5
|+ro7CD25e3g7C4=?=
|MIME-Version: 1.0
|Content-Type: multipart/related;
| boundary="----------6BE01FA8FBDE43307081C8A850"
|X-AOL-IP: 212.40.232.31
|X-AOL-SCOLL-SCORE: 0:2:31266268:1342177
|X-AOL-SCOLL-URL_COUNT: 0
|Message-ID: <200412301050.68c41d423a72b4 at rly-nc05.mx.aol.com>
|
|
(1)  AOL doesn't relay messages for non-members, that I'm aware of.
(2)  The IP address in question, 212.40.232.31, has a slow response
time at the destination...  probably due to the hundreds of emails being
sent out.

In conclusion:
~  The email is probably a VIRUS, sent directly from the above IP...
spoofing as AOL sending a return notice back to you.
~  I've had this happen a few times.  The best you can do is email the
domain administrator for the domain that owns the IP address in
question asking them to investigate the matter.

Thanks,
James

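The check Paul and James perform by eye, reading the returned message's earliest Received: header to see which host actually injected the mail, can be scripted. This is an added example, not code from the thread or from Fedora; the DSN text is a constructed sample modelled on the one quoted above, and the OWN_OUTBOUND network is a hypothetical value standing in for the networks your own mail server sends from.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample modelled on the DSN quoted in the thread (quote bars
# stripped, addresses written with '@', Subject and date fields omitted).
SAMPLE_DSN = """Reporting-MTA: dns; rly-nc05.mx.aol.com

Final-Recipient: RFC822; beachboy99@netscape.net
Action: failed
Status: 5.1.1
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND

Received: from 31.red-212-40-232.user.auna.net
 (31.red-212-40-232.user.auna.net [212.40.232.31]) by rly-nc05.mx.aol.com
 (v103.7) with ESMTP id MAILRELAYINNC56-68c41d423a72b4; Thu, 30 Dec 2004
 10:50:18 -0500
From: Monika <flinn@alum.mit.edu>
X-AOL-IP: 212.40.232.31
"""

# Networks this site legitimately sends mail from (hypothetical value).
OWN_OUTBOUND = ["192.0.2.0/24"]

def unfold_headers(block):
    """Re-join folded continuation lines (those that start with whitespace)."""
    lines = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def returned_headers(dsn_text):
    """Last blank-line separated part of a text DSN: the bounced message's headers."""
    parts = [p for p in re.split(r"\n[ \t]*\n", dsn_text.strip()) if p.strip()]
    return unfold_headers(parts[-1])

def injecting_ip(headers):
    """Bracketed IP in the earliest (last-listed) Received: header."""
    received = [h for h in headers if h.lower().startswith("received:")]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return ip_address(m.group(1)) if m else None

def classify_bounce(dsn_text, own_networks=OWN_OUTBOUND):
    """'backscatter' if a host that is not ours injected the bounced mail."""
    ip = injecting_ip(returned_headers(dsn_text))
    if ip is None:
        return "unknown"
    if any(ip in ip_network(n) for n in own_networks):
        return "sent-from-our-host"  # then check the local mail queue and logs
    return "backscatter"
```

Only a "sent-from-our-host" result points at the local machine; for the sample, the injecting host is 212.40.232.31, so the bounce is backscatter from a forged sender address.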




More information about the fedora-list mailing list