OT: Inundated with bogus(?) warnings I'm infected

Mike McCarty Mike.McCarty at sbcglobal.net
Fri Sep 15 03:25:48 UTC 2006


Paul Howarth wrote:
> On Thu, 2006-09-14 at 13:05 -0500, Mike McCarty wrote:
> 
>>Ok, here's an example. I turned on all headers. The actual message
>>in this case is one that my ISP caught, and clobbered the attachment
>>which the ISP claims contains a copy of a virus. In cases like this,

[snip]

>>Subject: Delivery reports about your e-mail
>>From: "Mail Administrator" <MAILER-DAEMON at sbcglobal.net>
>>Date: Wed, 13 Sep 2006 14:23:40 +0000
>>To: mike.mccarty at sbcglobal.net
>>X-Apparently-To: mike.mccarty at sbcglobal.net via 216.252.101.37; Wed, 13 
>>Sep 2006 11:07:33 -0700
>>X-Originating-IP: [162.39.117.147]
>>Authentication-Results:
>>mta101.sbc.mail.mud.yahoo.com from=sbcglobal.net; domainkeys=neutral (no 
>>sig)
>>Received: from 207.115.57.79 (EHLO ylpvm48.prodigy.net) (207.115.57.79) 
>>by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700
> 
> 
> I'm guessing that SBC are outsourcing some of their mail handling to
> Yahoo! - is that right?

They have some sort of reciprocal agreement. Exactly what that is
I'm not sure.

> 207.115.57.79 is within the network that SBC's inbound mail servers use,
> so since the mail was addressed to you at sbcglobal.net, it looks like a
> valid Received: header and that the mail is then forwarded to Yahoo! for
> virus scanning etc.
> 
> So this one looks genuine to me.

What I thought. It looks like someone is sending e-mail, and spoofing
my address as the originator. When it is undeliverable, it gets bounced
(back to me) with the (viral) attachment still there. Yahoo finds
the infection, cleans it, and forwards the bounced message on to me.

>>X-Originating-IP: [162.39.117.147]
>>Received: from sbcglobal.net (h147.117.39.162.ip.alltel.net 
>>[162.39.117.147]) by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP 
>>id k8DI7NKK019802 for <mike.mccarty at sbcglobal.net>; Wed, 13 Sep 2006 
>>14:07:31 -0400
> 
> 
> This is the only remaining Received: header so it stands to reason that
> the source identified here (h147.117.39.162.ip.alltel.net
> [162.39.117.147]) is where the infection is. A further giveaway is that

That was the way I analyzed it.

> the sender pretended to be sbcglobal.net (i.e. your domain), in order to
> try to throw people off the scent when identifying the source; this is a
> typical trick employed by spammers, yet it gives them away so easily to
> people that understand Received: headers.

That's what I thought as well. The *numerical* IP addresses in the
"Received by" field (I thought) were always correct.

> Since this is almost certainly a dynamic IP address, there's not a lot
> further you can do to identify the actual person that's infected short
> of forwarding the message to abuse at alltel.net and let them figure out
> who was connected at that time.

Perhaps not, but I thought that I might at least identify
the ISP and get them to investigate.

Thanks for the reply.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
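Paul's reading of the Received: chain, as an added Python example that is not from the thread: it takes the headers quoted above (re-folded into a constructed message), walks the hops newest-first, stops trusting the chain where a hop's "by" host is not named by the hop above it, and reports the bottom-most trusted hop's socket IP and reverse DNS next to the HELO name the sender claimed. The parse_hop and trace_origin functions and the continuity check are my own constructions, not anything the list members posted.

```python
import re
from email import message_from_string

# Constructed from the headers quoted in the post above, folded onto
# continuation lines the way the real message carried them.
RAW_MESSAGE = """\
Subject: Delivery reports about your e-mail
From: "Mail Administrator" <MAILER-DAEMON@sbcglobal.net>
To: mike.mccarty@sbcglobal.net
Received: from 207.115.57.79 (EHLO ylpvm48.prodigy.net) (207.115.57.79)
 by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700
Received: from sbcglobal.net (h147.117.39.162.ip.alltel.net
 [162.39.117.147]) by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP
 id k8DI7NKK019802 for <mike.mccarty@sbcglobal.net>; Wed, 13 Sep 2006
 14:07:31 -0400
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_hop(header):
    """One Received: header -> the HELO name the sender claimed, the reverse
    DNS and IP the receiving MTA recorded for the socket, and that MTA."""
    text = " ".join(header.split())  # unfold continuation lines
    m = re.search(r"from\s+(\S+)(.*?)\bby\s+(\S+)", text)
    if not m:
        return None
    helo, between, by = m.groups()
    # Bracketed IP first: digits also occur inside reverse-DNS names.
    ip = re.search(rf"\[({IPV4})\]", between) or re.search(rf"\b({IPV4})\b", between)
    rdns = re.search(r"\(([A-Za-z0-9.-]+)\s*\[", between)
    return {"helo": helo, "ip": ip.group(1) if ip else None,
            "rdns": rdns.group(1) if rdns else None, "by": by, "text": text}

def trace_origin(raw, our_domain):
    """Each relay prepends its own Received: header, so the bottom-most one
    written by a relay we trust is the hop that first accepted the message."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    # The relay that wrote hop i+1 (its "by") must be the host hop i received from.
    for i in range(len(hops) - 1):
        if hops[i + 1]["by"] not in hops[i]["text"]:
            hops = hops[: i + 1]  # below a break the headers are untrusted
            break
    if not hops:
        return None
    origin = hops[-1]
    rdns = origin["rdns"] or ""
    # The thread's giveaway: HELO claims our own domain, reverse DNS points elsewhere.
    origin["helo_spoofed"] = origin["helo"].endswith(our_domain) and not rdns.endswith(our_domain)
    return origin
```

Run against RAW_MESSAGE with "sbcglobal.net" it reports 162.39.117.147 (h147.117.39.162.ip.alltel.net) as the origin with helo_spoofed set, which is the alltel.net host both posters settled on.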