
Re: OT: Inundated with bogus(?) warnings I'm infected



Paul Howarth wrote:
> On Thu, 2006-09-14 at 13:05 -0500, Mike McCarty wrote:
>
>> Ok, here's an example. I turned on all headers. The actual message
>> in this case is one that my ISP caught, and clobbered the attachment
>> which the ISP claims contains a copy of a virus. In cases like this,
>
> [snip]
>
>> Subject: Delivery reports about your e-mail
>> From: "Mail Administrator" <MAILER-DAEMON sbcglobal net>
>> Date: Wed, 13 Sep 2006 14:23:40 +0000
>> To: mike mccarty sbcglobal net
>> X-Apparently-To: mike mccarty sbcglobal net via 216.252.101.37; Wed, 13 Sep 2006 11:07:33 -0700
>> X-Originating-IP: [162.39.117.147]
>> Authentication-Results: mta101.sbc.mail.mud.yahoo.com from=sbcglobal.net; domainkeys=neutral (no sig)
>> Received: from 207.115.57.79 (EHLO ylpvm48.prodigy.net) (207.115.57.79) by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700
>
> I'm guessing that SBC are outsourcing some of their mail handling to
> Yahoo! - is that right?

They have some sort of reciprocal agreement. Exactly what that is
I'm not sure.

> 207.115.57.79 is within the network that SBC's inbound mail servers use,
> so since the mail was addressed to you at sbcglobal.net, it looks like a
> valid Received: header and that the mail is then forwarded to Yahoo! for
> virus scanning etc.
>
> So this one looks genuine to me.

What I thought. It looks like someone is sending e-mail, and spoofing
my address as the originator. When it is undeliverable, it gets bounced
(back to me) with the (viral) attachment still there. Yahoo finds
the infection, cleans it, and forwards the bounced message on to me.

>> X-Originating-IP: [162.39.117.147]
>> Received: from sbcglobal.net (h147.117.39.162.ip.alltel.net [162.39.117.147]) by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP id k8DI7NKK019802 for <mike mccarty sbcglobal net>; Wed, 13 Sep 2006 14:07:31 -0400
>
> This is the only remaining Received: header so it stands to reason that
> the source identified here (h147.117.39.162.ip.alltel.net
> [162.39.117.147]) is where the infection is. A further giveaway is that

That was the way I analyzed it.

> the sender pretended to be sbcglobal.net (i.e. your domain), in order to
> try to throw people off the scent when identifying the source; this is a
> typical trick employed by spammers, yet it gives them away so easily to
> people that understand Received: headers.

That's what I thought as well. The *numerical* IP addresses in the
"Received by" field (I thought) were always correct.

> Since this is almost certainly a dynamic IP address, there's not a lot
> further you can do to identify the actual person that's infected short
> of forwarding the message to abuse alltel net and letting them figure out
> who was connected at that time.

Perhaps not, but I thought that I might at least identify
the ISP and get them to investigate.

Thanks for the reply.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
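As an added illustration of the header walk Paul describes above (this is example code, not anything posted in the thread), the Python script below parses the two Received: headers quoted in the message, checks that each "by" host matches the "from" host of the header written just above it, takes the last header as the hop closest to the real sender, and flags the giveaway Paul points out: a HELO name claiming the recipient's own domain while the receiving MTA's reverse lookup of the connecting IP points somewhere else. The sample message is constructed from the headers on this page (archive address munging left as-is); the local domain is passed in as a parameter because the To: address here is munged.

```python
"""Trace a bounced message back through its Received: chain.

Added example, not code from the thread. The sample message below is built
from the headers quoted in the thread, with the archive's address munging
left as-is.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample: only the headers quoted in the thread, no body.
SAMPLE = """\
Subject: Delivery reports about your e-mail
From: "Mail Administrator" <MAILER-DAEMON sbcglobal net>
X-Originating-IP: [162.39.117.147]
Received: from 207.115.57.79 (EHLO ylpvm48.prodigy.net) (207.115.57.79) by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700
Received: from sbcglobal.net (h147.117.39.162.ip.alltel.net [162.39.117.147]) by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP id k8DI7NKK019802 for <mike mccarty sbcglobal net>; Wed, 13 Sep 2006 14:07:31 -0400

"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?P<parens>(?:\([^)]*\)\s*)*)by\s+(?P<by>\S+)")


@dataclass
class Hop:
    helo: str            # name the sender announced in HELO/EHLO (sender-controlled, may lie)
    rdns: Optional[str]  # reverse-DNS name the receiving MTA looked up itself
    ip: Optional[str]    # connecting IP the receiving MTA saw (the part Mike trusts)
    by: str              # the MTA that wrote this header


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received: header in either sendmail or Yahoo style."""
    text = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return None  # e.g. a local-delivery header with no from/by pair
    helo, rdns = m.group("helo"), None
    for paren in re.findall(r"\(([^)]*)\)", m.group("parens")):
        toks = paren.split()
        if len(toks) >= 2 and toks[0].upper() in ("EHLO", "HELO"):
            helo = toks[1]  # Yahoo style: "from IP (EHLO name) (IP)"
        elif toks and not re.fullmatch(IPV4, toks[0]) and not toks[0].startswith("["):
            rdns = toks[0]  # sendmail style: "from helo (rdns [ip])"
    before_by = text[:m.start("by")]
    ips = re.findall(r"\[(%s)\]" % IPV4, before_by) or re.findall(r"\b(%s)\b" % IPV4, before_by)
    return Hop(helo, rdns, ips[0] if ips else None, m.group("by"))


def domain_of(host: Optional[str]) -> str:
    """Last two labels of a hostname, lower-cased ("" if unknown)."""
    if not host:
        return ""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyse(raw: str, local_domain: str) -> Tuple[Hop, List[str]]:
    """Return the origin hop and a list of findings about the chain."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        raise ValueError("no parseable Received: headers")
    findings: List[str] = []
    # Each MTA prepends its own header, so the list reads newest-first and the
    # LAST Received: header is the hop closest to the real sender. Every "by"
    # host should reappear as the "from" host of the header written above it.
    for newer, older in zip(hops, hops[1:]):
        if newer.helo.lower() != older.by.lower():
            findings.append(f"chain break: {older.by} handed off, but {newer.by} says it got the mail from {newer.helo}")
    origin = hops[-1]
    local = local_domain.lower()
    # Paul's giveaway: the origin greets with the victim's own domain while the
    # MTA's reverse lookup of the connecting IP lands in a different domain.
    if domain_of(origin.helo) == local and domain_of(origin.rdns) != local:
        findings.append(f"forged HELO: claims {origin.helo} but reverse DNS of {origin.ip} is {origin.rdns or 'unknown'}")
    xoip = (msg.get("X-Originating-IP") or "").strip("[] ")
    if xoip and origin.ip and xoip != origin.ip:
        findings.append(f"X-Originating-IP {xoip} disagrees with origin hop {origin.ip}")
    return origin, findings


if __name__ == "__main__":
    origin, findings = analyse(SAMPLE, "sbcglobal.net")
    print(f"origin: ip={origin.ip} rdns={origin.rdns} helo={origin.helo} (recorded by {origin.by})")
    for f in findings:
        print("  -", f)
```

Run on the sample it reports the alltel.net host as the origin and a single finding, the forged sbcglobal.net HELO. The script only trusts fields the receiving MTA filled in itself (the bracketed IP and the reverse-DNS name); the HELO string is whatever the sender chose to say, which is exactly why the mismatch is informative. On real bounces it is worth remembering that an attacker can also prepend fake Received: headers of their own, so only the headers written by MTAs you trust anchor the chain.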

