
Re: yet another virus alert



On Fri, Sep 19, 2003 at  5:04:59PM -0700, David wrote:
> This was what the header looked like:
> 
> Return-Path: <Sigstroker@xxxxxxxxxxx>
> From:  Sigstroker@xxxxxxxxxxx
> Subject:  Re: looking for retail day traders
> Date: Fri, 19 Sep 2003 11:48:14 -0400

No, *this* is what a header looks like:

  Received: from mta1.adelphia.net (mta1.adelphia.net [68.168.78.175])
      by mx1.eskimo.com (8.9.3/8.8.8) with ESMTP id IAA04656;
      Fri, 19 Sep 2003 08:45:43 -0700
  Received: from jack ([68.70.218.56]) by mta1.adelphia.net
      (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
      id <20030919154810.DKCZ29306.mta1.adelphia.net@xxxx>;
      Fri, 19 Sep 2003 11:48:10 -0400
  From: Sigstroker@xxxxxxxxxxx
  Subject:  Re: looking for retail day traders
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="----------K7YWGH9U2JTAKE"
  Message-Id: <20030919154810.DKCZ29306.mta1.adelphia.net@xxxx>

Those abbreviated headers are useless for determining the source of
email. There are header lines above and below the fragment I show
above, but it's the Received: lines that are important. They flow
from bottom to top.  This header shows that the mail originated at IP
address: 68.70.218.56, and was handed off to 68.168.78.175 for
delivery to Eskimo's mail server.  Using whois on the originating IP,
we get:

:> whois -h whois.arin.net 68.70.218.56
  Adelphia Cable Communications ADELPHIA-CABLE-4 (NET-68-64-0-0-1)
                                  68.64.0.0 - 68.71.255.255
  Adelphia 68702080-Z7 (NET-68-70-208-0-1)
                                  68.70.208.0 - 68.70.223.255

as the owner of the IP range into which 68.70.218.56 falls.  If
that had been the IP address of somebody small enough to care,
I'd have sent a warning to them.

The other instances of this virus were also sent from that IP,
but with different forged From: addresses.

Jim
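
The bottom-to-top reading of the Received: lines described in the message above, as an added example that is not part of the original post. The function names and the `trusted_relays` parameter are assumptions made for illustration; the sample input is the header fragment quoted in the message.

```python
import re
from email import message_from_string

# Header fragment quoted in the message above, embedded as sample input.
SAMPLE = """\
Received: from mta1.adelphia.net (mta1.adelphia.net [68.168.78.175])
      by mx1.eskimo.com (8.9.3/8.8.8) with ESMTP id IAA04656;
      Fri, 19 Sep 2003 08:45:43 -0700
Received: from jack ([68.70.218.56]) by mta1.adelphia.net
      (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
      id <20030919154810.DKCZ29306.mta1.adelphia.net@xxxx>;
      Fri, 19 Sep 2003 11:48:10 -0400
From: Sigstroker@xxxxxxxxxxx
Subject:  Re: looking for retail day traders
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # peer IP in brackets
BY_RE = re.compile(r"\bby\s+([\w.-]+)")                 # relay that wrote the line
FROM_RE = re.compile(r"^from\s+([\w.-]+)")              # name the peer claimed

def received_hops(raw):
    """Return hops in travel order (bottom Received: line first)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received") or []):
        flat = " ".join(value.split())  # unfold continuation lines
        ip, by, frm = IP_RE.search(flat), BY_RE.search(flat), FROM_RE.search(flat)
        hops.append({"from": frm.group(1) if frm else None,
                     "ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops

def origin_ip(raw, trusted_relays):
    """Earliest peer IP recorded by a relay we trust.

    Walk from the newest line (written by our own MX) toward older ones and
    stop at the first line written by a host outside trusted_relays, because
    a sender can supply forged Received: lines below that point.
    """
    ip = None
    for hop in reversed(received_hops(raw)):
        if hop["by"] not in trusted_relays:
            break
        ip = hop["ip"] or ip
    return ip
```

Trusting both relays named in the fragment yields 68.70.218.56, the address looked up with whois above; trusting only mx1.eskimo.com yields 68.168.78.175.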