On Fri, Sep 19, 2003 at 5:04:59PM -0700, David wrote:
> This was what the header looked like:
>
> Return-Path: <Sigstroker@xxxxxxxxxxx>
> From: Sigstroker@xxxxxxxxxxx
> Subject: Re: looking for retail day traders
> Date: Fri, 19 Sep 2003 11:48:14 -0400

No, *this* is what a header looks like:

  Received: from mta1.adelphia.net (mta1.adelphia.net [68.168.78.175])
          by mx1.eskimo.com (8.9.3/8.8.8) with ESMTP id IAA04656;
          Fri, 19 Sep 2003 08:45:43 -0700
  Received: from jack ([68.70.218.56]) by mta1.adelphia.net
          (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
          id <20030919154810.DKCZ29306.mta1.adelphia.net@xxxx>;
          Fri, 19 Sep 2003 11:48:10 -0400
  From: Sigstroker@xxxxxxxxxxx
  Subject: Re: looking for retail day traders
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="----------K7YWGH9U2JTAKE"
  Message-Id: <20030919154810.DKCZ29306.mta1.adelphia.net@xxxx>

Those abbreviated headers are useless for determining the source of
email. There are header lines above and below the fragment I show
above, but it's the Received: lines that are important. They flow
from bottom to top. This header shows that the mail originated at IP
address: 68.70.218.56, and was handed off to 68.168.78.175 for
delivery to Eskimo's mail server. Using whois on the originating IP,
we get:

  :> whois -h whois.arin.net 68.70.218.56
  Adelphia Cable Communications ADELPHIA-CABLE-4 (NET-68-64-0-0-1)
          68.64.0.0 - 68.71.255.255
  Adelphia 68702080-Z7 (NET-68-70-208-0-1)
          68.70.208.0 - 68.70.223.255

as the owner of the IP range into which 68.70.218.56 falls. If
that had been the IP address of somebody small enough to care,
I'd have sent a warning to them.

The other instances of this virus were also sent from that IP,
but with different forged From: addresses.

Jim
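
Added example (not part of the message above or of the list archive): a Python sketch of the bottom-to-top Received: reading described in the message, run over the header fragment it quotes. It goes one step further by stopping at the first hop not written by a server in a caller-supplied trusted set, since lines below that point are under the sender's control; the function names and the trusted set are assumptions made for this example.

```python
import ipaddress
import re
from email import message_from_string

# Header fragment copied from the message above; redactions kept as archived.
RAW = """\
Received: from mta1.adelphia.net (mta1.adelphia.net [68.168.78.175])
\tby mx1.eskimo.com (8.9.3/8.8.8) with ESMTP id IAA04656;
\tFri, 19 Sep 2003 08:45:43 -0700
Received: from jack ([68.70.218.56]) by mta1.adelphia.net
\t(InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
\tid <20030919154810.DKCZ29306.mta1.adelphia.net@xxxx>;
\tFri, 19 Sep 2003 11:48:10 -0400
From: Sigstroker@xxxxxxxxxxx
Subject: Re: looking for retail day traders

"""

# "from HELO ([rDNS] [IP]) by HOST": the bracketed IP is what the receiver saw.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
                 r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")

def hops(raw):
    """Received: hops oldest first (each server prepends, so read bottom-up)."""
    received = message_from_string(raw).get_all("Received", [])
    found = (HOP.search(value) for value in reversed(received))
    return [m.groupdict() for m in found if m]

def last_trusted_origin(raw, trusted):
    """Walk newest to oldest; stop at the first hop not written by a trusted host."""
    ip = None
    for hop in reversed(hops(raw)):
        if hop["by"].lower() not in trusted:
            break
        ip = hop["ip"]
    return ip

def in_range(ip, first, last):
    """True if ip lies inside the first-last block that whois reported."""
    lo, hi = (ipaddress.ip_address(x) for x in (first, last))
    return lo <= ipaddress.ip_address(ip) <= hi

if __name__ == "__main__":
    for hop in hops(RAW):
        print(hop["helo"], hop["ip"], "->", hop["by"])
    print(last_trusted_origin(RAW, {"mx1.eskimo.com", "mta1.adelphia.net"}))
    print(in_range("68.70.218.56", "68.70.208.0", "68.70.223.255"))
```

Trusting only mx1.eskimo.com yields 68.168.78.175; adding the ISP's own relay mta1.adelphia.net to the trusted set yields 68.70.218.56, the address looked up with whois in the message.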