OSEC

 
From: Kee Hinckley (nazgulSOMEWHERE.COM)
Date: Sat Jan 13 2001 - 22:51:23 CST



    At 10:16 AM +0000 1/12/01, Kelly Reid wrote:
    >Following is the properties from the email from sexyfun. I'm
    >interested in knowing who this came from so that they can get their
    >machine scanned.
    >
    >Any help would be appreciated

    http://www.spamwatcher.com/ (which I run) says the following. (I
    should probably special case the IANA special numbers, since they are
    clearly not relevant).

    These headers are nearly always forged:
       To: From: Hahaha
       Message-ID: <200101120543.f0C5huk01495mx8-w.mail.home.com>

    The key is to look at the received headers. They track the
    message as it goes from one machine to the next. Most, but not
    all, mail servers record the IP address of the sending machine,
    and there is no way to forge that. So the goal is to find the
    first real machine to receive the email, and see where it got the
    mail from. That machine will typically either be one of yours,
    or it will be some (idiot) machine which left its mail software
    open for others to use as a relay. In the latter case, it's worth
    notifying that company, as well as the originating ISP.

    Here are the Received headers in order:
      Received: from mx8-w.mail.home.com (mx8-w.mail.home.com
    [24.0.95.73]) by h14.mail.home.com (8.9.3/8.9.0) with ESMTP id
    VAA09676 for ; Thu, 11 Jan 2001 21:43:57 -0800 (PST)
      Received: from smtp02.mail.onemain.com (SMTP-OUT003.ONEMAIN.COM
    [63.208.208.73]) by mx8-w.mail.home.com (8.11.1/8.11.1) with SMTP id
    f0C5huk01495 for ; Thu, 11 Jan 2001 21:43:56 -0800 (PST)
      Received: (qmail 4354 invoked from network); 12 Jan 2001 04:25:11 -0000
      Received: from moperr01-98.midwest.net (HELO computer)
    ([208.235.39.108]) (envelope-sender <>) by 10.209.20.32
    (qmail-ldap-1.03) with SMTP for ; 12 Jan 2001 04:25:11 -0000

    If we ignore the forgeable names, that makes a chain, and for each
    element in the chain we can look it up and make sure that the
    chain makes sense.

    From: 208.235.39.108 (moperr01-98.midwest.net)
    To: 10.209.20.32 (Unknown)
    From: 63.208.208.73 (SMTP-OUT003.ONEMAIN.COM)
    To: mx8-w.mail.home.com (24.0.95.73)
    From: 24.0.95.73 (mx8-w.mail.home.com)
    To: h14.mail.home.com (24.0.95.48)

    So the spammer probably sent from 208.235.39.108 (moperr01-98.midwest.net).
    And 10.209.20.32 (Unknown) is probably a system with an open relay.

    Here is information on the ISP that owns the domains in question.

    Spammer: 208.235.39.108 (moperr01-98.midwest.net)
    Midwest Internet (NETBLK-UU-208-235)
        300 E. Main St.
        Carbondale, IL 62901
        US

        Netname: UU-208-235
        Netblock: 208.235.0.0 - 208.235.63.255
        Maintainer: MIDI

        Coordinator:
           Baird, Curtis (BC247-ARIN) curtisMIDWEST.NET
           (618) 529-7271

        Record last updated on 08-Jan-1998.
        Database last updated on 13-Jan-2001 18:21:34 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    Relay: 10.209.20.32 (Unknown)
    IANA (RESERVED-6)
        Internet Assigned Numbers Authority
        Information Sciences Institute
        University of Southern California
        4676 Admiralty Way, Suite 330
        Marina del Rey, CA 90292-6695

        Netname: RESERVED-10
        Netblock: 10.0.0.0 - 10.255.255.255

        Coordinator:
           Internet Corporation for Assigned Names and Numbers
    (IANA-ARIN) ianaIANA.ORG
           (310) 823-9358

        Domain System inverse mapping provided by:

        BLACKHOLE.ISI.EDU 128.9.64.26
        BLACKHOLE.EP.NET 198.32.1.116

        Record last updated on 30-Aug-2000.
        Database last updated on 13-Jan-2001 18:21:34 EDT.

    --

    Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
    Now Playing - Folk, Rock, odd stuff - http://www.somewhere.com/playlist.cgi

    I'm not sure which upsets me more: that people are so unwilling to accept
    responsibility for their own actions, or that they are so eager to regulate
    everyone else's.

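The chain check described in the post, as an added example (my own code, not Kee's spamwatcher.com implementation): it parses the four Received headers quoted above, lists the hops oldest first, reports where a receiving host does not match what the next hop claims to have received from, and skips IANA-reserved space when picking the likely origin. The header strings are trimmed copies of the ones in the message.

```python
import ipaddress
import re

# The four Received headers from the post, newest first as they appear in
# the message; the date and "for" fragments are trimmed since only the hop
# names and bracketed IPs matter for the chain.
RECEIVED = [
    "from mx8-w.mail.home.com (mx8-w.mail.home.com [24.0.95.73]) "
    "by h14.mail.home.com (8.9.3/8.9.0) with ESMTP id VAA09676",
    "from smtp02.mail.onemain.com (SMTP-OUT003.ONEMAIN.COM [63.208.208.73]) "
    "by mx8-w.mail.home.com (8.11.1/8.11.1) with SMTP id f0C5huk01495",
    "(qmail 4354 invoked from network); 12 Jan 2001 04:25:11 -0000",
    "from moperr01-98.midwest.net (HELO computer) ([208.235.39.108]) "
    "(envelope-sender <>) by 10.209.20.32 (qmail-ldap-1.03) with SMTP",
]

# "helo" is whatever the sender claimed, the bracketed IP is what the
# receiving MTA saw on the socket, and "by" is the receiving host's own name.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\].*?\bby\s+(?P<by>\S+)")

def parse_hops(headers):
    """(claimed_name, recorded_ip, receiving_host) per hop, oldest first.
    Headers with no bracketed IP (the local qmail 'invoked from network'
    line) are dropped: the 'most, but not all, record the IP' case."""
    hops = []
    for h in headers:
        m = HOP_RE.search(h)
        if m:
            hops.append((m["helo"], m["ip"], m["by"]))
    hops.reverse()  # headers are prepended on delivery, so the last is the first hop
    return hops

def chain_breaks(hops):
    """Indexes i where hop i's receiving host is neither the name nor the IP
    that hop i+1 says it received from.  A break is where the visible trail
    stops being verifiable; here it is the private-address relay 10.209.20.32."""
    return [i for i, ((_, _, by), (helo, ip, _)) in enumerate(zip(hops, hops[1:]))
            if by not in (helo, ip)]

def likely_origin(hops):
    """Earliest hop whose recorded IP is globally routable, skipping IANA
    reserved space (the special-casing the post says it should do)."""
    for hop in hops:
        if ipaddress.ip_address(hop[1]).is_global:
            return hop
    return None

if __name__ == "__main__":
    hops = parse_hops(RECEIVED)
    for helo, ip, by in hops:
        print(f"{ip:16} ({helo}) -> {by}")
    print("chain breaks after hop(s):", chain_breaks(hops))
    print("likely origin:", likely_origin(hops))
```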