 
From: Rob Hughes (robROBHUGHES.COM)
Date: Sun Jan 14 2001 - 13:44:12 CST


    Welp, I just got the email myself. You'll notice that it was sent to my
    domain address, then forwarded to another.

    Return-Path: <rdhugeshost2.wfdns2.com>
    Received: from mh7-sfba.mail.home.com ([24.0.95.236])
              by femail7.sdc1.sfba.home.com
              (InterMail vM.4.01.03.00 201-229-121) with ESMTP
              id
    <20010114174657.IXXU27002.femail7.sdc1.sfba.home.commh7-sfba.mail.home.
    com>
              for <rdhughesmail.rchdsn1.tx.home.com>;
              Sun, 14 Jan 2001 09:46:57 -0800
    Received: from mx7-sfba.mail.home.com (mx7-sfba.mail.home.com
    [24.0.95.232])
            by mh7-sfba.mail.home.com (8.9.3/8.9.0) with ESMTP id JAA01165
            for <rdhugheshome.com>; Sun, 14 Jan 2001 09:46:57 -0800 (PST)
    Received: from host2.wfdns2.com (host2.wfdns2.com [209.239.38.26])
            by mx7-sfba.mail.home.com (8.11.1/8.11.1) with ESMTP id
    f0EHkrG07498
            for <rdhugheshome.com>; Sun, 14 Jan 2001 09:46:53 -0800 (PST)
    Received: (from rdhugeslocalhost)
            by host2.wfdns2.com (8.10.2/8.10.2) id f0EHkqf28020
            for rdhugheshome.com; Sun, 14 Jan 2001 12:46:52 -0500
    Received: from cheryl (slip-32-102-97-111.tx.us.prserv.net
    [32.102.97.111])
            by host2.wfdns2.com (8.10.2/8.10.2) with SMTP id f0EHkem28006
            for <robrobhughes.com>; Sun, 14 Jan 2001 12:46:40 -0500
    Date: Sun, 14 Jan 2001 12:46:40 -0500
    Message-Id: <200101141746.f0EHkem28006host2.wfdns2.com>
    From: Hahaha <hahahasexyfun.net>
    Subject: Snowhite and the Seven Dwarfs - The REAL story!
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="--VEBOXM34HU745YF0HM38LQBOT"
    Apparently-To: <rdhugheshome.com>

    This one seems to have come from a network belonging to IBMGLOBALSERV,
    but the domain seems to belong to ATT.

    IBM Global Services (NETBLK-IBMGLOBALSERV)
       4 Bedford Farms
       Bedford, NH 03110-6528
       US

       Netname: IBMGLOBALSERV
       Netblock: 32.0.0.0 - 32.255.255.255

       Coordinator:
          Sides Jr., Phil (PS4071-ARIN) pdsidesUS.IBM.COM
          (603)224-3815 (FAX) (781)623-8379 (FAX) (781)623-8379

       Domain System inverse mapping provided by:

       NS.UK.IBM.NET 152.158.16.48
       NS.DE.IBM.NET 152.158.2.48
       NS.NL.IBM.NET 152.158.36.48

       Record last updated on 01-Sep-1999.
       Database last updated on 13-Jan-2001 18:21:34 EDT.

    Registrant:
    AT&T Global Network Services (PRSERV-DOM)
       231 N. Martingale Road
       Schaumburg, IL 60173
       US

       Domain Name: PRSERV.NET

       Administrative Contact:
          Sammons, Greg (GSX208) gsammo1US.IBM.COM
          AT&T Global Network Services
          231 N. Martingale Road
          Schaumburg , IL 60173
          847-240-3230 (FAX) 847-240-4817
       Technical Contact:
          Administrator, Dns (DA694) dnsUS.IBM.COM
          ATT Global Network Solutions
          500 Mamaroneck Ave.
          Harrison, NY 10528
          800-566-0056 Opt 2 (FAX) 914-899-4555
       Billing Contact:
          Irwin, Lori (LI381) irwinl1US.IBM.COM
          IBM Network Services
          425 N. Martingale Rd, Suite 300
          Schaumburg , IL 60173
          847-706-2863 (FAX) 847-240-8230

       Record last updated on 21-Sep-2000.
       Record expires on 30-Sep-2005.
       Record created on 30-Sep-1998.
       Database last updated on 14-Jan-2001 08:38:06 EST.

       Domain servers in listed order:

       NS1.US.PRSERV.NET 165.87.194.244
       NS4.US.PRSERV.NET 165.87.201.244
       NS3.US.PRSERV.NET 165.87.201.243

    As determined by the injection record:
    Received: from cheryl (slip-32-102-97-111.tx.us.prserv.net
    [32.102.97.111])
            by host2.wfdns2.com (8.10.2/8.10.2) with SMTP id f0EHkem28006
            for <robrobhughes.com>; Sun, 14 Jan 2001 12:46:40 -0500

    prserv.net doesn't seem to resolve, though the IP address does
    resolve to the apparent sender. Now I just need to track down who this
    "prserv.net" actually belongs to.

    Rob Hughes
    Network Analyst
    Voice (H) (972) 918-0980
    Voice (W) (972) 856-3232
    Voice (C) (214) 282-7996
    Email robrobhughes.com, rhughescompucom.com
    ___________________________________________

    "Try not to become a man of success but rather try to become a man of
    value." -- Albert Einstein

    > -----Original Message-----
    > From: Incidents Mailing List [mailto:INCIDENTSSECURITYFOCUS.COM]On
    > Behalf Of Kelly Reid
    > Sent: Friday, January 12, 2001 4:17 AM
    > To: INCIDENTSSECURITYFOCUS.COM
    > Subject: properties in e-mail from sexyfun
    >
    >
    > Following is the properties from the email from sexyfun. I'm
    > interested in knowing who this came from so that they can get
    > their machine scanned.
    >
    > Any help would be appreciated
    >
    > Thu, 11 Jan 2001 21:43:57 -0800
    > Received: from mx8-w.mail.home.com (mx8-w.mail.home.com [24.0.95.73])
    > by h14.mail.home.com (8.9.3/8.9.0) with ESMTP id VAA09676
    > for <Kelly-Reidhome.com>; Thu, 11 Jan 2001 21:43:57 -0800 (PST)
    > Received: from smtp02.mail.onemain.com
    > (SMTP-OUT003.ONEMAIN.COM [63.208.208.73])
    > by mx8-w.mail.home.com (8.11.1/8.11.1) with SMTP id f0C5huk01495
    > for <Kelly-Reidhome.com>; Thu, 11 Jan 2001 21:43:56 -0800 (PST)
    > Date: Thu, 11 Jan 2001 21:43:56 -0800 (PST)
    > Message-Id: <200101120543.f0C5huk01495mx8-w.mail.home.com>
    > Received: (qmail 4354 invoked from network); 12 Jan 2001
    > 04:25:11 -0000
    > Received: from moperr01-98.midwest.net (HELO computer)
    > ([208.235.39.108]) (envelope-sender <>)
    > by 10.209.20.32 (qmail-ldap-1.03) with SMTP
    > for <Kelly-Reidhome.com>; 12 Jan 2001 04:25:11 -0000
    > From: Hahaha <hahahasexyfun.net>
    > Subject: Snowhite and the Seven Dwarfs - The REAL story!
    > MIME-Version: 1.0
    > Content-Type: multipart/mixed;
    > boundary="--VEJOXIFS9IZC1IZ4DAR0DIVOTAJ05AJ"
    > Apparently-To: <Kelly-Reidhome.com>
    >
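
The header trace described in the message above (reading the Received chain down to the injection record), as an added Python example that is not part of either post. The sample headers are reconstructed from the ones pasted above with placeholder recipient addresses, and the list of trusted relay suffixes is an assumption.

```python
import re
from email import message_from_string

# Constructed sample: Received chain adapted from the post; recipient
# addresses are placeholders because the archive stripped the "@".
SAMPLE = """\
Received: from mx7-sfba.mail.home.com (mx7-sfba.mail.home.com [24.0.95.232])
\tby mh7-sfba.mail.home.com (8.9.3/8.9.0) with ESMTP id JAA01165
\tfor <user@example.com>; Sun, 14 Jan 2001 09:46:57 -0800 (PST)
Received: from host2.wfdns2.com (host2.wfdns2.com [209.239.38.26])
\tby mx7-sfba.mail.home.com (8.11.1/8.11.1) with ESMTP id f0EHkrG07498
\tfor <user@example.com>; Sun, 14 Jan 2001 09:46:53 -0800 (PST)
Received: (from user@localhost)
\tby host2.wfdns2.com (8.10.2/8.10.2) id f0EHkqf28020
\tfor user@example.com; Sun, 14 Jan 2001 12:46:52 -0500
Received: from cheryl (slip-32-102-97-111.tx.us.prserv.net [32.102.97.111])
\tby host2.wfdns2.com (8.10.2/8.10.2) with SMTP id f0EHkem28006
\tfor <user@example.com>; Sun, 14 Jan 2001 12:46:40 -0500
Subject: Snowhite and the Seven Dwarfs - The REAL story!

body
"""

# Assumption: relays whose Received lines the recipient is willing to believe.
TRUSTED = ("mail.home.com", "wfdns2.com")

# "from <HELO name> (<reverse DNS> [<peer IP>]) by <recording host>"
HOP = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[\d.]+)\]\)"
    r" by (?P<by>\S+)")

def injection_hop(raw, trusted_suffixes):
    """Oldest hop that a trusted relay recorded about a remote peer, or None."""
    found = None
    for value in message_from_string(raw).get_all("Received", []):  # newest first
        flat = " ".join(value.split())            # unfold continuation lines
        by = re.search(r"\bby (\S+)", flat)
        if not by or not by.group(1).lower().endswith(trusted_suffixes):
            break                                 # lines below are sender-supplied
        m = HOP.search(flat)
        if m:                                     # local "(from user@host)" hops have no peer
            found = m.groupdict()
            found["helo_matches_rdns"] = m["helo"].lower() == m["rdns"].lower()
    return found

if __name__ == "__main__":
    print(injection_hop(SAMPLE, TRUSTED))
```

The peer IP in the returned hop is the value to take to whois; the HELO name ("cheryl" here) is supplied by the sending machine and is not verified.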

