On Sat, 20 Apr 2002 21:00:29 -0500 Jason Guidry <[EMAIL PROTECTED]> wrote:
> > It looks like someone has decided that I don't have enough headaches and
> > has started sending me viri. Normally this would not bother me, but the
> > problem is that the from line shows my email address on my website
> <[EMAIL PROTECTED]>!

Spoofing by spammer(?) at 66.24.19.151 (syr-66-24-19-151.twcny.rr.com).

> the email has been sent twice, from me, to me, containing some kind of
> virus. I looked at the email source, but I can't figure out what's
> going on.
>
> Can anyone help me figure out these headers so I can pinpoint what I
> need to yell at my hosting company about?

The headers are read bottom to top and indicate that message originated at
66.24.19.151 (syr-66-24-19-151.twcny.rr.com -- looks like Syracuse, NY), and
proceeded through (in this order):

hongkong.com           202.84.12.154
mail.itmom.com         64.214.129.197 <==== [qmail -- this is why I *hate* qmail... non-standard headers!]
hilcos01.hilconet.com  64.132.16.247
hilcos02.hilconet.com  64.132.16.248
host1.itmom.com        64.214.129.198 (aka gmaestro.org) <====

The questions I have are:
- what is the qmail machine?
- why did mail.itmom.com forward the msg to the qmail machine?
- why is the routing through hilconet.com when the destination is an adjacent IP address?

As a result of your message, I reported 202.84.12.154 to http://ordb.org/submit;
however, that host is not currently accepting SMTP connections. So it was
probably a temporary "open relay"; otherwise, it should not have passed the
message.

From what I see, the sender used an open relay (202.84.12.154) which delivered
to mail.itmom.com which is in turn misconfigured(?) to route mail via qmail, etc.

If you want to report anything, I suggest 66.24.19.151
(syr-66-24-19-151.twcny.rr.com) for spamming/infection; it could be a dedicated
user, or a dialup...

If you analyze my response, you will see that not all information was present
in the forwarded message; but there was enough to get the rest...

HTH,
Pierre

> <start message>
>
> From - Sat Apr 20 20:40:48 2002
> X-UIDL: 8b5be4b6a82a0200
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Received: by hilcos02 (mbox jason)
>     (with Cubic Circle's cucipop (v1.31 1998/05/13) Sat Apr 20 20:39:20 2002)
> X-From_: [EMAIL PROTECTED] Sat Apr 20 19:32:29 2002
> Received: from mail.itmom.com (mail.itmom.com [64.214.129.197])
>     by hilcos01.hilconet.com (8.11.6/8.11.6) with SMTP id g3L0W9805514
>     for <[EMAIL PROTECTED]>; Sat, 20 Apr 2002 19:32:12 -0500 (CDT)
> Received: (qmail 71527 invoked by uid 89); 21 Apr 2002 00:28:14 -0000
> Date: 21 Apr 2002 00:28:14 -0000
> Message-ID: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 71520 invoked from network); 21 Apr 2002 00:28:09 -0000
> Received: from unknown (HELO hongkong.com) (202.84.12.154)
>     by mail.itmom.com with SMTP; 21 Apr 2002 00:28:09 -0000
> Received: from Aktf([66.24.19.151]) by hongkong.com(JetMail 2.5.3.0)
>     with SMTP id jm1043cc264ba; Sun, 21 Apr 2002 00:26:20 -0000
> From: jason <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Sos!
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary=M4rTJ77P7ArjCa9441gts990W2LB69X
> Content-Length: 138959
>
> --M4rTJ77P7ArjCa9441gts990W2LB69X
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD></HEAD><BODY>
> <iframe src=3Dcid:Yzz5x1u46C441sg757O height=3D0 width=3D0>
> </iframe>
> <FONT></FONT></BODY></HTML>
>
> --M4rTJ77P7ArjCa9441gts990W2LB69X
> Content-Type: audio/x-midi;
>     name=rocker_john[1].pif
> Content-Transfer-Encoding: base64
> Content-ID: <Yzz5x1u46C441sg757O>
>
> This is followed by several hundred lines of gibberish.
>
> any help is much appreciated.
>
> --
> Jason Guidry
> http://www.gmaestro.org
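As an added example (not code from the thread), here is a Python script that reads the Received headers of the quoted message bottom to top, the way Pierre does, and pulls out each hop's claimed sending host, the connecting IP and the receiving server, including qmail's non-standard "(qmail ... invoked ...)" lines. The header excerpt is copied from the quoted message, with the archive's redacted addresses left as they appear.

```python
import re
from email import message_from_string

# Received headers copied from the message quoted above (body omitted, so this
# is an excerpt; the archive's redacted addresses are left as-is).
RAW_HEADERS = """\
Received: by hilcos02 (mbox jason)
 (with Cubic Circle's cucipop (v1.31 1998/05/13) Sat Apr 20 20:39:20 2002)
Received: from mail.itmom.com (mail.itmom.com [64.214.129.197])
 by hilcos01.hilconet.com (8.11.6/8.11.6) with SMTP id g3L0W9805514
 for <[EMAIL PROTECTED]>; Sat, 20 Apr 2002 19:32:12 -0500 (CDT)
Received: (qmail 71527 invoked by uid 89); 21 Apr 2002 00:28:14 -0000
Received: (qmail 71520 invoked from network); 21 Apr 2002 00:28:09 -0000
Received: from unknown (HELO hongkong.com) (202.84.12.154)
 by mail.itmom.com with SMTP; 21 Apr 2002 00:28:09 -0000
Received: from Aktf([66.24.19.151]) by hongkong.com(JetMail 2.5.3.0)
 with SMTP id jm1043cc264ba; Sun, 21 Apr 2002 00:26:20 -0000
Subject: Sos!

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """Turn one Received header value into the hop it describes."""
    v = " ".join(value.split())                        # unfold continuation lines
    hop = {"from": None, "ip": None, "by": None, "note": None}
    q = re.match(r"\(qmail \d+ invoked ([^)]*)\)", v)  # qmail's non-standard form
    if q:
        hop["note"] = "qmail " + q.group(1)
        return hop
    m = re.match(r"from\s+(.*?)\s+by\s+", v)
    if m:
        claim = m.group(1)                             # HELO name / rDNS / [ip] as logged
        helo = re.search(r"HELO\s+([^)\s]+)", claim)
        first = re.match(r"[^\s(\[]+", claim)
        hop["from"] = helo.group(1) if helo else (first.group(0) if first else claim)
        ip = IPV4.search(claim)
        hop["ip"] = ip.group(1) if ip else None
    by = re.search(r"\bby\s+([A-Za-z0-9.-]+)", v)
    hop["by"] = by.group(1) if by else None
    return hop

def trace(raw):
    """Hops in transit order: bottom Received header first."""
    msg = message_from_string(raw)
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]

def origin(hops):
    """Earliest hop that logged a connecting IP. Only hops written by servers you
    trust are reliable; anything logged below your own MTA may have been forged."""
    return next((h for h in hops if h["ip"]), None)

if __name__ == "__main__":
    for h in trace(RAW_HEADERS):
        print(h)
```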
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
