On Thursday 04 September 2003 03:57 pm, Anne Wilson wrote:
> On Thursday 04 Sep 2003 6:07 pm, rikona wrote:
> > Hello Anne,
> >
> > Thursday, September 4, 2003, 4:50:14 AM, you wrote:
> > >> Somebody on the list infected? Headers indicate a windows
> > >> "lookout express 6" user.
> >
> > Of course. What else would you expect? :-)))
> >
> > AW> would seem to indicate the origination was a pacbell DSL modem
> > AW> (67.122.222.126) which does belong to Pacbell so is probably
> > AW> accurate.
> >
> > I've received a few on this list, and all have different 'origins'.
> > I think this virus has its own stack and spoofs addresses, so the
> > origin might not be what it seems.
> >
> > ALL Win users on this list, ESPECIALLY those using M$ virusware,
> > would be advised to do a check - today - and before sending out any
> > other emails!
>
> I agree with what you're saying, except that I didn't make the remarks
> you attribute to me <g>
>
> Anne
I did. And I still believe that I was accurate. It is trivial to spoof the machine name when sending out mail, but spoofing the IP address is NOT trivial. The receiving mail server WILL log the originating request, so the IP address will be accurate. The only way that the IP does not trace back to the originating machine is when the originating machine used an open or compromised proxy or machine. Even in the case of a proxy, the IP address will be accurate for the proxy.

I suppose it is possible that the SoBig.F virus was designed to seek out and relay through compromised or open proxies, but if that is the case, it is the first that I have heard of it. In this case, the host name would appear to match the originating IP, making it very unlikely that the Received lines are spoofed, although I suppose it is possible that the compromised proxy and the forged hostname just happen to both match to Pacbell DSL netspace.

It is trivial to add additional Received header lines that are completely false, but in most cases the IP ranges will not match up with real netspace, and in any case the originating mail server will still show the true originating IP address; it will just have some (extra) lines that should be ignored.

I have been tracking and LARTing spammers for about 5 years now and I have not yet been told that I got one wrong, but I suppose that is always a possibility.

-- 
Bryan Phinney
Software Test Engineer
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
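The header-tracing procedure Bryan describes (walk the Received: stamps from your own server downward, believe the bracketed IP that the receiving server logged from the connection, treat everything below the first outside hop as unverifiable, and notice forged stamps whose addresses are not real netspace), as an added worked example that is not part of the original thread. It goes slightly beyond the message by also flagging a HELO name that disagrees with the receiver's reverse DNS. All hostnames, queue ids and addresses in it are constructed (public addresses are RFC 5737 documentation ranges), and the trusted-host list is an assumption standing in for the relays you actually operate.

```python
"""Trace a mail's originating IP from its Received: stamps.

Added example, not code from the thread. Every hostname, queue id and
address below is constructed; public addresses come from the RFC 5737
documentation ranges, so nothing here points at a real network."""
import ipaddress
import re
from email import message_from_string

# Hosts whose Received: stamps we believe because we operate them
# (assumption for this example; set this to your own relays).
TRUSTED_HOSTS = {"lists.example.invalid", "mx.example.invalid"}

# Networks no Internet-facing relay can legitimately connect from.
# Documentation ranges are deliberately not listed so the sample can use them.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>"
# The receiving host writes the bracketed IP from the TCP connection; the
# HELO name is whatever the sender chose to say.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s;(]+)",
    re.IGNORECASE,
)

# Constructed sample, newest stamp first as in a real message. The bottom two
# stamps were typed into the message by the sender; no relay ever added them.
SAMPLE = """\
Received: from mx.example.invalid (mx.example.invalid [192.0.2.10])
\tby lists.example.invalid (Postfix) with ESMTP id 1AAAA
\tfor <list@lists.example.invalid>; Thu, 4 Sep 2003 15:57:02 -0500
Received: from pc123 (adsl-198-51-100-77.dsl.example.invalid [198.51.100.77])
\tby mx.example.invalid (Postfix) with SMTP id 1BBBB;
\tThu, 4 Sep 2003 15:57:01 -0500
Received: from mail.bigisp.invalid (mail.bigisp.invalid [10.9.8.7])
\tby adsl-198-51-100-77.dsl.example.invalid with ESMTP id 1CCCC;
\tThu, 4 Sep 2003 15:56:50 -0500
Received: from [203.0.113.5] by mail.bigisp.invalid with SMTP id 1DDDD;
\tThu, 4 Sep 2003 15:56:40 -0500
From: someone@example.invalid
Subject: constructed sample

body
"""


def parse_received(value):
    """Split one (possibly folded) Received: value into its from/by parts."""
    text = " ".join(value.split())
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    helo, rdns, ip, by = m.group("helo", "rdns", "ip", "by")
    if ip is None and helo.startswith("[") and helo.endswith("]"):
        ip = helo[1:-1]          # "from [a.b.c.d]" with no rDNS comment
    return {"helo": helo, "rdns": rdns, "ip": ip, "by": by.lower()}


def is_bogon(ip):
    """True when the address cannot be the public address of any relay."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in BOGON_NETS)


def trace_origin(raw, trusted=TRUSTED_HOSTS):
    """Walk the stamps newest-first. Each stamp written 'by' a host we run is
    believed; the first such stamp whose 'from' side is not ours records the
    connection that delivered the mail, and its bracketed IP is the origin.
    Every stamp below that was already in the message when it reached us."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin, report = None, []
    for hop in hops:
        if hop is None:
            report.append(("unparsable", hop))
        elif origin is not None:
            status = "below trust boundary"
            if hop["ip"] and is_bogon(hop["ip"]):
                status += ", bogon address"
            report.append((status, hop))
        elif hop["by"] not in trusted:
            report.append(("stamp by untrusted host", hop))
        elif (hop["rdns"] or hop["helo"]).lower() in trusted:
            report.append(("internal hop", hop))
        else:
            origin, status = hop["ip"], "origin"
            if hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
                status += ", HELO name does not match rDNS"
            report.append((status, hop))
    return origin, report


if __name__ == "__main__":
    origin, report = trace_origin(SAMPLE)
    print("originating IP:", origin)
    for status, hop in report:
        print(f"  {status:45} {hop}")
```

On the sample the trace stops at the stamp mx.example.invalid wrote for the dial-up connection, so the origin is 198.51.100.77 regardless of what the two lower stamps claim; the 10.9.8.7 stamp is additionally caught as bogon netspace, while the 203.0.113.5 stamp is merely marked as below the trust boundary because a forger can pick a routable address. A HELO/rDNS mismatch alone is weak evidence (home machines routinely announce an unqualified name), which is why it is reported as a flag on the origin hop rather than as a reason to distrust the IP.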
