I recently got a worm-infected email. It is an old one disguised as a Y2K
bug fix program. Apparently, somebody who's not using an anti-virus
program is keeping this worm alive. This got me interested in email
headers and I have a few questions. Below are the envelope and mail headers
from the email.
--------------------------------------
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 24114 invoked from network); 9 Jun 2000 01:50:19 -0000
Received: from unknown (HELO main.gatesway.com) (202.163.234.5)
by 208.169.158.13 with SMTP; 9 Jun 2000 01:50:19 -0000
Received: from Pupi (as1-19.gatesway.com [202.163.235.19])
by main.gatesway.com (8.9.3/8.9.3) with SMTP id JAA10099
for <[EMAIL PROTECTED]>; Fri, 9 Jun 2000 09:55:43 +0800
----------------------------------------------MY QUESTIONS BELOW
Am I right to assume that it originally came from an ISP subscriber
connected through 202.163.235.19 who made an SMTP connection at 9:55 AM on
June 9?
What do the two other "Received:" entries above mean?
If you were to track this dial-up subscriber down, which log file do you open?
Mail headers can be spoofed, but can envelope headers be spoofed? How?
----------------------------------------------HEADERS CONTINUED BELOW
Date: Fri, 9 Jun 2000 09:55:43 +0800
Message-ID: <[EMAIL PROTECTED]>
From: Administrator <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
X-Mailer: PUPI-MAIL v.0.1
----------------------------------------------MY QUESTIONS BELOW
Does the X-Mailer entry above refer to the MUA used to send this email?
----------------------------------------------END
-
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]