Thank you, Bill, Christopher and Neil, for all your input. I misunderstood which pieces of the header were actually somewhat reliable.

Thank you for clearing that up.

Chris

> From: Bill Cole <[EMAIL PROTECTED]>
> Reply-To: "SIMS Discussions" <[EMAIL PROTECTED]>
> Date: Mon, 10 Feb 2003 14:33:59 -0500
> To: "SIMS Discussions" <[EMAIL PROTECTED]>
> Subject: Re: Verifying return-paths
>
> At 9:55 AM -0600 2/10/03, Chris Wagner imposed structure on a stream
> of electrons, yielding:
>> Quick question about a recent trend in incoming viruses to our network:
>>
>> The following are three different headers from messages that came into my
>> mailbox.
>>
>> ===========================================================================
>>
>> Return-Path: [EMAIL PROTECTED]
>> Received: from [207.241.128.20] (HELO smtp00.journey.com)
>>   by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
>>   with ESMTP id S.0000207182 for <[EMAIL PROTECTED]>; Sat, 08 Feb 2003
>>   19:47:30 -0600
>> Received: from Dbspa (mkc-24-166-176-56.kc.rr.com [24.166.176.56])
>>   by smtp00.journey.com (Postfix) with SMTP id 2D295246E1
>>   for <[EMAIL PROTECTED]>; Sat, 8 Feb 2003 21:31:18 -0500 (EST)
>> From: postmaster <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>> Subject: Returned mail--"Specials"
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative;
>>   boundary=X7J8CX82217
>> Message-Id: <[EMAIL PROTECTED]>
>> Date: Sat, 8 Feb 2003 21:31:18 -0500 (EST)
>>
>> ===========================================================================
>>
>> Return-Path: [EMAIL PROTECTED]
>> Received: from [207.241.128.20] (HELO smtp00.journey.com)
>>   by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
>>   with ESMTP id S.0000207112 for <[EMAIL PROTECTED]>; Fri, 07 Feb 2003
>>   19:52:37 -0600
>> Received: from Iqeciruao (mkc-24-166-176-56.kc.rr.com [24.166.176.56])
>>   by smtp00.journey.com (Postfix) with SMTP id E4ECC246D6
>>   for <[EMAIL PROTECTED]>; Fri, 7 Feb 2003 21:36:24 -0500 (EST)
>> From: degatewood <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>> Subject: Sos!
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative;
>>   boundary=M0NZA168KWbY89h9P2l52iNZXP5Hd4
>> Message-Id: <[EMAIL PROTECTED]>
>> Date: Fri, 7 Feb 2003 21:36:24 -0500 (EST)
>>
>> ===========================================================================
>>
>> Return-Path: [EMAIL PROTECTED]
>> Received: from [207.241.128.20] (HELO smtp00.journey.com)
>>   by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
>>   with ESMTP id S.0000207109 for <[EMAIL PROTECTED]>; Fri, 07 Feb 2003
>>   19:32:25 -0600
>> Received: from Sxgwzgw (mkc-24-166-176-56.kc.rr.com [24.166.176.56])
>>   by smtp00.journey.com (Postfix) with SMTP id E77EA24702
>>   for <[EMAIL PROTECTED]>; Fri, 7 Feb 2003 21:16:13 -0500 (EST)
>> From: postmaster <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>> Subject: Returned mail--"BACKGROUND"
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative;
>>   boundary=F9P1Q06j638jj20k48i9G7sk8
>> Message-Id: <[EMAIL PROTECTED]>
>> Date: Fri, 7 Feb 2003 21:16:13 -0500 (EST)
>>
>> ===========================================================================
>>
>> I know that I have asked something along these lines before, but wanted to
>> make sure that I am not misunderstanding this.
>>
>> If I have SIMS set up to verify return paths, can I assume that the mailbox
>> SIMS says it's coming from is accurate and not spoofed in any way?
>
> No. All SIMS can do is verify that the domain part of the Return-Path
> exists and has enough DNS to attempt delivery.
>
> It is theoretically possible for an MTA to verify that the address in
> question is one that a mail server would accept mail for, but even
> that is a bit problematic to try, and SIMS doesn't try. There is no
> way for any MTA to positively verify that the Return-Path is in fact
> the address of the sender.
>
>> The reason I ask is this - at least ONE of these accounts hasn't been used
>> for a very long time, and is coming from a local provider, journey.com.
>>
>> I talked with the woman who owned that mailbox and she said she hasn't used
>> that address in many months.
>>
>> I guess I'm trying to track down and see where these messages are REALLY
>> coming from.
>
> The Return-Path is iffy, but the Received headers are not.
>
> This looks like some variant of Klez, which grabs targets and forged
> Return-Paths from many places on the infected machine, then uses
> whatever mail relay is configured on the machine to send mail out. In
> this case, you can see that the mail came to you from 207.241.128.20,
> and that machine got the messages from 24.166.176.56. 24.166.176.56
> is the Klez-infected machine.
>
>> The attachments vary, from .scr to .bat, but the second file seems to be the
>> same.
>
> Those are the Klez payload.
> --
> Bill Cole
> [EMAIL PROTECTED]
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <[EMAIL PROTECTED]>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to <[EMAIL PROTECTED]>
> #############################################################
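Bill's point in the thread above (the Return-Path domain is only checked for existence, while the Received headers written by servers you trust actually locate the sending machine) can be turned into a small header-tracing routine. The Python below is an added example written for this page; it is not code from the thread, from Bill Cole, or from SIMS. It unfolds the headers, takes the top Received header as the one our own server wrote, follows the chain downward only while each header's "by" name matches the HELO name recorded in the hop above it, and reports the IP at the end of that linked chain as the origin. The sample headers are constructed from the first message quoted above, with the redacted addresses replaced by placeholders under example.invalid; the second sample appends a constructed Received header that does not link, to show where the trace stops.

```python
import re

# Constructed sample: the Received chain of the first message quoted in the
# thread, with the redacted addresses replaced by placeholders (example.invalid,
# and a made-up local part "user" at the receiving site).
SAMPLE_HEADERS = """\
Return-Path: <owner@example.invalid>
Received: from [207.241.128.20] (HELO smtp00.journey.com)
  by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
  with ESMTP id S.0000207182 for <user@atchisonkansas.net>; Sat, 08 Feb 2003
  19:47:30 -0600
Received: from Dbspa (mkc-24-166-176-56.kc.rr.com [24.166.176.56])
  by smtp00.journey.com (Postfix) with SMTP id 2D295246E1
  for <user@atchisonkansas.net>; Sat, 8 Feb 2003 21:31:18 -0500 (EST)
From: postmaster <owner@example.invalid>
To: user@atchisonkansas.net
Subject: Returned mail--"Specials"
"""

# Constructed variant: the sender pre-inserted a Received header of its own (the
# bottom one). Its "by" name does not match the HELO name of the hop above it,
# so the trace must stop at 24.166.176.56 instead of trusting 198.51.100.7.
FORGED_TAIL_HEADERS = SAMPLE_HEADERS + """\
Received: from innocent.example.invalid (innocent.example.invalid [198.51.100.7])
  by mail.somewhere-else.invalid (Fake) with ESMTP id 0; Sat, 8 Feb 2003 21:00:00 -0500
"""

HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"        # HELO name (or literal IP) the client announced
    r"(?:\s+\((?P<paren>[^)]*)\))?"   # what the receiving server recorded about it
    r"\s+by\s+(?P<by>\S+)"            # the receiving server's own name
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS_RE = re.compile(r"^(?P<rdns>[^\s\[(]+)\s+\[")


def unfold(raw):
    """Join RFC 822 continuation lines (those starting with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def header_values(raw, name):
    """All values of header `name`, in the order they appear (top first)."""
    out = []
    for line in unfold(raw):
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            out.append(val.strip())
    return out


def parse_hop(value):
    """Pull the pieces of one Received header that matter for tracing."""
    m = HOP_RE.search(value)
    if not m:
        raise ValueError("unparseable Received header: " + value)
    claimed, paren, by = m.group("claimed"), m.group("paren") or "", m.group("by")
    ip = IP_RE.search(claimed) or IP_RE.search(paren)
    rdns = RDNS_RE.match(paren)
    helo = paren[5:].strip() if paren.upper().startswith("HELO ") else claimed.strip("[]")
    return {
        "helo": helo,                        # announced by the client, not verified
        "rdns": rdns.group("rdns") if rdns else None,
        "ip": ip.group(1) if ip else None,   # address the receiver saw on the socket
        "by": by,                            # server that wrote this header
    }


def return_path_domain(raw):
    """The only part of the Return-Path a verifier like SIMS can check: its domain."""
    vals = header_values(raw, "Return-Path")
    if not vals:
        return None
    return vals[0].strip("<>").rpartition("@")[2].lower() or None


def trace_origin(raw, our_server):
    """Walk the Received chain from our own header while each hop links to the one above."""
    hops = [parse_hop(v) for v in header_values(raw, "Received")]
    if not hops or hops[0]["by"].lower() != our_server.lower():
        raise ValueError("top Received header was not written by " + our_server)
    chain = [hops[0]]
    for prev, cur in zip(hops, hops[1:]):
        if cur["by"].lower() != prev["helo"].lower():
            break   # header below this point does not link: possibly sender-forged
        chain.append(cur)
    return chain


def summarize(raw, our_server):
    chain = trace_origin(raw, our_server)
    return {
        "return_path_domain": return_path_domain(raw),
        "relay_ip": chain[0]["ip"],      # host that handed the mail to our server
        "origin_ip": chain[-1]["ip"],    # end of the linked chain
        "origin_rdns": chain[-1]["rdns"],
        "linked_hops": len(chain),
    }


if __name__ == "__main__":
    for label, raw in (("as received", SAMPLE_HEADERS), ("forged tail", FORGED_TAIL_HEADERS)):
        print(label, summarize(raw, "atchisonkansas.net"))
```

The linking rule only catches sloppy forgeries: a sender who knows the relay's HELO name can make a fabricated header link up. The fact you can rely on is the IP recorded by a server you trust, here your own server's entry and, because journey.com's Postfix is a known relay, its entry pointing at 24.166.176.56; anything below the first hop you do not trust is corroboration at best.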
