Hey netscalibur! (was: Re: Hijacked email)
Christopher Chin
cchin at ack.Berkeley.EDU
Wed Aug 20 17:14:35 UTC 2003
Today at 10:40 (-0500), Richard Irving wrote:
> Date: Wed, 20 Aug 2003 10:40:25 -0500
> From: Richard Irving <rirving at onecall.net>
> To: nanog at merit.edu
> Subject: Re: Hijacked email
>
>
> Please people, of all the great feedback these joe jobbed
> addresses are receiving, from the anti-virus software...
>
> it really wouldn't hurt to include the -=IP=- (and possibly headers)
> of the system that contacted your server.....
>
> Rather than simply complain, it would allow us to track
> down, and triangulate the -=real=- perp, an infected
> M$ machine or two (million).
Okie doke.... is Netscalibur in the house? I might assume so
based on the "nanog-ish" return address on the received e-mail
from [195.157.87.253]. This IP is sourcing Sobig.F to me, and
*as* me.
The received mail:
From nanog at ehlke.net Wed Aug 20 10:03:00 2003
Received: from KYAN ([195.157.87.253])
        by ack.Berkeley.EDU (8.11.3/8.11.3) with ESMTP id h7K9k2n04029
        for <cchin at ack.Berkeley.EDU>; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
Message-Id: <200308200946.h7K9k2n04029 at ack.Berkeley.EDU>
From: <nanog at ehlke.net>
To: <cchin at ack.Berkeley.EDU>
Subject: Re: Details
Date: Wed, 20 Aug 2003 10:46:45 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="_NextPart_000_00623C6D"
Content-Length: 100007
See the attached file for details
[ Part 2, Application/OCTET-STREAM (Name: "details.pif") 100KB. ]
And the results of the joe-job:
The original message was received at Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
from [195.157.87.253]
----- The following addresses had permanent fatal errors -----
<lyris at sega.com>
(reason: 550 <lyris at sega.com>... No such mailbox)
----- Transcript of session follows -----
... while talking to mail.sega.com.:
>>> RCPT To:<lyris at sega.com>
<<< 550 <lyris at sega.com>... No such mailbox
550 5.1.1 <lyris at sega.com>... User unknown
[ Part 2: "Delivery Status" ]
Reporting-MTA: dns; postal.segasoft.com
Received-From-MTA: DNS; [195.157.87.253]
Arrival-Date: Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
Final-Recipient: RFC822; lyris at sega.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.sega.com
Diagnostic-Code: SMTP; 550 <lyris at sega.com>... No such mailbox
Last-Attempt-Date: Wed, 20 Aug 2003 03:42:19 -0700 (PDT)
[ Part 3: "Included Message" ]
Return-Path: <cchin at ack.Berkeley.EDU>
Received: from KYAN ([195.157.87.253])
        by postal.segasoft.com (8.12.9/8.11.0) with ESMTP id h7KAgCbV004367
        for <lyris at sega.com>; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
Message-Id: <200308201042.h7KAgCbV004367 at postal.segasoft.com>
From: <cchin at ack.Berkeley.EDU>
To: <lyris at sega.com>
Subject: Re: Details
Date: Wed, 20 Aug 2003 11:42:56 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="_NextPart_000_0095ABA4"
Please see the attached file for details.
[ Part 3.2, Application/OCTET-STREAM (Name: "thank_you.pif") 101KB. ]
[ Unable to print this part. ]
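As an added example (not part of the post or the thread), here is the triage a postmaster could apply to a bounce like the one quoted above: parse the RFC 3464 delivery-status fields and the bottom-most Received header of the included message, check whether the message ever passed through our own MTAs, and if not, report the first-hop IP rather than the forged From address. The sample data is constructed from the quoted bounce with addresses de-obfuscated; the OUR_MTAS set is an assumption.

```python
import re
from email import message_from_string

# Constructed sample modelled on the DSN quoted in the post (addresses de-obfuscated).
DSN_PART = """Reporting-MTA: dns; postal.segasoft.com
Received-From-MTA: DNS; [195.157.87.253]
Final-Recipient: RFC822; lyris@sega.com
Action: failed
Status: 5.1.1
Diagnostic-Code: SMTP; 550 <lyris@sega.com>... No such mailbox
"""
INCLUDED_MSG = """Return-Path: <cchin@ack.Berkeley.EDU>
Received: from KYAN ([195.157.87.253])
    by postal.segasoft.com (8.12.9/8.11.0) with ESMTP id h7KAgCbV004367
    for <lyris@sega.com>; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
From: <cchin@ack.Berkeley.EDU>
"""
# Assumption: hostnames of the MTAs that legitimately relay our outbound mail.
OUR_MTAS = {"ack.berkeley.edu"}
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+(\S+)")

def dsn_fields(text):
    """Parse RFC 3464 'Name: type; value' lines into {name: value} (type dropped)."""
    out = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if sep:
            out[name.strip().lower()] = rest.partition(";")[2].strip() or rest.strip()
    return out

def first_hop(raw):
    """(helo, ip, receiving host) of the earliest hop: the bottom-most Received header."""
    hops = message_from_string(raw).get_all("Received") or []
    m = RECEIVED_RE.search(hops[-1]) if hops else None
    return (m.group(1), m.group(2), m.group(3).lower()) if m else None

def triage_bounce(dsn_text, included):
    """Forged sender if the message never passed through our MTAs; report the first-hop IP."""
    fields = dsn_fields(dsn_text)
    hop = first_hop(included)
    dsn_ip = fields.get("received-from-mta", "").strip("[]")
    forged = hop is not None and hop[2] not in OUR_MTAS
    return {
        "recipient": fields.get("final-recipient"),
        "status": fields.get("status"),
        "forged_sender": forged,
        "source_ip": hop[1] if forged else None,          # the host to report to its ISP
        "ip_matches_dsn": hop is not None and hop[1] == dsn_ip,  # Received vs. Received-From-MTA
    }
```

A bounce whose included message does carry a hop `by` one of our MTAs is a genuine delivery failure and is left alone; only the backscatter case yields a source IP.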