Very Computer

I received another apparent Klez-infected email.  The headers look like
this:

Received: from mail.nep.net (mail.nep.net [12.23.44.23])
        by melake.erols.com (Postfix) with SMTP id 521D91B8CD

Received: (qmail 26014 invoked from network); 8 Jul 2002 09:50:12 -0000
Received: from unknown (HELO Jrljxpg) (65.167.47.111)
  by 0 with SMTP; 8 Jul 2002 09:50:12 -0000


Subject: Look,my beautiful girl friend

It appears to me that the email is coming from 65.167.47.111 but when I
do a whois/nslookup/host/dig it comes up as unknown.  When I do a
traceroute I get:

...
...
...
13  sl-nepenn-2-0.sprintlink.net (160.81.48.6)  159.871 ms  159.907 ms  \
159.888 ms
14  65.167.47.1 (65.167.47.1)  159.976 ms  159.789 ms  159.941 ms
15  65.167.47.111 (65.167.47.111)  320.016 ms  319.937 ms  299.943 ms

Does this prove that 65.167.47.111 really does exist?  (I also get an
unknown response when I try to find 65.167.47.1)  Should I be writing to

--

That's how it looks to me, too.

Quote:> but when I do a whois/nslookup/host/dig it comes up as unknown.

The nslookup and host commands can easily return "not found" messages if
the owner of the IP block hasn't properly configured reverse DNS
lookups. This is an annoying and increasingly common problem, but I
don't know offhand if it's an RFC violation. There are many different
whois tools, some of which do a better job than others. I'm using BW
whois (http://whois.bw.org), and here's what it returns:

$ whois 65.167.47.111
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: 65.167.47.111
connecting to whois.arin.net [192.149.252.34:43] ...
Sprint (NETBLK-SPRINTLINK-2-BLKS) SPRINTLINK-2-BLKS65.160.0.0 - 65.174.255.255
THE NORTH-EASTERN PENNSYLVANIA (NETBLK-FON-110147379279752) FON-110147379279752
                                                   65.167.40.0 - 65.167.47.255

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

This means that the 65.160.0.0-65.174.255.255 block belongs to Sprint,
and they've farmed out part of that block (65.167.40.0-65.167.47.255) to
another party, the North-Eastern Pennsylvania. This can be further
looked up by entering the code in parentheses:

$ whois NETBLK-FON-110147379279752
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: NETBLK-FON-110147379279752
connecting to whois.arin.net [192.149.252.22:43] ...
THE NORTH-EASTERN PENNSYLVANIA (NETBLK-FON-110147379279752)
   720 MAIN
   FOREST CITY, PA 18421
   US

   Netname: FON-110147379279752
   Netblock: 65.167.40.0 - 65.167.47.255

   Coordinator:

      (570)785-2227

track this complaint, I'd do a lookup on the Sprint block and complain

--

http://www.rodsbooks.com
Author of books on Linux & multi-OS configuration

Unless some of the headers are forged. Unless your own
mailserver is broken you can know that it came through
12.23.44.23, if you believe 12.23.44.23 is properly
configured you will know from which host it came before
that, and so on. Do you trust all the hops back to the
claimed origin?

Quote:

> > but when I do a whois/nslookup/host/dig it comes up as unknown.

> The nslookup and host commands can easily return "not found" messages if
> the owner of the IP block hasn't properly configured reverse DNS
> lookups. This is an annoying and increasingly common problem, but I
> don't know offhand if it's an RFC violation.

RFC1912 section 2.1 talks about it:
http://rfc.sunsite.dk/rfc/rfc1912.html

--
Kasper Dupont -- der bruger for meget tid p? usenet.

www.network-tool.com

a cool and userfull utility. it knows your unknown ip address

--
sam
sam at tuxfamily dot org

Quote:>> I received another apparent Klez-infected email.  The headers look like
>> this:
> You are wasting your time. Set up procmail and use that to delete klez
> virus files.

I'm also concerned with the Klez emails that are sent to others with
the From line forged with my email address.

--

You can do nothing about that.

You can of course sue the people who are infected by Klez and
are thereby forging your address. Without knowing they are
probably breaking some laws. This of course depends on what
country they are living in.

And if you really care about the problem, start using digital
signatures on every email and usenet posting you send. It
doesn't stop the forged addresses, but you can tell people you
no longer send unsigned messages, and any unsigned message
with your address has got to be forged.

--
Kasper Dupont -- der bruger for meget tid p? usenet.

That's an informational RFC, not a standard, so violating it isn't
really strong grounds for complaint or action.

--

http://www.rodsbooks.com
Author of books on Linux & multi-OS configuration

Nope, it was just the only RFC I could remember on the
subject, and it doesn't have references to relevant
parts of the specification so...

--
Kasper Dupont -- der bruger for meget tid p? usenet.