Another Question Concerning Email Headers

Post by Marshall Lak » Wed, 10 Jul 2002 01:39:07



I received another apparent Klez-infected email.  The headers look like
this:



Received: from mail.nep.net (mail.nep.net [12.23.44.23])
        by melake.erols.com (Postfix) with SMTP id 521D91B8CD

Received: (qmail 26014 invoked from network); 8 Jul 2002 09:50:12 -0000
Received: from unknown (HELO Jrljxpg) (65.167.47.111)
  by 0 with SMTP; 8 Jul 2002 09:50:12 -0000


Subject: Look,my beautiful girl friend

It appears to me that the email is coming from 65.167.47.111 but when I
do a whois/nslookup/host/dig it comes up as unknown.  When I do a
traceroute I get:

...
...
...
13  sl-nepenn-2-0.sprintlink.net (160.81.48.6)  159.871 ms  159.907 ms  159.888 ms
14  65.167.47.1 (65.167.47.1)  159.976 ms  159.789 ms  159.941 ms
15  65.167.47.111 (65.167.47.111)  320.016 ms  319.937 ms  299.943 ms

Does this prove that 65.167.47.111 really does exist?  (I also get an
unknown response when I try to find 65.167.47.1)  Should I be writing to

--


Another Question Concerning Email Headers

Post by Rod Smi » Wed, 10 Jul 2002 02:24:01




> I received another apparent Klez-infected email.  The headers look like
> this:



> Received: from mail.nep.net (mail.nep.net [12.23.44.23])
>    by melake.erols.com (Postfix) with SMTP id 521D91B8CD

> Received: (qmail 26014 invoked from network); 8 Jul 2002 09:50:12 -0000
> Received: from unknown (HELO Jrljxpg) (65.167.47.111)
>   by 0 with SMTP; 8 Jul 2002 09:50:12 -0000


> Subject: Look,my beautiful girl friend

> It appears to me that the email is coming from 65.167.47.111

That's how it looks to me, too.

> but when I do a whois/nslookup/host/dig it comes up as unknown.

The nslookup and host commands can easily return "not found" messages if
the owner of the IP block hasn't properly configured reverse DNS
lookups. This is an annoying and increasingly common problem, but I
don't know offhand if it's an RFC violation. There are many different
whois tools, some of which do a better job than others. I'm using BW
whois (http://whois.bw.org), and here's what it returns:

$ whois 65.167.47.111
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: 65.167.47.111
connecting to whois.arin.net [192.149.252.34:43] ...
Sprint (NETBLK-SPRINTLINK-2-BLKS) SPRINTLINK-2-BLKS     65.160.0.0 - 65.174.255.255
THE NORTH-EASTERN PENNSYLVANIA (NETBLK-FON-110147379279752) FON-110147379279752
                                                   65.167.40.0 - 65.167.47.255

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

This means that the 65.160.0.0-65.174.255.255 block belongs to Sprint,
and they've farmed out part of that block (65.167.40.0-65.167.47.255) to
another party, the North-Eastern Pennsylvania. This can be further
looked up by entering the code in parentheses:

$ whois NETBLK-FON-110147379279752
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: NETBLK-FON-110147379279752
connecting to whois.arin.net [192.149.252.22:43] ...
THE NORTH-EASTERN PENNSYLVANIA (NETBLK-FON-110147379279752)
   720 MAIN
   FOREST CITY, PA 18421
   US

   Netname: FON-110147379279752
   Netblock: 65.167.40.0 - 65.167.47.255

   Coordinator:

      (570)785-2227


track this complaint, I'd do a lookup on the Sprint block and complain

--

http://www.rodsbooks.com
Author of books on Linux & multi-OS configuration


Another Question Concerning Email Headers

Post by Kasper Dupon » Wed, 10 Jul 2002 04:21:56





> > I received another apparent Klez-infected email.  The headers look like
> > this:



> > Received: from mail.nep.net (mail.nep.net [12.23.44.23])
> >       by melake.erols.com (Postfix) with SMTP id 521D91B8CD

> > Received: (qmail 26014 invoked from network); 8 Jul 2002 09:50:12 -0000
> > Received: from unknown (HELO Jrljxpg) (65.167.47.111)
> >   by 0 with SMTP; 8 Jul 2002 09:50:12 -0000


> > Subject: Look,my beautiful girl friend

> > It appears to me that the email is coming from 65.167.47.111

> That's how it looks to me, too.

Unless some of the headers are forged. Unless your own
mailserver is broken, you can know that it came through
12.23.44.23; if you believe 12.23.44.23 is properly
configured, you will know from which host it came before
that, and so on. Do you trust all the hops back to the
claimed origin?


> > but when I do a whois/nslookup/host/dig it comes up as unknown.

> The nslookup and host commands can easily return "not found" messages if
> the owner of the IP block hasn't properly configured reverse DNS
> lookups. This is an annoying and increasingly common problem, but I
> don't know offhand if it's an RFC violation.

RFC1912 section 2.1 talks about it:
http://rfc.sunsite.dk/rfc/rfc1912.html

--
Kasper Dupont -- who spends too much time on usenet.
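Walking the Received chain the way the post above describes, as an added example (not code from the thread or from any of its posters): it parses the headers quoted in the thread and stops at the first hop that was recorded by a host you do not trust. The host names and addresses are the thread's own; the function names and the trusted sets are my assumptions.

```python
import re

# Headers as quoted in the thread, pasted into a constant (constructed sample input).
RAW_HEADERS = """\
Received: from mail.nep.net (mail.nep.net [12.23.44.23])
        by melake.erols.com (Postfix) with SMTP id 521D91B8CD
Received: (qmail 26014 invoked from network); 8 Jul 2002 09:50:12 -0000
Received: from unknown (HELO Jrljxpg) (65.167.47.111)
  by 0 with SMTP; 8 Jul 2002 09:50:12 -0000
Subject: Look,my beautiful girl friend
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"from\s+\S+(.*?)\s+by\s+(\S+)")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_hops(raw):
    """Received headers top-down (newest first) as (sending_ip, receiving_host).
    A header with no 'from ... by ...' (qmail's 'invoked from network') yields (None, None)."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = FROM_BY.search(line)
        if not m:
            hops.append((None, None))
            continue
        ip = IPV4.search(m.group(1))
        hops.append((ip.group(1) if ip else None, m.group(2)))
    return hops

def earliest_trusted_hop(hops, our_mta, trusted):
    """Each Received header was written by the host that is the 'from' of the header
    above it, so a hop is only believable if its writer is one we trust. Returns the
    last sender IP reached before the chain passes through an untrusted writer."""
    writer, origin = our_mta, None
    for sender_ip, _receiver in hops:
        if writer not in trusted:
            break
        if sender_ip is None:      # internal hand-off inside the same trusted host
            continue
        origin, writer = sender_ip, sender_ip
    return origin
```

Trusting only your own server gets you as far as 12.23.44.23; only if you also trust that relay's headers does the chain reach 65.167.47.111.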


Another Question Concerning Email Headers

Post by mrsa » Wed, 10 Jul 2002 18:19:30



> I received another apparent Klez-infected email.  The headers look
> like this:



> Received: from mail.nep.net (mail.nep.net [12.23.44.23])
> by melake.erols.com (Postfix) with SMTP id 521D91B8CD

> Received: (qmail 26014 invoked from network); 8 Jul 2002 09:50:12 -0000
> Received: from unknown (HELO Jrljxpg) (65.167.47.111)
>   by 0 with SMTP; 8 Jul 2002 09:50:12 -0000


> Subject: Look,my beautiful girl friend

> It appears to me that the email is coming from 65.167.47.111 but when
> I do a whois/nslookup/host/dig it comes up as unknown.  When I do a
> traceroute I get:

> ...
> ...
> ...
> 13  sl-nepenn-2-0.sprintlink.net (160.81.48.6)  159.871 ms  159.907 ms  159.888 ms
> 14  65.167.47.1 (65.167.47.1)  159.976 ms  159.789 ms  159.941 ms
> 15  65.167.47.111 (65.167.47.111)  320.016 ms  319.937 ms  299.943 ms

> Does this prove that 65.167.47.111 really does exist?  (I also get an
> unknown response when I try to find 65.167.47.1)  Should I be writing


www.network-tool.com

A cool and useful utility. It knows your unknown IP address.

--
sam
sam at tuxfamily dot org


Another Question Concerning Email Headers

Post by Marshall Lak » Wed, 10 Jul 2002 23:02:15


>> I received another apparent Klez-infected email.  The headers look like
>> this:
> You are wasting your time. Set up procmail and use that to delete klez
> virus files.

I'm also concerned with the Klez emails that are sent to others with
the From line forged with my email address.

--


Another Question Concerning Email Headers

Post by Kasper Dupon » Wed, 10 Jul 2002 23:25:18



> >> I received another apparent Klez-infected email.  The headers look like
> >> this:

> > You are wasting your time. Set up procmail and use that to delete klez
> > virus files.

> I'm also concerned with the Klez emails that are sent to others with
> the From line forged with my email address.

You can do nothing about that.

You can of course sue the people who are infected by Klez and
are thereby forging your address. Without knowing it, they are
probably breaking some laws. This of course depends on what
country they are living in.

And if you really care about the problem, start using digital
signatures on every email and usenet posting you send. It
doesn't stop the forged addresses, but you can tell people you
no longer send unsigned messages, and any unsigned message
with your address has got to be forged.

--
Kasper Dupont -- who spends too much time on usenet.


Another Question Concerning Email Headers

Post by Rod Smi » Wed, 10 Jul 2002 23:54:05





>> The nslookup and host commands can easily return "not found" messages if
>> the owner of the IP block hasn't properly configured reverse DNS
>> lookups. This is an annoying and increasingly common problem, but I
>> don't know offhand if it's an RFC violation.

> RFC1912 section 2.1 talks about it:
> http://rfc.sunsite.dk/rfc/rfc1912.html

That's an informational RFC, not a standard, so violating it isn't
really strong grounds for complaint or action.

--

http://www.rodsbooks.com
Author of books on Linux & multi-OS configuration


Another Question Concerning Email Headers

Post by Kasper Dupon » Thu, 11 Jul 2002 00:22:24






> >> The nslookup and host commands can easily return "not found" messages if
> >> the owner of the IP block hasn't properly configured reverse DNS
> >> lookups. This is an annoying and increasingly common problem, but I
> >> don't know offhand if it's an RFC violation.

> > RFC1912 section 2.1 talks about it:
> > http://rfc.sunsite.dk/rfc/rfc1912.html

> That's an informational RFC, not a standard, so violating it isn't
> really strong grounds for complaint or action.

Nope, it was just the only RFC I could remember on the
subject, and it doesn't have references to relevant
parts of the specification so...

--
Kasper Dupont -- who spends too much time on usenet.