[ale] E-mail Virus (with header)

Fulton Green ale at FultonGreen.com
Mon Dec 17 22:29:23 EST 2001


Having been the victim of many a spam recently, I've really had to get my
"mad email sleuthing skillz" on. :)

The key is always in the "Received:" headers. It used to be that the first
few "Received:" headers would tend to be more accurate than the later ones,
but most of the MTAs out there seem to have gotten more fake-proof. Anyhow,
if you look at the first Received header:

Received: from imf01bis.bellsouth.net (mail201.mail.bellsouth.net [205.152.58.141])
	by magneto.troycable.net (8.9.3/8.9.3) with ESMTP id MAA46322
	for <mlecroy at troycable.net>; Mon, 17 Dec 2001 12:18:06 -0600 (CST)
	(envelope-from sangell at bellsouth.net)

You'll notice three addresses in the "From:" field: the "imf01bis", the
"mail201.mail" (both in the BellSouth ISP domain, obviously) and an IP.
Other MTAs (most notably Exim) use a different format, but in this case:

- "imf01bis" represents the address that the BellSouth mail relay identified
itself as to Troy Cable's mail relay
- This address is reported by the originator in the SMTP "HELO" command
- "mail201.mail" represents the successful reverse lookup of ...
- 205.152.58.141, which is the "actual" IP of the originating host (assuming
no funky low-level spoofing is in effect)

Looking at the next header, the destination address reported appears to
match up with at least some of the previous header's info, so the confidence
level is high that this header is legit and not faked. OTOH, the origination
address is claimed to be "aol.com" by this header's originator. That's the
first tip-off for me, as this didn't look like a typical header from an
AOL relay. So I looked at the "actual" part of the "from" address info and
attempted my own reverse lookup, which yielded the ADSL canonical. Note
that the canonical part didn't appear in this header, most likely because
BellSouth opted not to perform reverse lookups, perhaps in an effort to
conserve spare CPU and/or bandwidth resources.

Now most of the spam I've received lately seems to come from specially
opened Internet access accounts used solely for the purpose of connecting
to an open mail relay. Over half of the spams originate from AT&T Managed
Services (prserv.net), and over half of them use an open mail relay in
China. A lot of times, the reverse lookup fails, so I lookup the IP in
ARIN's Whois DB:
	whois a.b.c.d at whois.arin.net
and repeat (going to other regions' whois servers, if necessary) until I find
what I need. 

Hey, you asked. :)

On Mon, Dec 17, 2001 at 09:28:09PM -0500, Frank Zamenski wrote:
> Perhaps it should be obvious by inspection, but I'm not an
> email guru either. How did you deduce that?
> 
> > The "AOL.com" was spoofed. OTOH, the accompanying origination IP maps to the
> > canonical adsl-156-62-200.asm.bellsouth.net . Look familiar?
> >
> > On Mon, Dec 17, 2001 at 02:30:19PM -0500, sangell at nan.net wrote:
> > >  Return-Path: <sangell at bellsouth.net>
> > >  Received: from imf01bis.bellsouth.net (mail201.mail.bellsouth.net [205.152.58.141])
> > >  by magneto.troycable.net (8.9.3/8.9.3) with ESMTP id MAA46322
> > >  for <mlecroy at troycable.net>; Mon, 17 Dec 2001 12:18:06 -0600 (CST)
> > >  (envelope-from sangell at bellsouth.net)
> > >  Received: from aol.com ([66.156.62.200]) by imf01bis.bellsouth.net
> > >  (InterMail vM.5.01.04.00 201-253-122-122-20010827) with SMTP
> > >  id <20011217181301.IGN21185.imf01bis.bellsouth.net at aol.com>
> > >  for <mlecroy at troycable.net>; Mon, 17 Dec 2001 13:13:01 -0500

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
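An added example, not from Fulton's post, that mechanises the checks he describes on the two Received: headers quoted in this thread: it parses each sendmail-style "from HELO (rdns [ip]) by host" clause, confirms each header's "by" host is the HELO name the next header toward the recipient recorded, and flags a hop whose HELO claim does not match what its IP reverse-maps to. The RDNS table is an assumption standing in for a live PTR lookup so the script runs offline.

```python
import re
# The two Received: headers from the message above, folded lines joined; index 0
# is the header nearest the recipient. The archive rewrote "@" as " at ".
RECEIVED = [
    "from imf01bis.bellsouth.net (mail201.mail.bellsouth.net [205.152.58.141]) "
    "by magneto.troycable.net (8.9.3/8.9.3) with ESMTP id MAA46322 "
    "for <mlecroy at troycable.net>; Mon, 17 Dec 2001 12:18:06 -0600 (CST)",
    "from aol.com ([66.156.62.200]) by imf01bis.bellsouth.net "
    "(InterMail vM.5.01.04.00 201-253-122-122-20010827) with SMTP "
    "id <20011217181301.IGN21185.imf01bis.bellsouth.net at aol.com> "
    "for <mlecroy at troycable.net>; Mon, 17 Dec 2001 13:13:01 -0500",
]
# Constructed stand-in for a live PTR lookup so this runs offline; the adsl
# name is the one the thread reports for 66.156.62.200.
RDNS = {"205.152.58.141": "mail201.mail.bellsouth.net",
        "66.156.62.200": "adsl-156-62-200.asm.bellsouth.net"}

# sendmail-style "from HELO (rdns [ip])" or "from HELO ([ip])" ... "by HOST"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.DOTALL)

def parse_hop(header):
    """Return {helo, rdns, ip, by} for one Received: header, or None."""
    m = HOP_RE.search(header)
    return m.groupdict() if m else None

def domain(name):
    """Last two labels, enough to compare a HELO claim with a PTR name here."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def analyze(headers, rdns=RDNS):
    """Return (hop index, finding) pairs; an empty list means nothing looked off."""
    hops = [parse_hop(h) for h in headers]
    findings = []
    for i, hop in enumerate(hops):
        if hop is None:
            findings.append((i, "unparsed header"))
            continue
        # Chain check: "by" here must equal the HELO that hop i-1 recorded as "from".
        if i > 0 and hops[i - 1] and hop["by"] != hops[i - 1]["helo"]:
            findings.append((i, "chain break: by=%s" % hop["by"]))
        if hop["rdns"] is None:
            findings.append((i, "relay recorded no reverse lookup"))
        actual = hop["rdns"] or rdns.get(hop["ip"])
        # HELO claim versus the name the IP actually reverse-maps to.
        if actual and domain(hop["helo"]) != domain(actual):
            findings.append((i, "HELO %s but %s reverse-maps to %s"
                             % (hop["helo"], hop["ip"], actual)))
    return findings
```

Run `analyze(RECEIVED)` and the only hop flagged is the second one: no reverse lookup recorded, and a HELO of aol.com from an address that maps to the BellSouth ADSL name.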





