RE: e-mail tracing

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 09/13/04

    To: "'Hayden Searle'" <hayden.searle@safecom.co.nz>, <security-basics@securityfocus.com>
    Date: Mon, 13 Sep 2004 08:20:48 -0700
    
    
    

      Suppose, though, that <hey.com.hk> resolves to 80.1.119.55,
    because it is indeed attached to ntl.com's broadband service.

      You've bounced the mail because ntl didn't set up a *custom*
    PTR record for this customer, not because they're a spammer.

    Dave Gillett

    > -----Original Message-----
    > From: Hayden Searle [mailto:hayden.searle@safecom.co.nz]
    > Sent: Thursday, September 09, 2004 8:49 AM
    > To: security-basics@securityfocus.com
    > Subject: e-mail tracing
    >
    >
    > The best way to combat these sorts of spam mailers as far as I am
    > concerned is to set up your email server to do PTR lookups. If the
    > sending domain IP doesn't match the IP where it comes from then don't
    > accept it and send an error back.
    >
    > For example
    >
    > PTR record. <80.1.119.55> has a PTR record, but does not match HELO
    > string <hey.com.hk>,
    > Ptrs = spr1-walt1-6-0-cust55.asfd.broadband.ntl.com
    >
    > The message was sent from 80.1.119.55 which resolves to
    > spr1-walt1-6-0-cust55.asfd.broadband.ntl.com but the mail says it's
    > coming from hey.com.hk.
    >
    > Most servers will do this by default anyway, you just need to enable
    > the option to not accept the message.
    >
    > A company I support is under a spam attack and we have dropped/blocked
    > 147,000 emails in the last 8 days....and they are one of 67 companies
    > I do the network security for. I hope they don't start hitting more of
    > them.
    >
    > Regards
    >
    > Hayden Searle
    > Network Security Specialist
    >
    > -----Original Message-----
    > From: P S [mailto:seclistmail@hotmail.com]
    > Sent: Sunday, 29 August 2004 2:27 a.m.
    > To: security-basics@securityfocus.com
    > Subject: e-mail tracing
    >
    > Hi,
    > I have been getting e-mails about confirming my credit card number and
    > PIN at different banks and I decided to try to trace them back just to
    > see where it is really coming from.
    > At school in the network security class we learnt how e-mail goes
    > through MTAs, and spammers can send e-mails through open mail servers
    > but we didn't go into details and of course they didn't give us any
    > hands on either.
    >
    > So I googled "reading e-mail headers" and went through lots of pages
    > and learnt a lot but I still have a few questions and I would really
    > appreciate it if somebody could help me.
    >
    > What I learnt is I have to read the headers from bottom to top, that's
    > how it goes through the MTAs. Now I am reading these headers but the
    > bottom "from" lines are confusing. I will copy 3 of the headers here:
    >
    > Received:
    > from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by
    > imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809 for
    > <xxxx@cbgb.net>; Sun, 22 Aug 2004 17:58:31 -0700 (PDT)
    >
    > from 216.200.145.35 (61.149.215.9 [61.149.215.9]) by
    > pmta04.mta.everyone.net (EON-PMTA) with SMTP id 894D1584 for
    > <xxxx@cbgb.net>; Sun, 22 Aug 2004 17:58:31 -0700
    >
    > from E39 (a222.53.141.148.oeo6.wsj.admin170@citibank.com
    > [160.129.208.70]) by mail67.k.yahoo.com (606.70.4q95/1.773.2) with
    > SMTP id vvh21F66RMEpjz471; Mon, 23 Aug 2004 14:59:29 +0100
    >
    >
    > Received:
    > from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by
    > imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619 for
    > <xxxx@cbgb.net>; Wed, 25 Aug 2004 13:25:59 -0700 (PDT)
    >
    > from 216.200.145.35 (4.16.55.202 [4.16.55.202]) by
    > pmta11.mta.everyone.net (EON-PMTA) with SMTP id F1842D83 for
    > <xxxx@cbgb.net>; Wed, 25 Aug 2004 13:25:59 -0700
    >
    > from 6.190.168.160 by 4.16.55.202; Wed, 25 Aug 2004 14:23:52 -0700
    >
    >
    > Received:
    > from pmta08.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by
    > imta38.mta.everyone.net (Postfix) with ESMTP id 718FF4A636 for
    > <xxxx@cbgb.net>; Wed, 25 Aug 2004 12:13:39 -0700 (PDT)
    >
    > from x1-6-00-08-0e-8a-58-75.k149.webspeed.dk (80.162.14.71
    > [80.162.14.71]) by pmta08.mta.everyone.net (EON-PMTA) with SMTP id
    > 16ED3FB9 for <xxxx@cbgb.net>; Wed, 25 Aug 2004 12:13:39 -0700
    >
    > from 30.34.132.240 by 80.162.14.71; Wed, 25 Aug 2004 16:09:33 -0400
    >
    > The first one says it's coming from
    > a222.53.141.148.oeo6.wsj.admin170@citibank.com and from this I think
    > the IP address should be 148.141.53.222 but in brackets it says
    > 160.129.208.70.
    >
    > After this the received by says it was sent through yahoo's mail
    > server. Now to me it looks like this field is fake, am I right?
    >
    > The second from field says 216.200.145.35 but the relaying mailserver
    > put in the real IP as 61.149.215.9. Is this the real spammer IP where
    > the mail is really coming from? Same with the other two headers, it
    > looks like the first (bottom) fields are fake. Am I right when I think
    > the spammer sent the mails from 4.16.55.202 and 80.162.14.71?
    >
    > Every answer and help will be really appreciated, thank you.
    >
    > Peter
    >
    > _________________________________________________________________
    > Scan and help eliminate destructive viruses from your inbound and
    > outbound e-mail and attachments.
    > http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
    > Start enjoying all the benefits of MSN(r) Premium right now and get
    > the first two months FREE*.

    ---------------------------------------------------------------------------
    Computer Forensics Training at the InfoSec Institute. All of our class sizes
    are guaranteed to be 12 students or less to facilitate one-on-one
    interaction with one of our expert instructors. Gain the in-demand skills of
    a certified computer examiner, learn to recover trace data left behind by
    fraud, theft, and cybercrime perpetrators. Discover the source of computer
    crime and abuse so that it never happens again.
    http://www.infosecinstitute.com/courses/computer_forensics_training.html
    ----------------------------------------------------------------------------
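The two checks the thread turns on, as an added example that is not code from any of the posts above: walking the Received: headers from the top (our own MTA) downward to find the last hop a trusted relay actually observed, and testing a HELO name against the connecting address the way Hayden describes, with Dave's caveat built in. It goes a little beyond the specific messages: the relay farm to trust is a parameter (here assumed to be everyone.net's MTAs, which is an assumption about Peter's setup), and every header below the verifiable hops is also checked for whether its "by" host even matches the hop above it, which the first of Peter's three sets fails. The header sets are the ones Peter quoted; the DNS table is constructed so the script runs offline and reproduces Dave's hey.com.hk case.

```python
"""Find where a message really entered the mail system, then vet its HELO.
Added example, not code from the list post. It runs offline: RECEIVED_* are
the three header sets Peter quoted (one header per line, top to bottom as
they appear); DNS_A and DNS_PTR are a constructed stand-in for real lookups
that reproduces Dave Gillett's hey.com.hk scenario."""
import re
from dataclasses import dataclass
from typing import Optional

# Hosts whose Received: headers we trust because we (or our mail provider)
# run them. Assumption: for Peter's headers that is everyone.net's MTA farm.
TRUSTED_SUFFIXES = (".mta.everyone.net",)

RECEIVED_1 = [
    "from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809 for <xxxx@cbgb.net>; Sun, 22 Aug 2004 17:58:31 -0700 (PDT)",
    "from 216.200.145.35 (61.149.215.9 [61.149.215.9]) by pmta04.mta.everyone.net (EON-PMTA) with SMTP id 894D1584 for <xxxx@cbgb.net>; Sun, 22 Aug 2004 17:58:31 -0700",
    "from E39 (a222.53.141.148.oeo6.wsj.admin170@citibank.com [160.129.208.70]) by mail67.k.yahoo.com (606.70.4q95/1.773.2) with SMTP id vvh21F66RMEpjz471; Mon, 23 Aug 2004 14:59:29 +0100",
]
RECEIVED_2 = [
    "from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619 for <xxxx@cbgb.net>; Wed, 25 Aug 2004 13:25:59 -0700 (PDT)",
    "from 216.200.145.35 (4.16.55.202 [4.16.55.202]) by pmta11.mta.everyone.net (EON-PMTA) with SMTP id F1842D83 for <xxxx@cbgb.net>; Wed, 25 Aug 2004 13:25:59 -0700",
    "from 6.190.168.160 by 4.16.55.202; Wed, 25 Aug 2004 14:23:52 -0700",
]
RECEIVED_3 = [
    "from pmta08.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by imta38.mta.everyone.net (Postfix) with ESMTP id 718FF4A636 for <xxxx@cbgb.net>; Wed, 25 Aug 2004 12:13:39 -0700 (PDT)",
    "from x1-6-00-08-0e-8a-58-75.k149.webspeed.dk (80.162.14.71 [80.162.14.71]) by pmta08.mta.everyone.net (EON-PMTA) with SMTP id 16ED3FB9 for <xxxx@cbgb.net>; Wed, 25 Aug 2004 12:13:39 -0700",
    "from 30.34.132.240 by 80.162.14.71; Wed, 25 Aug 2004 16:09:33 -0400",
]

_HOP = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

@dataclass
class Hop:
    helo: str           # name the client announced (attacker-controlled)
    by: str             # MTA that claims to have written the header
    ip: Optional[str]   # address the writing MTA saw in brackets, if any
    verifiable: bool = False
    chain_ok: bool = True

def parse_hop(header):
    m = _HOP.match(header)
    if not m:
        raise ValueError("not a from/by Received: header: " + header)
    ipm = _IP.search(m.group("comment") or "")
    return Hop(m.group("helo"), m.group("by"), ipm.group(1) if ipm else None)

def is_trusted(name):
    return name.lower().endswith(TRUSTED_SUFFIXES)

def trace(headers):
    """Walk top down: a header is verifiable while a trusted MTA wrote it, and
    the first one a trusted MTA took from an outside client gives the real
    connecting IP. Everything below is text the sender could have typed, so it
    is only checked for consistency with the hop above (a forger's usual slip)."""
    hops = [parse_hop(h) for h in headers]
    origin_ip = None
    for hop in hops:
        if not is_trusted(hop.by):
            break                       # a stranger wrote this header
        hop.verifiable = True
        if not is_trusted(hop.helo):
            origin_ip = hop.ip or hop.helo
            break
    for prev, hop in zip(hops, hops[1:]):
        if not hop.verifiable:
            hop.chain_ok = hop.by.lower() in {prev.helo.lower(), prev.ip or ""}
    return origin_ip, hops

# Constructed DNS stand-in: ntl never gave this customer a custom PTR, but
# hey.com.hk does resolve to the address the mail came from.
DNS_A = {"hey.com.hk": {"80.1.119.55"},
         "spr1-walt1-6-0-cust55.asfd.broadband.ntl.com": {"80.1.119.55"}}
DNS_PTR = {"80.1.119.55": {"spr1-walt1-6-0-cust55.asfd.broadband.ntl.com"}}

def helo_verdict(helo, ip, a_records=DNS_A, ptr_records=DNS_PTR):
    """'ptr-match': HELO equals the PTR name, Hayden's test passes.
    'forward-confirmed': PTR differs but HELO resolves to the connecting IP,
    so a bounce would hit a legitimate sender (Dave's caveat).
    'mismatch': neither holds; reject or score as spam."""
    name = helo.lower().strip("[]")
    if name in ptr_records.get(ip, set()):
        return "ptr-match"
    if ip in a_records.get(name, set()):
        return "forward-confirmed"
    return "mismatch"

if __name__ == "__main__":
    for label, hdrs in (("set 1", RECEIVED_1), ("set 2", RECEIVED_2), ("set 3", RECEIVED_3)):
        origin, hops = trace(hdrs)
        print(f"{label}: last verifiable client IP = {origin}")
        for h in hops:
            tag = "verified" if h.verifiable else ("claimed" if h.chain_ok else "claimed, chain broken")
            print(f"  from {h.helo} [{h.ip}] by {h.by}: {tag}")
    for helo, ip in (("hey.com.hk", "80.1.119.55"), ("216.200.145.35", "61.149.215.9")):
        print(f"HELO {helo} from {ip}: {helo_verdict(helo, ip)}")
```

Run as a script it reports 61.149.215.9, 4.16.55.202 and 80.162.14.71 as the last verifiable client addresses of the three sets, flags the "by mail67.k.yahoo.com" hop in the first set as not even lining up with the hop above it, and classifies hey.com.hk from 80.1.119.55 as forward-confirmed rather than a mismatch. Note that the bottom hops of sets 2 and 3 pass the consistency check yet are still unverifiable: a forger who copies the real IP into a fake "by" defeats that tell, which is why the origin is taken from what the trusted relay recorded, never from what the lower headers say.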

