Re: Virus origin

From: Travis Casey (efindel_at_earthlink.net)
Date: 11/21/04


Date: Sun, 21 Nov 2004 17:41:13 GMT

srm wrote:

> I've installed Amavis/AntiVir on my Linux system and this seems to be
> doing a good job of intercepting nasties. But I have a question about the
> information supplied by these packages.
>
> I know that malware programs typically spoof the 'From' header, so I'm
> ignoring that. However, I'm intrigued by the 'Received:' headers. Amavis
> highlights the earliest 'Received:' header in the chain. Here's an
> example:
>
> According to the 'Received:' trace, the message originated at:
> host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
> helo=frenchentree.com)

"Received:" headers are faked by many spammers and viruses. I generally
only trust the "Received:" headers from my own boxes, and there, only trust
the IP given, not the "HELO" information.

> Now, that 'helo=frenchentree.com' interests me. That's a site for which my
> wife (to whom all these virus-bearing messages were addressed) has just
> started working. We've had a bunch of these and there are other
> indications that the guy she's working for might actually be the source of
> the malware.

The IP given is in the UK. You can look it up at www.ripe.net -- if you do,
you'll get the name of the ISP it belongs to. If it's the same ISP that
frenchentree.com gets their service from, then it's much more plausible.

Doing a ping on www.frenchentree.com gives 217.199.167.27 as the IP. That
doesn't appear to belong to the same ISP, but it's possible that they use a
web hosting service, of course, so that's not conclusive.

> So, the question is, do malware programs also somehow spoof the HELO? Or
> is this actual proof that the malware originated from the frenchentree.com
> domain? I need to know before I give the guy a bollocking and tell him to
> sort out his system.

This in itself isn't proof, but it still looks plausible.

-- 
ZZzz   |\      _,,,---,,_     Travis S. Casey  <efindel@earthlink.net>
       /,`.-'`'    -.  ;-;;,_   No one agrees with me.  Not even me.
      |,4-  ) )-,_..;\ (  `'-'
     '---''(_/--'  `-'\_)
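The trust rule in the reply above, as an added example that is not part of this thread: walk the "Received:" chain from the top (most recent hop first), believe a hop only if its "by" host is one of our own servers, take the connecting IP from that hop, and treat the HELO string and every older "Received:" line as unverified text the sender could have written. The sample headers are constructed for this example; apart from the IP and host name quoted in the thread, the hosts, IPs, and message ids are made up, and `mail.example.net`/`mx1.example.net` stand in for "my own boxes".

```python
from __future__ import annotations

import re

# Constructed sample (not from the original post): a message that reached
# our MX from the IP discussed in the thread, carrying one older
# "Received:" line that the sending machine wrote itself and that we
# therefore cannot verify.
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTP id CONSTRUCTED1;
\tSun, 21 Nov 2004 17:40:00 +0000
Received: from host217-42-163-55.range217-42.btcentralplus.com ([217.42.163.55]
\thelo=frenchentree.com) by mx1.example.net with smtp id CONSTRUCTED2;
\tSun, 21 Nov 2004 17:39:58 +0000
Received: from frenchentree.com (frenchentree.com [203.0.113.5])
\tby relay.spoofed.example with SMTP; Sun, 21 Nov 2004 17:39:00 +0000
From: "Someone" <someone@example.com>
Subject: Your document
"""

# Our own mail servers: the only "by" hosts whose stamps we believe, and the
# IPs they use when relaying between each other. Hypothetical names.
TRUSTED_HOSTS = {"mail.example.net", "mx1.example.net"}
TRUSTED_IPS = {"192.0.2.10", "192.0.2.11"}


def unfold_headers(raw: str) -> list[tuple[str, str]]:
    """Join RFC 822 continuation lines and return (name, value) pairs
    in the order they appear; stops at the blank line before the body."""
    headers: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[:1] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_received(value: str) -> dict:
    """Pull the claimed sending host, the connecting IPv4 address, the
    receiving host and the HELO string out of one Received: value."""
    from_m = re.search(r"\bfrom\s+(\S+)", value)
    ip_m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    by_m = re.search(r"\bby\s+(\S+)", value)
    helo_m = re.search(r"helo=([^\s)]+)", value)
    return {
        "from": from_m.group(1) if from_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1) if by_m else None,
        "helo": helo_m.group(1) if helo_m else None,
    }


def analyse(raw: str, trusted_hosts: set[str], trusted_ips: set[str]) -> dict:
    """Return the last verifiable connecting IP, the (unverified) HELO it
    offered, and the 'from' hosts of every older hop we cannot vouch for."""
    hops = [parse_received(v) for name, v in unfold_headers(raw) if name == "received"]
    result = {"origin_ip": None, "origin_helo": None, "unverified": []}
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            # Stamped by a server we do not control: nothing from here on
            # down can be trusted, so every remaining hop is unverified.
            result["unverified"] = [h["from"] for h in hops[i:]]
            break
        if hop["ip"] in trusted_ips:
            continue  # an internal relay between our own boxes
        result["origin_ip"] = hop["ip"]       # the one fact our server saw
        result["origin_helo"] = hop["helo"]   # a claim made by the client
        result["unverified"] = [h["from"] for h in hops[i + 1:]]
        break
    return result


if __name__ == "__main__":
    r = analyse(SAMPLE_HEADERS, TRUSTED_HOSTS, TRUSTED_IPS)
    print("connecting IP seen by our MX:", r["origin_ip"])
    print("HELO offered (unverified):   ", r["origin_helo"])
    print("older hops, not verifiable:  ", r["unverified"])
```

The IP is worth acting on (whois at RIPE, abuse report to that ISP); the HELO and the oldest "Received:" line only record what the connecting machine chose to say, so they carry no evidential weight on their own.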

