Re: Email Virus

From: devil <>
Date: Mon, 08 Jul 2002 03:35:25 GMT

Rod Smith wrote:
> In article <>,
> Marshall Lake <> writes:
>>>Reading headers is easy enough.
>>>You read from the bottom up.
>>>Each Received is a postmaster receiving the message with
>>>the information of who the message was relayed from with
>>>who it is to be sent to.
>>>Only the postmaster on the first hop
>>>can use the Message ID to see who really sent the message.
>>Here are the headers from one such email I received. What is the
>>originating site?
>>Return-Path: <>
>>Received: from ( [])
>> by (Postfix) with ESMTP id 5FED71B8CD
>> for <>; Sun, 7 Jul 2002 12:42:49 -0400 (EDT)
>>Received: from Izmnsyso ([]) by
>> (InterMail vM. 201-253-122-126-105-20020426) with SMTP
>> id <>
>> for <>; Sun, 7 Jul 2002 11:41:39 -0500
> This is the first Received header. It indicates that,
> which identified itself with a fake or incomplete hostname ("Izmnsyso")
> sent the message to a computer that's identified itself in the message
> header as but didn't include an IP address. You'd
> need to use tools like host, nslookup, or whois to figure out who "owns"
> For instance:
> $ host
> domain name pointer
> This seems to suggest that somebody using a dial-up account with the
> ISP is the true sender.
> One caution: Received headers can be forged. Spammers sometimes insert
> a fake Received header before (that is, later in the file) than the
> first legitimate one. This is usually easily spotted by a gap with
> other headers between Received headers. The first (that is, last in the
> file) Received header might also point to a machine under the control
> of whatever bad guy you want to avoid. As a general rule, the most
> trustworthy Received header is the last one (that is, the top one in the
> file), which usually tells you the system from which your ISP or mail
> server received the message. Anything earlier than that could
> conceivably be at least partly forged.

True. But you almost invariably can tell: something doesn't fit. At
some point upstream, some header will tell the truth and a mismatch will
be apparent.

Anyway, it doesn't seem to be the case here. Source is almost certainly