
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Hey netscalibur! (was: Re: Hijacked email)

  • From: Christopher Chin
  • Date: Wed Aug 20 13:21:48 2003

Today at 10:40 (-0500), Richard Irving wrote:

> Date: Wed, 20 Aug 2003 10:40:25 -0500
> From: Richard Irving <rirving@onecall.net>
> To: nanog@merit.edu
> Subject: Re: Hijacked email
>
>
>    Please people, of all the great feedback these joe-jobbed
> addresses are receiving from the anti-virus software...
>
>   it really wouldn't hurt to include the -=IP=- (and possibly headers)
> of the system that contacted your server.....
>
>   Rather than simply complain, it would allow us to track
> down, and triangulate the -=real=- perp, an infected
> M$ machine or two (million).


Okie doke....  is Netscalibur in the house?  I might assume so
based on the "nanog-ish" return address on the received e-mail
from [195.157.87.253].  This IP is sourcing Sobig.F to me, and
*as* me.

The received mail:

  From nanog@ehlke.net Wed Aug 20 10:03:00 2003
  Received: from KYAN ([195.157.87.253])
  	by ack.Berkeley.EDU (8.11.3/8.11.3) with ESMTP id h7K9k2n04029
  	for <cchin@ack.Berkeley.EDU>; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
  Message-Id: <200308200946.h7K9k2n04029@ack.Berkeley.EDU>
  From: <nanog@ehlke.net>
  To: <cchin@ack.Berkeley.EDU>
  Subject: Re: Details
  Date: Wed, 20 Aug 2003 10:46:45 +0100
  X-MailScanner: Found to be clean
  Importance: Normal
  X-Mailer: Microsoft Outlook Express 6.00.2600.0000
  X-MSMail-Priority: Normal
  X-Priority: 3 (Normal)
  MIME-Version: 1.0
  Content-Type: multipart/mixed;
  	boundary="_NextPart_000_00623C6D"
  Content-Length: 100007

  See the attached file for details
      [ Part 2, Application/OCTET-STREAM (Name: "details.pif")  100KB. ]


And the results of the joe-job:

  The original message was received at Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
  from [195.157.87.253]

     ----- The following addresses had permanent fatal errors -----
  <lyris@sega.com>
      (reason: 550 <lyris@sega.com>... No such mailbox)

     ----- Transcript of session follows -----
  ... while talking to mail.sega.com.:
  >>> RCPT To:<lyris@sega.com>
  <<< 550 <lyris@sega.com>... No such mailbox
  550 5.1.1 <lyris@sega.com>... User unknown

      [ Part 2: "Delivery Status" ]

  Reporting-MTA: dns; postal.segasoft.com
  Received-From-MTA: DNS; [195.157.87.253]
  Arrival-Date: Wed, 20 Aug 2003 03:42:13 -0700 (PDT)

  Final-Recipient: RFC822; lyris@sega.com
  Action: failed
  Status: 5.1.1
  Remote-MTA: DNS; mail.sega.com
  Diagnostic-Code: SMTP; 550 <lyris@sega.com>... No such mailbox
  Last-Attempt-Date: Wed, 20 Aug 2003 03:42:19 -0700 (PDT)


      [ Part 3: "Included Message" ]

  Return-Path: <cchin@ack.Berkeley.EDU>
  Received: from KYAN ([195.157.87.253])
  	by postal.segasoft.com (8.12.9/8.11.0) with ESMTP id h7KAgCbV004367
  	for <lyris@sega.com>; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
  Message-Id: <200308201042.h7KAgCbV004367@postal.segasoft.com>
  From: <cchin@ack.Berkeley.EDU>
  To: <lyris@sega.com>
  Subject: Re: Details
  Date: Wed, 20 Aug 2003 11:42:56 +0100
  X-MailScanner: Found to be clean
  Importance: Normal
  X-Mailer: Microsoft Outlook Express 6.00.2600.0000
  X-MSMail-Priority: Normal
  X-Priority: 3 (Normal)
  MIME-Version: 1.0
  Content-Type: multipart/mixed;
  	boundary="_NextPart_000_0095ABA4"

  Please see the attached file for details.
      [ Part 3.2, Application/OCTET-STREAM (Name: "thank_you.pif")  101KB. ]
      [ Unable to print this part. ]
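The technique Richard asks for and Christopher applies above, as an added example that is not part of the original post: take the IP from the topmost Received: header (the one written by your own MTA), not from the From: or Return-Path: that the worm forged, and cross-check it against the Received-From-MTA field of the bounce. The headers below are reconstructed from the ones quoted in the post, with bodies and attachments replaced by one-line stubs; the function names are mine.

```python
"""Locate the host that actually delivered a forged mail, from its headers.

Added example, not from the original post. The three samples are rebuilt
from the headers quoted above; bodies and .pif attachments are omitted.
"""
import email
import email.utils
import re

# Constructed from the mail Chin received (worm copy, From: forged).
RECEIVED_MAIL = """\
Received: from KYAN ([195.157.87.253])
  by ack.Berkeley.EDU (8.11.3/8.11.3) with ESMTP id h7K9k2n04029
  for <cchin@ack.Berkeley.EDU>; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
Message-Id: <200308200946.h7K9k2n04029@ack.Berkeley.EDU>
From: <nanog@ehlke.net>
To: <cchin@ack.Berkeley.EDU>
Subject: Re: Details
Date: Wed, 20 Aug 2003 10:46:45 +0100

See the attached file for details
"""

# Constructed from the DSN's "Delivery Status" part (RFC 3464 fields).
DSN_STATUS = """\
Reporting-MTA: dns; postal.segasoft.com
Received-From-MTA: DNS; [195.157.87.253]
Arrival-Date: Wed, 20 Aug 2003 03:42:13 -0700 (PDT)

Final-Recipient: RFC822; lyris@sega.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.sega.com
Diagnostic-Code: SMTP; 550 <lyris@sega.com>... No such mailbox
"""

# Constructed from the DSN's "Included Message" (joe-jobbed copy, sent *as* Chin).
BOUNCED_ORIGINAL = """\
Return-Path: <cchin@ack.Berkeley.EDU>
Received: from KYAN ([195.157.87.253])
  by postal.segasoft.com (8.12.9/8.11.0) with ESMTP id h7KAgCbV004367
  for <lyris@sega.com>; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
From: <cchin@ack.Berkeley.EDU>
To: <lyris@sega.com>
Subject: Re: Details
Date: Wed, 20 Aug 2003 11:42:56 +0100

Please see the attached file for details.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <HELO name> (<anything>[<ip>]" as sendmail writes it.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(.*?\[(?P<ip>" + IPV4 + r")\]")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def received_hops(raw):
    """Parse every Received: header, topmost (most recent) first.

    Each MTA prepends its own Received: line, so only the hops written by
    servers you trust are reliable; the rest can be forged by the sender.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        by = BY_RE.search(value)
        hops.append({"helo": m.group("helo"), "ip": m.group("ip"),
                     "by": by.group("by") if by else None})
    return hops


def connecting_ip(raw):
    """IP of the host that handed the mail to the first MTA in the chain
    (the topmost Received:), i.e. the machine that actually connected."""
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None


def dsn_source_mta(dsn_raw):
    """IP from the DSN's Received-From-MTA field ('type; name' per RFC 3464)."""
    value = email.message_from_string(dsn_raw).get("Received-From-MTA", "")
    m = re.search(r";\s*\[?(" + IPV4 + r")\]?", value)
    return m.group(1) if m else None


def correlate(received_raw, dsn_raw, bounced_raw):
    """Compare who delivered the worm to us, who delivered the joe-jobbed copy
    to the bouncing MTA, and whose addresses got the blame for it."""
    blamed = email.message_from_string(bounced_raw)
    return {
        "delivered_to_us_from": connecting_ip(received_raw),
        "dsn_received_from": dsn_source_mta(dsn_raw),
        "bounced_copy_from": connecting_ip(bounced_raw),
        "forged_header_from": email.utils.parseaddr(
            email.message_from_string(received_raw)["From"])[1],
        "blamed_return_path": email.utils.parseaddr(blamed["Return-Path"])[1],
    }


def same_source(result):
    """True when all three independent observations name one host."""
    ips = (result["delivered_to_us_from"], result["dsn_received_from"],
           result["bounced_copy_from"])
    return None not in ips and len(set(ips)) == 1


if __name__ == "__main__":
    r = correlate(RECEIVED_MAIL, DSN_STATUS, BOUNCED_ORIGINAL)
    for k, v in r.items():
        print(f"{k:24s} {v}")
    print("one infected host:", same_source(r))
```

The point the report lines make: the forged From: (nanog@ehlke.net) and the forged Return-Path: (cchin@ack.Berkeley.EDU) name two different victims, while every Received: and Received-From-MTA written by a receiving MTA names the same [195.157.87.253], which is the only value worth putting in an abuse report.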




