Re: Suspected Intruder

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Don Flinn wrote:

|On Thu, 2005-01-06 at 15:49 +0000, Paul Howarth wrote:
|
|>Don Flinn wrote:
|>
|>>I suspect that an intruder may be using my node to send e-mail, because
|>>I have received some notices from my e-mail daemon that such and such
|>>was not available when I never sent e-mail to that person/address.
|>>
|>>How do I check if someone is logged in/using my machine?  I'm running
|>>FC3.
|>
|>Please post the full headers of one of these notices. It's possible
that
|>you're just getting backscatter due to a virus somewhere else forging
|>your address as the sender.
|>
|>Paul.
|>
|
|Paul
|
|Here is the info from the Mail Daemon (For clarity my name is not
|Monika :-).  Some others on this mailing list also speculated that
|someone is spoofing my address and have not compromised my machine.
|Thanks to all for your suggestions.
|
|Don
|
|------ Mail daemon message follows ------------
|Reporting-MTA: dns; rly-nc05.mx.aol.com
|Arrival-Date: Thu, 30 Dec 2004 10:50:31 -0500 (EST)
|
|Final-Recipient: RFC822; beachboy99@xxxxxxxxxxxx
|Action: failed
|Status: 5.1.1
|Remote-MTA: DNS; air-nc02.mail.aol.com
|Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
|Last-Attempt-Date: Thu, 30 Dec 2004 10:50:55 -0500 (EST)
|
|
|Received: from  31.red-212-40-232.user.auna.net
|(31.red-212-40-232.user.auna.net [212.40.232.31]) by rly-nc05.mx.aol.com
|(v103.7) with ESMTP id MAILRELAYINNC56-68c41d423a72b4; Thu, 30 Dec 2004
|10:50:18 -0500
|Date: Thu, 30 Dec 2004 15:43:33 +0000
|From: Monika <flinn@xxxxxxxxxxxx>
|To: beachboy99@xxxxxxxxxxxx
|Subject: =?Windows-1251?B?1OXp5fDi5fDq6CDu8iDv8O7o5+Lu5Ojy5ev/IO/uIO3o5
|+ro7CD25e3g7C4=?=
|MIME-Version: 1.0
|Content-Type: multipart/related;
| boundary="----------6BE01FA8FBDE43307081C8A850"
|X-AOL-IP: 212.40.232.31
|X-AOL-SCOLL-SCORE: 0:2:31266268:1342177
|X-AOL-SCOLL-URL_COUNT: 0
|Message-ID: <200412301050.68c41d423a72b4@xxxxxxxxxxxxxxxxxxx>
|
|
(1)  AOL doesn't relay messages for non members, that I'm aware of.
(2)  The IP address in question:  212.40.232.31 has a slow response
time at the destination...  probably due to the 100's of emails being
sent out.

In conclusion:
~  The email is probably a VIRUS, sent directly from the above IP...
spoofing as AOL sending a return notice back to you.
~  I've had this happen a few times.  The best you can do is email the
domain administrator for the domain that owns the IP address in
question asking them to investigate the matter.

Thanks,
James

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB3tuUkNLDmnu1kSkRAlviAJ9OfEf0ZNE70aI4a3Xn/tBwlcFDSACfbEcO
yu1uysPQfXFxAlNowCNFxf4=
=Mef3
-----END PGP SIGNATURE-----


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux