Paul Howarth wrote:
> On Thu, 2006-09-14 at 13:05 -0500, Mike McCarty wrote:
>> Ok, here's an example. I turned on all headers. The actual message
>> in this case is one that my ISP caught, and clobbered the attachment
>> which the ISP claims contains a copy of a virus. In cases like this,
>> Subject: Delivery reports about your e-mail
>> From: "Mail Administrator" <MAILER-DAEMON@xxxxxxxxxxxxx>
>> Date: Wed, 13 Sep 2006 14:23:40 +0000
>> X-Apparently-To: mike.mccarty@xxxxxxxxxxxxx via 126.96.36.199; Wed, 13
>> Sep 2006 11:07:33 -0700
>> mta101.sbc.mail.mud.yahoo.com from=sbcglobal.net; domainkeys=neutral (no
>> Received: from 188.8.131.52 (EHLO ylpvm48.prodigy.net) (184.108.40.206)
>> by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700
> I'm guessing that SBC are outsourcing some of their mail handling to
> Yahoo! - is that right?

They have some sort of reciprocal agreement. Exactly what that is
I'm not sure.

> 220.127.116.11 is within the network that SBC's inbound mail servers use,
> so since the mail was addressed to you at sbcglobal.net, it looks like a
> valid Received: header and that the mail is then forwarded to Yahoo! for
> virus scanning etc.
> So this one looks genuine to me.

What I thought. It looks like someone is sending e-mail, and spoofing
my address as the originator. When it is undeliverable, it gets bounced
(back to me) with the (viral) attachment still there. Yahoo finds
the infection, cleans it, and forwards the bounced message on to me.

>> Received: from sbcglobal.net (h18.104.22.168.ip.alltel.net
>> [22.214.171.124]) by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP
>> id k8DI7NKK019802 for <mike.mccarty@xxxxxxxxxxxxx>; Wed, 13 Sep 2006
> This is the only remaining Received: header so it stands to reason that
> the source identified here (h126.96.36.199.ip.alltel.net
> [188.8.131.52]) is where the infection is. A further giveaway is that

That was the way I analyzed it.

> the sender pretended to be sbcglobal.net (i.e. your domain), in order to
> try to throw people off the scent when identifying the source; this is a
> typical trick employed by spammers, yet it gives them away so easily to
> people that understand Received: headers.

That's what I thought as well. The *numerical* IP addresses in the
"Received by" field (I thought) were always correct.

> Since this is almost certainly a dynamic IP address, there's not a lot
> further you can do to identify the actual person that's infected short
> of forwarding the message to abuse@xxxxxxxxxx and letting them figure out
> who was connected at that time.

Perhaps not, but I thought that I might at least identify
the ISP and get them to investigate.
Thanks for the reply.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
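
The header reading discussed in this thread (take the oldest Received: line written by a server you trust, and believe its bracketed IP rather than the HELO name), as an added example that is not part of the original message. The host names, the documentation-range IP addresses and the `trusted_domains` list are constructed assumptions.

```python
import email
import re

BY_RE = re.compile(r"\bby\s+([\w.-]+)")
# Sendmail-style peer clause: from HELO (reverse-dns [ip])
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

# Constructed sample; the third Received: line is below the trust boundary.
SAMPLE = """\
Received: from 192.0.2.10 (EHLO mx1.isp.example) (192.0.2.10)
  by scan.partner.example with SMTP; Wed, 13 Sep 2006 11:07:33 -0700
Received: from isp.example (dyn-203-0-113-77.access.example [203.0.113.77])
  by mx1.isp.example (8.13.6) with ESMTP; Wed, 13 Sep 2006 11:07:23 -0700
Received: from mail.isp.example ([198.51.100.5])
  by relay.unknown.example; Wed, 13 Sep 2006 10:00:00 -0700
Subject: Delivery reports about your e-mail

body
"""

def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def injection_hop(raw, trusted_domains, own_domain):
    """Return the oldest Received: hop stamped by a trusted receiver.
    Headers are newest first; the walk stops at the first one whose "by"
    host is not trusted, since the sender could have written it."""
    last = None
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(flat)
        if not by or not any(in_domain(by.group(1), d) for d in trusted_domains):
            break
        last = (by.group(1), flat)
    if last is None:
        return None
    peer = FROM_RE.search(last[1])
    if peer is None:  # trusted hop, but not in the sendmail-style format
        return {"by": last[0], "ip": None}
    hop = dict(peer.groupdict(), by=last[0])
    # The HELO name is whatever the client sent; the bracketed IP is what
    # the receiving server saw on the connection.
    hop["helo_claims_own_domain"] = in_domain(hop["helo"], own_domain)
    hop["helo_matches_rdns"] = bool(hop["rdns"]) and in_domain(hop["rdns"], hop["helo"])
    return hop
```

The suffix check accepts any header that names a trusted host in its `by` clause, so keep `trusted_domains` limited to the receivers you know handle your mail.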