Re: Is it possible to trace source of messages bearing Netsky.R or .Q?



When looking at the first received line:

- the ip address after the canonical name is the last true source
of the e-mail. That is the machine that sent the e-mail to
your server, which you probably grabbed using a pop client (or
a web-based mail reader).

- If nslookup on the ip (above) fails, most likely the computer
using that ip is not a real mail server but has been "trojaned"
or "zombified" to directly send e-mail (i.e. an smtp engine). If
the e-mail being sent has practically no body, and includes
an attachment that is viral, then the machine is not being
used as a proxy but instead either was infected with a
pre-crafted e-mail list (to send to) or is scanning the infected
computer for anything resembling an e-mail address in any or
all likely source files. If a whois or arin (or ripe, or...)
shows that the ip belongs to a residential DSL or cable ISP
(and the domain in the "from:" or "reply-to:" doesn't match
the whois), then it's 100% certain that the computer sending
the e-mail is not a legit e-mail server.

- if the canonical name is not a name but instead an ip address,
and if it's the ip address of the *receiving* server (i.e. your
server), then we have the same situation described above
(the computer is trojanized and is not a legit smtp server).

- if everything points to the sending "server" being an
infected computer, and if there are second or third
received lines, then they will be forged and certainly
they will not contain valid information. The logic behind
this is that if a hacker is directing spam (or viruses)
through the infected machine, he will not have a
second received line contain correct information that
points back to him and his computer as the source of
the e-mail. He wants to break the linkage of where the
e-mail really came from (if indeed it really did come from
some alternate machine originally, which a lot of spam
probably does, but rarely viral e-mail).

Again, still looking at the first received line:

- if the canonical name and the ip match (i.e. if, say, the
canonical name is "mail.ucla.edu" and the ip address comes
back as belonging to ucla) and if an nslookup on the ip
also comes back with "mail.ucla.edu" or close to it,
then we can be reasonably certain that (a) the e-mail
came from ucla and (b) that it actually came from a legit
e-mail server at ucla. In which case there must be a
second received line (which may or may not include a
canonical name or even the ip address of the ultimate source
of the e-mail).
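The checks above on the first received line, written out as an added Python example (this is not the poster's code). The nslookup and whois lookups are replaced by small in-memory tables so it runs offline; the two sample messages, every address and host name in them, and the receiving server's ip are constructed for the example and stand for nothing real.

```python
"""Triage the first (topmost) Received: header of a message.

Heuristics follow the post: missing reverse DNS, a bare ip in place of a
canonical name, a residential ip whose owner does not match the From:
domain all point at an infected host; forward-confirmed reverse DNS
points at a legitimate relay, in which case the next Received: line
is the one worth reading.
"""
import ipaddress
import re
from email import message_from_string

# Constructed stand-ins for nslookup / whois (assumed, not real data).
PTR = {"198.51.100.7": "mail.example.edu"}          # ip -> reverse name
FORWARD = {"mail.example.edu": "198.51.100.7"}      # name -> ip
WHOIS = [  # (network, owner label, is residential DSL/cable ISP)
    (ipaddress.ip_network("198.51.100.0/24"), "example.edu", False),
    (ipaddress.ip_network("203.0.113.0/24"), "cable-isp.example", True),
]
RECEIVING_SERVER_IP = "192.0.2.10"  # assumed ip of "your" server

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_CLAUSE = re.compile(r"^\s*from\s+\[?([^\s\[\]()]+)\]?", re.IGNORECASE)

# Constructed sample 1: residential host sending directly, forged 2nd line.
VIRAL_MSG = """\
Received: from [203.0.113.20] by mx.yourdomain.example with SMTP id 1A2B3C; Tue, 1 Jun 2004 10:00:00 +0000
Received: from mail.example.edu (mail.example.edu [198.51.100.7]) by 203.0.113.20; Tue, 1 Jun 2004 09:59:00 +0000
From: someone@example.edu
To: you@yourdomain.example
Subject: Re: Your document

"""

# Constructed sample 2: a real relay with matching forward/reverse DNS.
LEGIT_MSG = """\
Received: from mail.example.edu (mail.example.edu [198.51.100.7]) by mx.yourdomain.example with ESMTP id 4D5E6F; Tue, 1 Jun 2004 10:05:00 +0000
Received: from laptop (dhcp-17.example.edu [198.51.100.200]) by mail.example.edu with ESMTP; Tue, 1 Jun 2004 10:04:00 +0000
From: colleague@example.edu
To: you@yourdomain.example
Subject: meeting notes

"""


def first_received(raw: str) -> tuple[str, str]:
    """Return (canonical name, ip) from the topmost Received: line.

    The topmost line was added last, by our own server, so its 'from'
    clause names the machine that actually handed the mail to us.
    """
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        raise ValueError("no Received: header")
    line = " ".join(received[0].split())              # unfold whitespace
    from_part = re.split(r"\s+by\s+", line, maxsplit=1)[0]
    m = FROM_CLAUSE.match(from_part)
    ip_m = IPV4.search(from_part)
    return (m.group(1) if m else ""), (ip_m.group(1) if ip_m else "")


def whois_owner(ip: str) -> tuple[str, bool]:
    """Constructed whois: (owner label, residential?) or ("", False)."""
    addr = ipaddress.ip_address(ip)
    for net, owner, residential in WHOIS:
        if addr in net:
            return owner, residential
    return "", False


def triage(raw: str) -> dict:
    """Apply the post's checks and return verdict plus findings."""
    name, ip = first_received(raw)
    from_hdr = message_from_string(raw).get("From", "") or ""
    from_domain = from_hdr.rsplit("@", 1)[-1].strip("> ").lower()
    ptr = PTR.get(ip)
    owner, residential = whois_owner(ip)
    findings = []
    if ptr is None:
        findings.append("nslookup on sending ip fails")
    if IPV4.fullmatch(name):
        findings.append("canonical name is a bare ip, not a host name")
        if name == RECEIVING_SERVER_IP:
            findings.append("bare ip is the receiving server's own ip")
    if residential and not from_domain.endswith(owner):
        findings.append("residential ip; From: domain does not match whois")
    fcrdns = ptr is not None and ptr.lower() == name.lower() \
        and FORWARD.get(ptr) == ip
    if findings:
        verdict, nxt = "infected-host", "block ip/subnet; later Received lines are forged"
    elif fcrdns:
        verdict, nxt = "legit-server", "read the second Received line for the origin"
    else:
        verdict, nxt = "inconclusive", "check whois by hand"
    return {"name": name, "ip": ip, "verdict": verdict,
            "findings": findings, "next_step": nxt}


if __name__ == "__main__":
    for msg in (VIRAL_MSG, LEGIT_MSG):
        print(triage(msg))
```

Only the topmost received line is trusted here, exactly as the post argues: anything below it was written by the sending machine and is worthless once that machine looks infected.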

Spam has exploded since 2002, and has grown roughly with the number of
residential DSL or high-speed cable customers, which also coincides
with the appearance of cheap home computers that came with Windows XP
pre-installed. Windows XP, as it came "out of the box" in 2001
through 2003, could be infected in at most 5 minutes of being
connected to a residential high-speed network.

Up until maybe 6 months ago, it was the rule that these infected
machines (the ones that sent spam) sent it directly to the destination
servers (they did not send their spam via the smtp servers of the ISP
that was connecting them to the internet). They could do this because
the ISP wasn't blocking port-25 packets from the infected machines to
the internet at large. There has been increasing pressure on ISPs to
lock down port 25 and prevent these packets from getting past the
ISP's network. If the ISPs (like comcast, road runner, charter,
shaw, etc) smarten up and put port-25 blocking into place, then the
spammers/hackers will have no choice but to have the infected
computers send spam through the ISP's own servers. That is when you
will have to look at the second received line in the header to
identify the machine that was the source of the spam (or virus). But
spam or viruses sent this way will be few and far between if the ISPs
have decent software to identify the e-mail as spam or viral.

In my experience, the reception of viral e-mail (when it happens)
comes from the same machine (which usually means a somewhat constant
IP address) and will usually happen once or twice a day (multiple
times a day is rare). The ip address in the first received line will
tell you where it's coming from (i.e. it will either be residential or
institutional, you may be able to identify the city and certainly the
country of origin, and based on this you may know who in that city or
country has your e-mail address somewhere on their computer, and you
may have legitimate e-mail from them where you can compare the IP
addresses). If you receive enough of these viral e-mails, and you
build up a list of the "from:" addresses, you may be able to identify
the sender based on the commonality of the from names being used. In
some cases I have sent an e-mail to all the "from:" names asking them
if they know who (in city X or country Y) we all have in common.

If you have control over your e-mail server, the last resort is to
block the IP address (or sub-net) of the computer sending the viral
e-mail. Again this is the ip address in the first received line.