Re: Strange email

[Greg Broiles <gbroiles () netbox com>]

I got it too, also noticed that the headers were suspicious - couldn't find 
any record of a Sarah Pricer at UCB via their directory. The email I 
received didn't include a GIF.

These are the headers I got -

Received: from home.netbox.com ([64.124.87.11] verified)
  by mailsys01.intnet.net (CommuniGate Pro SMTP 3.3.2)
  with ESMTP id 8222789 for gbroiles () wwc com; Wed, 16 May 2001 02:01:44 -0400
Received: (from gbroiles@localhost)
        by home.netbox.com (8.8.8/8.8.7) id XAA44683
        for gbroiles () wwc com; Tue, 15 May 2001 23:02:35 -0700 (PDT)
        (envelope-from gbroiles)
Received: from localhost.localdomain (root () s211-33-122-158 thrunet ne kr 
[211.33.122.158])
        by home.netbox.com (8.8.8/8.8.7) with ESMTP id XAA44675
        for <gbroiles () NETBOX COM>; Tue, 15 May 2001 23:02:34 -0700 (PDT)
        (envelope-from linuxone@localhost.localdomain)
Received: (from linuxone@localhost)
        by localhost.localdomain (8.10.1/8.10.1) id f4GE3Q214200
        for gbroiles () NETBOX COM; Wed, 16 May 2001 23:03:26 +0900
Date: Wed, 16 May 2001 23:03:26 +0900
Message-Id: <200105161403.f4GE3Q214200@localhost.localdomain>
From: Sarah Pricer <sarah_pricer () hotmail com>
Sender: Sarah.Pricer@localhost.localdomain
Subject: Regarding ip block 199.165.136.0 - 199.165.136.255
Content-Type: text/html

At 07:55 PM 5/15/2001 -0400, you wrote:
> Real-To:  "Jason Lewis" <jlewis () jasonlewis net>
>
> I received this email today.  The headers show it being sent from a machine
> in Korea.  Everything in the headers is forged, but I just can't figure out
> what the motive is behind it.  Also, at the end of the email, there was a
> gif and I included the embedded html link.  Has anyone else seen this?    I
> have munged the IP's.
>
>
>
> Hi my name is Sarah Pricer, a CS graduate student at UC Berkeley.  I
> obtained your email address from www.arin.net when searching for the IP
> block(192.168.64.0 - 192.168.64.255 ) that you coordinate.
>
> I'm currently writing a thesis on the network topology and would very much
> appreciate your cooperation. I am trying to draw out a map of how the IPs
> are distributed geographically. I realize that the IP registration data
> often times have country/state/city information that are different from the
> actual physical location of where the IPs are used.
>
> Arin data currently shows that 192.168.64.0 - 192.168.64.255 is registered
> to:
>
> Country: US
> State: VA
> City: MCLEAN
>
> Can you please tell me if this is the actual physical location of the IPs?
> If not, can you please tell me the actual location?  Again, thank you for
> your cooperation.
>
> warm regards,
> Sarah P.
>
> <http://211.33.122.158/icons/1/cal_1506.gif>
>
>
>
>
> Jason Lewis
> http://www.packetnexus.com
> "All you can do is manage the risks. There is no security."

--
Greg Broiles
gbroiles () well com