nanog mailing list archives
Hey netscalibur! (was: Re: Hijacked email)
From: Christopher Chin <cchin () ack Berkeley EDU>
Date: Wed, 20 Aug 2003 10:14:35 -0700 (PDT)
Today at 10:40 (-0500), Richard Irving wrote:
> Date: Wed, 20 Aug 2003 10:40:25 -0500
> From: Richard Irving <rirving () onecall net>
> To: nanog () merit edu
> Subject: Re: Hijacked email
>
> Please people, of all the great feedback these joe jobbed addresses are receiving, from the anti-virus software... it really wouldn't hurt to include the -=IP=- (and possibly headers) of the system that contacted your server.....
>
> Rather than simply complain, it would allow us to track down, and triangulate the -=real=- perp, an infected M$ machine or two (million).
Okie doke.... is Netscalibur in the house? I might assume so based on the "nanog-ish" return address on the received e-mail from [195.157.87.253].

This IP is sourcing Sobig.F to me, and *as* me.

The received mail:

From nanog () ehlke net Wed Aug 20 10:03:00 2003
Received: from KYAN ([195.157.87.253])
        by ack.Berkeley.EDU (8.11.3/8.11.3) with ESMTP id h7K9k2n04029
        for <cchin () ack Berkeley EDU>; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
Message-Id: <200308200946.h7K9k2n04029 () ack Berkeley EDU>
From: <nanog () ehlke net>
To: <cchin () ack Berkeley EDU>
Subject: Re: Details
Date: Wed, 20 Aug 2003 10:46:45 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_00623C6D"
Content-Length: 100007

See the attached file for details

[ Part 2, Application/OCTET-STREAM (Name: "details.pif") 100KB. ]

And the results of the joe-job:

The original message was received at Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
from [195.157.87.253]

----- The following addresses had permanent fatal errors -----
<lyris () sega com>
    (reason: 550 <lyris () sega com>... No such mailbox)

----- Transcript of session follows -----
... while talking to mail.sega.com.:
>>> RCPT To:<lyris () sega com>
<<< 550 <lyris () sega com>... No such mailbox
550 5.1.1 <lyris () sega com>... User unknown

[ Part 2: "Delivery Status" ]

Reporting-MTA: dns; postal.segasoft.com
Received-From-MTA: DNS; [195.157.87.253]
Arrival-Date: Wed, 20 Aug 2003 03:42:13 -0700 (PDT)

Final-Recipient: RFC822; lyris () sega com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.sega.com
Diagnostic-Code: SMTP; 550 <lyris () sega com>... No such mailbox
Last-Attempt-Date: Wed, 20 Aug 2003 03:42:19 -0700 (PDT)

[ Part 3: "Included Message" ]

Return-Path: <cchin () ack Berkeley EDU>
Received: from KYAN ([195.157.87.253])
        by postal.segasoft.com (8.12.9/8.11.0) with ESMTP id h7KAgCbV004367
        for <lyris () sega com>; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
Message-Id: <200308201042.h7KAgCbV004367 () postal segasoft com>
From: <cchin () ack Berkeley EDU>
To: <lyris () sega com>
Subject: Re: Details
Date: Wed, 20 Aug 2003 11:42:56 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_0095ABA4"

Please see the attached file for details.

[ Part 3.2, Application/OCTET-STREAM (Name: "thank_you.pif") 101KB. ]
[ Unable to print this part. ]
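
Added example (not part of the original post or thread): a Python sketch of the cross-check done by hand above, pulling the connecting IP out of a joe-job bounce from both the DSN's Received-From-MTA field and the topmost Received line of the included message. The sample bounce is constructed; it reuses the IP and HELO name quoted in the post, while the hostname mta.example.net and the function names are assumptions.

```python
import re
from email import message_from_string

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def first_hop_ip(received):
    """IP literal in the 'from' clause of a Received header, or None."""
    m = IPV4.search(re.split(r"\sby\s", received, maxsplit=1)[0])
    return m.group(1) if m else None

def bounce_source(raw):
    """(reporting MTA, source IP) for a DSN; None if evidence is missing or disagrees."""
    status = original = None
    for part in message_from_string(raw).walk():
        kind = part.get_content_type()
        if kind == "message/delivery-status" and status is None:
            status = part.get_payload()[0]    # per-message DSN fields
        elif kind == "message/rfc822" and original is None:
            original = part.get_payload()[0]  # the forged mail as the MTA received it
    if status is None or original is None:
        return None
    reported = IPV4.search(status.get("Received-From-MTA", ""))
    # Only the topmost Received line was written by the reporting MTA itself;
    # anything below it was supplied by the sender and can be forged.
    seen = first_hop_ip(original.get("Received", ""))
    if not reported or reported.group(1) != seen:
        return None
    return status.get("Reporting-MTA", "").split(";")[-1].strip(), seen

# Constructed sample modelled on the bounce quoted above (hostname is a placeholder).
SAMPLE_BOUNCE = """\
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mta.example.net
Received-From-MTA: DNS; [195.157.87.253]

--b1
Content-Type: message/rfc822

Received: from KYAN ([195.157.87.253])
\tby mta.example.net with ESMTP; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
Subject: Re: Details

Please see the attached file for details.
--b1--
"""
```

`bounce_source(SAMPLE_BOUNCE)` returns the reporting MTA and the IP that handed it the forged message, which is the pair worth including in an abuse report.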