.exe files coming through email from the DoD?

0 Votes

cpguru21
Hi!

I have certain content blocked on my mail server, like .exe, etc.

Typically what I try to do is review the header information, look up sources based on IPs at http://cqcounter.com/whois/, and if I feel I can safely block the IPs I do so, i.e. if the IP is somewhere in China, well, we don't associate with anyone over there so it's safe to block.

What is concerning to me is when I perform a lookup based on the header information and the response comes back that the email originated from a DoD network like in this example here:

************************************************************
144.144.111.205 - Geo Information
IP Address 144.144.111.205
Host 144.144.111.205
Location US, United States
City Columbus, OH 43218
Organization DoD Network Information Center
ISP DoD Network Information Center
AS Number -
Latitude 3996'12" North
Longitude 8299'88" West
Distance 8218.10 km (5106.49 miles)
Map Location World Map Google Maps Yahoo Maps Microsoft Live Maps

144.144.111.205 - Whois Information

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# Query terms are ambiguous. The query is assumed to be:
# "n 144.144.111.205"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=144.144.111.205?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 144.144.0.0 - 144.144.255.255
CIDR: 144.144.0.0/16
OriginAS:
NetName: DNIC-SNET-144-144
NetHandle: NET-144-144-0-0-1
Parent: NET-144-0-0-0-0
NetType: Direct Assignment
RegDate: 1990-12-12
Updated: 2009-04-16
Ref: http://whois.arin.net/rest/net/NET-144-144-0-0-1

OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: http://whois.arin.net/rest/org/DNIC

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil
OrgTechRef: http://whois.arin.net/rest/poc/MIL-HSTMST-ARIN

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-800-365-3642
OrgAbuseEmail: registra@nic.mil
OrgAbuseRef: http://whois.arin.net/rest/poc/REGIS10-ARIN

OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642
OrgTechEmail: registra@nic.mil
OrgTechRef: http://whois.arin.net/rest/poc/REGIS10-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
*****************************************************************************
So, based on this header information:

*****************************************************************************
Return-Path: <alert@dnb.com>
Received: from host6.monotypeimaging.co.uk (unknown [195.224.186.55])
by mail.zzzzzzzzzz.com (Postfix) with ESMTP id 00BE19AF146A
for <zzz.zzzzzzz@zzzzzzzz.com>; Wed, 26 Jun 2013 10:13:14 -0400 (EDT)
Received: from [144.144.111.205] (port=54812 helo=[192.168.2.31]) by 195.224.186.55 with asmtp id 1rqLaL-0001D-00 for zzz.zzzzzzz@zzzzzzz.com; Wed, 26 Jun 2013 14:14:11 +0000
Message-ID: <51CAEFC5.8040604@hsbc.com.hk>
Date: Wed, 26 Jun 2013 14:14:11 +0000
From: "HSBC Bank" <payment.advice@hsbc.com.hk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: zzz.zzzzzzz@zzzzzzz.com
Subject: UPS - Your package is available for pickup ( Parcel 3JV1Z1U6 )
Content-Type: multipart/mixed;
boundary="----=_Part_22486_6648941014.0898809575069"
X-Spam: Not detected
X-Mras: Ok
*****************************************************************************

Did this really originate at the 144.144. address and come from a system inside the DoD?

I asked this question before and never got a definitive answer:
Can header information be spoofed? Is it possible that this piece of spam came nowhere near the DoD?

Have any of you seen spam and/or virus activity that traced back to the DoD?

Just curious. Thanks for any thoughts.
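An added illustration of the point the thread turns on (this is not code from the original post): each relay prepends its own Received line, so only the topmost line, the one the receiving Postfix wrote, records an IP that server actually saw connect. The line beneath it naming 144.144.111.205 was supplied by 195.224.186.55 and is just text that peer handed over. The sample headers are copied from the post (domains anonymised as there), and the receiving MTA name is assumed to be the anonymised mail.zzzzzzzzzz.com.

```python
import re
from email import message_from_string

# Constructed sample, copied from the headers quoted in the post (domains anonymised as there).
RAW_HEADERS = """\
Return-Path: <alert@dnb.com>
Received: from host6.monotypeimaging.co.uk (unknown [195.224.186.55])
    by mail.zzzzzzzzzz.com (Postfix) with ESMTP id 00BE19AF146A
    for <zzz.zzzzzzz@zzzzzzzz.com>; Wed, 26 Jun 2013 10:13:14 -0400 (EDT)
Received: from [144.144.111.205] (port=54812 helo=[192.168.2.31]) by 195.224.186.55 with asmtp id 1rqLaL-0001D-00 for zzz.zzzzzzz@zzzzzzz.com; Wed, 26 Jun 2013 14:14:11 +0000
From: "HSBC Bank" <payment.advice@hsbc.com.hk>
Subject: UPS - Your package is available for pickup ( Parcel 3JV1Z1U6 )

"""

OUR_MTA = "mail.zzzzzzzzzz.com"  # hostname our own Postfix writes into "by" (assumed, anonymised as in the post)

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s*\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """Pull the 'from' host, the first IP given for it, and the 'by' host out of one Received line."""
    text = " ".join(value.split())  # unfold the header onto one line
    m = RECEIVED_RE.search(text)
    if m is None:
        return None
    ip = IP_RE.search(text[m.start("from"):m.start("by")])
    return {"from": m.group("from"), "by": m.group("by"),
            "peer_ip": ip.group(1) if ip else None}

def trace_hops(raw, our_mta=OUR_MTA):
    """Walk Received headers top-down; only hops written by our own MTA record an IP we saw on the wire."""
    hops, trusted = [], True
    for value in message_from_string(raw).get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        # Trust stops at the first hop not written by us: everything below is text the sender handed over.
        hop["trusted"] = trusted and hop["by"].lower() == our_mta.lower()
        trusted = hop["trusted"]
        hops.append(hop)
    return hops

def true_origin(hops):
    """The only connecting IP we can vouch for: the peer of the last hop our own MTA wrote."""
    peer = None
    for h in hops:
        if not h["trusted"]:
            break
        peer = h["peer_ip"]
    return peer

if __name__ == "__main__":
    for h in trace_hops(RAW_HEADERS):
        print(("TRUSTED  " if h["trusted"] else "claimed  ") + f"{h['peer_ip']} -> {h['by']}")
    print("Host that actually delivered this to us:", true_origin(trace_hops(RAW_HEADERS)))
```

Run against the post's headers it reports 195.224.186.55 as the only peer the receiving server observed; the 144.144.111.205 line is a claim made by that peer, so a block decision based on the DoD lookup would be acting on unverified data.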

Member Answers

    0 Votes
    robo_dev

    DEFENSE FINANCE & ACCOUNTING SERVICE
    3990 E BROAD ST, BLDG 21
    COLUMBUS, OH 43213-1152

    Do a Google Maps Street View... this is a strip mall.

    I say they have a malware-infected PC.

    0 Votes
    cpguru21

    Hmm, when I do a street view it shows the Ohio State House. Regardless, I agree that they have an infected machine.

    0 Votes
    widd11e

    hmm

    I shall let someone else inform them that their intranet is infected. Kind of odd though, the place looks like a bank. /scratches head

    0 Votes
    cpguru21

    I sent an email to the technical contact listed and never heard anything back. We have no secrets to hide or anything as saucy as that, but it is interesting.

    1 Votes
    a.portman

    In your work would you normally get emails from the DoD? No? Malware! Headers can be spoofed.

    0 Votes
    cpguru21

    No, we wouldn't normally get email from the DoD. It definitely seems like malware from an infected system. Thanks.

    0 Votes
    cpguru21

    Just curious what other admins do with spam. We don't get a ton (well, not a ton to the users anyway; a lot gets thwarted at the mail server and never makes it to the user's mailbox). Do you guys go through headers and do additional blocking/denying of IPs, or just send it to the junk folder for learning?