Email Header

By danielle ·
We have received several complaints from customers about emails coming from our company. Below is a sample header that contains the info:

Return-Path: CustomerService@MyCompany.com
Received: (from bin@localhost) by Saturn.skyport.net (8.8.8/8.8. id EAA26971 for bird-net@bird-net.com; Wed, 27 Aug 2003 04:38:55 -0400
From: CustomerService@MyCompany.com
X-Authentication-Warning: Saturn.skyport.net: bin set send to CustomerService@MyCompany.com using -f
Received: From DAVILLE (cdm-66-128-136-frnk.cox-internet.com [66.233.128.136]) by Saturn.skyport.net (8.8.8/8.8.9) with ESMTP id EAA26961 for birds@bird-net.com; Wed, 27 Aug 2003 04:38:36 -0400
Message-ID: 200308270838.EAA26961@saturn.skyport.net
To: birds@bird-net.com
Subject: Re: Approved
Date: Wed, 27 Aug 2003 3:52:46 -0500
X-Mailscanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Msmail-Priority: Normal
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_025B87C8"
X-Loop: birds@bird-net.com
Status: O
X-Mozilla-Status: 8014
X-Mozilla-Status2: 00000000
X-UIDL: 3ed67fcd00003034

Application.pif
Content-Type: application/octet-stream; Name="application .pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="application.pif"

They feel that 66.233.128.136 (located in Texas) is originating the email and that it should be coming straight through Saturn.skyport.net (located in Florida). I'd like some input because I've never had to decipher email headers. I'll be doing some research of my own too. Thanks!

BTW - the attachment did originate from the SoBig virus.
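To walk the Received chain of a header like the one above (each relay prepends its own Received line, so the lowest one is the earliest hop and the only part the receiving server observed itself, while From and Return-Path are whatever the sending software claimed), here is an added Python example that is not from the original post. The sample header is a constructed transcription of the post's header with the mis-encoded dashes restored and the truncated sendmail version completed from the second Received line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, transcribed from the header quoted in the post above.
RAW_HEADER = """\
Return-Path: CustomerService@MyCompany.com
Received: (from bin@localhost) by Saturn.skyport.net (8.8.8/8.8.9) id EAA26971 for
 bird-net@bird-net.com; Wed, 27 Aug 2003 04:38:55 -0400
From: CustomerService@MyCompany.com
Received: from DAVILLE (cdm-66-128-136-frnk.cox-internet.com [66.233.128.136])
 by Saturn.skyport.net (8.8.8/8.8.9) with ESMTP id EAA26961
 for birds@bird-net.com; Wed, 27 Aug 2003 04:38:36 -0400
To: birds@bird-net.com
Subject: Re: Approved
"""

# sendmail-style Received clause: from <HELO name> (<rDNS> [<ip>]) by <host> ... id <queue id> ; <date>
RECEIVED_RE = re.compile(
    r"\(?from\s+(?P<helo>[^\s()]+)\)?"                      # name the sender announced (HELO) or local user
    r"(?:\s*\((?P<rdns>[^\s\[\]]+)\s*\[(?P<ip>[\d.]+)\]\)\s*)?"  # what the receiver saw: rDNS and peer IP
    r".*?\bby\s+(?P<by>\S+)"                                # the relay that wrote this line
    r".*?\bid\s+(?P<id>\S+)"                                # its queue id
    r".*?;\s*(?P<date>.+)$", re.S)

def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 2822 continuation lines (leading whitespace) back onto their header."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1].isspace() and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def trace_hops(raw: str) -> List[Dict[str, str]]:
    """Return parsed Received hops oldest first (relays prepend, so reverse the order)."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    hops = []
    for value in reversed(received):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({k: (v or "") for k, v in m.groupdict().items()})
    return hops

def origin(raw: str) -> Dict[str, str]:
    """Earliest hop: the peer IP here is the only sender fact the first relay recorded itself."""
    hops = trace_hops(raw)
    return hops[0] if hops else {}
```

The first hop's `ip` and `rdns` fields come from the relay's own TCP connection, whereas `helo`, From and Return-Path are sender-supplied and can be set to anything, which is why a worm can make mail appear to come from an address it merely found on the infected machine.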

by Joseph Moore, in reply to Email Header

SoBig.F was really smart in this regard, in that you can't even trust the mail headers!

It spoofs who sent the mail in the first place, by selecting an e-mail address on the machine to send the mail from. It then selects another address to send the mail to.
So, BOB's computer is infected. SoBig.F runs, sending an e-mail to TOM, saying it is from JIM.

TOM contacts JIM, asking why he sent him the virus. JIM scans his computer, and does not come up with anything. JIM is confused as to what is going on, TOM never talks to JIM again, and BOB is just sitting there, going about his own business, completely ignorant of the whole mess.

I think that is the issue here. You see, the from address of cdm-66-128-136-frnk.cox-internet.com COULD be spoofed.
According to Symantec, the virus sometimes will send messages from the "INTERNET.COM" domain instead of picking one from the infected computer's address list.

And in your instance, this message is from an INTERNET.COM address.

So, IMHO, you can't really tell where this one came from. If any other domain was listed, then you might have a shot, but I can't fully believe that right now.
