Email Header

By danielle
We have received several complaints from customers about emails coming from our company. Below is a sample header that contains the info:

(from bin@localhost) by (8.8.8/8.8. id EAA26971 for; Wed, 27 Aug 2003 04:38:55 -0400
X-Authentication-Warning: bin set send to using -f
([]) by (8.8.8/8.8.9) with ESMTP id EAA26961 for; Wed, 27 Aug 2003 04:38:36 -0400
Subject: Re: Approved
Date: Wed, 27 Aug 2003 3:52:46 -0500
X-Mailscanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Msmail-Priority: Normal
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_025B87C8"
Status: O
X-Mozilla-Status: 8014
X-Mozilla-Status2: 00000000
X-UIDL: 3ed67fcd00003034
Content-Type: application/octet-stream;
Name="application.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="application.pif"

They feel that 66. (Located in Texas) is originating the email and that it should be coming straight through (Located in Florida). I'd like some input because I've never had to decipher email headers. I'll be doing some research of my own too. Thanks!

BTW - The attachment did originate from the SoBig virus.


by Joseph Moore In reply to Email Header

SoBig.F was really smart in this regard, in that you can't even trust the mail headers!

It spoofs who sent the mail in the first place, by selecting an e-mail address on the machine to send the mail from. It then selects another address to send the mail to.
So, BOB's computer is infected. SoBig.F runs, sending an e-mail to TOM, saying it is from JIM.

TOM contacts JIM, asking why he sent him the virus. JIM scans his computer, and does not come up with anything. JIM is confused as to what is going on, TOM never talks to JIM again, and BOB is just sitting there, going about his own business, completely ignorant of the whole mess.

I think that is the issue here. You see, the from address of COULD be spoofed.
According to Symantec, the virus sometimes will send messages from the "INTERNET.COM" domain instead of picking one from the infected computer's address list.

And in your instance, this message is from an INTERNET.COM address.

So, IMHO, you can't really tell where this one came from. If any other domain was listed, then you might have a shot, but I can't fully believe that right now.
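As an added illustration (not code from anyone in this thread), the script below does the header reading the original post asks about: it walks the Received: chain from the bottom up, picks the earliest line stamped by a relay you actually operate (the only part of the header the sender could not write), and compares the sender-supplied Date: with that relay's timestamp. The sample header is constructed to match the shape of the posted one; its hostnames, addresses and IPs are placeholders, and the zone offsets follow the posted header (-0400 at the receiving relay, -0500 in Date:).

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample shaped like the header in the post; hostnames, addresses
# and IPs are placeholders (documentation ranges), not values from the message.
RAW = (
    "Received: from mail.example-fl.invalid (mail.example-fl.invalid [192.0.2.10])\n"
    "\tby mx.example.invalid (8.8.8/8.8.9) with ESMTP id EAA26961\n"
    "\tfor <user@example.invalid>; Wed, 27 Aug 2003 04:38:36 -0400\n"
    "Received: from unknown (HELO pc) ([198.51.100.7])\n"
    "\tby mail.example-fl.invalid (8.8.8/8.8.9) with SMTP id EAA26900\n"
    "\tfor <user@example.invalid>; Wed, 27 Aug 2003 04:38:20 -0400\n"
    "From: someone@internet.com\n"
    "Date: Wed, 27 Aug 2003 03:52:46 -0500\n"
    "\nbody\n"
)

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<helo>\S+).*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """HELO name, stamping relay, connecting IP ([..] literal) and timestamp
    of one Received: header."""
    value = " ".join(value.split())           # unfold continuation lines
    m = RECEIVED_RE.search(value)
    ip = IP_RE.search(value)
    return {
        "helo": m.group("helo") if m else None,
        "by": m.group("by") if m else None,
        "ip": ip.group(1) if ip else None,
        "time": parsedate_to_datetime(value.rsplit(";", 1)[1]) if ";" in value else None,
    }

def trace(raw):
    """Hops in transit order: the lowest Received: header was written first."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def origin(raw, trusted_relays):
    """Earliest hop stamped by a relay you operate; its 'ip' is the host that
    really connected. From:, Date: and any lower hops are sender-supplied."""
    return next((h for h in trace(raw) if h["by"] in trusted_relays), None)

def date_skew_seconds(raw):
    """First relay timestamp minus the sender's Date:. Negative means the
    message was accepted before it claims to have been sent."""
    claimed = parsedate_to_datetime(email.message_from_string(raw)["Date"])
    return (trace(raw)[0]["time"] - claimed).total_seconds()
```

Which relays go in `trusted_relays` is the whole game: the From: line and every hop below your first own stamp are just text the sending machine chose, which is exactly how SoBig.F makes an uninfected address look like the sender.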
