.exe files coming through email from the DoD?

By cpguru21 ·

I have certain content blocked on my mail server, like .exe etc..

Typically what I try to do is review the header information, lookup sources based on ip's at, and if I feel i can safely block the ip's I do so. IE if the IP is somewhere in China, well we dont associate with anyone over there so safe to block.

What is concerning to me is when I perform a lookup based on the header information and the response comes back that the email originated from a DoD network like in this example here:

************************************************************ - Geo Information
IP Address
Location US, United States
City Columbus, OH 43218
Organization DoD Network Information Center
ISP DoD Network Information Center
AS Number -
Latitude 3996'12" North
Longitude 8299'88" West
Distance 8218.10 km (5106.49 miles)
Map Location World Map Google Maps Yahoo Maps Microsoft Live Maps - Whois Information

# ARIN WHOIS data and services are subject to the Terms of Use
# available at:

# Query terms are ambiguous. The query is assumed to be:
# "n"
# Use "?" to get help.

# The following results may also be obtained via:

NetRange: -
NetName: DNIC-SNET-144-144
NetHandle: NET-144-144-0-0-1
Parent: NET-144-0-0-0-0
NetType: Direct Assignment
RegDate: 1990-12-12
Updated: 2009-04-16

OrgName: DoD Network Information Center
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
Updated: 2011-08-17

OrgTechName: Network DoD
OrgTechPhone: +1-800-365-3642

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-800-365-3642

OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642

# ARIN WHOIS data and services are subject to the Terms of Use
# available at:
so based on this header information:

Return-Path: <>
Received: from (unknown [])
by (Postfix) with ESMTP id 00BE19AF146A
for <>; Wed, 26 Jun 2013 10:13:14 -0400 (EDT)
Received: from [] (port=54812 helo=[]) by with asmtp id 1rqLaL-0001D-00 for; Wed, 26 Jun 2013 14:14:11 +0000
Message-I <>
Date: Wed, 26 Jun 2013 14:14:11 +0000
From: "HSBC Bank" <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
Subject: UPS - Your package is available for pickup ( Parcel 3JV1Z1U6 )
Content-Type: multipart/mixed;
X-Spam: Not detected
X-Mras: Ok

Did this really originate at the 144.144. address and came from a system inside the DoD?

I asked this question before and never got a definitive answer:
Can header information be spoofed? Is it possible that this peice of spam came no where near the DoD?

Have any of you seen spam and or virus activities that traced back to the DoD?

Just curious. Thanks for any thoughts.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Lookup the physical address for that IP

by robo_dev In reply to .exe files coming through ...

3990 E BROAD ST, BLDG 21
COLUMBUS, OH 43213-1152

Do a google map street view...this is a strip mall.

I say they have a malware infected PC

Collapse -

Reponse To Answer

by cpguru21 In reply to Lookup the physical addre ...

hmm when I do a street view, it shows the Ohio state house. Regardless I agree that they have a machine infected.

Collapse -


by widd11e In reply to .exe files coming through ...

I shall let someone else inform them that their Intranet is infected. Kind of odd though the place looks like a bank. /scratches head

Collapse -

Reponse To Answer

by cpguru21 In reply to hmm

I sent an email to the technical contact listed and never heard anything back. We have no secrets to hide or anything as saucy as that but it is interesting.

Collapse -

What Line of Work Are you in?

by a.portman In reply to .exe files coming through ...

In your work would you normally get emails from the DoD? No? Malware! Headers can be spoofed.

Collapse -

Reponse To Answer

by cpguru21 In reply to What Line of Work Are you ...

no we wouldn't normally get from DoD. It deff seems like malware from an infected system. Thanks.

Collapse -

Does anyone else monitor spam/junk/virus headers?

by cpguru21 In reply to .exe files coming through ...

just curious what other admins do with spam. We don't get a ton (well a ton to the user anyway, a lot gets thwarted and the mail server and never makes it to the users mailbox) do you guys go through headers and do additional blocking/denying of ip's, or just send to junk folder for learning?

Related Discussions

Related Forums