.exe files coming through email from the DoD? - TechRepublic
Question
June 26, 2013 at 08:25 AM
cpguru21

.exe files coming through email from the DoD?

by cpguru21 . Updated 12 years, 12 months ago

Hi!

I have certain content blocked on my mail server, like .exe, etc.

Typically what I try to do is review the header information, look up sources based on IPs at http://cqcounter.com/whois/, and if I feel I can safely block the IPs I do so. I.e., if the IP is somewhere in China, well, we don't associate with anyone over there, so it is safe to block.

What is concerning to me is when I perform a lookup based on the header information and the response comes back that the email originated from a DoD network like in this example here:

************************************************************
144.144.111.205 – Geo Information
IP Address 144.144.111.205
Host 144.144.111.205
Location US, United States
City Columbus, OH 43218
Organization DoD Network Information Center
ISP DoD Network Information Center
AS Number –
Latitude 3996’12” North
Longitude 8299’88” West
Distance 8218.10 km (5106.49 miles)

144.144.111.205 – Whois Information

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

#
# Query terms are ambiguous. The query is assumed to be:
# "n 144.144.111.205"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=144.144.111.205?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 144.144.0.0 - 144.144.255.255
CIDR: 144.144.0.0/16
OriginAS:
NetName: DNIC-SNET-144-144
NetHandle: NET-144-144-0-0-1
Parent: NET-144-0-0-0-0
NetType: Direct Assignment
RegDate: 1990-12-12
Updated: 2009-04-16
Ref: http://whois.arin.net/rest/net/NET-144-144-0-0-1

OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: http://whois.arin.net/rest/org/DNIC

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil
OrgTechRef: http://whois.arin.net/rest/poc/MIL-HSTMST-ARIN

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-800-365-3642
OrgAbuseEmail: registra@nic.mil
OrgAbuseRef: http://whois.arin.net/rest/poc/REGIS10-ARIN

OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642
OrgTechEmail: registra@nic.mil
OrgTechRef: http://whois.arin.net/rest/poc/REGIS10-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
*****************************************************************************
So based on this header information:

*****************************************************************************
Return-Path:
Received: from host6.monotypeimaging.co.uk (unknown [195.224.186.55])
by mail.zzzzzzzzzz.com (Postfix) with ESMTP id 00BE19AF146A
for ; Wed, 26 Jun 2013 10:13:14 -0400 (EDT)
Received: from [144.144.111.205] (port=54812 helo=[192.168.2.31]) by 195.224.186.55 with asmtp id 1rqLaL-0001D-00 for zzz.zzzzzzz@zzzzzzz.com; Wed, 26 Jun 2013 14:14:11 +0000
Message-ID: <51CAEFC5.8040604@hsbc.com.hk>
Date: Wed, 26 Jun 2013 14:14:11 +0000
From: "HSBC Bank"
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: zzz.zzzzzzz@zzzzzzz.com
Subject: UPS – Your package is available for pickup ( Parcel 3JV1Z1U6 )
Content-Type: multipart/mixed;
boundary="----=_Part_22486_6648941014.0898809575069"
X-Spam: Not detected
X-Mras: Ok
*****************************************************************************

Did this really originate at the 144.144 address and come from a system inside the DoD?

I asked this question before and never got a definitive answer:
Can header information be spoofed? Is it possible that this piece of spam came nowhere near the DoD?

Have any of you seen spam and/or virus activities that traced back to the DoD?

Just curious. Thanks for any thoughts.
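The poster's question (can the Received chain be trusted, and did this mail really touch a DoD address?) comes down to one rule: the only Received: line you can rely on is the one your own MTA wrote, because your MTA saw the actual TCP connection. Every line below it was written by someone else's server and can say whatever that server likes. The script below is an added example, not code from the post or from TechRepublic. It walks the chain top-down, marks the hop stamped by the assumed local MTA name mail.zzzzzzzzzz.com as trusted, treats everything beneath it as an unverified claim, and raises the tells a reviewer would look for in this header: Postfix's "unknown" in the rDNS slot, a HELO that is a private (RFC 1918) address, and a From domain that appears nowhere in the delivery path. The sample headers are constructed from the ones quoted in the post; the recipient placeholders are the poster's, and the From address alerts@hsbc.com.hk is an assumption, since the post shows only the display name.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, adapted from the headers quoted in the post. Recipient
# placeholders are the poster's; the From address is an assumption (the post
# shows only the display name "HSBC Bank").
SAMPLE_HEADERS = """\
Received: from host6.monotypeimaging.co.uk (unknown [195.224.186.55])
 by mail.zzzzzzzzzz.com (Postfix) with ESMTP id 00BE19AF146A
 for <zzz.zzzzzzz@zzzzzzz.com>; Wed, 26 Jun 2013 10:13:14 -0400 (EDT)
Received: from [144.144.111.205] (port=54812 helo=[192.168.2.31])
 by 195.224.186.55 with asmtp id 1rqLaL-0001D-00
 for zzz.zzzzzzz@zzzzzzz.com; Wed, 26 Jun 2013 14:14:11 +0000
Message-ID: <51CAEFC5.8040604@hsbc.com.hk>
Date: Wed, 26 Jun 2013 14:14:11 +0000
From: "HSBC Bank" <alerts@hsbc.com.hk>
To: zzz.zzzzzzz@zzzzzzz.com
Subject: UPS - Your package is available for pickup ( Parcel 3JV1Z1U6 )

"""

OUR_MTA = "mail.zzzzzzzzzz.com"   # assumed name of the poster's own Postfix server

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
HELO_RE = re.compile(r"helo=\[?([^\s\]\)]+)", re.I)
IP_RE = re.compile(IPV4)


def parse_received(value: str) -> dict:
    """Extract the from-token, rDNS comment, connecting IP, HELO and by-host from one Received: line."""
    text = " ".join(value.split())                      # unfold continuation lines
    m_from, m_by, m_helo = FROM_RE.search(text), BY_RE.search(text), HELO_RE.search(text)
    from_token = m_from.group(1) if m_from else ""
    comment = (m_from.group(2) or "") if m_from else ""
    words = comment.split()
    first = words[0] if words else ""
    # Postfix writes "from HELO (rdns [ip])"; a first word with "=" or "[" is not an rDNS result
    rdns = first if first and "=" not in first and not first.startswith("[") else None
    ip_match = IP_RE.search(from_token) or IP_RE.search(comment)
    return {
        "from_claim": from_token.strip("[]"),
        "rdns": rdns,
        "ip": ip_match.group(0) if ip_match else None,
        "helo": m_helo.group(1) if m_helo else from_token.strip("[]"),
        "by": m_by.group(1) if m_by else "",
    }


def trust_chain(raw: str, our_mta: str) -> list:
    """Top-down walk: hops stamped by our own MTA are trusted; everything below is hearsay."""
    hops, trusted = [], True
    for value in message_from_string(raw).get_all("Received", []):
        hop = parse_received(value)
        if hop["by"].lower() != our_mta.lower():
            trusted = False          # from this hop down, an external server wrote the line
        hop["trusted"] = trusted
        hops.append(hop)
    return hops


def assess(raw: str, our_mta: str) -> dict:
    """Separate the verifiable connecting IP from unverified inner claims and list red flags."""
    hops = trust_chain(raw, our_mta)
    msg = message_from_string(raw)
    flags = []
    trusted_hops = [h for h in hops if h["trusted"]]
    connecting_ip = trusted_hops[-1]["ip"] if trusted_hops else None
    unverified = [h["ip"] for h in hops if not h["trusted"] and h["ip"]]
    for h in hops:
        if h["rdns"] == "unknown":
            flags.append(f"{h['ip']}: MTA could not reverse-resolve the client; HELO {h['helo']!r} is unverified")
        try:
            if ipaddress.ip_address(h["helo"]).is_private:
                flags.append(f"hop by {h['by']}: HELO is a private address {h['helo']}, not a real mail host")
        except ValueError:
            pass                     # HELO was a hostname, not an IP literal
    if unverified:
        flags.append("inner Received: lines claim " + ", ".join(unverified)
                     + " but were written by an external server; do not block or report on them")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain and not any(sender_domain in (h["helo"] or "").lower() for h in hops):
        flags.append(f"From claims {sender_domain} but no hop in the delivery path names that domain")
    return {"connecting_ip": connecting_ip, "unverified_claims": unverified, "flags": flags}


if __name__ == "__main__":
    report = assess(SAMPLE_HEADERS, OUR_MTA)
    print("Verifiable connecting IP:", report["connecting_ip"])
    print("Unverified inner claims:", report["unverified_claims"])
    for flag in report["flags"]:
        print(" -", flag)
```

Run against the poster's headers, the verifiable fact is that 195.224.186.55 connected to mail.zzzzzzzzzz.com; the 144.144.111.205 line was written by that same external host and proves nothing about the DoD. The reviewer's blocklist and abuse report therefore belong with 195.224.186.55's owner, not with the NIC listed in the ARIN record.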
