Help tracing Example email headers of received virus

  • Thread starter Thread starter Englander
  • Start date Start date
E

Englander

Hi All

I received This email with a w32.hybris worm attached seems to have been
sent using IP address 66.194.2.167,

when I traced this

[$]host 66.194.2.167
167.2.194.66.in-addr.arpa domain name pointer 66-194-2-167.nctimes.net.

then whois nctimes.net gave me the contact name, having reported viruses
before and then been bombarded with massive amounts of viruses the next
day, I suspect some of the host nets (not necessarily this one, I will
find out tomorrow, as I sent a complaint email) are complicit in the
process

I was wondering if there is anyone trying to stop this, i.e. a central
organisation collecting data, after all there are some big rewards from
microsoft and sco now, can anyone help?

Can you even trust the IP address mentioned in the headers, or can that be
forged/spoofed as well?
-----------------------------------------

Received: from smtp-out4.blueyonder.co.uk ([172.23.146.7]) by cluster4
with
Microsoft SMTPSVC(5.0.2195.5329); Wed, 28 Jan 2004 22:43:54 +0000
Received: from computer ([66.194.2.167]) by smtp-out4.blueyonder.co.uk
with
Microsoft SMTPSVC(5.0.2195.5600); Wed, 28 Jan 2004 22:43:42 +0000
From: Hahaha <[email protected]>
Subject: Snowhite and the Seven Dwarfs - The REAL story! MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--VEDIZ49MR01IZOPYZ45UBOTURKPYB0DMNK5" Bcc:
Return-Path: <>
 
Englander said:
Hi All

I received This email with a w32.hybris worm attached seems to have been
sent using IP address 66.194.2.167,

when I traced this

[$]host 66.194.2.167
167.2.194.66.in-addr.arpa domain name pointer 66-194-2-167.nctimes.net.

then whois nctimes.net gave me the contact name, having reported viruses
before and then been bombarded with massive amounts of viruses the next
day, I suspect some of the host nets (not necessarily this one, I will
find out tomorrow, as I sent a complaint email) are complicit in the
process

I was wondering if there is anyone trying to stop this, i.e. a central
organisation collecting data, after all there are some big rewards from
microsoft and sco now, can anyone help?

Can you even trust the IP address mentioned in the headers, or can that be
forged/spoofed as well?
-----------------------------------------

Received: from smtp-out4.blueyonder.co.uk ([172.23.146.7]) by cluster4
with
Microsoft SMTPSVC(5.0.2195.5329); Wed, 28 Jan 2004 22:43:54 +0000
Received: from computer ([66.194.2.167]) by smtp-out4.blueyonder.co.uk
with
Microsoft SMTPSVC(5.0.2195.5600); Wed, 28 Jan 2004 22:43:42 +0000
From: Hahaha <[email protected]>
Subject: Snowhite and the Seven Dwarfs - The REAL story! MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--VEDIZ49MR01IZOPYZ45UBOTURKPYB0DMNK5" Bcc:
Return-Path: <>
Click to expand...

_IF_ it is from 66.194.2.167, you could bitch to:
(e-mail address removed)

J
 
Back
Top