[Gllug] forged email - probably containing a virus
Anthony Newman
anthony.newman at uk.clara.net
Thu Nov 24 10:33:19 UTC 2005
t.clarke wrote:
> Hi
>
> Can anyone throw a bit more light on the following email we received?
Yes :-)
>
> It is clearly an attempt to get something nasty into our system (failed!)
It's just another virus-laden spam.
>
> The email arrived by SMTP from 80.100.140.96 (in our email logs) which is
> curious, because initially I thought it was a genuine bounce of a forged message
> purporting to come from us.
It's just backscatter. The original mail was forged to come from your
domain, which is where the bounces will go.
> However the 'original' message being bounced also
> appears to come from 80.100.149.96.
This is a standard spammer technique. Conceivably, badly
configured/broken mail servers might be tricked into relaying by HELO
<your own address> when sending mail, but I imagine this is exceedingly
unlikely these days. Many people probably drop obviously forged HELOs
now, but the spammers are generally stupid and slow to pick up on these
trends it seems.
> I am also puzzled by the fact that the
> received headers in the original message are in 'descending' date/time order
> whereas all the emails I have seen in the past have the received headers in
> ascending order (ie each is written in by the receiving MTA prior to writing
> the contents of the received message!).
This is standard; you are mistaken. Each server "wraps" the incoming
messages as it receives it, meaning the Received headers grow towards
the top of the header block. The mail in your original message looks
completely kosher, but only the administrator of the mail server accused
of originating the message could verify that the message ID is genuine
and didn't originate somewhere else along the Received path with spoofed
Received headers inserted from the outset.
> I am inclined to try and contact the owner or ISP 'owning' 80.100.140.96
> (probably won't do much good), but really want to make sure before I do I am
> sounding off at the right party!
The hostname fia96-140-100.dsl.mxposure.nl [80.100.140.96] actually has
correctly resolving forward and reverse DNS, which makes a change. It
looks suspiciously like a zombie host on a DSL line, which the ISP may
or may not be grateful to be informed about. Unless they are
particularly strict, it is unlikely they will follow it up.
Ant
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
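As an added illustration of the Received-header point made above (this is example code, not something posted in the thread): each MTA prepends its own Received line, so reading the block top-down walks the path backwards in time, and the bottom-most line is only a claim that nobody but the relay it names can verify. The hostnames, IPs and timestamps in the sample message are constructed, and the one hop whose timestamp runs forwards rather than backwards is flagged as worth a closer look.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message): three hops, most recent on top,
# as a real MTA chain would produce. The bottom hop carries a timestamp
# later than the hop above it, which is the kind of inconsistency you see
# when Received lines were fabricated at the origin.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.net with ESMTP; Thu, 24 Nov 2005 09:02:11 +0000
Received: from relay.example.org (relay.example.org [192.0.2.20])
\tby mx1.example.org with ESMTP; Thu, 24 Nov 2005 09:01:40 +0000
Received: from dsl-host.example.net (dsl-host.example.net [198.51.100.7])
\tby relay.example.org with SMTP; Thu, 24 Nov 2005 09:05:00 +0000
From: someone@example.org
Subject: constructed test message

body
"""

def received_hops(raw):
    """Return (timestamp, unfolded header text) per Received line, topmost first.
    timestamp is None when the line has no ';' date part."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        parts = text.rsplit(";", 1)
        ts = parsedate_to_datetime(parts[1].strip()) if len(parts) == 2 else None
        hops.append((ts, text))
    return hops

def suspicious_hops(hops):
    """Indices of hops dated LATER than the hop above them.
    Going down the list should move back in time; a jump forwards means
    a clock skew or a fabricated header, either way worth checking."""
    bad = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1][0], hops[i][0]
        if prev is not None and cur is not None and cur > prev:
            bad.append(i)
    return bad

def claimed_origin(hops):
    """Bracketed IP in the bottom-most hop: the *claimed* origin, unverified."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1][1])
    return m.group(1) if m else None
```

Only the administrator of the relay named in the bottom line can say whether that hop is genuine; everything above it is the part you can cross-check against your own logs.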