Email Tracing...
Vertigo_1
Ranger
in Zocalo v2.0
Is there any way I can find some info on the origin of an email using the following information? The guy used a fake email address; something simple to do. I've done it before a few times to freak out my friends. I just never try to send them viruses like that.
Status: U
Return-Path:
Received: from INSU1 ([193.118.251.61])
by sparrow (EarthLink SMTP Server) with ESMTP id 192QbO5QM3NZFjV0
for ; Tue, 8 Apr 2003 03:18:52 -0700 (PDT)
From:
To:
Subject: Re: Document
Date: Tue, 8 Apr 2003 12:30:28 +0100
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="CSmtpMsgPart123X456_000_0016B7EB"
Message-Id: <200304080318.192QbO5QM3NZFjV0@sparrow>
The virus is known (at least at [url=http://www.avast.com/w95info.htm]this website[/url]) as the Sobig virus. I, in my infinite wisdom, wanted to know just why MS Outlook thought it was smarter than me and blocked my attachments. Fortunately, when I executed the file, I had my XP task manager handy, noticed the considerable CPU usage spike, and terminated the process. I did a search for the process name, and voila!, I found that site above. Got rid of all the registry keys and files that sneaky bugger put all over the place. I'll probably re-install my firewall just in case (It's been off since my latest reformat; I don't have cable or anything, I usually just install it so I can try to figure out what XP thinks is so important that it can eat up my bandwidth). Only thing left is to try and figure out who would do this...probably some bad mailing list I ended up on, but, then, there's always the possibility it's someone I know...
Boss.com, btw, is inaccessible using internet explorer and does not respond to pings.
Edit: Is there any way I can hack the executable to get info on who it's broadcasting my IP to?
Comments
What you might want to do is [url=http://www.spamcop.net]go here[/url]. It'll do the trace for you, and send a complaint notice to the idiot's ISP if you want.
"whois [email]193.118.251.61@whois.ripe.net[/email]" (Getting contact from whois.ripe.net)
Found inetnum admin-c = gm3560-ripe
Found inetnum tech-c = gm3560-ripe
whois.ripe.net 193.118.251.61 (nothing found)
host 193.118.251.61 (getting name) no name
Falling back on IP addressing:postmaster@[193.118.251.61]
193.118.251.61 not listed in dnsbl.njabl.org
193.118.251.61 not listed in proxies.blackholes.wirehub.net
193.118.251.61 not listed in proxies.relays.monkeys.com
193.118.251.61 not listed in dnsbl.njabl.org
193.118.251.61 not listed in relays.ordb.org.
193.118.251.61 not listed in query.bondedsender.org
So that means I'm SOL?
You know, the virus could have mailed itself to you via a friends address book without them even knowing it took place... I've seen that happen before too...
Virii suck! Those who make them should be shot.
:mad:
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See [url]http://www.ripe.net/ripencc/pub-services/db/copyright.html[/url]
inetnum: 193.118.251.0 - 193.118.251.255
netname: CARPHONE-WAREHOUSE-LTD-THE
descr: CARPHONE WAREHOUSE LTD (THE)
country: GB
admin-c: GM3560-RIPE
tech-c: GM3560-RIPE
status: ASSIGNED PA
notify: [email]ripe-notify@uk.psi.com[/email]
mnt-by: PSINET-UK-SYSADMIN
changed: [email]sysadmin@uk.psi.com[/email] 19990806
source: RIPE
route: 193.116.0.0/14
descr: EUNETGB-116-AGG
origin: AS1290
mnt-by: PSINET-MNT
changed: [email]network-ripe@uk.psi.com[/email] 20021015
source: RIPE
person: Greg McCall
address: CARPHONE WAREHOUSE LTD (THE)
address: Wales Farm Road
address: North Acton Business Park
address: North Acton
address: London
address: W3 6RS
phone: +44 181 896 5226
nic-hdl: GM3560-RIPE
notify: [email]ripe-notify@uk.psi.com[/email]
mnt-by: PSINET-UK-SYSADMIN
changed: [email]sysadmin@uk.psi.com[/email] 19990719
source: RIPE
Country: UNITED KINGDOM
Looking up 193.118.251.61 at whois.radb.net.
NOTE: More information appears to be available at AS1290.
route: 193.116.0.0/14
descr: EUNETGB-116-AGG
origin: AS1290
mnt-by: PSINET-MNT
changed: [email]network-ripe@uk.psi.com[/email] 20021015
source: RIPE
pri2.dns.psinet.ch. (an authoritative nameserver for 251.118.193.in-addr.arpa., which is in charge of the reverse DNS for 193.118.251.61)
says that there are no PTR records for 193.118.251.61.
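The trace SpamCop ran above (pull the connecting IP out of the Received: line your own mail server wrote, then look that IP up in reverse DNS and in blocklists) is mechanical enough to script. The block below is an added example and is not code from the thread or from SpamCop; it parses a constructed message modelled on the headers quoted in the first post (the From:/To:/Return-Path: values are placeholders because the page has them blanked out), picks the hop recorded by the trusted server (assumed here to be the host named "sparrow"), and builds the in-addr.arpa and DNSBL query names without touching the network. The list zones are the ones named in the SpamCop output; some of them have since been retired.

```python
"""Walk a message's Received: chain, extract the IP that connected to our
own mail server, and build the reverse-DNS / DNSBL names a tracer queries.
Added example, not code from the thread. Runs fully offline."""
import ipaddress
import re
from email import message_from_string

# Constructed sample based on the headers quoted in the thread. The sender
# and recipient addresses are placeholders (the page blanks them out).
RAW_MESSAGE = """\
Return-Path: <placeholder-sender@example.invalid>
Received: from INSU1 ([193.118.251.61])
\tby sparrow (EarthLink SMTP Server) with ESMTP id 192QbO5QM3NZFjV0
\tfor <placeholder-recipient@example.invalid>; Tue, 8 Apr 2003 03:18:52 -0700 (PDT)
From: <placeholder-sender@example.invalid>
To: <placeholder-recipient@example.invalid>
Subject: Re: Document
Date: Tue, 8 Apr 2003 12:30:28 +0100
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-Id: <200304080318.192QbO5QM3NZFjV0@sparrow>

(attachment omitted)
"""

# "from INSU1 ([193.118.251.61]) ... by sparrow": the HELO name is whatever
# the client claimed, the bracketed IP is what the server actually saw.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9.]+)\]?\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)

# Blocklist zones exactly as they appear in the SpamCop output in the thread.
DNSBL_ZONES = ["dnsbl.njabl.org", "relays.ordb.org", "proxies.relays.monkeys.com"]


def received_hops(raw):
    """Return the parsed Received: hops, most recent (top of header) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops


def origin_ip(raw, trusted_servers):
    """First hop (top-down) written by one of our own servers gives the IP
    that really connected. Hops below it, like From: and Return-Path:,
    were supplied by the sender and can say anything."""
    for hop in received_hops(raw):
        if hop["by"] in trusted_servers:
            return hop["ip"]
    return None


def ptr_query_name(ip):
    """Name to query for the PTR record, e.g. 61.251.118.193.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def dnsbl_query_name(ip, zone):
    """DNSBL lookups reverse the octets and append the list zone."""
    octets = ip.split(".")
    return ".".join(reversed(octets)) + "." + zone


def trace_report(raw, trusted_servers, zones=DNSBL_ZONES):
    """Everything a manual trace would feed into dig/whois, in one dict."""
    ip = origin_ip(raw, trusted_servers)
    if ip is None:
        return {"origin_ip": None, "note": "no Received: hop from a trusted server"}
    return {
        "origin_ip": ip,
        "is_public": ipaddress.ip_address(ip).is_global,
        "ptr_query": ptr_query_name(ip),
        "dnsbl_queries": [dnsbl_query_name(ip, z) for z in zones],
        "claimed_helo": received_hops(raw)[0]["helo"],
    }


if __name__ == "__main__":
    for key, value in trace_report(RAW_MESSAGE, {"sparrow"}).items():
        print(f"{key}: {value}")
```

The point the script makes concrete is the one the thread reaches on its own: the only header you can rely on is the Received: line added by a server you trust, and the IP in it leads to a network block (here a RIPE assignment) rather than to a person. The claimed HELO name ("INSU1") and the From: address cost the sender nothing to fake.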
Thanks guys. I appreciate this.
[QUOTE][B]Actually 'that outlook' blocked the file. I had to forward it to a webmail service to be able to download and run it. Curiosity. [/B][/QUOTE]
Don't count on it doing that in the future. Get a better e-mail client pronto.
[url=http://www.mozilla.org/]Use Mozilla[/url] instead.
[QUOTE][B]or use a Mac...:D [/B][/QUOTE]
Here in NY we have curbside recycling, and people toss their old computers, which I tend to bring home for spare parts.
Day before yesterday, I found a Performa 6320CD and a 15 inch Multiview Mac monitor. It's only a 603 at 120MHz, BUT it's got the full video kit in it, so I can put it in my office and watch TV on it :)
Only took me about an hour of work to pull it apart and fix what was wrong with it.
It's amazing what people throw away. My FreeBSD server is a K6/2-450 that I found on the street as well :)
You should go dumpster diving sometime. :D You would be surprised how much good stuff retailers throw out.
[QUOTE][B]heh
You should go dumpster diving sometime. :D You would be surprised how much good stuff retailers throw out. [/B][/QUOTE]
Oh I do know, I noticed when I parked by the dumpster at Staples and Blockbuster.
It's amazing what people throw away!
[QUOTE][B]Hmm... Somehow someone I knew would see me and give me hell :D [/B][/QUOTE]
Yeah, but when you get yourself a perfectly good 3 gig hard drive that only had a fubared MBR out of it (easily fixed in like 3 seconds using fdisk), I don't really give a shit what people would say. :D