Sam Spade Output

Discussion in 'other anti-malware software' started by George_S, Jun 11, 2004.

Thread Status:
Not open for further replies.
  1. George_S

    George_S Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    11
    Can anyone tell me what this means?

    " ms-mss-03.socal.rr.com received this from someone claiming
    to be ms-mta-02.socal.rr.com
    but really from 10.10.4.126(No rDNS)

    All headers below may be forged"

    Thanks.
     
  2. dak

    dak Registered Member

    Joined:
    May 11, 2004
    Posts:
    52
    I'll give it a shot....
    -"ms-mss-03.socal.rr.com" is 10.127.255.30 (an iPlanet Messaging Server)
    -"ms-mta-02.socal.rr.com" is 10.127.255.126 (an iPlanet Messaging Server)
    -"socal.rr.com" is Southern California RoadRunner
    -rDNS is Reverse DNS (looking a number up to get a name)
    -10.0.0.0-10.255.255.255 is one of the Internet's IP ranges that are special purpose. In this case it is normally allocated for use in LAN (Local Area Networks), or internal usage. These addresses should not be visible to (have direct access to or be directly accessible by) the Internet.
    -As email passes from machine to machine the latest header is added to the top, so you have to read from bottom up to follow source to destination.

    With that said...this appears to be an internal mail hand-off, from computer to computer, or server to server, within RoadRunner.
    "mss-03" (at 10.127.255.30) received an email from a machine that said it was "mta-02" (at 10.127.255.126) but was really a no-name machine at 10.10.4.126. Since this doesn't match, everything before (the received headers below) this mail transfer is suspect (possibly forged/spoofed) and therefore shouldn't be trusted.

    While this could be an internal configuration error in the RoadRunner mail setup, it could also be the (direct) insertion point of a spammed email.
    I believe the received header just below the one you are questioning, in a legitimately handed off RoadRunner email, would show the information of the RR mail exchanger (something like tnmx01.mgw.rr.com) that sent it to "ms-mta-02"; and the header before/below that one would show where the RR mail exchanger received it from outside the RR mail system - not necessarily the source/origin of the email, but the last machine to touch it before RR did.

    The complete header would tell a better "story" by having everything in context, but based on the information provided that's the best I can do.

    --
    dak
     
  3. George_S

    George_S Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    11
    dak, thanks for the detailed reply. Here is another example from a different email. I'm using XXX in my stuff to stop the spiders from getting my addy.

    Return-path: <XXX@XX.XX.rr.com>
    Received: from ms-mta-02.socal.rr.com
    (ms-mta-02-smtp.socal.rr.com [10.10.4.126]) by
    ms-mss-03.socal.rr.com (iPlanet Messaging Server 5.2 HotFix
    1.21 (built Sep 8 2003)) with ESMTP id
    <0HV000KBXH7EEO@ms-mss-03.socal.rr.com> for
    XXX@XX.XX.rr.com; Mon, 22 Mar 2004 20:16:30 -0800
    (PST)
    This received header was added by your mailserver
    ms-mss-03.socal.rr.com received this from someone claiming
    to be ms-mta-02.socal.rr.com
    but really from 10.10.4.126(No rDNS)

    All headers below may be forged


    Received: from lamx02.mgw.rr.com (lamx02.mgw.rr.com
    [66.75.160.13]) by ms-mta-02.socal.rr.com (iPlanet
    Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with
    ESMTP id <0HV0006XKH7FIN@ms-mta-02.socal.rr.com> for
    XXX@XX.XX.rr.com (ORCPT XXX@XX.XX.rr.com); Mon,
    22 Mar 2004 20:16:27 -0800 (PST)
    ms-mta-02.socal.rr.com received this from lamx02.mgw.rr.com
    (IP addresses match)

    Received: from oemcomputer.net
    (66-214-176-93.mpk-eres.charterpipeline.net
    [66.214.176.93]) by lamx02.mgw.rr.com (8.12.10/8.12.8) with
    SMTP id i2N4GNvf012192 for <XXX@XX.XX.rr.com>; Mon,
    22 Mar 2004 23:16:23 -0500 (EST)
    lamx02.mgw.rr.com received this from someone claiming
    to be oemcomputer.net
    This doesn't match the IP address in the headers, so this
    may be a relay point. If so all headers below are probably
    forged.
    It really came from 66-214-176-93.mpk-eres.charterpipeline.net

    Date: Mon, 22 Mar 2004 20:16:22 -0800
    From: support@rr.com
    Subject: Email account utilization warning.
    To: XXX@XX.XX.rr.com
    Message-id: <utxbjewsjvkkhgvbjnb@bak.rr.com>
    MIME-version: 1.0
    Content-type: multipart/mixed;
    boundary=--------sakpfsjfjqkjhaaxgpnm
    X-Virus-Scanned: Symantec AntiVirus Scan Engine
    X-Virus-Scan-Result: Repaired 40186 W32.Beagle.M@mm
    Original-recipient: rfc822;XXX@XX.XX.rr.com
    Hmmm original-recipient: isn't a header I recognise
     
  4. dak

    dak Registered Member

    Joined:
    May 11, 2004
    Posts:
    52
    Normal internal RR handoff, except it appears there is a slight misconfiguration in the RR mail system causing this header to be flagged for mis-matched name and IP pair. "ms-mta-02-smtp.socal.rr.com" is legitimate, it's just not "10.10.4.126" like it thinks it is.


    Normal internal RR handoff (from a Los Angeles mail exchanger, which is the machine sitting between the internal RR mail handling system and the Internet at large).


    Here's where the email first entered the RR mail handling system from the Internet. The message claimed to be from "oemcomputer.net", but was actually from "charterpipeline.net". If there were no received headers below this one, this is the source.

    Also note that the timeline is correct for these headers.


    I've seen this before, both as a header and in the body of undeliverable replies. Seems the mail-daemon adds it when there are multiple recipients of, or a redirection of, an address, so the "sent to" address is preserved for all recipients.
    For example, you send an email to "department@example.com" and when "example.com" receives it, it sends a copy of the message to "person1@example.com", "person2@example.com" and "person3@example.com" because "department@example.com" isn't a "real" mailbox, but an alias for the other three. Since there can be multiple aliases redirecting to the same three, or combinations of them, this is a way of tracking which address it was originally sent to.

    Let me go out on a limb here - I assume this isn't a spam you have received, but a bounce of an email that contained a virus and showed to have been sent by you (though you in fact didn't send it). Am I even close?

    --
    dak
     
    Last edited: Jun 14, 2004
  5. George_S

    George_S Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    11
    Yes, that's exactly right, which is why I decided to post these headers instead. More to them. Thanks again. Virus scans and TDS-3 scans turn up nothing though.
     
  6. dak

    dak Registered Member

    Joined:
    May 11, 2004
    Posts:
    52
    And they shouldn't/won't turn up anything, you're not infected.
    But someone that has your email address in their address book, or an email from you sitting in their inbox, is infected (and the odds are they don't know it).
    The infected machine is sending out the virus laden emails, using you as the FROM: address so you get all the bounces and complaints. You've been spoofed. Had you been selected maliciously and purposefully it would be a Joe-job.

    That means charterpipeline.net, from the last set of headers you posted, is the origin of the bounce, but not the infected machine.
    You would need to see the complete, actual headers from one of the virus carrying emails to determine the actual source of the problem.

    There's not much you can do about this.
    You can notify your entire address book, explain the problem and ask them to check their systems (and hope the infected one does and cures the problem). One problem with this is if something you sent someone has been forwarded and forwarded and forwarded, then the infected machine's owner wouldn't be in your address book and more than likely you don't know them, either.
    You can contact the ISPs you receive the bounces from and hope one of them will send you a set of headers so you can track down the real problem computer. The chances are slim, but that's better than absolutely none. Of course, if these ISPs knew what they were doing you wouldn't be receiving the bounces in the first place. I guess you could always contact them to tell them what incompetent morons they are (It made me feel better and stopped some of the bounces, but not the root of the problem.), but mostly all you can do is wait for them to eventually stop.

    I've suffered through this several times over the last few years, from being both spoofed and Joe-jobbed.

    --
    dak
     
  7. George_S

    George_S Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    11
    dak, thanks again for the detailed reply. Very helpful. I guess my suspicion that it wasn't really sent from my ISP at all is not the case, which is good to know. Evidently, my ISP is indeed doing virus checks at their servers.

    I just installed Sam Spade and it's cool, but am just learning. Thanks for the help.
     