Puzzled

Below are the headers from an e-mail I received; actually it is one of quite a few I have received of late. I normally consign them straight to the trash can as I suspect the zip file attached to them is up to no good, it being 46.3KB in size.... not that it matters too much as my Mac doesn't understand those sort of zip files (I wonder what is in them) but the wife's Windows machine would.

But what has caught my eye, and the bit I am curious about and would appreciate someone having a look at the headers for........ is how do the villains work it so it is apparently sent from a non-existent person, in this case "info", to another non-existent person "sam" on the same e-mail address.

The only indication that it did not originate from this machine (I hope) is the line that states "Date: Mon, 6 Jun 2005 10:05:17 -0500" but no doubt that information could be false as well. Here are the headers.

Just to set my mind at rest, is there any likelihood whatsoever that, based on these headers, it has come from my own machine?

Thanks for any information

Envelope-to: sam@sunhouse.plus.com
Delivery-date: Mon, 06 Jun 2005 16:05:21 +0100
Received: from [69.15.163.242] (helo=sunhouse.plus.com) by pih-mxcore10.plus.net with esmtp (PlusNet MXCore v2.00) id 1DfJAF-0005bO-Bk for sam@sunhouse.plus.com; Mon, 06 Jun 2005 16:05:20 +0100
From: info@sunhouse.plus.com
To: sam@sunhouse.plus.com
Subject: Your Account is Suspended For Security Reasons
Date: Mon, 6 Jun 2005 10:05:17 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=----=_NextPart_000_0008_FEB864E9.3AA1DFF7
X-Priority: 3
X-MSMail-Priority: Normal
8 REPLIES

Puzzled

Nope, you're not going mad, the From lines etc. are junk...

The clue is in the received from line:-
Received: from [69.15.163.242] (helo=sunhouse.plus.com) by

The helo string can be any name if the server isn't configured to reject invalid names...

The IP Address however translates to an address owned by Systems Evolutions

Server Used: [ rwhois.cbeyond.net ]

69.15.163.242 = [ ]
network: Class-Name: network
network: ID: NET-69-15-0-0-1
network: Auth-Area: 69.15.160.0
network: Network-Name: CBEY-69.15.163.240
network: IP-Network: 69.15.163.240/28
network: IP-Network-Block: 69.15.163.240 - 69.15.163.255
network: Org-Name: Systems Evolution Inc
network: Street-Address: 10777 WESTHEIMER STE 810
network: City: HOUSTON
network: State: TX
network: Postal-Code: 77042
network: Country-Code: US
network: Tech-Contact;I: ip-admin@cbeyond.net
network: Admin-Contact;I: ip-admin@cbeyond.net
network: Abuse-Contact;I: abuse@cbeyond.net
network: Created: 8/20/2004
network: Updated: 20050604
network: Updated-By: ip-admin@cbeyond.net

network: Class-Name: network
network: ID: NET-69-15-0-0-1
network: Auth-Area: 69.15.160.0/19
network: Network-Name: CBEY-69.15.160.0
network: IP-Network: 69.15.160.0/19
network: IP-Network-Block: 69.15.160.0 - 69.15.191.255
network: Org-Name: Cbeyond Communications
network: Street-Address: 320 Interstate North Parkway Suite 300
network: City: Atlanta
network: State: GA
network: Postal-Code: 30339
network: Country-Code: US
network: Tech-Contact;I: ip-admin@cbeyond.net
network: Admin-Contact;I: ip-admin@cbeyond.net
network: Abuse-Contact;I: abuse.net
network: Created: 8/20/2004
network: Updated: 20050604
network: Updated-By: ip-admin@cbeyond.net

Though looking at their website I'd suspect the IP address has either been forged or is from one of their customers' machines (I'd hope an IT consultancy wouldn't be in a position to have a compromised machine).

To check IP details etc., one site I find invaluable is http://www.samspade.org
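As an added example (not code from any poster in this thread), here is a small Python check that pulls the connecting IP and HELO name out of the topmost Received: line quoted above, compares them with the From:/To: domains, and compares the sender-written Date: with the MX's Delivery-date in UTC. The own_relays parameter is an assumption: the thread names no IPs that are genuinely entitled to HELO as sunhouse.plus.com, so it defaults to none.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers quoted in the thread, trimmed to the fields
# the checks need (no body, so the MIME boundary line is omitted).
SAMPLE = """\
Envelope-to: sam@sunhouse.plus.com
Delivery-date: Mon, 06 Jun 2005 16:05:21 +0100
Received: from [69.15.163.242] (helo=sunhouse.plus.com) by pih-mxcore10.plus.net with esmtp (PlusNet MXCore v2.00) id 1DfJAF-0005bO-Bk for sam@sunhouse.plus.com; Mon, 06 Jun 2005 16:05:20 +0100
From: info@sunhouse.plus.com
To: sam@sunhouse.plus.com
Subject: Your Account is Suspended For Security Reasons
Date: Mon, 6 Jun 2005 10:05:17 -0500

"""

# Matches "from [1.2.3.4] (helo=name)" as Exim-style MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\s*\((?:helo|ehlo)=(?P<helo>[^)\s]+)\)",
    re.IGNORECASE)

def analyse_headers(raw, own_relays=frozenset()):
    """own_relays: IPs allowed to HELO as the recipient's own domain (an
    assumption; the thread names none, so the default is empty)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    result = {"connecting_ip": None, "helo": None, "flags": []}
    # The topmost Received: line was written by the recipient's own MX, so it
    # is the one part of the headers the sender could not have typed.
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(received)
        if m:
            result["connecting_ip"], result["helo"] = m.group("ip"), m.group("helo").lower()
            break
    # A HELO naming the recipient's own domain from an unlisted IP is a forgery sign.
    if result["helo"] == to_domain and result["connecting_ip"] not in own_relays:
        result["flags"].append("helo_claims_own_domain_from_foreign_ip")
    if from_domain == to_domain:  # From: is free text; same domain proves nothing
        result["flags"].append("self_addressed_from_header")
    # Sender-written Date: versus the MX's Delivery-date, both reduced to UTC.
    sent = parsedate_to_datetime(msg["Date"])
    delivered = parsedate_to_datetime(msg["Delivery-date"])
    result["transit_seconds"] = int((delivered - sent).total_seconds())
    result["sender_tz_hours"] = sent.utcoffset().total_seconds() / 3600
    result["receiver_tz_hours"] = delivered.utcoffset().total_seconds() / 3600
    if result["sender_tz_hours"] != result["receiver_tz_hours"]:
        result["flags"].append("date_header_timezone_differs_from_mx")
    return result
```

On the quoted headers the two timestamps agree to within four seconds once reduced to UTC, so the Date: line is not obviously fabricated; what stands out is the -0500 offset claimed by the sending software and the HELO naming the recipient's own domain from an IP that belongs to someone else.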

Puzzled

Try amending your mail name to include a non-letter,
e.g. $am@ or 2sam@ or sam_@; this stops spammers using their bots to spam all possible letter combinations. Now set it to collect only this mail and you will get almost no spam.
If you had included a non-letter in the @sunhouse part then all users would have been safer.

This will not protect you 100% but is a major and simple step forward.

Puzzled

Be careful which non-alphanumeric character you use as not all are supported...

Puzzled

Thanks folks for the informative replies; it seems it has run its course as I have not had any more now for a couple of days. So back to the normal low level of spam :-)

It was useful in that although the payload of the zip file would have had no effect on my Mac, it was interesting to note that when I attempted to transfer the file to my desktop to see what the virus was, the anti-virus that I do have on my computer, which most of the time has nothing to do, pounced on it straight away.

It was also gratifying to see that when, as an experiment, I forwarded it to my wife's XP computer, the way Outlook Express was set up would not allow it to be either saved or opened, and when that security was bypassed and I attempted to save the attachment to the desktop her anti-virus jumped onto it and did not allow anything to be done with it....... quarantined it straight away.

So some good did come out of this episode...... I was able to check the anti-virus on both machines.

Once again thanks.

Puzzled

Sunhouse, that was taking a risk - what if it had been a new virus that your checker wasn't aware of?

Puzzled

Quote
Sunhouse, that was taking a risk - what if it had been a new virus that your checker wasn't aware of?

Minimal risk I consider because
1) My Mac anti-virus had already told me what it was
2) there was never any intention to actually unzip the folder
3) Her anti-virus updates practically every day so it would have to be an extremely new one because I ran the update before I forwarded it to her computer...... in which case I think that the heuristics would have queried it as having virus attributes.
4) everything was backed up ready for an immediate format and re-install if needed.

But having used her anti-virus "F-Prot" since the DOS version I had full confidence in it, and thankfully it did not let me down.

Puzzled

No offence, but I wonder how many people now no longer with us have said something along the lines of 'oh this will be safe, it's never let me down before....' before shuffling off this mortal coil ;)

(I've got an old battered PC I occasionally infect to see what a given virus will do - I've got a ghost image of it which I restore once done and it has no network connection)

Puzzled

Just had a wander over to the F-Prot website........ and was somewhat shocked to see the number of viruses etc. that are targeted at mobile phones.

I find them interesting things to read about, and it is quite a frightening world out there computer-wise. This one is particularly interesting in a nasty sort of way, "Bagle.BO"; the list of files it disables makes your hair stand on end, especially as one of them is "zonealarm.exe". If you would like to have a look, check here

http://www.f-secure.com/v-descs/bagle_bo.shtml

I do agree with your "oh this will be safe" comment and would not recommend this as a good method of checking one's anti-virus, but my list of precautions was simplistic: I had checked what it was and the removal procedures, and disconnected the computer from the router beforehand.

Funny thing about anti-virus software: unless you use the Eicar test virus suite there is really no way to test them until you actually get a virus, and then if the software isn't up to the task it's too late. So I was able to test F-Prot for Windows against a recent virus/worm, namely "W32/Sober.gen@MM", successfully, and for what it is worth my Mac anti-virus.

It was a risk but at the end of the day I know my wife's computer is relatively secure