[svlug] malicious spoofing

Jeff Walter jeff at jeffs-place.org
Fri Oct 18 22:15:20 PDT 2002


Ron Hinchley wrote:
> Is there some way to learn anything about this header? It was sent to a
> militant Arab list.
>
> Received: (qmail 63847 invoked from network); 18 Oct 2002 18:29:21 -0000
> Received: from unknown (66.218.66.217)
>   by m5.grp.scd.yahoo.com with QMQP; 18 Oct 2002 18:29:21 -0000
> Received: from unknown (HELO localhost) (4.46.71.58)
>   by mta2.grp.scd.yahoo.com with SMTP; 18 Oct 2002 18:29:21 -0000
> To: GNAA-SC at yahoogroups.com
> From: ronh at best.com
> Date: Fri, 18 Oct 2002 11:28:48 -0700
> Received: from unknown  (130.126.84.16) by 4.46.74.120 with HTTP; Fri, 18
> Oct 2002 09:19:34 -0500
> Message-ID: <9KADC6652AB645BC025F2372A86BB206D7EP92 at mail.law.uiuc.edu>
> MIME-Version: 1.0 (produced by the IP*Works! MIME Component -
> www.nsoftware.com)
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit

Ron,
    From what I see here, I can conclude that the email originated from a
computer with the IP address of 4.46.74.120.  That's about it, other than
the originating server is 130.126.84.16 I believe.

    Quick little nslookup from my Windows box on those two addresses shows
the following:

C:\>nslookup 130.126.84.16
Server:  ns2.attbi.com
Address:  216.148.227.68

Name:    mail.law.uiuc.edu
Address:  130.126.84.16


C:\>nslookup 4.46.74.120
Server:  ns5.attbi.com
Address:  204.127.202.4

Name:    lsanca1-ar19-4-46-074-120.lsanca1.dsl-verizon.net
Address:  4.46.74.120

    Hope that helps.
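
Added example, not part of the original message: a short Python script that parses the Received lines from the header quoted above and separates the hops stamped by the list's own servers from the lines that arrived with the message. The function names and the choice of ".yahoo.com" as the receiving side's suffix are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Received lines copied from the header quoted above; the wrapped
# "Oct 2002" line is re-folded with a leading space.
RAW = """\
Received: (qmail 63847 invoked from network); 18 Oct 2002 18:29:21 -0000
Received: from unknown (66.218.66.217)
  by m5.grp.scd.yahoo.com with QMQP; 18 Oct 2002 18:29:21 -0000
Received: from unknown (HELO localhost) (4.46.71.58)
  by mta2.grp.scd.yahoo.com with SMTP; 18 Oct 2002 18:29:21 -0000
Date: Fri, 18 Oct 2002 11:28:48 -0700
Received: from unknown  (130.126.84.16) by 4.46.74.120 with HTTP; Fri, 18
 Oct 2002 09:19:34 -0500

"""

IP_IN_PARENS = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
BY_HOST = re.compile(r"\bby (\S+)")
WITH_PROTO = re.compile(r"\bwith (\w+)")

def _first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None

def parse_hops(raw):
    """One dict per Received line, newest first (the order they appear)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())  # undo header folding
        hops.append({"from_ip": _first(IP_IN_PARENS, text),
                     "by": _first(BY_HOST, text),
                     "with": _first(WITH_PROTO, text)})
    return hops

def split_by_trust(hops, trusted_suffix):
    """Reading top-down, hops count as stamped only while the recording host
    is ours (assumed suffix); the rest arrived with the message."""
    for i, hop in enumerate(hops):
        if hop["by"] is not None and not hop["by"].endswith(trusted_suffix):
            return hops[:i], hops[i:]
    return hops, []

if __name__ == "__main__":
    stamped, carried = split_by_trust(parse_hops(RAW), ".yahoo.com")
    for label, group in (("stamped by list servers", stamped),
                         ("carried in with message", carried)):
        for hop in group:
            print(f"{label:24} from={hop['from_ip']} by={hop['by']} with={hop['with']}")
```

Lines in the second group were not written by the receiving servers, so their contents cannot be checked from the header alone.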



