Is there any danger in opening spam?
(NZ Computing newsgroup thread, archived at Velocity Reviews)

 
 
Enkidu, 11-06-2010
On 06/11/10 16:16, Matty F wrote:
> On Nov 6, 2:40 pm, Enkidu<(E-Mail Removed)> wrote:
>
>> No, it is Xtra's mail server (or at least one of them). The Received
>> header just says that the mail server sent some mail on to another mail
>> server. The last Received header should show the originating host. Why
>> not post the whole set of headers?

>
> So, X-Originating-IP doesn't actually mean originating IP?
> I would take it to mean the IP address that initially sent the email.
> How come that is Xtra's mail server? Does that mean that the chain of
> computers that the email has been through is not included in the
> header or has been altered or lost or deleted?
>
> Here's the header:
>
> Saturday, 6 November, 2010 8:27 AM
> From National Bank of New Zealand Fri Nov 5 19:27:39 2010
> X-Apparently-To: (E-Mail Removed) via 124.108.96.103; Thu, 04 Nov
> 2010 12:39:18 -0700
> Return-Path: <(E-Mail Removed)>
> Received-SPF: none (mta1000.tnz.mail.aue.yahoo.com: domain of
> (E-Mail Removed) does not designate permitted sender hosts)
> X-YMailISG: zl5_ErscZAr.qEy9xco2ExTIbVnvfO3byVHr94DjG8LtkEKW
> hhOAAh1dAqPof6glpr9A_kcDBPdY8w2F8VJdTuC78.Q1FqAWDQ rsxNwt2hKy
> 6X49IRsUjlXnCjR4omHUPfGftGPmwK2TYZx2zKg0mfgVspmWyr 8tGW2iHssA
> ey9M9kpKbYgEVJA.EbAsi3GbH64010FNIxe_9GDIP3s5nc1Izs ug.zNTWVKZ
> KzsYNMBjrfXFZZlcRg8suL7.N8iDD10E.s24LKeIa54u3CTiY8 y8Wy8QQjAK
> 14BF64tWezzTtCLQyNQGdyp1HwQoODOHHpzOYDVevZ.UutuExc VbA7pXSfvd
> y_tKO2fl5.GwuBU.OfDMXls1Q3Vs0oPh3xc_UCP6RiHUYvIYRp xNNmCCsTu.
> 2P8fy.G5NeB46zRblvOU.bNFBimnGZ0HQxcM0Ie1Ri_WbdByCx aDyURH9IBZ
> Beh58jvFiuXhORGJAXn4CWvWksmnOipq_pFI7uZ_PNyFJUkESl lxtwcsBhza
> stF4qF2DnhBKtjKiCXUGEX64P6VtpYkykQf8ugAdbwzDdT6Pa4 5eJSIQSQYr
> 4.s5IFR1eQ--
> X-Originating-IP: [210.54.141.252]
> Authentication-Results: mta1000.tnz.mail.aue.yahoo.com
> from=secure.com; domainkeys=neutral (no sig); from=secure.com;
> dkim=neutral (no sig)
> Received: from 210.54.141.252 (EHLO mta03.xtra.co.nz)
> (210.54.141.252) by mta1000.tnz.mail.aue.yahoo.com with SMTP; Thu, 04
> Nov 2010 12:39:17 -0700

-------------------------
> Received: from Usasfasb4 ([210.86.29.182]) by mta03.xtra.co.nz with
> SMTP id <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>; Fri, 5
> Nov 2010 08:39:16 +1300

-------------------------
> Reply-To: (E-Mail Removed)
> From:
> National Bank of New Zealand<(E-Mail Removed)>
> Add sender to Contacts
> Subject: Your internet banking access has been suspended !
> Date: Sat, 6 Nov 2010 08:27:39 +1300
> MIME-Version: 1.0
> Content-Type: text/html; charset="shift_jis"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> Message-Id: <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>
> Content-Length: 183
>

The originating IP address *appears* to be 210.86.29.182 which reverse
resolves to 210-86-29-182.adsl.xtra.co.nz. See the Received header
between '-----------' above.

So, apparently an ADSL user at Xtra.

Cheers,

Cliff

--

The ends justifies the means - Niccolò di Bernardo dei Machiavelli.

The end excuses any evil - Sophocles
 
Enkidu, 11-06-2010
On 06/11/10 16:48, Enkidu wrote:
> On 06/11/10 16:16, Matty F wrote:
>> On Nov 6, 2:40 pm, Enkidu<(E-Mail Removed)> wrote:
>>
>>> No, it is Xtra's mail server (or at least one of them). The Received
>>> header just says that the mail server sent some mail on to another mail
>>> server. The last Received header should show the originating host. Why
>>> not post the whole set of headers?

>>
>> So, X-Originating-IP doesn't actually mean originating IP?
>> I would take it to mean the IP address that initially sent the email.
>> How come that is Xtra's mail server? Does that mean that the chain of
>> computers that the email has been through is not included in the
>> header or has been altered or lost or deleted?
>>
>> Here's the header:
>>
>> Saturday, 6 November, 2010 8:27 AM
>> From National Bank of New Zealand Fri Nov 5 19:27:39 2010
>> X-Apparently-To: (E-Mail Removed) via 124.108.96.103; Thu, 04 Nov
>> 2010 12:39:18 -0700
>> Return-Path: <(E-Mail Removed)>
>> Received-SPF: none (mta1000.tnz.mail.aue.yahoo.com: domain of
>> (E-Mail Removed) does not designate permitted sender hosts)
>> X-YMailISG: zl5_ErscZAr.qEy9xco2ExTIbVnvfO3byVHr94DjG8LtkEKW
>> hhOAAh1dAqPof6glpr9A_kcDBPdY8w2F8VJdTuC78.Q1FqAWDQ rsxNwt2hKy
>> 6X49IRsUjlXnCjR4omHUPfGftGPmwK2TYZx2zKg0mfgVspmWyr 8tGW2iHssA
>> ey9M9kpKbYgEVJA.EbAsi3GbH64010FNIxe_9GDIP3s5nc1Izs ug.zNTWVKZ
>> KzsYNMBjrfXFZZlcRg8suL7.N8iDD10E.s24LKeIa54u3CTiY8 y8Wy8QQjAK
>> 14BF64tWezzTtCLQyNQGdyp1HwQoODOHHpzOYDVevZ.UutuExc VbA7pXSfvd
>> y_tKO2fl5.GwuBU.OfDMXls1Q3Vs0oPh3xc_UCP6RiHUYvIYRp xNNmCCsTu.
>> 2P8fy.G5NeB46zRblvOU.bNFBimnGZ0HQxcM0Ie1Ri_WbdByCx aDyURH9IBZ
>> Beh58jvFiuXhORGJAXn4CWvWksmnOipq_pFI7uZ_PNyFJUkESl lxtwcsBhza
>> stF4qF2DnhBKtjKiCXUGEX64P6VtpYkykQf8ugAdbwzDdT6Pa4 5eJSIQSQYr
>> 4.s5IFR1eQ--
>> X-Originating-IP: [210.54.141.252]
>> Authentication-Results: mta1000.tnz.mail.aue.yahoo.com
>> from=secure.com; domainkeys=neutral (no sig); from=secure.com;
>> dkim=neutral (no sig)
>> Received: from 210.54.141.252 (EHLO mta03.xtra.co.nz)
>> (210.54.141.252) by mta1000.tnz.mail.aue.yahoo.com with SMTP; Thu, 04
>> Nov 2010 12:39:17 -0700

> -------------------------
>> Received: from Usasfasb4 ([210.86.29.182]) by mta03.xtra.co.nz with
>> SMTP id <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>; Fri, 5
>> Nov 2010 08:39:16 +1300

> -------------------------
>> Reply-To: (E-Mail Removed)
>> From:
>> National Bank of New Zealand<(E-Mail Removed)>
>> Add sender to Contacts
>> Subject: Your internet banking access has been suspended !
>> Date: Sat, 6 Nov 2010 08:27:39 +1300
>> MIME-Version: 1.0
>> Content-Type: text/html; charset="shift_jis"
>> Content-Transfer-Encoding: 7bit
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
>> Message-Id: <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>
>> Content-Length: 183
> >

> The originating IP address *appears* to be 210.86.29.182 which reverse
> resolves to 210-86-29-182.adsl.xtra.co.nz. See the Received header
> between '-----------' above.
>
> So, apparently an ADSL user at Xtra.
>

Incidentally, I doubt that they keep a record of who connected using a
particular IP at a particular time.

Cheers,

Cliff

--

The ends justifies the means - Niccolò di Bernardo dei Machiavelli.

The end excuses any evil - Sophocles
 
Matty F, 11-06-2010
On Nov 6, 6:08 pm, EMB <(E-Mail Removed)> wrote:
> On 6/11/2010 4:48 p.m., Enkidu wrote:


> > So, apparently an ADSL user at Xtra.

>
> And in fact is most likely a malware infected zombie PC on an Xtra DSL
> connection sending these messages without any involvement of the owner.


I have assumed from the very beginning that that was the case.
So why is it not possible for Xtra to find out which PC that is?
I have received a similar email every day for weeks.
Some of them even escape Yahoo's spam check.
 
Enkidu, 11-06-2010
On 06/11/10 19:30, Matty F wrote:
> On Nov 6, 6:08 pm, EMB<(E-Mail Removed)> wrote:
>> On 6/11/2010 4:48 p.m., Enkidu wrote:

>
>>> So, apparently an ADSL user at Xtra.

>>
>> And in fact is most likely a malware infected zombie PC on an Xtra DSL
>> connection sending these messages without any involvement of the owner.

>
> I have assumed from the very beginning that that was the case.
> So why is it not possible for Xtra to find out which PC that is?
> I have received a similar email every day for weeks.
> Some of them even escape Yahoo's spam check.
>

The IP is not the end of the line. An ADSL connection uses PPPoA, which
cannot be easily traced, I believe. (I could be wrong here, I've never
really understood PPP. Never had to). Essentially there's another
network hop after the last network device to an ADSL modem which is
transparent to TCP/IP. (Again, I could be wrong. That's how it appears
to me from a network tracing position).

Cheers,

Cliff

--

The ends justifies the means - Niccolò di Bernardo dei Machiavelli.

The end excuses any evil - Sophocles
 
Lawrence D'Oliveiro, 11-07-2010
In message
<(E-Mail Removed)>, Matty F
wrote:

> X-Originating-IP: [210.54.141.252]


This is meaningless by itself, but the address does match the most recent
(topmost) Received line:

> Received: from 210.54.141.252 (EHLO mta03.xtra.co.nz)
> (210.54.141.252) by mta1000.tnz.mail.aue.yahoo.com with SMTP; Thu, 04
> Nov 2010 12:39:17 -0700
> Received: from Usasfasb4 ([210.86.29.182]) by mta03.xtra.co.nz with
> SMTP id <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>; Fri, 5
> Nov 2010 08:39:16 +1300


The fact that you saw the same address in the header from several dozen
different people simply means their messages all went through this same MTA.
I think that 210.86.29.182 in the earlier Received line is likely to be the
user’s actual IP address.
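The header walk that Enkidu and Lawrence describe above, as an added example rather than code from the thread. It takes the quoted headers (copied into the script as a constructed sample; the addresses the forum removed are replaced with the placeholders alerts@secure.com and recipient@example.invalid, which are assumptions), parses the Received chain, walks it from the newest hop (stamped by the recipient's own provider, so trustworthy) down to the oldest, and only trusts each older hop when the host that claims to have written it is the host the next newer relay says it received the message from. The oldest hop it can still trust is reported as the origin. The continuity check is general, not specific to the two hops on the page. It also reports the points a practitioner would look at next: whether X-Originating-IP merely repeats the last relay, the SPF result, and how far the sender-supplied Date header sits from the first server timestamp (here it is almost a day ahead of the time Xtra's server stamped on the message).

```python
"""Walk a message's Received chain back to the originating host.

Added example, not code from the thread. SAMPLE is constructed from the
headers quoted in the thread; the addresses the forum removed are replaced
with placeholders (alerts@secure.com, recipient@example.invalid), which are
assumptions, not the real ones.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE = """\
Return-Path: <alerts@secure.com>
Received-SPF: none (mta1000.tnz.mail.aue.yahoo.com: domain of
 alerts@secure.com does not designate permitted sender hosts)
X-Originating-IP: [210.54.141.252]
Authentication-Results: mta1000.tnz.mail.aue.yahoo.com
 from=secure.com; domainkeys=neutral (no sig); from=secure.com;
 dkim=neutral (no sig)
Received: from 210.54.141.252 (EHLO mta03.xtra.co.nz)
 (210.54.141.252) by mta1000.tnz.mail.aue.yahoo.com with SMTP; Thu, 04
 Nov 2010 12:39:17 -0700
Received: from Usasfasb4 ([210.86.29.182]) by mta03.xtra.co.nz with
 SMTP id <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>; Fri, 5
 Nov 2010 08:39:16 +1300
From: National Bank of New Zealand <alerts@secure.com>
To: recipient@example.invalid
Subject: Your internet banking access has been suspended !
Date: Sat, 6 Nov 2010 08:27:39 +1300
Message-Id: <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>

"""

# One Received clause: "from <name> [(EHLO <name>)] (<ip>) by <host> ...; <date>".
# Covers both styles on the page: Yahoo's "from IP (EHLO name) (IP)" and
# Xtra's "from name ([IP])".
HOP_RE = re.compile(
    r"from\s+(?P<name>\S+)"                           # what the client called itself
    r"(?:\s+\(EHLO\s+(?P<ehlo>[^)]+)\))?"             # EHLO name, Yahoo style
    r"\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"   # address the receiver saw
    r"\s+by\s+(?P<by>\S+)"                            # MTA that wrote this header
)


def parse_hops(msg):
    """Received hops, oldest first. Each MTA prepends its own header, so the
    top line is the newest hop and the bottom line is nearest the sender."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())                  # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue                                  # unparseable hop: skip, don't guess
        hops.append({
            "name": m["name"], "ehlo": m["ehlo"], "ip": m["ip"], "by": m["by"],
            "when": parsedate_to_datetime(text.rsplit(";", 1)[-1].strip()),
        })
    hops.reverse()
    return hops


def trusted_hops(hops):
    """Count hops, newest first, that can be corroborated. The newest header
    came from the recipient's own provider and is trusted outright; an older
    header is trusted only if its 'by' host is the host the next newer relay
    says it received from. Anything below the first break may be forged."""
    if not hops:
        return 0
    trusted = 1
    for k in range(len(hops) - 1, 0, -1):
        claimed_sender = (hops[k]["ehlo"] or hops[k]["name"]).lower()
        if claimed_sender != hops[k - 1]["by"].lower():
            break
        trusted += 1
    return trusted


def analyse(raw_message):
    msg = message_from_string(raw_message)
    hops = parse_hops(msg)
    trusted = trusted_hops(hops)
    origin = hops[len(hops) - trusted]                # oldest hop we can still trust
    x_orig = (msg.get("X-Originating-IP") or "").strip("[] ")
    date_skew = parsedate_to_datetime(msg["Date"]) - hops[0]["when"]
    return {
        "hop_count": len(hops),
        "chain_fully_verified": trusted == len(hops),
        "origin_ip": origin["ip"],
        "origin_helo": origin["name"],
        "handed_to_us_by": hops[-1]["ip"],
        # True when X-Originating-IP just repeats the last relay's address.
        "x_originating_ip_is_last_relay": x_orig == hops[-1]["ip"],
        "spf": msg.get("Received-SPF", "").split(maxsplit=1)[0].lower(),
        # Sender-controlled Date minus the first server stamp, in seconds.
        "date_header_skew_seconds": date_skew.total_seconds(),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted message this reports 210.86.29.182 (HELO name Usasfasb4) as the origin, confirms that X-Originating-IP is just the address of the Xtra relay that handed the message to Yahoo, shows SPF as none, and finds the Date header about 85,700 seconds ahead of Xtra's receipt stamp. If the bottom Received line had been forged so that its 'by' host did not match what the Xtra relay said it received from, the continuity check would stop at the Xtra hop and report that relay as the last address it could vouch for.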
 