Re: Giving up

Discussion in 'Computer Security' started by David H. Lipman, Aug 22, 2004.

  1. What is this crap ?

    This post plus the below....

    "Behgjet Frisch" <> wrote in message
    news:...
    | New comer to this newsgroup.
    |
    | Good luck
    | Behgjet Frisch
    | Tel. +1 802 560 9860
    |
    |

    From: Bahadir-Cem Bourdo <>
    Newsgroups: comp.protocols.tcp-ip.ibmpc
    X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
    Subject: Giving up
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
    Message-ID: <>
    Date: 21 Aug 2004 03:27:05 -0500
    X-Trace: news01.argolink.net 1093076825 64.180.111.134 (21 Aug 2004 03:27:05 -0500)
    Lines: 7
    Path: nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!peer01.cox.net!cox.net!newshosting.com!nx02.iad01.newshosting.com!newsfeeds.sol.net!newspump.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
    Xref: cyclone1.gnilink.net comp.protocols.tcp-ip.ibmpc:1603
    X-Received-Date: Sat, 21 Aug 2004 04:31:54 EDT (nwrdny03.gnilink.net)

    Interesting newsgroup!


    Bahadir-Cem Bourdo
    Tel. +1 746 933 8112



    ~~~~~~~~~~~~~~~~~~~~~~~
    From: Badaridasa Mushawick <>
    Newsgroups: comp.dcom.modems.cable
    X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
    Subject: Giving up
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
    Message-ID: <>
    Date: 21 Aug 2004 05:13:32 -0500
    X-Trace: news01.argolink.net 1093083212 64.180.111.134 (21 Aug 2004 05:13:32 -0500)
    Lines: 7
    Path: nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!bigfeed2.bellsouth.net!news.bellsouth.net!elnk-atl-nf1!newsfeed.earthlink.net!newshosting.com!nx02.iad01.newshosting.com!newsfeeds.sol.net!newspump.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
    Xref: cyclone1.gnilink.net comp.dcom.modems.cable:59008
    X-Received-Date: Sat, 21 Aug 2004 06:12:58 EDT (nwrdny03.gnilink.net)

    Can't help you there?!


    Badaridasa Mushawick
    Tel. +1 832 730 8195



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    From: Balakrishanan Truckmann <>
    Newsgroups: alt.photography
    X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
    Subject: New comer
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
    Message-ID: <>
    Date: 22 Aug 2004 08:24:46 -0500
    X-Trace: news01.argolink.net 1093181086 64.180.111.134 (22 Aug 2004 08:24:46 -0500)
    Lines: 7
    Path: nwrdny01.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!in.100proofnews.com!in.100proofnews.com!news-out.visi.com!news-out.octanews.net!petbe.visi.com!newsfeeds.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
    Xref: cyclone1.gnilink.net alt.photography:31137
    X-Received-Date: Sun, 22 Aug 2004 09:24:08 EDT (nwrdny01.gnilink.net)

    Interesting newsgroup!


    Balakrishanan Truckmann
    Tel. +1 984 958 1390



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    From: Babel Sagalov <>
    Newsgroups: alt.comp.virus
    X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
    Subject: New comer
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
    Message-ID: <4128a372$>
    Date: 22 Aug 2004 08:45:22 -0500
    X-Trace: news01.argolink.net 1093182322 64.180.111.134 (22 Aug 2004 08:45:22 -0500)
    Lines: 7
    Path: nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.gnilink.net!cyclone1.gnilink.net!gnilink.net!peer01.cox.net!cox.net!newsfeeds.sol.net!64.8.96.12.MISMATCH!news01.argolink.net!not-for-mail
    Xref: cyclone1.gnilink.net alt.comp.virus:101814
    X-Received-Date: Sun, 22 Aug 2004 09:44:46 EDT (nwrdny03.gnilink.net)

    Interesting newsgroup!


    Babel Sagalov
    Tel. +1 628 274 6662

     
    David H. Lipman, Aug 22, 2004
    #1

  2. Blind Carbon Copy (BCC)

    It won't show for privacy issues. That's why it's used. Like when you send a message to a
    coworker but also send a BCC to his boss. This way the coworker has no way of knowing his
    boss knows.

    I may be mistaken but, it may have originated from an AT&T node.

    Dave




    "Kleeb" <> wrote in message
    news:...
    | On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
    | <DLipman~nospam~@Verizon.Net> schrieb:
    |
    | >What is this crap ?
    |
    | I wonder if you could shed some light on the following headers from a mail
    | I've just received. I'm finding it difficult with my current knowledge (not
    | much) to understand just exactly how this mail made it to my ISP's mailbox.
    |
    | Nowhere is there any mention of my email address, or even my routers' IP
    | address. How is this achievable ?
    |
    | <begin headers>
    |
    | Return-Path: <>
    | Received: from localhost (localhost.localdomain [127.0.0.1])
    | by localhost.localdomain (8.12.8/8.12.8) with ESMTP id
    | i7MGRYhc010915
    | for <me@localhost>; Sun, 22 Aug 2004 17:27:35 +0100
    | Received: from pop.ntlworld.com [62.253.162.50]
    | by localhost with POP3 (fetchmail-6.2.0)
    | for me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100
    | (BST)
    | Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
    | by mta04-svc.ntlworld.com
    | (InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
    | id
    | <2.attbi.com>;
    | Sun, 22 Aug 2004 17:20:51 +0100
    | X-Message-Info: TJHN+ap52+ewf+E+81/433818234603741
    | Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
    | Date: Sun, 22 Aug 2004 23:22:15 +0600
    | Message-Id: <686876125.50504@>
    | From: Tanya Klinko <>
    | To: "Wt.thomas77" <>
    | Subject: New Dating Site
    | MIME-Version: 1.0 (produced by ameslandictum 3.7)
    | Content-Type: multipart/alternative;
    | boundary="--467192766424474342"
    | X-Spam-Status: No, hits=4.1 required=5.0
    | tests=INVALID_MSGID,PORN_4,RCVD_IN_ORBS,SPAM_PHRASE_00_01,
    | TO_LOCALPART_EQ_REAL
    | version=2.44
    | X-Spam-Level: ****
    | Status:
    |
    | <end headers>
    |
    | From what I've read on the subject, the 'Received:' that is the lowest down
    | the headers is most likely the sender. And any more than 3 or 4 'Received:'
    | lines means the mail has definitely been forged. Does this sound right ?
    |
    | Thanks for any info you might have.
    |
    | Cordially,
    |
    | Kleeb.
    |
     
    David H. Lipman, Aug 22, 2004
    #2

  3. David H. Lipman

    Bit Twister Guest

    On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
    > What is this crap ?


    An infected machine with the Hackarmy Trojan horse controlled
    by a zombie master. Now the machine is up for renting ads spammed into
    Usenet groups.

    Report the abusing ip (s64-180-111-134.bc.hsia.telus.net) to
    with brief reason followed by the full headers and at least one full post
    of message.

    If everyone does it, the abuse dept will shut them down just to keep
    their inbox from filling up.
     
    Bit Twister, Aug 22, 2004
    #3
  4. David H. Lipman

    Kleeb Guest

    On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> schrieb:

    >What is this crap ?


    I wonder if you could shed some light on the following headers from a mail
    I've just received. I'm finding it difficult with my current knowledge (not
    much) to understand just exactly how this mail made it to my ISP's mailbox.

    Nowhere is there any mention of my email address, or even my routers' IP
    address. How is this achievable ?

    <begin headers>

    Return-Path: <>
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by localhost.localdomain (8.12.8/8.12.8) with ESMTP id
    i7MGRYhc010915
    for <me@localhost>; Sun, 22 Aug 2004 17:27:35 +0100
    Received: from pop.ntlworld.com [62.253.162.50]
    by localhost with POP3 (fetchmail-6.2.0)
    for me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100
    (BST)
    Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
    by mta04-svc.ntlworld.com
    (InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
    id
    <2.attbi.com>;
    Sun, 22 Aug 2004 17:20:51 +0100
    X-Message-Info: TJHN+ap52+ewf+E+81/433818234603741
    Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
    Date: Sun, 22 Aug 2004 23:22:15 +0600
    Message-Id: <686876125.50504@>
    From: Tanya Klinko <>
    To: "Wt.thomas77" <>
    Subject: New Dating Site
    MIME-Version: 1.0 (produced by ameslandictum 3.7)
    Content-Type: multipart/alternative;
    boundary="--467192766424474342"
    X-Spam-Status: No, hits=4.1 required=5.0
    tests=INVALID_MSGID,PORN_4,RCVD_IN_ORBS,SPAM_PHRASE_00_01,
    TO_LOCALPART_EQ_REAL
    version=2.44
    X-Spam-Level: ****
    Status:

    <end headers>

    From what I've read on the subject, the 'Received:' that is the lowest down
    the headers is most likely the sender. And any more than 3 or 4 'Received:'
    lines means the mail has definitely been forged. Does this sound right ?

    Thanks for any info you might have.

    Cordially,

    Kleeb.
     
    Kleeb, Aug 22, 2004
    #4
  5. I was beginning to think it was an NNTP spam zombie.

    So what do you think the purpose is ?

    Are the phone numbers high cost toll numbers ?

    Dave



    "Bit Twister" <> wrote in message
    news:...
    | On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
    | > What is this crap ?
    |
    | An infected machine with the Hackarmy Trojan horse controlled
    | by a zombie master. Now the machine is up for renting ads spammed into
    | Usenet groups.
    |
    | Report the abusing ip (s64-180-111-134.bc.hsia.telus.net) to
    | with brief reason followed by the full headers and at least one full post
    | of message.
    |
    | If everyone does it, the abuse dept will shut them down just to keep
    | their inbox from filling up.
     
    David H. Lipman, Aug 22, 2004
    #5
  6. David H. Lipman

    Bit Twister Guest

    On Sun, 22 Aug 2004 18:41:16 GMT, David H. Lipman wrote:
    > I was beginning to think it was an NNTP spam zombie.
    >
    > So what do you think the purpose is ?
    >
    > Are the phone numbers high cost toll numbers ?


    No idea. You could try the web page and phone number for us. :)

    Could be a page to exploit your Microsoft Outlook Express
    6.00.2800.1437 browser, snarf email address from browser, bump his ad
    counter for more money, ...

    Does not matter to me, I never visit a spam post, do not use a browser
    to read a text news group, and have fake email addy in my browser, and
    use a separate login account for browsing and reading mail.

    Browser account deletes all files and loads pristine copy on logout.
     
    Bit Twister, Aug 22, 2004
    #6
  7. David H. Lipman

    Kleeb Guest

    On Sun, 22 Aug 2004 17:20:10 GMT, David H. Lipman <DLipman~nospam~@Verizon.Net> schrieb :
    > Blind Carbon Copy (BCC)
    >
    > It won't show for privacy issues. That's why its sued. Like when you send a message to a
    > coworker but also send a BCC to his boss. This way the coworker has no way of knowing his
    > boss knows.
    >
    > I may be mistaken but, it may have originated from a AT&T node.
    >
    > Dave


    Thanks Dave. I was looking for a complicated answer, and didn't think of
    that.

    Cordially,

    Kleeb.
     
    Kleeb, Aug 22, 2004
    #7
  8. "Kleeb" <> wrote in message
    news:...
    > On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
    > <DLipman~nospam~@Verizon.Net> schrieb:
    >
    > >What is this crap ?
    >
    > I wonder if you could shed some light on the following headers from a mail
    > I've just received. I'm finding it difficult with my current knowledge (not
    > much) to understand just exactly how this mail made it to my ISP's mailbox.

    Further to David's answer... in SMTP (the thing that is used to send email),
    there is no hard link between the message addressee and the content - SMTP
    is a fairly trusting protocol.

    (i.e. it doesn't take a Rocket Scientist to tell the server "RCPT TO:
    lid", but with a different addressee in the message
    headers. (Which, incidentally, are fairly easy to read:
    http://www.codecutters.org/spam/smtpheaders.html for details)

    BCC is simply a human-friendly way of doing this automatically.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Aug 23, 2004
    #8
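As an added example (not code from this thread or from any of its posters), the script below walks the `Received:` chain of the headers Kleeb posted, copied in as constructed sample input with the folded lines restored. It applies the rule the thread converges on rather than the "more than 3 or 4 lines means forged" rule of thumb: the number of `Received:` lines proves nothing, because the lowest lines travelled with the message and the sender could have written them; the first line stamped by a server you trust is the earliest one you can rely on, and its `from` IP is the connecting client as your own infrastructure saw it. It also pulls the envelope recipient out of the `for` clause to show the point Dave and Hairy One Kenobi make: the header `To:` and the mailbox the message was actually delivered to are independent. The trusted-domain list and the `Hop` field names are assumptions made for this example.

```python
"""Walk a mail's Received: chain and separate the hops recorded by servers
you trust from the hops the sender could have forged."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Constructed sample input: the headers Kleeb posted in this thread,
# re-folded onto continuation lines and trimmed to the relevant fields.
SAMPLE = """\
Return-Path: <>
Received: from localhost (localhost.localdomain [127.0.0.1])
 by localhost.localdomain (8.12.8/8.12.8) with ESMTP id i7MGRYhc010915
 for <me@localhost>; Sun, 22 Aug 2004 17:27:35 +0100
Received: from pop.ntlworld.com [62.253.162.50]
 by localhost with POP3 (fetchmail-6.2.0)
 for me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100 (BST)
Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
 by mta04-svc.ntlworld.com
 (InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
 id <2.attbi.com>; Sun, 22 Aug 2004 17:20:51 +0100
Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
Date: Sun, 22 Aug 2004 23:22:15 +0600
From: Tanya Klinko <>
To: "Wt.thomas77" <>
Subject: New Dating Site

(body omitted)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:                     # field names are this example's own choice
    from_host: Optional[str]   # host the sending side announced
    from_ip: Optional[str]     # connecting IP as recorded by the receiving server
    by_host: Optional[str]     # server that added this Received: line
    for_addr: Optional[str]    # envelope recipient, if the server recorded it
    timestamp: str


def parse_received(value: str) -> Hop:
    """Parse one Received: header value into its from/by/for clauses."""
    flat = re.sub(r"\s+", " ", value).strip()
    ip = IPV4.search(flat)  # the bracketed IP usually sits inside a comment
    # Drop parenthesised comments so "(qmail ... invoked by uid 910)" is not
    # mistaken for a 'by' clause.
    clauses = re.sub(r"\([^)]*\)", "", flat)

    def clause(name: str) -> Optional[str]:
        m = re.search(rf"\b{name}\s+<?([^\s<>;]+)>?", clauses)
        return m.group(1) if m else None

    return Hop(
        from_host=clause("from"),
        from_ip=ip.group(1) if ip else None,
        by_host=clause("by"),
        for_addr=clause("for"),
        timestamp=flat.rsplit(";", 1)[-1].strip(),
    )


def received_chain(raw: str) -> List[Hop]:
    """All Received: hops, top of the header block first (latest hop first)."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def first_trusted_hop(hops: List[Hop],
                      trusted_suffixes: Tuple[str, ...]) -> Tuple[Optional[Hop], int]:
    """Walk from the bottom (earliest) line upward and return the first hop
    stamped by a server you trust, plus the count of lines below it.

    Lines below that hop arrived inside the message, so the sender could have
    written them; the trusted hop's from_ip is the client your server spoke to."""
    unverifiable = 0
    for hop in reversed(hops):
        if hop.by_host and hop.by_host.endswith(trusted_suffixes):
            return hop, unverifiable
        unverifiable += 1
    return None, unverifiable


def envelope_vs_header(raw: str) -> dict:
    """Compare the header To: (what the sender wrote) with the envelope
    recipient a server recorded in a 'for' clause (who really received it)."""
    msg = message_from_string(raw)
    hops = received_chain(raw)
    header_to = parseaddr(msg.get("To", ""))[1] or None
    envelope_for = next((h.for_addr for h in hops if h.for_addr), None)
    return {"header_to": header_to,
            "envelope_recipient": envelope_for,
            "match": header_to is not None and header_to == envelope_for}


if __name__ == "__main__":
    chain = received_chain(SAMPLE)
    # Assumed trust list: the recipient's own ISP and local delivery hosts.
    trusted, below = first_trusted_hop(chain, ("ntlworld.com", "localhost", "localhost.localdomain"))
    for hop in chain:
        print(f"from {hop.from_host} [{hop.from_ip}] by {hop.by_host} at {hop.timestamp}")
    print(f"first trusted hop saw client {trusted.from_ip}; {below} line(s) below it are unverifiable")
    print(envelope_vs_header(SAMPLE))
```

Run against the sample, the first trusted hop is the one `mta04-svc.ntlworld.com` stamped, which saw the client at 24.91.167.49 (the attbi.com host Dave pointed at); the single qmail line beneath it carries no IP and cannot be checked. The header `To:` is empty while the `for` clause names the real mailbox, which is exactly why nothing in the visible headers mentioned Kleeb's address.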
  9. David H. Lipman

    Kleeb Guest

    On 2004-08-23, Hairy One Kenobi <abuse@[> schrieb :

    > (i.e. it doesn't take a Rocket Scientist to tell the server "RCPT TO:
    > lid", but with a different addressee in the message
    > headers. (Which, incidentally, are fairly easy to read:
    > http://www.codecutters.org/spam/smtpheaders.html for details)
    >
    > BCC is simply a human-friendly way of doing this automatically.


    Thanks for the link. Seems a bit clearer now. I think actually I've read
    something like this before, but having had a second look, I understand the
    parts about the invalid 'Received:' lines now.

    Cordially,

    Kleeb.
     
    Kleeb, Aug 23, 2004
    #9
  10. David H. Lipman

    Karen in MN Guest

    "Bit Twister" <> wrote in message
    news:...
    > On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
    > > What is this crap ?

    >
    > An infected machine with the Hackarmy Trojan horse controlled
    > by a zombie master. Now the machine is up for renting ads spammed into
    > Usenet groups.
    >
    > Report the abusing ip (s64-180-111-134.bc.hsia.telus.net) to
    > with brief reason followed by the full headers and at least one full post
    > of message.
    >
    > If everyone does it, the abuse dept will shut them down just to keep
    > their inbox from filling up.


    Doesn't seem to be working - but then telus doesn't seem to have too good a
    reputation when it comes to dealing with spam. All the spams, with all the
    different email addresses, all point to the same company / address in
    Vancouver, British Columbia. My guess is we'll see a huge spam run from
    them soon with the addresses they collect from people complaining.
     
    Karen in MN, Aug 25, 2004
    #10
