Virus origin

Discussion in 'Computer Security' started by srm, Nov 21, 2004.

  1. srm

    srm Guest

    I've installed Amavis/AntiVir on my Linux system and this seems to be doing
    a good job of intercepting nasties. But I have a question about the
    information supplied by these packages.

    I know that malware programs typically spoof the 'From' header, so I'm
    ignoring that. However, I'm intrigued by the 'Received:' headers. Amavis
    highlights the earliest 'Received:' header in the chain. Here's an example:

    According to the 'Received:' trace, the message originated at:
       host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
    helo=frenchentree.com)

    Now, that 'helo=frenchentree.com' interests me. That's a site for which my
    wife (to whom all these virus-bearing messages were addressed) has just
    started working. We've had a bunch of these and there are other indications
    that the guy she's working for might actually be the source of the malware.

    So, the question is, do malware programs also somehow spoof the HELO? Or is
    this actual proof that the malware originated from the frenchentree.com
    domain? I need to know before I give the guy a bollocking and tell him to
    sort out his system.

    --
    @+
     
    srm, Nov 21, 2004
    #1

  2. GreySoul

    GreySoul Guest

    On Sun, 21 Nov 2004 13:49:34 +0100, srm <> wrote:

    >I've installed Amavis/AntiVir on my Linux system and this seems to be doing
    >a good job of intercepting nasties. But I have a question about the
    >information supplied by these packages.
    >
    >I know that malware programs typically spoof the 'From' header, so I'm
    >ignoring that. However, I'm intrigued by the 'Received:' headers. Amavis
    >highlights the earliest 'Received:' header in the chain. Here's an example:
    >
    >According to the 'Received:' trace, the message originated at:
    >   host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
    >helo=frenchentree.com)
    >
    >Now, that 'helo=frenchentree.com' interests me. That's a site for which my
    >wife (to whom all these virus-bearing messages were addressed) has just
    >started working. We've had a bunch of these and there are other indications
    >that the guy she's working for might actually be the source of the malware.
    >
    >So, the question is, do malware programs also somehow spoof the HELO? Or is
    >this actual proof that the malware originated from the frenchentree.com
    >domain? I need to know before I give the guy a bollocking and tell him to
    >sort out his system.



    Helo is easily spoofed. It doesn't mean anything. At work I
    regularly see spam being blocked in which the helo portion shows our
    domain name, even though it came from outside our mail server.
     
    GreySoul, Nov 21, 2004
    #2

  3. Jim Watt

    Jim Watt Guest

    On Sun, 21 Nov 2004 13:49:34 +0100, srm <> wrote:

    >So, the question is, do malware programs also somehow spoof the HELO? Or is
    >this actual proof that the malware originated from the frenchentree.com
    >domain? I need to know before I give the guy a bollocking and tell him to
    >sort out his system.


    Tread cautiously; it's very easy to spoof an SMTP server.

    Usually these days they record the IP of the originator, which is more
    reliable than a domain name supplied.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 21, 2004
    #3
  4. Jem Berkes

    Jem Berkes Guest

    > So, the question is, do malware programs also somehow spoof the HELO?
    > Or is this actual proof that the malware originated from the
    > frenchentree.com domain? I need to know before I give the guy a
    > bollocking and tell him to sort out his system.


    I have seen several approaches used. Let's say the malware on a computer
    with host name 'work1' wants to send to '', with fake from
    address ''. Possibilities:

    HELO work1
    HELO example.com <-- as in your wife's example
    HELO isp.com

    Of course, whatever the client says with HELO usually shows up in the
    Received headers. I would ignore that field, it can say anything really.

    --
    Jem Berkes
    http://www.sysdesign.ca/
     
    Jem Berkes, Nov 21, 2004
    #4
  5. Travis Casey

    Travis Casey Guest

    srm wrote:

    > I've installed Amavis/AntiVir on my Linux system and this seems to be
    > doing a good job of intercepting nasties. But I have a question about the
    > information supplied by these packages.
    >
    > I know that malware programs typically spoof the 'From' header, so I'm
    > ignoring that. However, I'm intrigued by the 'Received:' headers. Amavis
    > highlights the earliest 'Received:' header in the chain. Here's an
    > example:
    >
    > According to the 'Received:' trace, the message originated at:
    > host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
    > helo=frenchentree.com)


    "Received:" headers are faked by many spammers and viruses. I generally
    only trust the "Received:" headers from my own boxes, and there, only trust
    the IP given, not the "HELO" information.

    > Now, that 'helo=frenchentree.com' interests me. That's a site for which my
    > wife (to whom all these virus-bearing messages were addressed) has just
    > started working. We've had a bunch of these and there are other
    > indications that the guy she's working for might actually be the source of
    > the malware.


    The IP given is in the UK. You can look it up at www.ripe.net -- if you do,
    you'll get the name of the ISP it belongs to. If it's the same ISP that
    frenchentree.com gets their service from, then it's much more plausible.

    Doing a ping on www.frenchentree.com gives 217.199.167.27 as the IP. That
    doesn't appear to belong to the same ISP, but it's possible that they use a
    web hosting service, of course, so that's not conclusive.

    > So, the question is, do malware programs also somehow spoof the HELO? Or
    > is this actual proof that the malware originated from the frenchentree.com
    > domain? I need to know before I give the guy a bollocking and tell him to
    > sort out his system.


    This in itself isn't proof, but it still looks plausible.

    --
    ZZzz |\ _,,,---,,_ Travis S. Casey <>
    /,`.-'`' -. ;-;;,_ No one agrees with me. Not even me.
    |,4- ) )-,_..;\ ( `'-'
    '---''(_/--' `-'\_)
     
    Travis Casey, Nov 21, 2004
    #5
  6. Miguel Cruz

    Miguel Cruz Guest

    In article <>, srm <> wrote:
    > I know that malware programs typically spoof the 'From' header, so I'm
    > ignoring that. However, I'm intrigued by the 'Received:' headers. Amavis
    > highlights the earliest 'Received:' header in the chain.


    ...which could be fake.

    > Here's an example:
    >
    > According to the 'Received:' trace, the message originated at:
    >    host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
    > helo=frenchentree.com)
    >
    > Now, that 'helo=frenchentree.com' interests me. That's a site for which my
    > wife (to whom all these virus-bearing messages were addressed) has just
    > started working. We've had a bunch of these and there are other indications
    > that the guy she's working for might actually be the source of the malware.
    >
    > So, the question is, do malware programs also somehow spoof the HELO?


    Yes, all the time. Quite often they pick something that matches the target
    address's domain.

    miguel
    --
    Hit The Road! Photos from 32 countries on 5 continents: http://travel.u.nu
     
    Miguel Cruz, Nov 21, 2004
    #6
  7. srm

    srm Guest

    Miguel Cruz wrote:

    > Yes, all the time. Quite often they pick something that matches the target
    > address's domain.


    Okay - thanks to everyone for the replies. It may be coincidence, then.

    --
    @+
     
    srm, Nov 21, 2004
    #7
  8. donnie

    donnie Guest

    On Sun, 21 Nov 2004 13:49:34 +0100, srm <> wrote:

    >According to the 'Received:' trace, the message originated at:
    >   host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
    >helo=frenchentree.com)

    ###########################
    It can be spoofed, as others have said, but don't forget about open
    SMTP relays. It seems that btcentralplus.com may be open, although I
    didn't test it myself. I used the query below.
    http://njabl.org/cgi-bin/lookup.cgi?query=217.42.163.55
    donnie.
     
    donnie, Nov 22, 2004
    #8
  9. srm wrote:

    > I know that malware programs typically spoof the 'From' header, so I'm
    > ignoring that. However, I'm intrigued by the 'Received:' headers. Amavis
    > highlights the earliest 'Received:' header in the chain. Here's an
    > example:
    >
    > According to the 'Received:' trace, the message originated at:
    > host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
    > helo=frenchentree.com)


    The sender can insert false "Received:" lines, but these will
    all appear *after* the valid "Received:" lines inserted by
    the legitimate mail transporters that subsequently handle the
    message. Work your way down the "Received:" lines until you
    come to a "by" that you don't trust. Ignore that and all
    subsequent "Received:" lines: they may be fake.

    Here's a sample "Received:" line from my last bit of spam:

    Received: from [218.81.169.233] (helo=xpectmore.com)
    by mx09.mrf.mail.rcn.net with smtp (Exim 3.35 #7)
    id 1CVjo9-0003ny-00; Sat, 20 Nov 2004 23:58:42 -0500

    Since the "by" gives a name at rcn.net, and since RCN is my ISP
    and therefore trusted, and since all the "Received:" lines preceding
    this line also had trusted "by"s, I believe that this message
    came from 218.81.169.233. (The "helo" is typically useless for
    diagnostics.) Since this is the last "Received:" line, that was
    the message's origin. You can use www.dnsstuff.com to learn
    a lot about 218.81.169.233.

    If the offending address turns out to be your friend,
    consider the possibility that your friend's machine has
    been recruited into some spammer's zombie army.

    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net
     
    Peter Pearson, Nov 22, 2004
    #9
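The trust walk Peter describes, as an added Python example that is not part of the thread or of any of the posters' own tooling: it parses a constructed "Received:" chain (the sample headers, host names, the trusted relay set and the documentation-range addresses are all assumptions invented for this example, modelled on the Exim-style stamps quoted above), walks it newest-first, and stops at the first "by" that is not a relay we trust. The peer address of the last trusted stamp is the furthest point the message can be traced; the helo= value is reported only as the client's own claim. The bottom-most "Received:" line in the sample is one the sender forged before handing the message to any real MTA, which is exactly the case the walk is meant to discard.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread). Newest hop is at the top.
# The last Received: line was written by the sender, not by a real MTA.
RAW_MESSAGE = """\
Received: from mail.example.net ([192.0.2.10] helo=mail.example.net)
\tby mx.example.net with esmtp (Exim 4.x)
\tid 1CVjo9-0003ny-01; Sun, 21 Nov 2004 12:49:34 +0000
Received: from [203.0.113.55] (helo=frenchentree.example)
\tby mail.example.net with smtp (Exim 4.x)
\tid 1CVjo9-0003ny-00; Sun, 21 Nov 2004 12:49:00 +0000
Received: from innocent.example ([198.51.100.9] helo=innocent.example)
\tby frenchentree.example with esmtp id 1; Sun, 21 Nov 2004 11:00:00 +0000
From: someone@example.org
To: victim@example.net
Subject: test

body
"""

# MTAs whose stamps we trust: our own MX and the ISP relay in front of it
# (assumed names for this example).
TRUSTED_BY = {"mx.example.net", "mail.example.net"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s()]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)


def parse_received(value):
    """Extract the three fields that matter from one Received: header.

    ip   : the peer address the receiving MTA saw on the TCP connection
    helo : whatever the client sent after HELO/EHLO (client-controlled)
    by   : the MTA that wrote the stamp (only meaningful if we trust it)
    """
    flat = " ".join(value.split())          # unfold the header
    ip = IP_RE.search(flat)
    helo = HELO_RE.search(flat)
    by = BY_RE.search(flat)
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": by.group(1).lower() if by else None,
    }


def trace_origin(raw_message, trusted_by):
    """Walk the Received: chain newest-first; stop at the first stamp
    written by an MTA we do not trust. The last trusted stamp's peer IP
    is the origin we can vouch for; everything below it may be forged."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    last_trusted = None
    stopped_at = None
    n = 0
    for n, hop in enumerate(hops):
        if hop["by"] not in trusted_by:
            stopped_at = hop["by"]
            break
        last_trusted = hop
    else:
        n = len(hops)                        # every stamp was trusted
    return {
        "origin_ip": last_trusted["ip"] if last_trusted else None,
        "helo_claimed": last_trusted["helo"] if last_trusted else None,
        "trusted_hops": n,
        "stopped_at": stopped_at,
    }


if __name__ == "__main__":
    result = trace_origin(RAW_MESSAGE, TRUSTED_BY)
    print("origin IP (from trusted stamp):", result["origin_ip"])
    print("HELO the client claimed (unverified):", result["helo_claimed"])
    print("walk stopped at untrusted 'by':", result["stopped_at"])
```

Run against the sample, the walk accepts the two stamps written by mx.example.net and mail.example.net, reports 203.0.113.55 as the origin, and stops at the line claiming to be "by frenchentree.example" without ever using the 198.51.100.9 address it contains. The helo= string in the trusted stamp is still just what the client typed; only the bracketed address came from the TCP connection.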
  10. srm

    srm Guest

    Peter Pearson wrote:

    > srm wrote:


    >> According to the 'Received:' trace, the message originated at:
    >> host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
    >> helo=frenchentree.com)

    >
    > The sender can insert false "Received:" lines, but these will
    > all appear *after* the valid "Received:" lines inserted by
    > the legitimate mail transporters that subsequently handle the
    > message. Work your way down the "Received:" lines until you
    > come to a "by" that you don't trust. Ignore that and all
    > subsequent "Received:" lines: they may be fake.


    The 'Received' header I quoted was the oldest (ie, the first) in the chain.
    Many of the virus mails we're receiving have the first Received header
    suggesting they've been mailed via a dial-up node near him on a system
    (Wanadoo) I know he uses. But I spoke to him today and he swears he's up
    to date with all AV scanners, firewall etc. It's just that I also know he's
    not brilliantly technical.

    It doesn't worry me too much - we're on Linux here and the Amavis/AntiVir
    system seems to be intercepting everything. It's just annoying having had
    to make space for around 250 virus emails in the past 5 days, not to
    mention the waste of bandwidth...

    --
    @+
     
    srm, Nov 22, 2004
    #10
  11. "srm" <> wrote in message news:...
    > Miguel Cruz wrote:
    >
    > > Yes, all the time. Quite often they pick something that matches the target
    > > address's domain.

    >
    > Okay - thanks to everyone for the replies. It may be coincidence, then.


    If it's actually addressed to someone at that domain (i.e. your wife), then
    the behaviour is "typical", rather than "coincidental"..

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Nov 23, 2004
    #11
  12. "srm" <> wrote in message news:...
    > Peter Pearson wrote:
    >
    > > srm wrote:

    >
    > >> According to the 'Received:' trace, the message originated at:
    > >> host217-42-163-55.range217-42.btcentralplus.com ([217.42.163.55]
    > >> helo=frenchentree.com)

    > >
    > > The sender can insert false "Received:" lines, but these will
    > > all appear *after* the valid "Received:" lines inserted by
    > > the legitimate mail transporters that subsequently handle the
    > > message. Work your way down the "Received:" lines until you
    > > come to a "by" that you don't trust. Ignore that and all
    > > subsequent "Received:" lines: they may be fake.

    >
    > The 'Received' header I quoted was the oldest (ie, the first) in the chain.
    > Many of the virus mails we're receiving have the first Received header
    > suggesting they've been mailed via a dial-up node near him on a system
    > (Wanadoo) I know he uses. But I spoke to him today and he swears he's up
    > to date with all AV scanners, firewall etc. It's just that I also know he's
    > not brilliantly technical.


    The oldest cannot be relied upon, I'm afraid (this has already been said..)

    http://www.codecutters.org/spam/smtpheaders.html

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Nov 23, 2004
    #12
  13. srm

    srm Guest

    Hairy One Kenobi wrote:

    > "srm" <> wrote in message news:...
    >> Miguel Cruz wrote:
    >>
    >> > Yes, all the time. Quite often they pick something that matches the target
    >> > address's domain.

    >>
    >> Okay - thanks to everyone for the replies. It may be coincidence, then.

    >
    > If it's actually addressed to someone at that domain (i.e. your wife),
    > then the behaviour is "typical", rather than "coincidental"..


    No, her address isn't at that domain.

    --
    @+
     
    srm, Nov 23, 2004
    #13
  14. Steve Ackman

    Steve Ackman Guest

    On Sun, 21 Nov 2004 13:49:34 +0100, srm <> wrote:

    > According to the 'Received:' trace, the message originated at:
    >    host217-42-163-55.range217-42.btcentralplus.com  ([217.42.163.55]
    > helo=frenchentree.com)


    Look at the IP address in brackets. That's more
    reliable than any helo comment. Do a host on
    217.42.163.55, and it does indeed point to
    host217-42-163-55.range217-42.btcentralplus.com
    as the Received line indicates.
     
    Steve Ackman, Nov 24, 2004
    #14