[lug] Reading e-mail headers.
D. Stimits
stimits at attbi.com
Sat Aug 31 14:01:13 MDT 2002
John Dollison wrote:
> I just got some spam on my Windows machine that had the Klez virus attached.
> Norton caught it immediately, so I'm safe, but I was wondering if someone
> could tell me how to break down the info in the mail header, so I can get an
> idea of where this really came from? Here's what I've got:
> Thanx,
> John D.
>
> =========================================
> Received: from smtp2.netservers.net ([64.45.27.102]) by
> mc4-f9.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
> Sat, 31 Aug 2002 10:23:09 -0700
> Received: from Ixde (syr-24-92-253-164.twcny.rr.com [24.92.253.164])
> by smtp2.netservers.net (8.11.0/8.11.0) with SMTP id g7VHMtc00805
> for <johndollison at hotmail.com>; Sat, 31 Aug 2002 10:22:55 -0700
> Date: Sat, 31 Aug 2002 10:22:55 -0700
> Message-Id: <200208311722.g7VHMtc00805 at smtp2.netservers.net>
> From: iworks <iworks at vmadmin.com>
> To: johndollison at hotmail.com
> Subject: Ismap alt
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary=F5R01X5ZK2w447W
> Return-Path: chuck at pcscom.com
> X-OriginalArrivalTime: 31 Aug 2002 17:23:09.0015 (UTC)
> FILETIME=[1351C670:01C25113]
> =========================================
Are you sure this is the *full* header, and not a brief view or normal
view? About all I could say from the above is that vmadmin.com has IP
216.64.206.101, and that the named dotted decimal IP addresses do not
have that value. Most of these virii lie about who sent it anyway, so
iworks at vmadmin.com is probably just another email address the virus was
aware of, and it used that in the reply-to field. The named addresses
with dotted decimal format to the side of them seem to be valid, but
those are just part of the route. pcscom.com is 64.77.28.139, which is
closest to smtp2.netservers.net, but that doesn't mean much (FYI,
chuck at pcscom.com is also registered as the admin contact for domain
pcscom.com, you could probably email a full header to him and ask for
help figuring it out, but this does not look like a full header...how
did you obtain this header?).
D. Stimits, stimits AT attbi.com
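To make the reply's reasoning concrete, here is an added example (not part of the original thread) that walks the quoted `Received:` chain bottom-up, pulls the IP the first relay logged for its client, and checks whether the sender-controlled `From:` and `Return-Path:` fields even agree. The header text is taken from the message above as the archive rendered it (with "@" munged to " at ").

```python
import re

# Header fields as quoted in the original post (the archive munged "@" to " at ").
RAW_HEADER = """\
Received: from smtp2.netservers.net ([64.45.27.102]) by
 mc4-f9.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
 Sat, 31 Aug 2002 10:23:09 -0700
Received: from Ixde (syr-24-92-253-164.twcny.rr.com [24.92.253.164])
 by smtp2.netservers.net (8.11.0/8.11.0) with SMTP id g7VHMtc00805
 for <johndollison at hotmail.com>; Sat, 31 Aug 2002 10:22:55 -0700
From: iworks <iworks at vmadmin.com>
Return-Path: chuck at pcscom.com
"""

def unfold(raw):
    """Join RFC 822 folded header lines (continuations start with whitespace)."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[\d.]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)")

def received_chain(raw):
    """Hops oldest-first: each relay prepends its own Received: line, so the
    bottom-most one is the hop closest to the real origin."""
    hops = [HOP_RE.search(f) for f in unfold(raw) if f.lower().startswith("received:")]
    return [m.groupdict() for m in reversed(hops) if m]

def originating_ip(raw):
    """Bracketed IP the first relay recorded for its client. The HELO name
    beside it ('Ixde' here) is supplied by the client and proves nothing."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None

def sender_domains_agree(raw):
    """From: and Return-Path: are both written by the sender, so a mismatch
    (here vmadmin.com vs pcscom.com) is a cheap spoofing indicator."""
    doms = re.findall(r"^(?:From|Return-Path):.*?(?:@| at )([\w.-]+)", raw, re.M)
    return len(set(d.lower() for d in doms)) == 1

if __name__ == "__main__":
    for hop in received_chain(RAW_HEADER):
        print(f"{hop['helo']} ({hop['rdns']} [{hop['ip']}]) -> {hop['by']}")
    print("origin:", originating_ip(RAW_HEADER), "| sender fields agree:", sender_domains_agree(RAW_HEADER))
```

Only the hops written by relays you trust (here, the one your own provider's server added) are reliable; anything below them could have been forged by the sending machine.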