I have received several emails from someone who is using other
people's email addresses to send me the Klez virus. The full headers
of all of them reveal that the person sending is the same in all
instances, even though each one appears to come from a different
source, all different from the sender.
Who is this person and where are they located? The last line of the
headers of all of them is X-Apparently-From: DSCChem@aol.com
Full headers:
X-Persona: <DSL Extreme>
X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
X-Symantec-TimeoutProtection: 2
X-Symantec-TimeoutProtection: 3
Return-Path: <info@migrationwatchuk.org>
Delivered-To: radiocarol@dslextreme.com
Received: (qmail 32297 invoked from network); 19 Dec 2002 16:53:15
-0000
Received: from unknown (HELO va1.dslextreme.com) (66.218.48.12)
by 192.168.7.20 with SMTP; 19 Dec 2002 16:53:15 -0000
Received: from main12.ezpublishing.com (main12.ezpublishing.com
[216.121.224.192])
by va1.dslextreme.com (8.12.5/8.12.5) with ESMTP id gBJGu7Kn001015
for <radiocarol@dslextreme.com>; Thu, 19 Dec 2002 08:56:07 -0800
Received: (from bin@localhost)
by main12.ezpublishing.com (8.9.3/8.9.3) id JAA14310
for radiocarol@dslextreme.com; Thu, 19 Dec 2002 09:05:08 -0800
Received: from rly-ip05.mx.aol.com (rly-ip05.mx.aol.com [64.12.138.9])
by main12.ezpublishing.com (8.9.3/8.9.3) with ESMTP id IAA08223
for <webmaster4terry@theterryandersonshow.com>; Thu, 19 Dec 2002
08:59:33 -0800
Received: from logs-wk.proxy.aol.com (logs-wk.proxy.aol.com
[205.188.198.135]) by rly-ip05.mx.aol.com (v89.10) with ESMTP id
RELAYIN8-1219114621; Thu, 19 Dec 2002 11:46:21 1900
Received: from Qulzpuoxg (AC80B8DD.ipt.aol.com [172.128.184.221])
by logs-wk.proxy.aol.com (8.10.0/8.10.0) with SMTP id gBJGU29167315
for <webmaster4terry@theterryandersonshow.com>; Thu, 19 Dec 2002
11:30:02 -0500 (EST)
Date: Thu, 19 Dec 2002 11:30:02 -0500 (EST)
Message-Id: <200212191630.gBJGU29167315@logs-wk.proxy.aol.com>
From: info <info@migrationwatchuk.org>
To: webmaster4terry@theterryandersonshow.com
Subject: New Roman
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=N8SjA5Bs8C0Q78X676Tu
X-Apparently-From: DSCChem@aol.com
Content-Type: text/html;
Norton AntiVirus Deleted12.txt
Request for Question Clarification by tutuzdad-ga on 19 Dec 2002 10:57 PST
The source of the version of klez you are receiving in your emails
cannot be determined with any degree of accuracy. I can tell you why,
if that will suffice as an answer?
tutuzdad-ga
Clarification of Question by stopvirii-ga on 19 Dec 2002 14:42 PST
Hi, thanks for doing my question. I don't care where the virus comes
from, I want to know who is attacking me! Since I put in the
question, I have received yet another copy of the virus with a forged
sender email, but with the same last line, DSCChem@aol.com.
Clarification of Question by stopvirii-ga on 19 Dec 2002 14:44 PST
What I want is someone who can read the headers to tell me where it
came from, how they forged the alleged "sender" email, the path of how
it got to me.
Request for Question Clarification by tutuzdad-ga on 19 Dec 2002 16:58 PST
That is not possible. As I mentioned, I can explain WHY it cannot be
done, if that will suffice as an answer. There is a valid explanation.
Otherwise, simply accepting the fact that this is not possible may be
sufficient for you.
tutuzdad-ga
Clarification of Question by stopvirii-ga on 19 Dec 2002 20:10 PST
Then you will need to put the question back so someone else can
answer.
Initially I had made it very clear that I wanted the identity of the
SENDER, and you started talking about the origin of the Klez virus!
Now you say you can't "do that" (find out who sent it). However, the
reason I came here to Google in the first place is that someone else
had the same situation and GOT HIS ANSWER HERE -- in only about two
hours, I might add. The answer even included the sender's telephone
number! He has done this about 4 times, gotten answers.
So, 10 hours later, I have no answer, and no hope of one from you, so
please put the question back for someone else to answer.
Clarification of Question by stopvirii-ga on 19 Dec 2002 20:18 PST
As to my computer being infected, it is not. Norton caught the virus
coming in each time, and deleted it automatically. I also went to
Symantec's website, downloaded and ran the Klez removal tool, which
reported, after scanning my entire computer, that I did not have the
virus - nothing to remove. :)
The "From" address in the infected email would be from the sender's
computer, not mine.
This is clearly a case of an attack, not an accident. (If perchance
it is an accident, then the sender should be notified that he has a
virus!)
I tried sending an email to the "Probably" address at the bottom of
the header, notifying of the virus, and it did NOT bounce back, so I
can assume it is a legit address. But still the virus keeps coming.
Request for Question Clarification by missy-ga on 20 Dec 2002 10:01 PST
Stopvirii,
Google Answers Researchers are not permitted to divulge personal
contact details for anyone - that means no addresses, no phone
numbers. We'd be happy to double check your friend's answers for you
if you'll tell us your friend's user name.
I strongly advise you to read the links about Klez provided by feilong
and tar-heel-v:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
http://www.wired.com/news/technology/0,1282,52055,00.html
Additionally, I've run your headers through SpamCop to determine the
source. The X-Apparently-From line is indeed a legitimate address -
but it ultimately means nothing. Klez harvests e-mail addresses and
uses them at random, as has been explained several times. This person
is not deliberately attacking you, s/he probably has no idea that s/he
either has a Klez infection or knows someone who does (if you open
Klez, it sends itself to everyone in your address book, and everyone
in theirs if they open it, and so on.)
The best you can do is send the headers and a note to abuse@aol.com,
and ask them to inform their user that they or someone they have given
their e-mail address to has Klez.
I'm sorry that this isn't what you want to hear, but it's the only
correct answer there is.
Your question has only been handled in the Clarifications section. It
is still open for answering, you have not been charged for any of the
advice you've been given.
--Missy
|
Klez uses "spoofing"; the email address that shows in the "From" line
is very unlikely to be an address of the culprit. For information on
this feature of Klez, see
http://www.sarc.com/avcenter/venc/data/w32.klez.h@mm.html
That page reads in part, "The subject line, message bodies, and
attachment file names are random. The From address is randomly-chosen
from email addresses that the worm finds on the infected computer."
This information may help you, though. Though the "From" email address
you are seeing is almost certainly not an address of the culprit, it
may be an address of someone the culprit knows. (This worked for me
once in deducing the source of Klez viruses coming to me.) But it may
just be an address the worm found on a stored email message on the
culprit's computer, where the message was forwarded dozens of times,
and each time more email addresses were added to the "cc:" list.
It may be possible to analyze the headers to determine the SMTP mail
server through which the mail messages are reaching the Internet, but
that will not help you very much. The techies responsible for that
server may sympathize with you, but it really isn't their problem.
To do the analysis, you might try SpamCop, at
http://spamcop.net/
Submit the entire email message to SpamCop, including full headers, as
if it were spam email. SpamCop will come back with an analysis that
includes the email source. From there, cancel out; the message really
isn't spam, and using SpamCop to report it would not be appropriate.
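Walking the Received chain by hand, as an added example that is not part of the original answer or of SpamCop: the script below takes the headers posted in the question (Received, sender and Message-Id lines, folded exactly as the page shows them) and prints the hops oldest first, the way SpamCop does internally. The headers are the question's; the parsing code and its rules are mine and are assumptions about how to read them: each MTA prepends its own Received line, so the last one in the message is the first hop; a Received line without "from ... by" is a local hand-off and not a network hop; the IP address in the receiving MTA's own bracketed note is what to trust, not the HELO name the client chose. It goes one step beyond the answer above in also checking whether the Message-Id was generated by the first relay rather than by the sending client.

```python
import re

# Headers as posted in the question above (MIME and X-Symantec lines omitted).
# The page extraction dropped the indentation of folded continuation lines, so
# unfold() treats any line that does not start with a "Name:" token as a continuation.
RAW_HEADERS = """\
X-Persona: <DSL Extreme>
Return-Path: <info@migrationwatchuk.org>
Delivered-To: radiocarol@dslextreme.com
Received: (qmail 32297 invoked from network); 19 Dec 2002 16:53:15
-0000
Received: from unknown (HELO va1.dslextreme.com) (66.218.48.12)
by 192.168.7.20 with SMTP; 19 Dec 2002 16:53:15 -0000
Received: from main12.ezpublishing.com (main12.ezpublishing.com
[216.121.224.192])
by va1.dslextreme.com (8.12.5/8.12.5) with ESMTP id gBJGu7Kn001015
for <radiocarol@dslextreme.com>; Thu, 19 Dec 2002 08:56:07 -0800
Received: (from bin@localhost)
by main12.ezpublishing.com (8.9.3/8.9.3) id JAA14310
for radiocarol@dslextreme.com; Thu, 19 Dec 2002 09:05:08 -0800
Received: from rly-ip05.mx.aol.com (rly-ip05.mx.aol.com [64.12.138.9])
by main12.ezpublishing.com (8.9.3/8.9.3) with ESMTP id IAA08223
for <webmaster4terry@theterryandersonshow.com>; Thu, 19 Dec 2002
08:59:33 -0800
Received: from logs-wk.proxy.aol.com (logs-wk.proxy.aol.com
[205.188.198.135]) by rly-ip05.mx.aol.com (v89.10) with ESMTP id
RELAYIN8-1219114621; Thu, 19 Dec 2002 11:46:21 1900
Received: from Qulzpuoxg (AC80B8DD.ipt.aol.com [172.128.184.221])
by logs-wk.proxy.aol.com (8.10.0/8.10.0) with SMTP id gBJGU29167315
for <webmaster4terry@theterryandersonshow.com>; Thu, 19 Dec 2002
11:30:02 -0500 (EST)
Date: Thu, 19 Dec 2002 11:30:02 -0500 (EST)
Message-Id: <200212191630.gBJGU29167315@logs-wk.proxy.aol.com>
From: info <info@migrationwatchuk.org>
To: webmaster4terry@theterryandersonshow.com
Subject: New Roman
X-Apparently-From: DSCChem@aol.com
"""

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# "from <HELO name> (<what the receiving MTA recorded>)... by <receiver>"
RECEIVED_RE = re.compile(r"^from\s+(?P<helo>\S+)(?P<info>(?:\s*\([^)]*\))*)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RDNS_RE = re.compile(r"\(([^\s()\[\]]+)\s+\[")  # "(rdns-name [ip])" as sendmail writes it


def unfold(raw):
    """Rejoin folded header lines; returns [(name, value), ...] in message order."""
    headers = []
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers.append([m.group(1), m.group(2)])
        elif headers:
            headers[-1][1] += " " + line.strip()
    return [(name, value) for name, value in headers]


def trace(raw):
    """Network hops oldest first. Each relay prepends its own Received line,
    so the last Received in the message is the first hop."""
    hops = []
    for name, value in unfold(raw):
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.match(value)
        if not m:
            continue  # qmail "(invoked from network)" / "(from bin@localhost)": local step
        info = m.group("info")
        ip, rdns = IP_RE.search(info), RDNS_RE.search(info)
        hops.append({"helo": m.group("helo"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None,
                     "rdns": rdns.group(1) if rdns else None})
    hops.reverse()
    return hops


def origin(raw):
    """The host that handed the message to the first relay (None if no hops)."""
    hops = trace(raw)
    return hops[0] if hops else None


def claimed_senders(raw):
    """Sender-looking fields. The Received chain does not vouch for any of them."""
    wanted = {"from", "return-path", "x-apparently-from"}
    return {n: v for n, v in unfold(raw) if n.lower() in wanted}


def message_id_host(raw):
    for n, v in unfold(raw):
        if n.lower() == "message-id":
            m = re.search(r"@([^>\s]+)", v)
            return m.group(1) if m else None
    return None


def report(raw):
    first = origin(raw)
    out = [f"origin: HELO {first['helo']!r}, rDNS {first['rdns']}, IP {first['ip']}, handed to {first['by']}"]
    out += [f"hop {i}: {h['helo']} [{h['ip']}] -> {h['by']}" for i, h in enumerate(trace(raw), 1)]
    out += [f"claimed {n}: {v}  (not verified by any hop)" for n, v in claimed_senders(raw).items()]
    if message_id_host(raw) == first["by"]:
        out.append("Message-Id was assigned by the first relay, not by the sending client")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(RAW_HEADERS))
```

On these headers the first hop is a client that announced itself as "Qulzpuoxg" (a random HELO, consistent with a worm's own SMTP engine rather than a mail client) from AC80B8DD.ipt.aol.com [172.128.184.221], handed to logs-wk.proxy.aol.com, which also minted the Message-Id. That AOL-side origin, not the From or Return-Path address, is the fact to put in the note to abuse@aol.com that the replies above recommend.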