Drew Wutka
dbatech at wolfwares.com
Thu Aug 21 16:51:03 CDT 2003
RE: [dba-Tech] Norton FirewallNo, what it means is that a machine called DELLY, with an IP Address of 68.49.121.92 send you this email. Here is the WhoIS info for that IP Address: OrgName: Comcast Cable Communications, Inc. OrgID: CMCS Address: 3 Executive Campus Address: 5th Floor City: Cherry Hill StateProv: NJ PostalCode: 08002 Country: US NetRange: 68.32.0.0 - 68.63.255.255 CIDR: 68.32.0.0/11 NetName: JUMPSTART-1 NetHandle: NET-68-32-0-0-1 Parent: NET-68-0-0-0-0 NetType: Direct Allocation NameServer: NS01.JDC01.PA.COMCAST.NET NameServer: NS02.JDC01.PA.COMCAST.NET Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE RegDate: 2001-11-29 Updated: 2002-06-12 TechHandle: IC161-ARIN TechName: Comcast Cable Communications, Inc. TechPhone: +1-856-317-7300 TechEmail: cips-ip-registration at cable.comcast.com OrgAbuseHandle: NAPO-ARIN OrgAbuseName: Network Abuse and Policy Observance OrgAbusePhone: +1-856-317-7272 OrgAbuseEmail: abuse at comcast.net OrgTechHandle: IC161-ARIN OrgTechName: Comcast Cable Communications, Inc. OrgTechPhone: +1-856-317-7300 OrgTechEmail: cips-ip-registration at cable.comcast.com CustName: Comcast Cable Communications, Inc. Address: 3 Executive Campus Address: 5th Floor City: Cherry Hill StateProv: NJ PostalCode: 08002 Country: US RegDate: 2003-03-19 Updated: 2003-03-19 NetRange: 68.48.0.0 - 68.49.255.255 CIDR: 68.48.0.0/15 NetName: DC-3 NetHandle: NET-68-48-0-0-1 Parent: NET-68-32-0-0-1 NetType: Reassigned Comment: NONE RegDate: 2003-03-19 Updated: 2003-03-19 TechHandle: IC161-ARIN TechName: Comcast Cable Communications, Inc. TechPhone: +1-856-317-7300 TechEmail: cips-ip-registration at cable.comcast.com OrgAbuseHandle: NAPO-ARIN OrgAbuseName: Network Abuse and Policy Observance OrgAbusePhone: +1-856-317-7272 OrgAbuseEmail: abuse at comcast.net OrgTechHandle: IC161-ARIN OrgTechName: Comcast Cable Communications, Inc. OrgTechPhone: +1-856-317-7300 OrgTechEmail: cips-ip-registration at cable.comcast.com # ARIN WHOIS database, last updated 2003-08-20 19:15 # Enter ? for additional hints on searching ARIN's WHOIS database. So it's someone that is using Comcast as their ISP. Sometimes the WhoIs information narrows it down further, but this looks like a home user. (Most businesses register their own information within the WhoIs servers. You could try to contact Comcast with the numbers here, and tell them you are receiving virus emails....they may be able to contact the actual infected person, since they should know which one of their customers is currently using that IP Address. Drew ----- Original Message ----- From: John Bartow To: Discussion of Hardware and Software issues Sent: Thursday, August 21, 2003 4:36 PM Subject: RE: [dba-Tech] Lots of Virii attempts today I've been getting deluged by them too this week. Probably 20 a day since I got back from vacation (Sunday). I opened one of them (Outlook 2k) and choose View | Options and copied this info: Received: from DELLY [68.49.121.92] by mail.winhaven.net with ESMTP (SMTPD32-8.01) id A9CB30F0378; Thu, 21 Aug 2003 09:40:11 -0500 From: <stuartcannon at mindspring.com> To: <techasst at winhaven.net> Subject: Re: Wicked screensaver Does this mean that Stuart Cannon really is the person that sent this or can this be masquraded somehow? John B. -----Original Message----- From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com]On Behalf Of Drew Wutka Sent: Thursday, August 21, 2003 2:52 PM To: Discussion of Hardware and Software issues Subject: Re: [dba-Tech] Lots of Virii attempts today Just a little FYI on this virus. It DOES NOT use the email address of the infected machine to send out emails. It sends them out using random email addresses found on the users machine. What does that mean in English? If your anti-virus software sends a notice to the sender of a virus (like yours did here Arthur), you are notifying the wrong person. We have gotten tons of these notices, because our employee's email addresses are being spoofed by this virus! To actually determine what is sending out these emails, look at the header info of the email. That will give you the machine name and IP Address of the computer sending out the viruses. Get the WhoIS information for that IP Address, and notify the Abuse or Tech person for that IP Address. It may help them if you include a copy of the header information. Drew ----- Original Message ----- From: Arthur Fuller To: Discussion of Hardware and Software issues Sent: Thursday, August 21, 2003 2:31 PM Subject: [dba-Tech] Lots of Virii attempts today I just got about the 20th notice today from the company's email provider. A snip: Recipient: afuller at etsys.com Sender: ntbug at microsoft.com Subject: Re: Approved Virus name: W32.Sobig.F at mm Attachment: details.pif Status: Messaged deleted Notified: recipient, administrator Thank you for using our services --- The Electric Mail Company www.electricmail.com My question is, how can people spoof an email address? Look where it allegedly came from. -------------------------------------------------------------------------- _______________________________________________ dba-Tech mailing list dba-Tech at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-tech Website: http://www.databaseadvisors.com ------------------------------------------------------------------------------ _______________________________________________ dba-Tech mailing list dba-Tech at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-tech Website: http://www.databaseadvisors.com -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://databaseadvisors.com/pipermail/dba-tech/attachments/20030821/60fd3c4b/attachment.html>