[dba-Tech] Lots of Virii attempts today

John Bartow john at winhaven.net
Thu Aug 21 17:24:32 CDT 2003


I'll check the last group I got and look them up as you did. If there is a
pattern I'll notify the ISP.

Thanks a bunch!

John B.
  -----Original Message-----
  From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com]On Behalf Of Drew Wutka
  Sent: Thursday, August 21, 2003 4:51 PM
  To: Discussion of Hardware and Software issues
  Subject: Re: [dba-Tech] Lots of Virii attempts today


  No, what it means is that a machine called DELLY, with an IP Address of
68.49.121.92, sent you this email.

  Here is the WhoIS info for that IP Address:

  OrgName: Comcast Cable Communications, Inc.
  OrgID: CMCS
  Address: 3 Executive Campus
  Address: 5th Floor
  City: Cherry Hill
  StateProv: NJ
  PostalCode: 08002
  Country: US

  NetRange: 68.32.0.0 - 68.63.255.255
  CIDR: 68.32.0.0/11
  NetName: JUMPSTART-1
  NetHandle: NET-68-32-0-0-1
  Parent: NET-68-0-0-0-0
  NetType: Direct Allocation
  NameServer: NS01.JDC01.PA.COMCAST.NET
  NameServer: NS02.JDC01.PA.COMCAST.NET
  Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
  RegDate: 2001-11-29
  Updated: 2002-06-12


  TechHandle: IC161-ARIN
  TechName: Comcast Cable Communications, Inc.
  TechPhone: +1-856-317-7300
  TechEmail: cips-ip-registration at cable.comcast.com

  OrgAbuseHandle: NAPO-ARIN
  OrgAbuseName: Network Abuse and Policy Observance
  OrgAbusePhone: +1-856-317-7272
  OrgAbuseEmail: abuse at comcast.net

  OrgTechHandle: IC161-ARIN
  OrgTechName: Comcast Cable Communications, Inc.
  OrgTechPhone: +1-856-317-7300
  OrgTechEmail: cips-ip-registration at cable.comcast.com

  CustName: Comcast Cable Communications, Inc.
  Address: 3 Executive Campus
  Address: 5th Floor
  City: Cherry Hill
  StateProv: NJ
  PostalCode: 08002
  Country: US
  RegDate: 2003-03-19
  Updated: 2003-03-19

  NetRange: 68.48.0.0 - 68.49.255.255
  CIDR: 68.48.0.0/15
  NetName: DC-3
  NetHandle: NET-68-48-0-0-1
  Parent: NET-68-32-0-0-1
  NetType: Reassigned
  Comment: NONE
  RegDate: 2003-03-19
  Updated: 2003-03-19

  TechHandle: IC161-ARIN
  TechName: Comcast Cable Communications, Inc.
  TechPhone: +1-856-317-7300
  TechEmail: cips-ip-registration at cable.comcast.com

  OrgAbuseHandle: NAPO-ARIN
  OrgAbuseName: Network Abuse and Policy Observance
  OrgAbusePhone: +1-856-317-7272
  OrgAbuseEmail: abuse at comcast.net

  OrgTechHandle: IC161-ARIN
  OrgTechName: Comcast Cable Communications, Inc.
  OrgTechPhone: +1-856-317-7300
  OrgTechEmail: cips-ip-registration at cable.comcast.com

  # ARIN WHOIS database, last updated 2003-08-20 19:15
  # Enter ? for additional hints on searching ARIN's WHOIS database.


  So it's someone that is using Comcast as their ISP.  Sometimes the WhoIs
information narrows it down further, but this looks like a home user.  (Most
businesses register their own information within the WhoIs servers.)

  You could try to contact Comcast with the numbers here, and tell them you
are receiving virus emails....they may be able to contact the actual
infected person, since they should know which one of their customers is
currently using that IP Address.

  Drew
    ----- Original Message -----
    From: John Bartow
    To: Discussion of Hardware and Software issues
    Sent: Thursday, August 21, 2003 4:36 PM
    Subject: RE: [dba-Tech] Lots of Virii attempts today


    I've been getting deluged by them too this week. Probably 20 a day since
I got back from vacation (Sunday).

    I opened one of them (Outlook 2k), chose View | Options and copied
this info:

    Received: from DELLY [68.49.121.92] by mail.winhaven.net with ESMTP
      (SMTPD32-8.01) id A9CB30F0378; Thu, 21 Aug 2003 09:40:11 -0500
    From: <stuartcannon at mindspring.com>
    To: <techasst at winhaven.net>
    Subject: Re: Wicked screensaver

    Does this mean that Stuart Cannon really is the person that sent this, or
can this be masqueraded somehow?

    John B.



      -----Original Message-----
      From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com]On Behalf Of Drew Wutka
      Sent: Thursday, August 21, 2003 2:52 PM
      To: Discussion of Hardware and Software issues
      Subject: Re: [dba-Tech] Lots of Virii attempts today


      Just a little FYI on this virus.  It DOES NOT use the email address of
the infected machine to send out emails.  It sends them out using random
email addresses found on the user's machine.  What does that mean in English?
If your anti-virus software sends a notice to the sender of a virus (like
yours did here, Arthur), you are notifying the wrong person.  We have gotten
tons of these notices, because our employees' email addresses are being
spoofed by this virus!

      To actually determine what is sending out these emails, look at the
header info of the email.  That will give you the machine name and IP
Address of the computer sending out the viruses.  Get the WhoIS information
for that IP Address, and notify the Abuse or Tech person for that IP
Address.  It may help them if you include a copy of the header information.

      Drew
        ----- Original Message -----
        From: Arthur Fuller
        To: Discussion of Hardware and Software issues
        Sent: Thursday, August 21, 2003 2:31 PM
        Subject: [dba-Tech] Lots of Virii attempts today


        I just got about the 20th notice today from the company's email
provider. A snip:

        Recipient: afuller at etsys.com

        Sender: ntbug at microsoft.com

        Subject: Re: Approved

        Virus name: W32.Sobig.F@mm

        Attachment: details.pif

        Status: Message deleted

        Notified: recipient, administrator

        Thank you for using our services

        ---

        The Electric Mail Company

        www.electricmail.com

        My question is, how can people spoof an email address? Look where it
allegedly came from.




------------------------------------------------------------------------


        _______________________________________________
        dba-Tech mailing list
        dba-Tech at databaseadvisors.com
        http://databaseadvisors.com/mailman/listinfo/dba-tech
        Website: http://www.databaseadvisors.com

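The procedure Drew describes above (ignore the From: line, read the Received: stamp that your own mail server added, take the connecting IP from it, and match it against the whois NetRange) as an added example in Python. This is not code from the thread. The trusted host name mail.winhaven.net, the first Received: line, the From:/To:/Subject: lines and the two CIDR blocks are taken from the messages above; the second Received: line and the address 192.0.2.10 are constructed to show a hop the sender could have forged.

```python
"""Locate the real sending host behind a spoofed e-mail, using Received: headers.

Added example (not code from the thread). The From: line is whatever the
sender, or the worm running on the sender's PC, chose to write. The
Received: stamp that OUR OWN mail server prepended records the IP address
that actually connected and delivered the message; that is the only stamp
we can vouch for, because every Received: line below it could have been
forged by the sender before the message ever reached us.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional, Tuple

# Receiving MTA whose Received: stamp we trust (from the header in the post).
TRUSTED_MTA = "mail.winhaven.net"

# CIDR blocks reported by ARIN whois for 68.49.121.92 in the post above.
WHOIS_BLOCKS = {
    "68.32.0.0/11": "JUMPSTART-1 (Comcast direct allocation)",
    "68.48.0.0/15": "DC-3 (Comcast block reassigned to cable customers)",
}

# Constructed sample. The first Received: line, From:, To: and Subject: are
# reproduced from the post. The second Received: line is invented (192.0.2.10
# is a documentation address) to show a hop the sender could have forged.
SAMPLE_MESSAGE = """\
Received: from DELLY [68.49.121.92] by mail.winhaven.net with ESMTP
  (SMTPD32-8.01) id A9CB30F0378; Thu, 21 Aug 2003 09:40:11 -0500
Received: from mail.mindspring.com [192.0.2.10] by DELLY with SMTP
  id 0001; Thu, 21 Aug 2003 09:39:58 -0500
From: <stuartcannon@mindspring.com>
To: <techasst@winhaven.net>
Subject: Re: Wicked screensaver

(attachment removed)
"""

# "from <HELO name> [<ip>] by <receiving host>", tolerating an optional
# "(reverse-dns-name)" between the HELO name and the bracketed address.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+(?:\([^)]*\)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def find_connecting_hop(raw_message: str, trusted_mta: str = TRUSTED_MTA) -> Optional[Tuple[str, str]]:
    """Return (helo_name, ip) of the host that connected to `trusted_mta`.

    Received: headers are prepended as the message travels, so the first
    one whose "by" clause names our own server is the hop we observed
    ourselves. Returns None if no such stamp exists.
    """
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        match = _RECEIVED_RE.search(" ".join(received.split()))  # unfold the header
        if match and match.group("by").lower() == trusted_mta.lower():
            return match.group("helo"), match.group("ip")
    return None


def whois_block_for(ip: str) -> Optional[str]:
    """Most specific (longest-prefix) known whois block containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    containing = [ipaddress.ip_network(c) for c in WHOIS_BLOCKS if addr in ipaddress.ip_network(c)]
    if not containing:
        return None
    return str(max(containing, key=lambda net: net.prefixlen))


def claimed_sender_domain(raw_message: str) -> str:
    """Domain of the From: address, i.e. what the message merely claims."""
    _, address = parseaddr(message_from_string(raw_message).get("From", ""))
    return address.rpartition("@")[2].lower()


def abuse_report(raw_message: str) -> dict:
    """Summarise who to notify: the owner of the connecting IP, not the From: address."""
    hop = find_connecting_hop(raw_message)
    if hop is None:
        return {"error": "no Received: stamp from %s; cannot attribute" % TRUSTED_MTA}
    helo, ip = hop
    block = whois_block_for(ip)
    return {
        "claimed_from_domain": claimed_sender_domain(raw_message),
        "connecting_helo": helo,
        "connecting_ip": ip,
        "whois_block": block,
        "whois_netname": WHOIS_BLOCKS.get(block, "unknown; run whois"),
    }


if __name__ == "__main__":
    for key, value in abuse_report(SAMPLE_MESSAGE).items():
        print("%-20s %s" % (key, value))
```

Run against the sample, the report names DELLY at 68.49.121.92 inside the Comcast DC-3 block, while the From: domain is mindspring.com: the mismatch is the spoofing Drew describes, and the abuse contact to use is the one whois lists for the connecting block. Calling find_connecting_hop with trusted_mta="DELLY" instead returns the invented 192.0.2.10 hop, which is exactly why only the stamp written by your own server should be believed.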
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://databaseadvisors.com/pipermail/dba-tech/attachments/20030821/89a56027/attachment.html>
