Thread: is there any way to track a spoofed email

  1. #1
    mccoffee (fem the retarded rabbit)
    Join Date
    Nov 2001
    Location
    Cleveland, Ohio, United States
    Posts
    13,365

    is there any way to track a spoofed email

    I got a virus attachment email; I was wondering how to track it.

    X-Originating-IP: [74.202.25.43]
    Received: from 74-202-25-43.static.twtelecom.net (74-202-25-43.static.twtelecom.net [74.202.25.43] (may be forged))
    by flph262.prodigy.net (8.13.8 inb ipv6 jeff0203/8.13.8) wit
    Comptia a+ n+

  2. #2
    TonyT (Elite Member)
    Join Date
    Jan 2000
    Location
    Fairfax, VA
    Posts
    10,338
    The sender IP address does indeed belong to a block of IPs owned by telecom. However, it's unlikely that the message actually was sent from that IP address. More likely someone else has an infected computer with a virus that sends itself to email addresses found on the computer and randomly uses the different addresses in the From: field, masking where the message actually is sent from. The IP address is also likely randomized.

    Telecom tech could check if they have assigned that IP to a customer and then check if that customer has an infected comp, but that's not likely going to happen because there's no indisputable evidence the message was sent from a telecom user.

    The IP address does resolve, though, to a computer running MS Internet Information Server: http://74.202.25.43 (under construction page)

    These are the services available at that server:

    Code:
    d830:~# nmap -P0 74.202.25.43
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-01 21:01 EDT
    Interesting ports on 74-202-25-43.static.twtelecom.net (74.202.25.43):
    Not shown: 992 filtered ports
    PORT     STATE  SERVICE
    80/tcp   open   http
    110/tcp  closed pop3
    113/tcp  closed auth
    443/tcp  closed https
    587/tcp  closed submission
    1723/tcp open   pptp
    3389/tcp open   ms-term-serv
    8080/tcp open   http-proxy
    
    Nmap done: 1 IP address (1 host up) scanned in 5.09 seconds
    http://74.202.25.43:8080/ resolves to a password protected root directory.

    http://74.202.25.43:1723/ establishes a connection to port 1723 but there's no further negotiations. (point to point tunnelling/vpn)

    The comp is probably using the submission port (587) for smtp (sending mail).

    More than likely this is a home user's computer who is running these services, knowingly or unknowingly. Probably knowingly.

    Thus it would pay to notify telecom abuse that you have been receiving malicious messages; include full email headers if you email them a report.
    Last edited by TonyT; 04-01-10 at 08:04 PM.
    No one has any right to force data on you
    and command you to believe it or else.
    If it is not true for you, it isn't true.

    LRH
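An added example (my code, not from the thread or either poster) of the header reading TonyT does by hand: it unfolds the headers, walks the Received chain from the server nearest the recipient down to the first relay, reports the bottom-most "from" address as the claimed origin, and flags sendmail's "(may be forged)" annotation, which sendmail adds when the reverse-DNS name of the connecting address does not resolve back to that address. The second Received line and X-Originating-IP are the ones quoted in post #1; the top hop (mail.example.net, 192.0.2.10) is constructed sample data.

```python
import re

# Constructed sample: hop 2 and X-Originating-IP are from the thread; hop 1 (192.0.2.10) is made up.
SAMPLE_HEADERS = (
    "Received: from flph262.prodigy.net (flph262.prodigy.net [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP id CONSTRUCTED\n"
    "Received: from 74-202-25-43.static.twtelecom.net "
    "(74-202-25-43.static.twtelecom.net [74.202.25.43] (may be forged))\n"
    "\tby flph262.prodigy.net (8.13.8 inb ipv6 jeff0203/8.13.8) with ESMTP\n"
    "X-Originating-IP: [74.202.25.43]\n"
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw: str) -> list[str]:
    """Join folded header lines (a continuation line starts with whitespace)."""
    out: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_received(raw: str) -> list[dict[str, object]]:
    """Received hops in header order: index 0 was stamped by the server nearest you,
    the last one by the first relay. Only hops written by servers you trust are reliable."""
    hops: list[dict[str, object]] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1]
        m_from = re.search(r"\bfrom\s+(\S+)", body)
        m_by = re.search(r"\bby\s+(\S+)", body)
        m_ip = IPV4.search(body)
        hops.append({"helo": m_from.group(1) if m_from else "",
                     "ip": m_ip.group(1) if m_ip else "",
                     "by": m_by.group(1) if m_by else "",
                     "may_be_forged": "(may be forged)" in body})
    return hops

def claimed_origin(raw: str) -> str:
    """IP in the bottom-most hop: the client that first handed the mail to a
    relay. Trust it only as far as you trust the relay that logged it."""
    hops = parse_received(raw)
    return str(hops[-1]["ip"]) if hops else ""

def warnings(raw: str) -> list[str]:
    """Reasons to doubt that the claimed origin is the real sender."""
    return [f"{h['by']}: reverse DNS of {h['ip']} did not match {h['helo']} (may be forged)"
            for h in parse_received(raw) if h["may_be_forged"]]
```

For a real message, paste the full header block into SAMPLE_HEADERS; the origin it reports is what an abuse desk will look up, which is why TonyT asks for full headers in the report.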

  3. #3
    mccoffee (fem the retarded rabbit)
    Join Date
    Nov 2001
    Location
    Cleveland, Ohio, United States
    Posts
    13,365
    Thanks, I was just wondering. I got hit with that email earlier this year. It's odd, I do have something that is being shipped to me, but luckily Windows Defender saw it right away.

    That's the part I couldn't figure out: how did the message still get sent to me even though it was for a different user? You explained why it did perfectly.

    I've got to admit I have to go back to school and do some re-reading; it's amazing how much you forget when you don't apply it.
    Last edited by mccoffee; 04-01-10 at 08:12 PM.
    Comptia a+ n+

  4. #4
    TonyT (Elite Member)
    Join Date
    Jan 2000
    Location
    Fairfax, VA
    Posts
    10,338
    bumped
    No one has any right to force data on you
    and command you to believe it or else.
    If it is not true for you, it isn't true.

    LRH

  5. #5
    mccoffee (fem the retarded rabbit)
    Join Date
    Nov 2001
    Location
    Cleveland, Ohio, United States
    Posts
    13,365
    Maybe this will help somewhat; I should report it though.

    I had an old email account from Yahoo that forwarded to wowway, then to me; that is why it threw me off.

    You would think that two ISPs would have caught that the message was sent to a different user, but it still somehow got to me.

    I think you're right; I'll write WOW and AT&T and see what they think. I guess a lot of people have been getting hit by this one.
    Comptia a+ n+
