Subject: Re: Please scan your computers for viruses
From: "Robi" <r_buecheler@remove.yahoo.com>
Date: 27/09/2003, 02:34
Newsgroups: alt.sci.seti

Of course this thread is very off topic here in the A.S.S NG,
but I'm adding the info for others to see.
I think the correct newsgroup would be NANAE (news:news.admin.net-abuse.email)


Dave Trapnell wrote:
Robi wrote:
Dave Trapnell wrote:
Here's a typical sequence...
Return-Path: <jpick@charter.net>
Received: from remt19.cluster1.charter.net ([209.225.8.29])
by sparrow (EarthLink SMTP Server) with ESMTP id
1a2If06CF3NZFjV0 for <dtresearch@earthlink.net>; 
Thu, 25 Sep 2003 19:21:53 -0700 (PDT)
Received: from [24.197.101.170] (HELO ovfr)
 by remt19.cluster1.charter.net (CommuniGate Pro SMTP 4.0.6)
with SMTP id 3264321; Thu, 25 Sep 2003 22:21:42 -0400

Here the received lines match and the entry point was (or is)
the PC on IP 24.197.101.170 (cpe-24-197-101-170.spa.sc.charter.com)

Hopefully, you meant charter.NET? 
If not I'll be very confused.

Hello "very confused". May I call you that from now on? ;o)

BTW charter.net = charter.com

Domain Name: CHARTER.COM
   Charter Communications Holding Company, LLC (CHARTER25-DOM)
   12405 Powerscourt Drive
   St. Louis, MO 63131
   US

Domain Name: CHARTER.NET
   Charter Communications Holding Company (CHARTER6-DOM)
   12405 Powerscourt Drive
   St. Louis, MO 63131
   US

The best would be to alert abuse@charter.com about the virus providing
the email of the virus (with a partially stripped virus load).
Charter can verify who had that IP address at the time and alert
the owner of the PC.

That's the goal. I want to fix the originating machines and
get them on board with anti-virus software. Changing my
address or installing mailwash to delete the virus-laden
email is just putting a band-aid on the problem. 

How much need be sent to the ISP? Would not the just header
be sufficient, or do we need to include enough of the virus
to show that it is not just a bogus virus report? I suppose
I would have to actually TURN OFF Symantec email scanning to
get an intact copy of the virus, as the viruses are
intercepted before reaching any of my email clients.

I don't know exactly what they need. I usually send the headers,
the body including the first few lines of the attachment.
The attachment is usually sent in base64 so you can easily
copy the first 3 or 4 lines from the message source.
(I use OE and with [ctrl]-[F3] I get the source of the message)

Here's another example...
 
Return-Path: <alecandmarylillie@tesco.net>
Received: from mta4-svc.business.ntl.com ([62.253.164.44])
by vulture (EarthLink SMTP Server) with ESMTP id
1a2BOI2Xj3NZFl50
Thu, 25 Sep 2003 12:30:20 -0700 (PDT)
Received: from mvlnsms ([62.252.177.51]) by
mta4-svc.business.ntl.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) 
with SMTP id
<20030925192453.IOQD8268.mta4-svc.business.ntl.com@mvlnsms>;
Thu, 25 Sep 2003 20:24:53 +0100 
 
Here the host 62.252.177.51 is m307-mp3.cvx2-a.lng.dial.ntli.net

inetnum: 62.252.160.0 - 62.252.191.255
netname: NTL
descr: NTL Internet
trouble: For abuse notifications please -
trouble: email : abuse@ntlworld.com
trouble: telephone : +44 2920 305142

so here abuse@ntlworld.com would be the place to alert informing about
the virus and they should contact the user who was on that IP address
at that time.

How did you derive the above information from all the
gobbledygook in the header? I see ntl.com but I don't see
ntlworld anywhere.

Thanks again for the additional detailed information.

I'll do it backwards:
               ======= from =======                             ======= to =======
Received: from mta4-svc.business.ntl.com ([62.253.164.44])[2*]  by vulture[1*]
Received: from mvlnsms ([62.252.177.51])[3*]                    by mta4-svc.business.ntl.com[3*]

[1*] to   vulture                                    (where you get the email)
[2*] via  mta4-svc.business.ntl.com [62.253.164.44]  (the NTL Mail eXchange)
[3*] from mvlnsms                   [62.252.177.51]  (the originating address [IP])

doing a rDNS lookup for the last IP address [62.252.177.51] I get
m307-mp3.cvx2-a.lng.dial.ntli.net (instead of mvlnsms)
NTLi is the internet provider for NTL in the UK

if I run a WHOIS on the address I get:
inetnum:      62.252.160.0 - 62.252.191.255
netname:      NTL
descr:        NTL Internet
descr:        Langley site
country:      GB
[...]
role:         NTLI Network Management Centre
address:      NTL Internet
address:      Crawley Court
address:      Winchester
address:      Hampshire
address:      SO21 2QA
trouble:      ----------------------------------------------
trouble:      For abuse notifications please -
trouble:      email : abuse@ntlworld.com
trouble:      telephone : +44 2920 305142

and there is the abuse@ntlworld.com

I can also do a whois lookup on abuse.net:
http://abuse.net/lookup.phtml?DOMAIN=m307-mp3.cvx2-a.lng.dial.ntli.net
Look up an address in the abuse.net contact database
abuse@ntlworld.com (for ntli.net)

In the abuse.net database, the owner of the domain enters the abuse address
where he/she wishes complaints to be sent.

BTW, if anyone has an undying need to look 
at my seti stats, here is the URL:
http://setiathome.ssl.berkeley.edu/fcgi-bin/fcgi?email=thedave@pacbell.net&cmd=user_stats_new

My understanding is that since the above email address was
turned off, there will never be any way to transfer my SETI
account to the new one. Is this correct?

If you are still sending results to that address, and don't have a SETI@home
account with the new address, I would ask pacbell to reinstate the old address
for 2 or 3 days, get the password and change the email address in the S@h
account area. 


Diatribe follows:
Not to get off the subject, but yes, it does waste
electricity. Try running the computer off an inverter and a
battery and you will see how quickly a desktop tower sucks
that battery dry.

I do have 2 small APC power supplies for my wife's and my PCs
I've been very happy when we had our power outages ;o)
Especially when I was in the middle of some program and hadn't
saved the changes, but I always shut the PC down when this happens.
After saving that is ;o)

However, my energy-guzzling
air-conditioner (which I consider essential to my survival)
uses more electricity in an afternoon than the computer uses
in a whole year, and turning the computer on and off two
dozen times a day stresses the components with all the
thermal cycling and wastes my time waiting for the thing to
boot up. At least it's doing something potentially useful
and/or interesting with some of its wasted energy.
End of Diatribe.
Dave.
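An added example, not part of the thread: a small Python script that does Robi's "backwards" walk of the Received: lines mechanically, applies the "received lines match" check from the first excerpt, and returns the entry-point IP to hand to the ISP's abuse desk. The sample headers are constructed from the second excerpt quoted in the post; the `(HELO name)` handling covers the form seen in the first excerpt.

```python
import re
# Constructed sample: the thread's second header excerpt, folded with tabs.
SAMPLE_HEADERS = (
    "Received: from mta4-svc.business.ntl.com ([62.253.164.44])\n"
    "\tby vulture (EarthLink SMTP Server) with ESMTP id\n"
    "\t1a2BOI2Xj3NZFl50; Thu, 25 Sep 2003 12:30:20 -0700 (PDT)\n"
    "Received: from mvlnsms ([62.252.177.51]) by\n"
    "\tmta4-svc.business.ntl.com (InterMail vM.4.01.03.37) with SMTP id\n"
    "\t<20030925192453.IOQD8268.mta4-svc.business.ntl.com@mvlnsms>;\n"
    "\tThu, 25 Sep 2003 20:24:53 +0100\n"
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw):
    """Join folded header lines (continuation lines start with SP or TAB)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(header):
    """Return (from_host, from_ip, by_host) for one unfolded Received: line."""
    m = re.search(r"\bfrom\s+(.*?)\s+by\s+(\S+)", header.split(":", 1)[1])
    if not m:
        return None
    from_part, by_host = m.groups()
    ip = IPV4.search(from_part)
    helo = re.search(r"\(HELO\s+(\S+)\)", from_part)
    host = from_part.split()[0]
    if host.startswith("[") and helo:   # "from [1.2.3.4] (HELO name)" form
        host = helo.group(1)
    return host, ip.group(1) if ip else None, by_host

def hops(raw):
    """Received: lines top-down, i.e. newest hop (your own receiver) first."""
    lines = [l for l in unfold(raw) if l.lower().startswith("received:")]
    return [h for h in map(parse_received, lines) if h]

def chain_is_consistent(chain):
    """'Received lines match': each from-host equals the next older by-host."""
    return all(chain[i][0] == chain[i + 1][2] for i in range(len(chain) - 1))

def originating_ip(raw):
    """Entry-point IP (oldest Received: line) to report to the ISP abuse desk;
    None if the chain breaks, since a sender can pre-load fake Received: lines."""
    chain = hops(raw)
    return chain[-1][1] if chain and chain_is_consistent(chain) else None
```

The IP it returns is the one to run through rDNS and WHOIS (or abuse.net) as shown above; a broken chain means the lower Received: lines cannot be trusted, so only the hops written by your own provider's servers should be relied on.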