
Malicious email

Discussion in 'Security and Privacy' started by bookworm, 2010/06/23.

  1. 2010/06/23
    bookworm

    bookworm Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    1
    Likes Received:
    0
    For the second time in less than a year someone has tried to damage the reputation of the Clan Donald Mid-East Region Commissioner by connecting him to a 20 year old criminal case against someone else with the same name. I don't recognize the name of the "whistleblower" and suspect that someone has forged the return email line in an attempt to hide the person's real identity.

    How can I find the identity of the sender so that actions can be taken to stop future malicious attacks?

    Here is the header information:
    >From - Sun Jun 20 04:51:08 2010
    X-Account-Key: account4
    X-UIDL: 7372-1250628232
    X-Mozilla-Status: 1001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-path: <dhester12@cox.net>
    Received: from fed1rmmtao103.cox.net ([unknown] [68.230.241.43])
    by vms172055.mailsrvcs.net
    (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
    with ESMTP id <0L4A00FELNVX3NN0@vms172055.mailsrvcs.net> for
    <removed-address>; Sat, 19 Jun 2010 22:47:58 -0500 (CDT)
    Received: from fed1rmimpo03.cox.net ([70.169.32.75])
    by fed1rmmtao103.cox.net (InterMail vM.8.00.01.00 201-2244-105-20090324)
    with ESMTP id
    <20100620034757.VZDH20088.fed1rmmtao103.cox.net@fed1rmimpo03.cox.net>; Sat,
    19 Jun 2010 23:47:57 -0400
    Received: from DesktopPC ([68.3.21.12]) by fed1rmimpo03.cox.net with bizsmtp id
    Y3nw1e0040FeSak043nwQL; Sat, 19 Jun 2010 23:47:56 -0400
    Date: Sat, 19 Jun 2010 20:46:57 -0700
    From: "Douglas Hester" <dhester12@cox.net>
     
  2. 2010/06/24
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    According to WHOIS, the sender is using a COX IP address:

    Received: from DesktopPC ([68.3.21.12]) by fed1rmimpo03.cox.net with bizsmtp id
    Code:
    Cox Communications Inc. COX-ATLANTA (NET-68-0-0-0-1) 
                                      68.0.0.0 - 68.15.255.255
    Cox Communications Inc. NETBLK-PH-RDC-68-2-0-0 (NET-68-2-0-0-1) 
                                      68.2.0.0 - 68.3.255.255
    
    # ARIN WHOIS database, last updated 2010-06-23 20:00
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at https://www.arin.net/whois_tou.html
    #
    # Attention! Changes are coming to ARIN's Whois service on June 26.
    # See https://www.arin.net/features/whois for details on the improvements.
    But if it's a forged header, then there's no way to determine where it's really sent from.

    The IP address is a legit address of a Windows server somewhere, with a Web site and Email system, but it's firewalled and access from the WWW is disallowed:

    Code:
    d830:~# nmap -v -P0 68.3.21.12
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-24 07:13 EDT
    NSE: Loaded 0 scripts for scanning.
    Initiating Parallel DNS resolution of 1 host. at 07:13
    Completed Parallel DNS resolution of 1 host. at 07:13, 0.07s elapsed
    Initiating SYN Stealth Scan at 07:13
    Scanning ip68-3-21-12.ph.ph.cox.net (68.3.21.12) [1000 ports]
    Completed SYN Stealth Scan at 07:13, 7.19s elapsed (1000 total ports)
    Host ip68-3-21-12.ph.ph.cox.net (68.3.21.12) is up (0.092s latency).
    Interesting ports on ip68-3-21-12.ph.ph.cox.net (68.3.21.12):
    Not shown: 994 closed ports
    PORT     STATE    SERVICE
    25/tcp   filtered smtp
    80/tcp   filtered http
    135/tcp  filtered msrpc
    139/tcp  filtered netbios-ssn
    445/tcp  filtered microsoft-ds
    1433/tcp filtered ms-sql-s
    
    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 7.36 seconds
               Raw packets sent: 1032 (45.408KB) | Rcvd: 1014 (40.560KB)
    You could try contacting COX and reporting abuse; they may or may not investigate.

    You should edit your original post and use this <removed-address> in place of the real email address: book dot worm6 at verizon.net.
     
    Last edited: 2010/06/24
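As an added example (not code from the thread), the script below walks the Received: chain quoted above earliest-hop-first and returns the lowest hop that was written by a relay you decide to trust, which is the distinction TonyT draws: the DesktopPC / 68.3.21.12 line is only evidence if Cox's relay really recorded it, and anything the sender could have typed in before submission is not. The header text is the thread's, re-folded as a mail client stores it; `trusted_relays` and the continuity/timestamp heuristics are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received: lines quoted in the thread, re-folded as a mail client stores them.
SAMPLE_HEADER = (
    "Received: from fed1rmmtao103.cox.net ([unknown] [68.230.241.43]) by vms172055.mailsrvcs.net\n"
    " (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))\n"
    " with ESMTP id <0L4A00FELNVX3NN0@vms172055.mailsrvcs.net> for <removed-address>;\n"
    " Sat, 19 Jun 2010 22:47:58 -0500 (CDT)\n"
    "Received: from fed1rmimpo03.cox.net ([70.169.32.75])\n"
    " by fed1rmmtao103.cox.net (InterMail vM.8.00.01.00 201-2244-105-20090324) with ESMTP id\n"
    " <20100620034757.VZDH20088.fed1rmmtao103.cox.net@fed1rmimpo03.cox.net>;\n"
    " Sat, 19 Jun 2010 23:47:57 -0400\n"
    "Received: from DesktopPC ([68.3.21.12]) by fed1rmimpo03.cox.net with bizsmtp id\n"
    " Y3nw1e0040FeSak043nwQL; Sat, 19 Jun 2010 23:47:56 -0400\n"
)

def parse_received(value):
    """Split one unfolded Received: value into from-name, from-IP, recording relay and timestamp."""
    clause, _, stamp = value.rpartition(";")  # RFC 5322: the date follows the last ';'
    def grab(pat):
        m = re.search(pat, clause)
        return m.group(1) if m else None
    return {"from": grab(r"\bfrom\s+(\S+)"), "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
            "by": grab(r"\bby\s+(\S+)"),
            "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None}

def received_chain(raw_header):
    """Hops earliest-first: every relay prepends its own line, so reverse the header order."""
    msg = message_from_string(raw_header)
    return [parse_received(" ".join(v.split())) for v in reversed(msg.get_all("Received", []))]

def origin_hop(raw_header, trusted_relays):
    """Earliest hop written by a relay you trust; anything below it could be sender-supplied."""
    for hop in received_chain(raw_header):
        if hop["by"] in trusted_relays:
            return hop
    return None

def chain_problems(chain):
    """Forgery/skew heuristics: each relay should name the previous relay as its 'from'
    host and stamp a time no earlier than the previous hop."""
    problems = []
    for prev, cur in zip(chain, chain[1:]):
        if prev["by"] != cur["from"]:
            problems.append(f"{cur['from']} does not match previous relay {prev['by']}")
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            problems.append(f"{cur['by']} stamped earlier than {prev['by']}")
    return problems
```

Trusting only your own server (vms172055.mailsrvcs.net) stops at the Cox outbound MTA; extending trust to the WHOIS-verified Cox relays reaches the 68.3.21.12 submission hop.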
