
Klez forged headers

Discussion in 'Security and Privacy' started by walberg_rasta, 2002/07/30.

Thread Status:
Not open for further replies.
  1. 2002/07/30
    walberg_rasta

    walberg_rasta Inactive Thread Starter

    Joined:
    2002/04/07
    Messages:
    6
    Likes Received:
    0
    Can someone tell me if Klez has the ability to forge the email headers? I have received dozens of them like many others here on the forum, but they all seem to be coming from the same IP address. The first lot of viruses were coming from sertel.it but the latest battering is coming from the optus network in Melbourne, (where I live). I know the suburb the IP address is in, and I know someone living there who is a total idiot when it comes to computers. I would not be surprised if it is this person, but I was just curious as to whether Klez could forge these headers or not.
     
  2. 2002/07/30
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0


  4. 2002/07/30
    walberg_rasta

    walberg_rasta Inactive Thread Starter

    Joined:
    2002/04/07
    Messages:
    6
    Likes Received:
    0
    Yeah I already knew that. My question was regarding the actual email headers. You know, the bit that says it was from mail.sertel.it from 206.123.123.123 or whatever.
     
  5. 2002/07/30
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Convention dictates (but RFCs do not!) that the receiving SMTP server should record the source within the headers. The IP is therefore probably valid. But it's also possible that it's forged.
     
  6. 2002/08/01
    DoctorDoom

    DoctorDoom Inactive

    Joined:
    2001/12/29
    Messages:
    189
    Likes Received:
    0
    While it's possible to forge header info, it's difficult enough to eliminate all the traces of one's identity that anyone clueless enough to allow a puter to be infected with a virus can't do it.

    It's close to 100% certain that no Klez victim knows that emails HAVE headers.
     
  7. 2002/08/02
    tanya

    tanya Inactive

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Hello,
    i'm also getting *fan mail* from klez (but w/ nn 4.77) and also wonder re: the full header IP's (the 4 numbers with the 3 dots)
    i know that the regular header sender info is useless BUT since the origins are from A (ONE) valid IP address and there are no <unknown domain>'s, etc. as there are in SPAM, can one assume that the infected computer is at that domain?
    THANKS!
    PS if klez uses its own SMTP *routine* would this overRide the actual source?
    (i.e. could it have chosen the legit origin and continue to use it ALL the time even though it is not actually coming from THAT source?)
     
  8. 2002/08/02
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Klez does forge the headers, some. I had received an email in my hotmail account 4 days ago infected with it as an attachment. Their supposed use of anti virus didn't pick it up. The sending address was supposedly from DAEMON mailer and the subject line stated it was from the DAEMON mailer but also said look at my girlfriend, yea right! The originating address appeared to be from me to a university. Nope, not from me. I did dig through it all and found an aol address as the real originator. I did send whoever a warning email, pasting the header into the body and highlighted how I knew it came from them, and advised an AV scan was in order. Probably was ignored as suspicious email.
    On a lark, I forwarded the complete virus email to myself to my ISP account. I ended up with an email telling me my hotmail account just sent me a virus and the offending email was deleted by their AV software. They also sent a reply to my hotmail account warning of a virus being emailed from that account. I thought that was cool of them.
     
  9. 2002/08/03
    tanya

    tanya Inactive

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Hello,
    i think that's klez.e (the subject was it : "look, my beautiful girl friend" ?) it's on symantec's site i get many of the subjects on symantec and AVP's sites (for klez.e) however it does *forget* the subject or use really stupid ones...
    i also got a bounce from "NAV-SOMETHING @ B-REEL.COM with a faked everything...saying i had sent a klezInfected attachment to (?) with a subject i never wrote etc and the attachment was i guess the executable file...another came from the postmaster@myISP :a returned mail (no daemon) and no reason but "the attachment contains my initial email" <lol> (legit faked origin)
    Aside from the bounce, they all come from the same legit ISP who's unReachAble...
    since these legit ISPs are ALWAYS on the full header info (except from the ILLegit NAV bounce), i wonder whether klez could remember to use this if it is a forge (it does such a bad job w/ the subjects (most) and the senders <lol> i can't see it being so accurate on origin...guess i can't post (paste) 1 of these here?
    sincerely
    Tanya
     
  10. 2002/08/04
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    Hi Tanya,

    I would say, go ahead and paste the klez mail , just use XXX@ to hide the identity of the innocent.
     
  11. 2002/08/04
    tanya

    tanya Inactive

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Hi Alice,
    Thanks for replying!
    i don't see any identities (aside from me) just IP numbers and the faked senders... :)
    so here is one...

    Received: from x11.quik.com ([216.176.28.111]) by prserv.net (in5) with ESMTP id <2002080122450910500fn0iee>; Thu, 1 Aug 2002 22:45:09 +0000
    Received: from Hdeo (ip064.cascade.quik.com [216.176.9.64]) by x11.quik.com (8.12.5/8.12.5) with SMTP id g71MidlI005553 for *<me@myISP.net>*; Thu, 1 Aug 2002 15:44:39 -0700
    Date: Thu, 1 Aug 2002 15:44:39 -0700
    Message-ID: <200208012244.g71MidlI005553@x11.quik.com>
    From: newsletter <newsletter@quickinspirations.com>
    To: *me@myISP.net*
    Subject: Me a Passport
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary=VG4w1M7sxI6c943mC46619r888rK1X90U9
    X-Mozilla-Status: 8401
    X-Mozilla-Status2: 00000000
    X-UIDL: 2002080122451010506si29pe00080o

    NOTE: the *me@myISP.net* is a substitute for my actual email address w/ch is written correctly...
    What i canNOT figure out is whether there is a way to Id the actual sender...from the IP numbers?
    For example when i log on i have an IP # and my isp has 1 too; these vary however if i send an email with myIP#@myISPsIP# (they have to be from the same session) it comes through (even 4 days later wOut a bounce...)
    i cannot figure out what combo to enter as the sender and the domain even for spamCop or ARIS(?) since i guess it must be a combo also
    So if anyOne has any ideas i'd really be interested to know how to proceed as i don't think the sender is (or was) aware -- none from THAT domain for 1.5 days but unFortunately now another source (maybe related?)...
    THANKS!
    sincerely
    Tanya
     
  12. 2002/08/05
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    The e-mail originated from an IP leased by quik.net. To try and establish the identity of the sender, it would be necessary to enlist the help of the sys admin at quik.net to try to trace the user to whom the (probably dynamic) IP was leased at the time the mail was sent. It's doubtful, however, that you'd receive very much help!
     
    Last edited: 2002/08/05
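An added example, not code from anyone in this thread: it walks the Received: chain of the header Tanya pasted the way brett reads it, bottom hop first, separating what each relay actually observed (the bracketed IP) from what the sending program claimed (the HELO name and the From: line). The header is embedded as constructed input, refolded into normal RFC 822 form; the consistency check (each relay's "by" name should reappear as "from" in the hop above it) is the usual way to spot where a header chain stops being trustworthy.

```python
import email.utils
import re
from email.parser import HeaderParser
# Constructed input: the header Tanya pasted above, refolded into ordinary RFC 822 form.
SAMPLE_HEADER = """\
Received: from x11.quik.com ([216.176.28.111]) by prserv.net (in5) with ESMTP id
    <2002080122450910500fn0iee>; Thu, 1 Aug 2002 22:45:09 +0000
Received: from Hdeo (ip064.cascade.quik.com [216.176.9.64]) by x11.quik.com (8.12.5/8.12.5) with
    SMTP id g71MidlI005553 for <me@myISP.net>; Thu, 1 Aug 2002 15:44:39 -0700
Message-ID: <200208012244.g71MidlI005553@x11.quik.com>
From: newsletter <newsletter@quickinspirations.com>
"""
# "from <helo> (<reverse-dns> [<ip>]) by <server>": HELO is claimed, the bracketed IP is observed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.I,
)

def parse_hops(raw):
    """One dict per Received: line, in header order (top = the hop nearest to us)."""
    hops = []
    for value in HeaderParser().parsestr(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def chain_consistent(hops):
    """Each relay's 'by' name should reappear as the 'from' of the hop above it."""
    for upper, lower in zip(hops, hops[1:]):
        seen_as = {(upper["helo"] or "").lower(), (upper["rdns"] or "").lower()}
        if lower["by"].lower() not in seen_as:
            return False  # a break here means the lower hops may be fabricated
    return True

def origin(raw):
    """The bottom-most Received: line is the first server that accepted the mail."""
    hops = parse_hops(raw)
    first = hops[-1]
    return {"ip": first["ip"], "rdns": first["rdns"], "helo": first["helo"],
            "first_relay": first["by"], "chain_ok": chain_consistent(hops)}

def from_domain(raw):
    """The From: domain is text the sending program wrote itself, not a trace."""
    addr = email.utils.parseaddr(HeaderParser().parsestr(raw)["From"])[1]
    return addr.rpartition("@")[2].lower()
```

For Tanya's header this yields 216.176.9.64 (reverse DNS ip064.cascade.quik.com, first relay x11.quik.com) as the origin, while the From: domain quickinspirations.com appears nowhere in the chain, which is the forged part.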
  13. 2002/08/05
    tanya

    tanya Inactive

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Hello,
    Thanks very much for replying!
    That's as far as i got (re: the domain only...)
    BUT i have not received a klezMessage for 24 hours (any) and from quik.com for > 2 days!
    so...i guess it's finished or at least it's taking a holiday :)
    thank you again!
    sincerely
    Tanya
     