
Thread: Neither phish nor spam... so...

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Neither phish nor spam... so...

    I don't think it's a phish or a spam. Perhaps a worm gone wrong?


    From - Sun Jan 30 14:49:45 2005
    X-Account-Key: account2
    X-UIDL: 2f5c45a2c6ba3d55f1d7a6193e3ce03b
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Apparently-To:xxx@xxx.com via xx.yy.bb.aa; Sun, 30 Jan 2005 11:37:11 -0800
    Authentication-Results: xx.yahoo.com
    from=yahoo.com; domainkeys=neutral (no sig)
    X-Originating-IP: [xx.yy.bb.aa]
    Return-Path: <drwwcelco@yahoo.com>
    Received: from xx.yy.bb.aa (EHLO xxx.net) (xx.yy.aa.bb)
    by xx.yahoo.com with SMTP; Sun, 30 Jan 2005 11:37:11 -0800
    Received: from wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net (wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net [4.26.133.216])
    by xxxxxx (Postfix) with SMTP id D251E2B6E31
    for <msmittens@msmittens.com>; Sun, 30 Jan 2005 14:37:00 -0500 (EST)
    Received: from 184.70.206.179 by 4.26.133.216; Mon, 31 Jan 2005 00:39:29 +0500
    Message-ID: <NUIVUVKQIMACBMCIEWEJECBE@yahoo.com>
    From: "Summer Fair" <drwwcelco@yahoo.com>
    Reply-To: "Summer Fair" <drwwcelco@yahoo.com>
    To: msmittens@msmittens.com
    Subject: Message subject
    Date: Sun, 30 Jan 2005 14:36:29 -0500
    X-Mailer: Microsoft Outlook, Build 10.0.2627
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="--25678612284291696"
    X-Priority: 3
    X-MSMail-Priority: Normal

    ----25678612284291696
    Content-Type: text/plain;
    Content-Transfer-Encoding: quoted-printable

    %CHILL
    %DICK

    %CONTACT http://%URL/d/1.php

    %BYE
    %******* t

    ----25678612284291696--
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Socialist Utopia Donkey Punch's Avatar
    Join Date
    Sep 2004
    Location
    In the basement
    Posts
    319
    Hmm, looks like wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net has a web site:

    http://wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net/

    Perhaps you can ask what the email was for?

    mmm, fish and spam sounds good for lunch
    In loving memory of my step daughter 1987-2006

    Liberty In North Korea

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    To be frank.... It looks like someone might be a little pissed with Ms. M.

    Funny, two people really pissed someone off just a few days ago... And Ms. M. is much easier to find than I am..... Ms. M. I would consider making your IDS your best friend if you know what I mean.... It looks like someone already found themselves a way into one box... The one they used to send this email......

    Then again, this could just be the paranoid me overthinking.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I have an IDS but it's a rather lame attempt if they are pissed. Rather ineffectual when you look at it (and that's the email source, BTW). Definitely someone found their way into the box. The files date back to 1997 although the install occurred, it looks like with some minor poking, in 2003. I'm thinking a honeypot of some type or some luser who left a box running and hasn't really updated it.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Socialist Utopia Donkey Punch's Avatar
    Join Date
    Sep 2004
    Location
    In the basement
    Posts
    319
    also, as you pointed out in IRC:

    MsMittens: that's why I'm thinking perhaps a worm?
    Joaquin: Received: from 184.70.206.179 by 4.26.133.216;
    Joaquin: what does that mean?
    Joaquin: does that mean the mail came from Received: from 184.70.206.179 to 4.26.133.216 ?
    MsMittens: well, 184.70.206.179 resolved to an IANA reserved address (e.g., private addressing!?)
    MsMittens: I'm thinking internal or original source addy (spoofed perhaps) and then relayed off/out of 4.26.133.216 through the webserver (a script somewhere)

    I doubt it is an email conspiracy.
    In loving memory of my step daughter 1987-2006

    Liberty In North Korea
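The IRC exchange above is working out what "Received: from 184.70.206.179 by 4.26.133.216" means and whether the earlier address is routable. Below is an added example, not code from the thread or from any poster, that does the same analysis mechanically on the headers quoted in post #1: it walks the Received chain oldest-first, pulls the from/by hosts and any IPv4 literals out of each hop, labels each address as private, reserved or global, checks that each hop's "by" host reappears as the next hop's "from", and flags hops whose timestamp is later than the hop that supposedly received them. The sample message is constructed from post #1 with the poster's own redactions (xx.yy.bb.aa, xxxxxx) kept; the address labels come from Python's ipaddress module, which reflects today's allocations rather than 2005's, so the 184/8 address the poster found unallocated at the time is reported as global now.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the Received chain quoted in post #1, with the poster's
# redactions (xx.yy.bb.aa, xxxxxx) kept and the continuation lines re-folded.
SAMPLE = """\
Return-Path: <drwwcelco@yahoo.com>
Received: from xx.yy.bb.aa (EHLO xxx.net) (xx.yy.aa.bb)
  by xx.yahoo.com with SMTP; Sun, 30 Jan 2005 11:37:11 -0800
Received: from wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net (wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net [4.26.133.216])
  by xxxxxx (Postfix) with SMTP id D251E2B6E31
  for <msmittens@msmittens.com>; Sun, 30 Jan 2005 14:37:00 -0500 (EST)
Received: from 184.70.206.179 by 4.26.133.216; Mon, 31 Jan 2005 00:39:29 +0500
From: "Summer Fair" <drwwcelco@yahoo.com>
To: msmittens@msmittens.com
Subject: Message subject

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"from\s+([^\s;]+).*?\bby\s+([^\s;]+)", re.I)


def classify(ip_text):
    """Label an address the way the IRC discussion does: private/reserved
    versus routable. ipaddress reflects current allocations, not 2005's."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_private:
        return "private"
    if ip.is_reserved or ip.is_multicast:
        return "reserved"
    return "global" if ip.is_global else "non-global"


def relay_chain(raw):
    """Return the Received hops oldest-first. Each MTA prepends its own
    header, so the header nearest the body is the one closest to the origin."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())  # unfold continuation lines
        m = FROM_BY.search(text)
        frm, by = (m.group(1), m.group(2)) if m else ("?", "?")
        ips = list(dict.fromkeys(IPV4.findall(text)))  # unique, in order
        try:
            ts = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            ts = None
        hops.append({
            "from": frm, "by": by, "ips": ips, "ts": ts,
            # No "with <protocol>" / "id" clause: not written by a normal MTA,
            # so either a script did the handoff or the sender made it up.
            "bare": " with " not in text.lower(),
            "labels": {ip: classify(ip) for ip in ips},
        })
    return hops


def link_consistency(hops):
    """For each adjacent pair: does the host that received hop i appear as
    the sender of hop i+1?  A break means a forged (or redacted) link."""
    return [cur["by"] == nxt["from"] or cur["by"] in nxt["ips"]
            for cur, nxt in zip(hops, hops[1:])]


def timeline_anomalies(hops):
    """Indexes of hops stamped later than the hop that supposedly received
    them: clock skew at best, a fabricated header at worst."""
    return [i for i, (cur, nxt) in enumerate(zip(hops, hops[1:]))
            if cur["ts"] and nxt["ts"] and cur["ts"] > nxt["ts"]]


if __name__ == "__main__":
    chain = relay_chain(SAMPLE)
    for i, h in enumerate(chain):
        print(i, h["from"], "->", h["by"], h["labels"], "BARE" if h["bare"] else "")
    print("links consistent:", link_consistency(chain))
    print("timestamp anomalies at hop:", timeline_anomalies(chain))
```

On the thread's own headers this reports three things worth noting: the origin hop (184.70.206.179 -> 4.26.133.216) carries no "with"/"id" clause, consistent with the "script on the webserver" theory rather than a real MTA; its timestamp (00:39:29 +0500) is about two and a half minutes later than the hop that received it (14:37:00 -0500), which a genuine relay would not produce; and the only broken link in the chain is at the Yahoo hop the poster redacted, so that break is an artifact of the masking, not evidence.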

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    .. And again..

    From - Sun Jan 30 16:16:16 2005
    X-Account-Key: account2
    X-UIDL: a4d8331a676f036534be27b5adf863db
    X-Mozilla-Status: 0000
    X-Mozilla-Status2: 00000000
    X-Apparently-To:xxx via xx.yy.bb.aa; Sun, 30 Jan 2005 13:15:50 -0800
    Authentication-Results: xx.yy.bb.aa.yahoo.com
    from=yahoo.com; domainkeys=neutral (no sig)
    X-Originating-IP: [xx.yy.bb.aa]
    Return-Path: <vubsuzomytfr@yahoo.com>
    Received: from xx.yy.bb.aa (EHLO xx.yy.bb.aa) (xx.yy.bb.aa)
    by xx.yy.bb.aa.yahoo.com with SMTP; Sun, 30 Jan 2005 13:15:50 -0800
    Received: from pool-141-150-161-74.atc.east.verizon.net (pool-141-150-161-74.atc.east.verizon.net [141.150.161.74])
    by mailhub.korax.net (Postfix) with SMTP id B692A2B69D8
    for <msmittens@msmittens.com>; Sun, 30 Jan 2005 16:15:40 -0500 (EST)
    Received: from 4.36.226.179 by 141.150.161.74; Mon, 31 Jan 2005 09:11:11 -0400
    Message-ID: <FPYIHPUEVCJDJGMFKLSU@yahoo.com>
    From: "Dorothea Hurd" <vubsuzomytfr@yahoo.com>
    Reply-To: "Dorothea Hurd" <vubsuzomytfr@yahoo.com>
    To: msmittens@msmittens.com
    Subject: Message subject
    Date: Mon, 31 Jan 2005 15:09:11 +0200
    X-Mailer: AOL 7.0 for Windows US sub 118
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="--2734773885062454982"
    X-Priority: 3
    X-MSMail-Priority: Normal

    ----2734773885062454982
    Content-Type: text/plain;
    Content-Transfer-Encoding: quoted-printable

    %CHILL
    %DICK

    %CONTACT http://%URL/d/1.php

    %BYE
    %******* b

    ----2734773885062454982--
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Don't contact the perpetrator unless you at least single proxy it safely and have tested the proxy unless you do it from work.... 'cos I think that your "friend" already knows where you work.... If he doesn't he's dumber than dumb..... Oh... and don't forget he's probably watching this...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Socialist Utopia Donkey Punch's Avatar
    Join Date
    Sep 2004
    Location
    In the basement
    Posts
    319
    Looks like an infection, because look at the email this time: vubsuzomytfr@yahoo.com looks to me like a dead email from the yahoo domain.

    Another thing: Why are all the machines from the Verizon domain? Are Verizon customers being affected right now? Let's see if this person has a web site...
    In loving memory of my step daughter 1987-2006

    Liberty In North Korea

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I'm still leaning towards an infection but I'm curious if anyone else has seen emails like this.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ms. M: That message is not a messed up spam like I see a lot.... It is, however, typical of a message from someone with an issue.... If it were a screwed up spam what are the chances that you would get two in fairly quick succession from two different IPs? Low! I see screwed up spammers every day.... This doesn't seem like one of them. Do me a favor.... PM me the url... This IP address will have changed by tomorrow and it's quite well protected.

    As to a dead email..... Unless Ms. M. is using SPF you can send an email purporting to be from any domain so the email address is irrelevant.... as is the IP since it is quite possible that any skiddie in the world could have scanned a verizon netblock for machines they have an exploit for and have exploited a few.

    When you are talking about security _everything_ is possible.... When you are talking about personal security you write _nothing_ off until _proven_ irrelevant/benign.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
