headers from NETSKY_P email

Rob

The following are the headers from another two emails I got within seconds of
each other, described by my AV software as an HTML_NETSKY_P and a
WORM_NETSKY_P.
After advice I received on here (many thanks, folks), am I right in assuming
they both came from someone using a BT Openworld account? Other than that,
that's all I can work out, so if anyone can shed any more light on it then
please tell me more! The headers are below:
many thanks
rob

Return-Path: <[email protected]>
Received: from bb-md2.onetel.net.uk (bb-md2.onetel.net.uk [212.67.120.194])
by bb-ms1.onetel.net.uk (MOS 3.4.5-GR)
with ESMTP id BDN06331;
Sat, 17 Apr 2004 14:08:04 +0100 (BST)
Received: from onetel.net (host81-130-244-184.in-addr.btopenworld.com
[81.130.244.184])
by bb-md2.onetel.net.uk (Mirapoint Messaging Server MOS 3.3.6-GR)
with ESMTP id AZR99898;
Sat, 17 Apr 2004 14:07:59 +0100 (BST)
Message-Id: <[email protected]>
From: (e-mail address removed)
To: (e-mail address removed)
Subject: Re: Message
Date: Sat, 17 Apr 2004 14:08:43 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Important message, do not show this anyone!


------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
name="attach.zip"
Content-Disposition: attachment;
filename="attach.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
------=_NextPart_000_0016----=_NextPart_000_0016--

And the HTML_NETSKY_P one is:

Return-Path: <[email protected]>
Received: from bb-md2.onetel.net.uk (bb-md2.onetel.net.uk [212.67.120.194])
by bb-ms1.onetel.net.uk (MOS 3.4.5-GR)
with ESMTP id BDN06246;
Sat, 17 Apr 2004 14:07:37 +0100 (BST)
Received: from onetel.net (host81-130-244-184.in-addr.btopenworld.com
[81.130.244.184])
by bb-md2.onetel.net.uk (Mirapoint Messaging Server MOS 3.3.6-GR)
with ESMTP id AZR99834;
Sat, 17 Apr 2004 14:07:33 +0100 (BST)
Message-Id: <[email protected]>
From: (e-mail address removed)
To: (e-mail address removed)
Subject: Mail Delivery (failure (e-mail address removed))
Date: Sat, 17 Apr 2004 14:08:17 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: text/plain;charset="us-ascii"

A message filter removed the following attachment(s) from this message:
message.scr

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_001C_01C0CA80.6B015D10"

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain
Content-Transfer-Encoding: 7bit


Trend Micro POP3 Mail Scan detected a virus and deleted the attached
infected file.

------=_NextPart_001_001C_01C0CA80.6B015D10--

------=_NextPart_000_001B_01C0CA80.6B015D10--

David W. Hodgins

the following is the headers from another two emails i got within seconds of
After advice i received on here.. many thanks folks, am i right in assuming
they both came from someone using a BT Openworld account?? Other than that

Correct. Forward the complete headers (delete the attachment) to
abuse @ btopenworld.com (without the spaces around the @).
Received: from bb-md2.onetel.net.uk (bb-md2.onetel.net.uk [212.67.120.194])
by bb-ms1.onetel.net.uk (MOS 3.4.5-GR)

The above Received header was generated by your ISP as it passed the message
from their receiving server to the server you use to retrieve messages. I expect
you have a similar header on all email you receive.
Received: from onetel.net (host81-130-244-184.in-addr.btopenworld.com
[81.130.244.184])
by bb-md2.onetel.net.uk (Mirapoint Messaging Server MOS 3.3.6-GR)

The above Received header was generated by your ISP when it received the message
from the IP 81.130.244.184. The name between the ( and the [ is the name
that 81.130.244.184 claimed to be, and in this case it is correct. Don't assume
it will always be correct; the only part you should assume is correct is
the IP number in the last set of square brackets before the round bracket.
Spammers often put a fake IP in square brackets, as the fake name, to
try to confuse people. All info after this comes from the source of the email
and can be anything the sender wants.

Regards, Dave Hodgins
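An added example (not from the thread) that applies Dave's rule in Python: walk the Received headers top-down, trust only the hops stamped by your own ISP's servers, and take the IP in the last square brackets of the first hop that arrived from outside. The sample message is constructed from the headers above, with a fake bracketed IP planted as the sender's HELO name to show the trick Dave describes; the trusted server names are assumed from the headers.

```python
import re
from email import message_from_string

# Hosts the thread shows as the recipient's ISP servers (assumed trusted here).
TRUSTED = {"bb-ms1.onetel.net.uk", "bb-md2.onetel.net.uk"}

# Constructed sample: the first two hops copy the WORM_NETSKY_P headers above,
# except that the sender's HELO name is replaced by a fake bracketed IP.
SAMPLE = """\
Return-Path: <sender@example.invalid>
Received: from bb-md2.onetel.net.uk (bb-md2.onetel.net.uk [212.67.120.194])
  by bb-ms1.onetel.net.uk (MOS 3.4.5-GR)
  with ESMTP id BDN06331;
  Sat, 17 Apr 2004 14:08:04 +0100 (BST)
Received: from [10.9.8.7] (host81-130-244-184.in-addr.btopenworld.com [81.130.244.184])
  by bb-md2.onetel.net.uk (Mirapoint Messaging Server MOS 3.3.6-GR)
  with ESMTP id AZR99898;
  Sat, 17 Apr 2004 14:07:59 +0100 (BST)
Received: from forged.example (forged.example [192.0.2.1])
  by onetel.net with SMTP; Sat, 17 Apr 2004 14:07:50 +0100
Subject: Re: Message
"""

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """Split one Received header into HELO name, reverse DNS, logged IP, and relay."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    paren = m.group("paren") or ""
    ips = IP_RE.findall(paren)  # the last [ip] before ')' is the one the relay saw
    return {"helo": m.group("helo"), "rdns": paren.split("[")[0].strip() or None,
            "ip": ips[-1] if ips else None, "by": m.group("by")}

def originating_ip(raw_message, trusted=TRUSTED):
    """Return the IP logged by the first trusted hop that came from outside the ISP."""
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["by"].lower() not in trusted:
            return None  # past the hops our ISP stamped; nothing below is trustworthy
        if hop["helo"].lower() in trusted or (hop["rdns"] or "").lower() in trusted:
            continue  # internal relay between the ISP's own servers
        return hop["ip"]
    return None

if __name__ == "__main__":
    print(originating_ip(SAMPLE))  # 81.130.244.184, not the fake 10.9.8.7
```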