Help decode header

I'm_A_Victim

Got an email w/ a virus attached. I want to find out who is sending me this crap.
I receive 1-3 such emails a day.
+++++
to me via 66.218.93.41; Sat, 01 Jan 2005 12:09:28 -0800
X-YahooFilteredBulk: 217.235.114.170
Authentication-Results: mta152.mail.scd.yahoo.com
from=resolutionmedia.tv; domainkeys=neutral (no sig)
X-Originating-IP: [217.235.114.170]
Return-Path: <[email protected]>
Received: from 217.235.114.170 (HELO xsuqdrh.tv) (217.235.114.170) by
mta152.mail.scd.yahoo.com with SMTP; Sat, 01 Jan 2005 12:09:25 -0800
From: (e-mail address removed)
To: (e-mail address removed)
Date: Sat, 01 Jan 2005 20:02:54 GMT
Subject: FwD: Details
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====cea05ad92.2c5bfb6418d"
Content-Transfer-Encoding: 7bit
This is a multi-part message in MIME format.
Content-Length: 58056
 
Chiron Paixos

Received: from 217.235.114.170 (HELO xsuqdrh.tv) (217.235.114.170) by
mta152.mail.scd.yahoo.com with SMTP; Sat, 01 Jan 2005 12:09:25 -0800

From the supplied information I guess that the Yahoo server is the
last trusted link in the chain. It received the mail from the IP address
217.235.114.170.

Just paste this address into the form at
http://www.iks-jena.de/cgi-bin/whois
and your questions should be answered.

HTH,
Chiron
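The rule Chiron applies, walked through in code: read the Received lines newest-first, stop at the first one stamped by your own provider's server, and take the peer address recorded there. This is an added example, not code from the thread; the header block is constructed from the lines quoted above plus one made-up lower Received line (the kind a sender can forge), and the trusted domain is passed in rather than guessed.

```python
import email
import re

# Constructed sample built from the Received and X-Originating-IP lines quoted in
# the thread, plus one made-up lower Received line of the kind a sender can forge.
SAMPLE_HEADERS = """\
Received: from 217.235.114.170 (HELO xsuqdrh.tv) (217.235.114.170) by
 mta152.mail.scd.yahoo.com with SMTP; Sat, 01 Jan 2005 12:09:25 -0800
Received: from relay.example.net ([192.0.2.10]) by xsuqdrh.tv with ESMTP;
 Sat, 01 Jan 2005 12:01:00 -0800
X-Originating-IP: [217.235.114.170]
Return-Path: <sender@resolutionmedia.tv>

"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"                        # name the sender announced
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"        # HELO string, if logged
    r"(?:\s+\(\[?(?P<ip>" + IPV4 + r")\]?\))?"     # peer address the MTA saw
    r"\s+by\s+(?P<by>[^\s;]+)",                    # server that added the line
    re.IGNORECASE,
)

def parse_received(value):
    """Split one (possibly folded) Received header into from/helo/ip/by."""
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", value))
    if not m:
        return None
    hop = m.groupdict()
    if hop["ip"] is None and re.fullmatch(IPV4, hop["from"]):
        hop["ip"] = hop["from"]   # MTA logged the bare address with no HELO/peer
    return hop

def last_trusted_hop(raw_headers, trusted_domain):
    """Newest-first, return the first hop stamped by a server in trusted_domain.
    Its 'ip' is the peer that server really talked to; lines below it were
    supplied by the sender and may be forged, so the chain stops here."""
    msg = email.message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and hop["ip"] and hop["by"].lower().endswith(trusted_domain.lower()):
            return hop
    return None

def helo_matches_return_path(raw_headers, trusted_domain):
    """False when HELO and envelope-sender domain differ (xsuqdrh.tv vs
    resolutionmedia.tv here), a common indicator of a spoofed sender."""
    msg = email.message_from_string(raw_headers)
    hop = last_trusted_hop(raw_headers, trusted_domain)
    rp_domain = (msg.get("Return-Path") or "").strip("<> ").rpartition("@")[2]
    return bool(hop and hop["helo"]) and hop["helo"].lower() == rp_domain.lower()
```

The lower Received line naming 192.0.2.10 is deliberately ignored: only the hop your own provider wrote down is evidence of where the connection came from.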
 
Yddap

I'm_A_Victim said:
Got an email w/ a virus attached. I want to find out who is sending me
this crap. I receive 1-3 such emails a day.
+++++
to me via 66.218.93.41; Sat, 01 Jan 2005 12:09:28 -0800
X-YahooFilteredBulk: 217.235.114.170
Authentication-Results: mta152.mail.scd.yahoo.com
from=resolutionmedia.tv; domainkeys=neutral (no sig)
X-Originating-IP: [217.235.114.170]
Return-Path: <[email protected]>
Received: from 217.235.114.170 (HELO xsuqdrh.tv) (217.235.114.170) by
mta152.mail.scd.yahoo.com with SMTP; Sat, 01 Jan 2005 12:09:25 -0800
From: (e-mail address removed)
To: (e-mail address removed)
Date: Sat, 01 Jan 2005 20:02:54 GMT
Subject: FwD: Details
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====cea05ad92.2c5bfb6418d"
Content-Transfer-Encoding: 7bit
This is a multi-part message in MIME format.
Content-Length: 58056

01/01/05 23:00:23 whois 217.235.114.170 @whois.geektools.com

whois -h whois.geektools.com 217.235.114.170 ...
GeekTools Whois Proxy v5.0.4 Ready.

Checking access for ... ok.

Final results obtained from whois.ripe.net.

Results:
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 217.224.0.0 - 217.237.161.47
netname: DTAG-DIAL15
descr: Deutsche Telekom AG
country: DE
admin-c: DTIP
tech-c: DTST
status: ASSIGNED PA
remarks: ******************************************************************
remarks: * Abuse Contact: http://www.t-com.de/ip-abuse in case of Spam,   *
remarks: * Hack Attacks, Illegal Activity, Violation, Scans, Probes, etc. *
remarks: ******************************************************************
mnt-by: DTAG-NIC
mnt-domains: DTAG-NIC
mnt-domains: DTAG-RR
changed: (e-mail address removed) 20010404
changed: (e-mail address removed) 20030211
changed: (e-mail address removed) 20040923
source: RIPE

route: 217.224.0.0/11
descr: Deutsche Telekom AG, Internet service provider
origin: AS3320
member-of: AS3320:RS-PA-TELEKOM
mnt-by: DTAG-RR
changed: (e-mail address removed) 20010405
source: RIPE
changed: (e-mail address removed)-COM.XX 20040615

person: DTAG Global IP-Addressing
address: Deutsche Telekom AG
address: D-90492 Nuernberg
address: Germany
phone: +49 180 5334332
fax-no: +49 180 5334252
e-mail: (e-mail address removed)
nic-hdl: DTIP
mnt-by: DTAG-NIC
changed: (e-mail address removed) 20031013
source: RIPE

person: Security Team
address: Deutsche Telekom AG
address: Germany
phone: +49 180 5334332
fax-no: +49 180 5334252
e-mail: (e-mail address removed)
nic-hdl: DTST
mnt-by: DTAG-NIC
changed: (e-mail address removed) 20030210
source: RIPE



Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host ( has visited 3 times today.
 
I'm_A_Victim

Thanks.
I thought I had traced it correctly to Deutsche Telekom AG, but when I visit the
site specified, that site refuses to accept 217.235.114.170 as valid, so I was not able to
complete the complaint to their abuse department.
 
Gabriele Neukam

On that special day, I'm_A_Victim, ([email protected]) said...
X-Originating-IP: [217.235.114.170]

That is the *only* important information. Enter the number into the web
site of a Whois server, or use a whois querying program, like the Cyber
Kit of Luc Neijens.

In this case, the number belongs to the German Telekom (the largest provider
in Germany).

Process query: '217.235.114.170'
Query recognized as IP.
Querying whois.ripe.net:43 with whois.

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 217.224.0.0 - 217.237.161.47
netname: DTAG-DIAL15
descr: Deutsche Telekom AG
country: DE
admin-c: DTIP
tech-c: DTST
status: ASSIGNED PA
remarks: ******************************************************************
remarks: * Abuse Contact: http://www.t-com.de/ip-abuse in case of Spam,   *
remarks: * Hack Attacks, Illegal Activity, Violation, Scans, Probes, etc. *
remarks: ******************************************************************
mnt-by: DTAG-NIC
mnt-domains: DTAG-NIC
mnt-domains: DTAG-RR
changed: (e-mail address removed) 20010404
changed: (e-mail address removed) 20030211
changed: (e-mail address removed) 20040923
source: RIPE

route: 217.224.0.0/11
descr: Deutsche Telekom AG, Internet service provider
origin: AS3320
member-of: AS3320:RS-PA-TELEKOM
mnt-by: DTAG-RR
changed: (e-mail address removed) 20010405
source: RIPE
changed: (e-mail address removed)-COM.XX 20040615

person: DTAG Global IP-Addressing
address: Deutsche Telekom AG
address: D-90492 Nuernberg
address: Germany
phone: +49 180 5334332
fax-no: +49 180 5334252
e-mail: (e-mail address removed)
nic-hdl: DTIP
mnt-by: DTAG-NIC
changed: (e-mail address removed) 20031013
source: RIPE

person: Security Team
address: Deutsche Telekom AG
address: Germany
phone: +49 180 5334332
fax-no: +49 180 5334252
e-mail: (e-mail address removed)
nic-hdl: DTST
mnt-by: DTAG-NIC
changed: (e-mail address removed) 20030210
source: RIPE



Use the web address given in the two lines between the asterisks. This
works faster than writing to abuse at t-com dot de. After all, many of
the customers are attached by an intermediate ISP access, like
oneandone; and t-com would have to forward your complaint to the
respective ISP.

You can't write directly to e.g. oneandone, though, as t-com does
redistribute the IP numbers every now and then amongst the
redistributors, so you will always have to contact the mother
company in such cases. But they do something about it, albeit a bit
slowly.

Good luck, and a Happy New Year,


Gabriele Neukam

(e-mail address removed)
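Both Yddap's whois paste and Gabriele's advice come down to the same two checks on the RIPE record: confirm the address really falls inside the listed inetnum range, and pull the abuse contact out of the free-text remarks between the asterisks. This is an added example, not code from the thread; the record is constructed from the RIPE object quoted above, with the forum's redacted addresses kept as shown.

```python
import ipaddress
import re

# Constructed sample: the RIPE inetnum object quoted in the thread, with the
# e-mail addresses left redacted exactly as the forum displayed them.
SAMPLE_RPSL = """\
% This is the RIPE Whois query server #2.
inetnum:      217.224.0.0 - 217.237.161.47
netname:      DTAG-DIAL15
descr:        Deutsche Telekom AG
country:      DE
admin-c:      DTIP
tech-c:       DTST
status:       ASSIGNED PA
remarks:      ******************************************************************
remarks:      * Abuse Contact: http://www.t-com.de/ip-abuse in case of Spam,   *
remarks:      * Hack Attacks, Illegal Activity, Violation, Scans, Probes, etc. *
remarks:      ******************************************************************
mnt-by:       DTAG-NIC
changed:      (e-mail address removed) 20040923
source:       RIPE
"""

def parse_rpsl(text):
    """Parse one RPSL object into {key: [values]}; repeated keys such as
    remarks and changed are kept in order so nothing in the record is lost."""
    obj = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):   # comments / blank lines
            continue
        key, _, value = line.partition(":")
        obj.setdefault(key.strip(), []).append(value.strip())
    return obj

def covers(obj, ip):
    """True when ip lies inside the object's 'first - last' inetnum range."""
    first, last = (s.strip() for s in obj["inetnum"][0].split("-"))
    return ipaddress.ip_address(first) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(last)

def abuse_contacts(obj):
    """Collect abuse URLs and mailboxes. Records of this age carry no abuse-c
    attribute, so the free-text remarks are where the contact is advertised;
    a newer object's abuse-c handle is returned too when present."""
    blob = " ".join(obj.get("remarks", []))
    return {
        "urls": re.findall(r"https?://[^\s*]+", blob),
        "emails": re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", blob),
        "abuse_c": obj.get("abuse-c", []),
    }
```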
 
I'm_A_Victim

Thanks but see my 9:33 post.


Gabriele Neukam said:
On that special day, I'm_A_Victim, ([email protected]) said...
X-Originating-IP: [217.235.114.170]

That is the *only* important information. Enter the number into the web
site of a Whois server, or use a whois querying program, like the Cyber
Kit of Luc Neijens.
snip
 
Gabriele Neukam

On that special day, I'm_A_Victim, ([email protected]) said...
Thanks but see my 9:33 post.

That is a problem that has caused other difficulties, too. Regular
customers who were assigned an IP from the 217 range (dynamically, they
won't give fixed IP numbers except to business customers), would drop
off the net, cannot fetch their mail, and so on. If they re-dial and get
an IP different from 217something, the line is fine, which excludes
technical problems on the client side. I thought this was fixed, but
obviously that was wrong.

Try abuse AT t-com DOT de
It is read.


Gabriele Neukam

(e-mail address removed)
 
Anonymous

Got an email w/ a virus attached. I want to find out who is sending me this crap.
I receive 1-3 such emails a day.

The chances of finding the true source are not good. Most of the viruses
come from other PCs that are also infected. The headers are usually forged
to prevent the virus writer from being prosecuted. The idiot that wrote the
virus is long gone before you get the email. So you are chasing your own
tail.

If your AV program detects the virus, delete any files associated with the
infected attachment and clear your cache, temporary memory, and recycle
bin. Spend the time you save doing something nice for someone.
 
