ATTN: jvaguy

  1. #1
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960

    Question ATTN: jvaguy

    Hey man, is this you?

    [email protected]

  2. #2
    Registered User DANIMAL's Avatar
    Join Date
    Dec 2000
    Location
    Ontario, Canada
    Posts
    2,991

    Post

    yeah that's him from the site in my Sig line

  3. #3
    Registered User DocPC's Avatar
    Join Date
    Sep 2000
    Location
    Coeur d'Alene, ID
    Posts
    2,900

    Post

    Originally posted by DANIMAL:
    > yeah that's him from the site in my Sig line

    Who asked ya?????

  4. #4
    Registered User DANIMAL's Avatar
    Join Date
    Dec 2000
    Location
    Ontario, Canada
    Posts
    2,991

    Post

    Originally posted by DocPC:
    > Originally posted by DANIMAL:
    > > yeah that's him from the site in my Sig line
    >
    > Who asked ya?????

    JVA doesn't frequent here very often so I answered him, is there a problem?
    I hope that someday we will be able to put away our fears and prejudices and just laugh at people.

  5. #5
    Registered User
    Join Date
    Sep 2000
    Posts
    1,965

    Post

    1. This topic doesn't belong in Security Forum.
    2. Be civil when someone answers correctly.
    3. He could have sent a PM to JvaGuy to confirm the information.

  6. #6
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960

    Post

    It belongs in security. Here's why.

    Someone is spamming viruses in his name and he may be interested in that fact because he may have a virus. I've two emails from this location. One of the emails was sent to an email address that less than 12 people know about. There is no way to send an email to that address without being on that short 12 person list. The email address has only existed for 3 weeks. Follow my logic there?

    Here's some info on the virus and email.

    Microsoft Mail Internet Headers Version 2.0
    Received: from server.net ([172.16.10.201]) by my.frontend.server.lab with Microsoft SMTPSVC(5.0.2195.2966);
    Tue, 11 Jun 2002 14:26:09 -0400
    Received: from cordoba.com.ar ([200.61.160.134] RDNS failed) by my.frontendserver.net with Microsoft SMTPSVC(5.0.2195.4905);
    Tue, 11 Jun 2002 14:17:50 -0400
    Received: from Obscecx [12.248.197.242] by cordoba.com.ar
    (SMTPD32-6.06) id ADCC98400C2; Tue, 11 Jun 2002 14:05:16 -0300
    From: jvaguy ([email protected])

    To: deleted to protect the innocent
    Subject: Meeting notice
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=Q5d0zrJgcyn5196r8
    Message-Id: <200206111405281.SM00174@Obscecx>
    Date: Tue, 11 Jun 2002 15:15:11 -0300
    Return-Path: [email protected]
    X-OriginalArrivalTime: 11 Jun 2002 18:17:51.0097 (UTC) FILETIME=[4C21FE90:01C21174]

    --Q5d0zrJgcyn5196r8
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    --Q5d0zrJgcyn5196r8
    Content-Type: audio/x-wav;
    name=c45929c22c1fd6c110.inv.bat
    Content-Transfer-Encoding: base64
    Content-ID: <VG504586D4B27>

    --Q5d0zrJgcyn5196r8
    --Q5d0zrJgcyn5196r8
    Content-Type: application/octet-stream;
    name=c45929c22c1fd6c110.inv.bak
    Content-Transfer-Encoding: base64
    Content-ID: <VG504586D4B27>

    --Q5d0zrJgcyn5196r8--


    dns 12.248.197.242


    12.248.197.242 has valid reverse DNS of 12-248-197-242.client.attbi.com

    whois -h magic 12.248.197.242
    Trying whois -h whois.arin.net 12.248.197.242
    AT&T ITS (NET-ATT)
    200 Laurel Avenue South
    Middletown, NJ 07748
    US

    Netname: ATT
    Netblock: 12.0.0.0 - 12.255.255.255
    Maintainer: ATTW

    Coordinator:
    Kostick, Deirdre (DK71-ARIN) [email protected]
    1-919-319-8249

    Domain System inverse mapping provided by:

    DBRU.BR.NS.ELS-GMS.ATT.NET 199.191.128.106
    DMTU.MT.NS.ELS-GMS.ATT.NET 12.127.16.70
    CBRU.BR.NS.ELS-GMS.ATT.NET 199.191.128.105
    CMTU.MT.NS.ELS-GMS.ATT.NET 12.127.16.69

    For abuse issues contact [email protected]

    Record last updated on 06-Nov-2000.
    Database last updated on 10-Jun-2002 20:01:34 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    traceroute 12.248.197.242


    3 130.152.180.21 6.618 ms DNS error [AS226] Los Nettos origin AS
    4 4.24.4.249 8.796 ms gigabitethernet5-0.lsanca1-cr3.bbnplanet.net [AS1] GTE Internetworking
    5 4.24.4.2 9.449 ms p6-0.lsanca1-cr6.bbnplanet.net [AS1] GTE Internetworking
    6 4.24.5.49 8.323 ms p6-0.lsanca2-br1.bbnplanet.net [AS1] GTE Internetworking
    7 4.24.5.46 9.924 ms p15-0.lsanca2-br2.bbnplanet.net [AS1] GTE Internetworking
    8 4.25.111.1 7.060 ms p1-0.lsanca2-cr1.bbnplanet.net [AS1] GTE Internetworking
    9 4.25.111.10 6.574 ms p5-1.xlsanca26-att.bbnplanet.net [AS1] GTE Internetworking
    10 12.122.11.221 9.987 ms tbr2-p012402.la2ca.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    11 12.122.10.46 58.310 ms tbr2-p012301.sl9mo.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    12 12.122.11.209 64.901 ms tbr2-p012702.cgcil.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    13 12.122.11.50 58.407 ms gbr1-p40.cgcil.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    14 12.123.5.73 64.591 ms gar1-p360.cgcil.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    15 12.244.72.225 57.412 ms DNS error [AS7018] AT&T WorldNet Service Backbone
    16 12.244.106.5 59.987 ms DNS error [AS7018] AT&T WorldNet Service Backbone
    17 12.248.197.242 72.336 ms 12-248-197-242.client.attbi.com [AS7018] AT&T WorldNet Service Backbone

    The "from" part is easy to spoof but I find it odd that it's in both emails. The tracert shows both emails coming from dialups on attbi which is easy enough to track via dialup logon records from the ISP if I want to contact the ISP. I've dealt with ISPs regarding this same thing with klez, and the new sql worm and all it takes to get the ball rolling is a few phone calls and the right logs.

    I'm not accusing jvaguy. I'm saying that someone is spoofing him from a server named Obscecx on the attbi dialup/dsl network. He should know.
    Deliver me from Swedish furniture!
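
The Received chain quoted in post #6, read the way a responder would before contacting an ISP. This is an added example, not code from the thread; `parse_hops` and `trace` are hypothetical helper names, and it assumes the two redacted `my.frontend...` hosts are the recipient's own servers. It separates the last IP the recipient's server recorded itself from the origin that an outside relay merely reports.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Received headers copied from the post above; all other headers omitted.
RAW = """\
Received: from server.net ([172.16.10.201]) by my.frontend.server.lab with Microsoft SMTPSVC(5.0.2195.2966);
    Tue, 11 Jun 2002 14:26:09 -0400
Received: from cordoba.com.ar ([200.61.160.134] RDNS failed) by my.frontendserver.net with Microsoft SMTPSVC(5.0.2195.4905);
    Tue, 11 Jun 2002 14:17:50 -0400
Received: from Obscecx [12.248.197.242] by cordoba.com.ar
    (SMTPD32-6.06) id ADCC98400C2; Tue, 11 Jun 2002 14:05:16 -0300
Subject: Meeting notice

"""

# Assumption: these two redacted names are the recipient's own servers.
TRUSTED_BY = {"my.frontend.server.lab", "my.frontendserver.net"}

HOP = re.compile(r"from\s+(\S+)\s+\(?\[([\d.]+)\]([^)]*?)\)?\s+by\s+(\S+)")

def parse_hops(raw):
    """Return Received hops newest first, the order they appear in."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            helo, ip, note, by = m.groups()
            hops.append({"helo": helo, "ip": ip, "by": by.rstrip(";"),
                         "rdns_failed": "RDNS failed" in note,
                         "internal": ip_address(ip).is_private})
    return hops

def trace(hops, trusted=TRUSTED_BY):
    """Separate what our servers logged from what an outside relay claims."""
    verified_ip, i = None, 0
    # Only the unbroken run of headers stamped by our own servers is reliable.
    while i < len(hops) and hops[i]["by"] in trusted:
        if not hops[i]["internal"]:
            verified_ip = hops[i]["ip"]
        i += 1
    claimed = hops[-1] if i < len(hops) else None
    return {"last_verified_ip": verified_ip,
            "claimed_origin_ip": claimed["ip"] if claimed else None,
            "claimed_origin_helo": claimed["helo"] if claimed else None}

if __name__ == "__main__":
    for hop in parse_hops(RAW):
        print(hop)
    print(trace(parse_hops(RAW)))
```

The oldest header is written by the relay at cordoba.com.ar, so the client address in it is only as reliable as that relay's logging; the address the recipient's own server recorded is the relay's.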

  7. #7
    Mustang
    Guest

    Post

    Actually those aren't dialup IPs

    attbi is att's broadband service.

    and since jvaguy lives in texas and doesn't use any att internet services it cannot be him.

    also the ip address for the mail server on that email is not the correct mail server address for his email service.

    so it looks like someone is trying to make you believe that he is sending out viri when he is actually not.

    i will look into the origins of this and respond to you in pm.

  8. #8
    Registered User
    Join Date
    Sep 2000
    Posts
    1,965

    Post

    Forward a copy of your info to [email protected]. This is something I will need to contact my webhost about, and possibly ATT Broadband.

  9. #9
    Registered User kingtbone's Avatar
    Join Date
    May 2001
    Location
    Freddy Beach
    Posts
    794

    Post

    Doesn't Klez spoof the "from" portion of your email based on another contact in your Outlook book? Maybe I just made that up though...

  10. #10
    Registered User Mayet's Avatar
    Join Date
    May 2001
    Location
    Hervey bay, Queensland Australia
    Posts
    2,408

    Post

    Originally posted by iateyourcat:
    > Hey man, is this you?
    >
    > [email protected]

    no, it's not me ..but JVA is not the type of person to do this ...

    hey Iateyourcat

    You're a fellow student of the Thelemic Abbey I see

  11. #11
    Registered User DANIMAL's Avatar
    Join Date
    Dec 2000
    Location
    Ontario, Canada
    Posts
    2,991

    Post

    LOL at the idiot that did that?
    leaving his freaking IP addy.
    MUUHHAHAHHAHAHAHA

  12. #12
    Registered User Matt_29's Avatar
    Join Date
    Dec 1999
    Location
    Indiana
    Posts
    885

    Post

    thanx guys sorry i only am on at nite 90% of the time .. here's the story

    ok i have norton Antivirus 2002 (constantly updated), and eudora 5.1 so check the headers of the email and see what program is being used also i don't open attachments in emails cut and dry i haven't for yrs and don't plan on it now .. and also I don't have an address book so even if i did have this virus there would be no way to send out emails since i have them on a text log. (i learned when I love you virus first came out and my company was hit all 'cept my computer)

    now for the next best thing while AT&T is the cable provider here i use uu.net dialup .. thanks for trying to clear things up but something else is going on .. however i can show as of late i've been getting emails from

    Delivered-To: jvaguy@1
    From: matridom <[email protected]>
    To: [email protected]
    Subject:
    Date: Tue, 11 Jun 2002 14:07:49 -0300

    Content-Type: text/html;

    I have a dozen in my list from this email showing a virus was in a .pif file which was destroyed before i could get to it

    also here's screen shot of showing my antivirus .. which also reflects my formatting things going from windows xp to win2k on the first and i do a complete scan of things every 2 weeks which next one is in 2 days

    [Image: http://jvaguy.thegeeksinc.com/shirt/nav.gif]
    Life is like a bowl of rotten cherries that molden over

  13. #13
    Registered User MacGyver's Avatar
    Join Date
    Oct 2000
    Location
    Ottawa
    Posts
    4,232

    Angry

    Poor JvaGuy, why does this crap happen to you?

  14. #14
    Registered User Matt_29's Avatar
    Join Date
    Dec 1999
    Location
    Indiana
    Posts
    885

    Post

    not sure why it's me but ohh well .. i'm glad i take precautions for things like this here's some more info i decided to just do the scan today as well and here it is ..

    [Image: http://jvaguy.thegeeksinc.com/shirt/nav2.gif]

    the reason i'm making a deal about this is cause my email addy is being used, also i want people to know i'm extremely careful about this stuff .. and also i'm trying to help whoever is the one who has this and get it removed .. now it goes back to this email

    Delivered-To: jvaguy@1
    From: matridom <[email protected]>
    To: [email protected]
    Subject:
    Date: Tue, 11 Jun 2002 14:07:49 -0300

    someone has my email in their address book .. that has AT&T .. so we need to keep tracing who has this .. again i'm not accusing anyone but I would like this solved as well as anyone .. so let's get this solved ..
    Life is like a bowl of rotten cherries that molden over

  15. #15
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960

    Post

    Originally posted by JvaGuy:
    > someone has my email in their address book .. that has AT&T .. so we need to keep tracing who has this ..

    Exactly. With PPPOE on DSL and with regular dialup you can trace a user back to an IP for a given time and date. I wonder if it would do any good to forward this to ATT? I don't know how their authentication works or if their logs are capable of tracing a DHCP request to a user via the MAC but it might be worth a shot.
    Deliver me from Swedish furniture!
