Networking Forums > Computer Networking > Linux Networking > Can virii enter via dynamic IP ?
Can virii enter via dynamic IP ?

 
 
top-post@not
      09-30-2003, 08:31 PM
I got this email (below), and I can't see how it got to my mail box,
unless perhaps some of the 4-hex-char IPs mentioned corresponded
to my URL.

Does the mail-box have an IP ?

Thanks for ideas/answers,
== Chris Glur.



X-Auth-No:
Return-Path: <(E-Mail Removed)>
Received: from infomail.es not authenticated [195.235.39.5]
by absamail.co.za with NetMail SMTP Agent $Revision: 3.14 $ on Novell NetWare;
Tue, 30 Sep 2003 18:28:34 +0200
Received: from ccjhuky ([213.96.247.154]) by infomail.es
(Tid InfoMail Exchanger v2.20) with SMTP id #1064938553.121170001;
Tue, 30 Sep 2003 18:15:53 +0200
FROM: "Postmaster" <(E-Mail Removed)>
TO: "Internet Receiver" <(E-Mail Removed)>
SUBJECT: Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="pgznuxqaw"
X-Infomail-Spawn: (E-Mail Removed) a 67 destinos
X-Infomail-Id: 1064938553.2F55010A81106E.58553

--pgznuxqaw
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:uzjvefp" height=3D0 width=3D0></iframe>
<BR>This is the qmail program<BR>
<BR><BR><BR>Undelivered to <B>(E-Mail Removed)</B>
</BODY></HTML>

--pgznuxqaw
Content-Type: audio/x-wav; name="cpymmti.exe"
Content-Transfer-Encoding: base64
Content-Id: <uzjvefp>



--pgznuxqaw--

 
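An added example, not part of the original post, of how a defender would read the headers above: a small Python script that parses the Received: chain in delivery order, pulls out the name the sending host claimed, the IP address the receiving server actually saw, the "by" host and the timestamp of each hop, and reports where the message first entered the mail system. The sample header block is constructed from the one quoted above, with the addresses the forum removed replaced by placeholder mailboxes at example.invalid; everything else is as quoted.

```python
"""Trace the Received: chain of a message to see where it really entered the mail system."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header block quoted in the post above, with the
# addresses the forum removed replaced by placeholder mailboxes.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@example.invalid>
Received: from infomail.es not authenticated [195.235.39.5]
    by absamail.co.za with NetMail SMTP Agent $Revision: 3.14 $ on Novell NetWare;
    Tue, 30 Sep 2003 18:28:34 +0200
Received: from ccjhuky ([213.96.247.154]) by infomail.es
    (Tid InfoMail Exchanger v2.20) with SMTP id #1064938553.121170001;
    Tue, 30 Sep 2003 18:15:53 +0200
FROM: "Postmaster" <postmaster@example.invalid>
TO: "Internet Receiver" <victim@example.invalid>
SUBJECT: Letter
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="pgznuxqaw"

(body omitted)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the from/by/IP/date fields out of one Received: header value."""
    text = " ".join(value.split())          # unfold continuation lines
    from_m = re.search(r"\bfrom\s+(\S+)", text)
    by_m = re.search(r"\bby\s+(\S+)", text)
    ip_m = IPV4.search(text)
    date_part = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return {
        "from": from_m.group(1) if from_m else None,   # what the client *claimed* in HELO/EHLO
        "ip": ip_m.group(1) if ip_m else None,          # what the receiving server *saw*
        "by": by_m.group(1) if by_m else None,
        "date": parsedate_to_datetime(date_part) if date_part else None,
    }


def trace_hops(raw_message):
    """Return the hops in delivery order (oldest first).

    Each server prepends its own Received: line, so the header order is
    newest-first; reversing it gives the path the message actually took.
    """
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def origin_ip(raw_message):
    """IP of the first hop, i.e. where the message entered the mail system.

    Only the Received: lines written by servers you trust (normally the
    topmost ones, added by your own MX) are reliable; anything below them
    arrived inside the message and may have been fabricated by the sender.
    """
    hops = trace_hops(raw_message)
    return hops[0]["ip"] if hops else None


def chain_is_consistent(hops):
    """Each hop's 'by' host should be the next hop's 'from' host."""
    return all(a["by"] == b["from"] for a, b in zip(hops, hops[1:]))


def transit_seconds(hops):
    """Seconds between the first and last hop timestamps (None if undated)."""
    dated = [h["date"] for h in hops if h["date"]]
    if len(dated) < 2:
        return None
    return int((dated[-1] - dated[0]).total_seconds())


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_MESSAGE)
    for i, h in enumerate(hops, 1):
        print(f"hop {i}: {h['from']} [{h['ip']}] -> {h['by']} at {h['date']}")
    print("entered the mail system from:", origin_ip(SAMPLE_MESSAGE))
    print("chain consistent:", chain_is_consistent(hops))
    print("transit time (s):", transit_seconds(hops))
```

Run as-is it reports two hops: ccjhuky [213.96.247.154] -> infomail.es, then infomail.es [195.235.39.5] -> absamail.co.za, 761 seconds apart. The topmost Received: line was written by the recipient's own server and is the only one that can be fully trusted; each line below it was already inside the message when it arrived, so the lower hops are evidence to be checked against each other (the `chain_is_consistent` test does the simplest such check), not proof.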
joseph philip
      10-01-2003, 12:02 AM
On Tue, 30 Sep 2003 20:31:37 +0000, top-pos wrote:

> I got this email (below), and I can't see how it got to my mail box,
> unless perhaps some of the 4-hex-char IPs mentioned corresponded to my
> URL.
>
> Does the mail-box have an IP ?
>
> Thanks for ideas/answers,
> == Chris Glur.
<snip quoted message>



According to the SMTP RFC, there is a command that you use to tell the
mail server that the mail is from a particular person. You cannot send
mail without doing that first. Next, there is another command for setting
the recipient, which identifies the mailbox the message should go to. This
information is considered part of the envelope of the message and is not
given to the recipient. When you see that some mail is from a certain
person, and it is to someone else, it is thanks to extra data (inserted by
the sending program) that says so.



 
 
Leon The Peon
      10-01-2003, 01:06 AM

<top-post@not> wrote in message news:3f79e829$0$(E-Mail Removed)...
> I got this email (below), and I can't see how it got to my mail box,


Well the evidence is presented to you, what you have done is failed to
understand it.



> unless perhaps some of the 4-hex-char IPs mentioned corresponded to my
> URL.

URLs do not receive email.

SMTP servers receive email.

The email appears to be spam sent to someone which falsely included your
email address as the return address.
This sort of thing is very common and there isn't anything you can do about
it.


>
> Does the mail-box have an IP ?


Yes, but it's not "unique" - many mail boxes share the same IP address.


<snip quoted message>



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.521 / Virus Database: 319 - Release Date: 23/09/2003


 
 
Blinky the Shark
      04-01-2004, 03:19 AM
joseph philip wrote:

> The "FROM" and "TO" fields you see are not the ones used for getting the
> mail to you. Those ( and the subject ) are inserted as the "data" portion
> of the message.


> According to the smtp rfc, there is a command that you use to tell the
> mail server that the mail is from a particular person. You cannot send
> mail without doing that first. Next, there is another command for setting
> the recipient, which identifies the mailbox the message should go to. This
> information is considered part of the envelope of the message and is not
> given to the recipient. When you see that some mail is from a certain
> person, and it is to someone else, it is thanks to extra data that says
> so.


That seems to explain the crap I've received without any "To" field, at all.
The spammer has sent the destination address in the envelope (as I do, when
I send legit email to Aunt Sally), and there's apparently no requirement that
the email itself even *have* a "To" header. Right?

Would you happen to have a handy link to a layman's explanation of this
envelope concept and what else it entails? At any rate, if I read it
correctly, the above explanation will save me the headscratching that I
always do when I get the pink stuff without any To address on it.
Thanks!

--
Blinky Linux RU 4892F
http://linuxnotjustforgeeks.org
http://blinkynet.net
http://blinkynet.net/spag/w2000src.html - Win Source Code Leak
 
 
Owen Jacobson
      04-01-2004, 04:33 AM
On Thu, 01 Apr 2004 03:19:15 +0000, Blinky the Shark wrote:

> Would you happen to have a handy link to a layman's explanation of this
> envelope concept and what else it entails? At any rate, if I read it
> correctly, the above explanation will save me the headscratching that I
> always do when I get the pink stuff without any To address on it.


I'm not joseph, and I don't have one handy, but I can produce an example
right quick. The following is a short example transcript with an SMTP
server (mine, as it happens):

server>220 machinae.lionsanctuary.net ESMTP Welcome to mail.lionsanctuary.net

A welcome banner accepting the new connection with an OK code (2xx) and
advertising the presence of ESMTP as well as vanilla SMTP

client>EHLO eidolon.lionsanctuary.net

eidolon.lionsanctuary.net is the client's hostname, not the server's. EHLO
instead of HELO activates ESMTP; either greeting tells the mail server who
it's talking to.

server>250-machinae.lionsanctuary.net
server>250-PIPELINING
server>250-SIZE 10240000
server>250-VRFY
server>250-ETRN
server>250-XVERP
server>250 8BITMIME

250 is the OK response to EHLO; each line is a single capability on the
server.

client>MAIL FROM: (E-Mail Removed)
server>250 Ok

This is the envelope FROM address. It may bear no relation to the
message's headers, later.

client>RCPT TO: (E-Mail Removed)
server>250 Ok

This is the envelope TO address -- the recipient the message is intended
for.

client>DATA
server>354 End data with <CR><LF>.<CR><LF>

Now we've told the server to expect the actual mail message.

client>To: (E-Mail Removed)
client>Subject: foo bar baz
client>

The mail headers...

client>This is the message body
client>.
server>250 Ok: queued as 11AD02A2B3E

...and the message body, terminated with a . on a line of its own. The
mail server I use provides the queue ID as a courtesy feature, as well
(Postfix). Notably the "To:" header in the mail message bears utterly no
resemblance to the envelope TO.

In my case the queue was very short and the message actually arrived
before I typed the next line.

client>QUIT
server>221 Bye
Connection closed.

You can duplicate this sort of exchange yourself by using any plain-text
tool (like telnet; I use netcat) to connect to your SMTP server on port 25.

--
Some say the Wired doesn't have political borders like the real world,
but there are far too many nonsense-spouting anarchists or idiots who
think that pranks are a revolution.

 
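As an added illustration of both joseph's point earlier in the thread (the envelope sender and recipient are SMTP commands; the From:/To: headers are just data inside the message) and the transcript above, here is a Python model of the receiving side. It is not Owen's server or any real MTA: a small state machine that accepts EHLO/HELO, MAIL FROM, RCPT TO, DATA and QUIT, stores the envelope separately from the message text, and then compares the two. The session it replays is constructed from the transcript, with placeholder mailboxes at example.invalid and the To: header deliberately pointing somewhere other than the envelope recipient; reply codes follow the transcript but the wording is simplified.

```python
"""Minimal SMTP receiver model: keeps the envelope (MAIL FROM / RCPT TO)
apart from the message headers so the two can be compared."""
from email import message_from_string


class EnvelopeRecorder:
    """Accepts the command subset used in the transcript above (simplified replies)."""

    def __init__(self, hostname):
        self.hostname = hostname
        self.helo = None
        self.mail_from = None
        self.rcpt_to = []
        self.data_lines = None      # None until DATA has been accepted
        self.messages = []          # (envelope_from, envelope_rcpts, raw_message)

    def banner(self):
        return f"220 {self.hostname} ESMTP"

    def feed(self, line):
        """Process one client line; return the server reply, or None while inside DATA."""
        if self.data_lines is not None:            # inside DATA: collect until a lone '.'
            if line == ".":
                raw = "\n".join(self.data_lines) + "\n"
                self.messages.append((self.mail_from, list(self.rcpt_to), raw))
                self.data_lines = None
                self.mail_from, self.rcpt_to = None, []
                return "250 Ok: queued"
            # dot-stuffing: a line that began with '.' was sent as '..'
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo = arg.strip()                 # whatever the client claims to be
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.mail_from = _address(arg)          # envelope sender
            return "250 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Error: need MAIL command"
            self.rcpt_to.append(_address(arg))      # envelope recipient: this decides delivery
            return "250 Ok"
        if verb == "DATA":
            if not self.rcpt_to:
                return "554 Error: no valid recipients"
            self.data_lines = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Error: command not implemented"


def _address(arg):
    """Strip 'FROM:' / 'TO:' and optional angle brackets from a MAIL/RCPT argument."""
    _, _, addr = arg.partition(":")
    return addr.strip().strip("<>")


def envelope_vs_headers(env_from, env_rcpts, raw):
    """Compare what the envelope said with what the message headers claim."""
    msg = message_from_string(raw)
    return {
        "envelope_from": env_from,
        "header_from": msg.get("From"),       # may be absent: it is optional data
        "envelope_to": env_rcpts,
        "header_to": msg.get("To"),           # may be absent or point anywhere
        "to_matches": msg.get("To") in env_rcpts,
    }


# Constructed session modelled on the transcript in the post above; the
# mailboxes are placeholders standing in for the ones the forum removed.
CLIENT_LINES = [
    "EHLO eidolon.example.invalid",
    "MAIL FROM:<owen@example.invalid>",
    "RCPT TO:<blinky@example.invalid>",
    "DATA",
    "To: someone-else@example.invalid",
    "Subject: foo bar baz",
    "",
    "This is the message body",
    ".",
    "QUIT",
]


def run_session(lines=CLIENT_LINES):
    """Replay the client lines and return the server plus a (who, text) transcript."""
    server = EnvelopeRecorder("machinae.example.invalid")
    transcript = [("server", server.banner())]
    for line in lines:
        transcript.append(("client", line))
        reply = server.feed(line)
        if reply:
            transcript.append(("server", reply))
    return server, transcript


if __name__ == "__main__":
    server, transcript = run_session()
    for who, text in transcript:
        print(f"{who}>{text}")
    env_from, env_rcpts, raw = server.messages[0]
    print(envelope_vs_headers(env_from, env_rcpts, raw))
```

The comparison at the end shows header_to differing from envelope_to and no From: header at all, which is why a delivered message can carry any To: line, or none, as Blinky noticed: delivery used only the RCPT TO the client gave. Anything worth trusting about where a message came from has to come from the envelope as your own server recorded it, or from your own server's Received: line, not from the headers inside the message.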
 
Blinky the Shark
      04-01-2004, 07:14 AM
Owen Jacobson wrote:

> On Thu, 01 Apr 2004 03:19:15 +0000, Blinky the Shark wrote:


>> Would you happen to have a handy link to a layman's explanation of this
>> envelope concept and what else it entails? At any rate, if I read it
>> correctly, the above explanation will save me the headscratching that I
>> always do when I get the pink stuff without any To address on it.


> I'm not joseph, and I don't have one handy, but I can produce an example
> right quick. The following is a short example transcript with an SMTP
> server (mine, as it happens):


<snip log>

Thank you, Owen -- very informative, and exactly what I was looking for.

--
Blinky Linux RU 4892F
http://linuxnotjustforgeeks.org
http://blinkynet.net
http://blinkynet.net/spag/w2000src.html - Win Source Code Leak
 
 
jack
      04-02-2004, 03:48 AM
Blinky the Shark wrote:

> That seems to explain the crap I've received without any "To" field, at all.
> The spammer has sent the destination address in the envelope (as I do, when
> I send legit email to Aunt Sally), and there's apparently no requirement that
> the email itself even *have* a "To" header. Right?
>
> Would you happen to have a handy link to a layman's explanation of this
> envelope concept and what else it entails? At any rate, if I read it
> correctly, the above explanation will save me the headscratching that I
> always do when I get the pink stuff without any To address on it.


You may want to read RFC 821, SMTP. Plus, read some "plain" source text
from messages you got and from ones that your MUA created. It's fun...


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
 
 
Blinky the Shark
      04-02-2004, 05:19 AM
jack wrote:

>> Would you happen to have a handy link to a layman's explanation of this
>> envelope concept and what else it entails? At any rate, if I read it
>> correctly, the above explanation will save me the headscratching that I
>> always do when I get the pink stuff without any To address on it.


> You may want to read RFC 821, SMTP. Plus, read some "plain" source text
> from messages you got and from ones that your MUA created. It's fun...


Thanks, Jack.

--
Blinky Linux RU 4892F
http://linuxnotjustforgeeks.org
http://blinkynet.net
http://blinkynet.net/spag/w2000src.html - Win Source Code Leak
 