An easy way for users to see their 'real' external NAT address is to point a browser to http://www.whatismyipaddress.com

It's full of ads, but tells you the address you're coming from.

William 'Skeeter' Murphy, CISSP

On Thursday, October 16, 2003, at 04:21 PM, Craig.Schiller@private wrote:

> This is a re-post with a different subject line since those discussing
> this may not have seen the original post
>
> This e-mail spoofs the sender so it only looks like it comes from
> security.microsoft.com. The real originator from the last copy I
> received was a Verizon DSL user using an account in Everett, Washington.
> The block of IP addresses is owned by Genuity but is apparently being
> distributed by Verizon.
> The publicly visible address was 4.47.73.9 but the individual actual
> address may be natted. I say this on the possibility that the infected
> machine is one of our regular responders. You can check your PC by
> running ipconfig (Win2K and above) from the dos line or winipcfg
> (win 9x) and looking at the gateway address.
> Your PC may be assigned a private address like 192.168.1.x but the DSL
> modem/router translates that address into its publicly visible address.
> If your gateway address begins with 4.47.x.x then your PC may be the
> actual source of the Microsoft Patch now emails that have been hitting
> the CRIME mailing list.
>
> Craig A Schiller, CISSP
> Global Information Security Officer
> RadiSys Corporation
> craig.schiller@private
> 503.615.1646
>
> This electronic message contains information which may be confidential,
> privileged or otherwise protected from disclosure. The information is
> intended to be used solely by the named recipient(s). If you are not a
> named recipient, any review, disclosure, copying, distribution or use
> of this transmission or its contents is prohibited. If you have
> received this transmission in error, please notify me immediately.
>
> "Todd Ellner" <tellner@cedarlake.com>
> Sent by: owner-crime@private x.edu
> 10/16/2003 11:54 AM
>
> To: <sarnold@private>, <crime@private>
> cc:
> Subject: Re: CRIME [VIRUS] Don't Use this patch immediately !
>
> [snip]
> Check the headers:
> Received: (from Majordomo@localhost)
>     by rigel.cs.pdx.edu (8.12.10/8.12.3/Submit) id h9G2fZt3027348
>     for crime-outgoing; Wed, 15 Oct 2003 19:41:35 -0700 (PDT)
> X-Authentication-Warning: rigel.cs.pdx.edu: Majordomo set sender to
>     owner-crime@private using -f
> Received: from tuttle.oit.pdx.edu (tuttle.oit.pdx.edu [131.252.120.29])
>     by rigel.cs.pdx.edu (8.12.10/8.12.10) with ESMTP id h9G2fOK1027326
>     (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
>     for <crime@private>; Wed, 15 Oct 2003 19:41:25 -0700 (PDT)
> Received: from localhost
>     (evrtwa1-ar4-4-47-073-009.evrtwa1.dsl-verizon.net [4.47.73.9])
>     by tuttle.oit.pdx.edu (8.12.10/8.12.10) with SMTP id h9G2fMx8000787
>     for <crime@private>; Wed, 15 Oct 2003 19:41:22 -0700 (PDT)
>
> Looks like 4.47.73.9 sent it.
>
> That netblock is owned by Genuity. Best of luck convincing them it is
> worth their time to track down a single windows user who didn't care
> enough to buy an antivirus tool.
>
> [snip]
>
> "We were wondering whom to send the bill from our IT consultant to.
> The virus we got from your machine looks like it will cost us umpty-ump
> thousand dollars in lost data, emergency hourly work, and compromised
> law enforcement and anti terrorist computers.
>
> Just want to make sure the invoice ends up on the right desk.
>
> Ta ta,
> Ima Bofh"

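The "Check the headers" trace quoted in the thread, written out as an added example (not part of the original messages): it walks the Received chain newest-first and reports the last hop recorded by a relay the reader controls. The function name `trace_origin`, the `.pdx.edu` trust suffix and the `FORGED` header are assumptions made for illustration; the other headers are the ones quoted above.

```python
import re
from email import message_from_string

# Received headers copied from the quoted message above (newest first).
HEADERS = """\
Received: (from Majordomo@localhost)
 by rigel.cs.pdx.edu (8.12.10/8.12.3/Submit) id h9G2fZt3027348
 for crime-outgoing; Wed, 15 Oct 2003 19:41:35 -0700 (PDT)
Received: from tuttle.oit.pdx.edu (tuttle.oit.pdx.edu [131.252.120.29])
 by rigel.cs.pdx.edu (8.12.10/8.12.10) with ESMTP id h9G2fOK1027326
 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
 for <crime@private>; Wed, 15 Oct 2003 19:41:25 -0700 (PDT)
Received: from localhost
 (evrtwa1-ar4-4-47-073-009.evrtwa1.dsl-verizon.net [4.47.73.9])
 by tuttle.oit.pdx.edu (8.12.10/8.12.10) with SMTP id h9G2fMx8000787
 for <crime@private>; Wed, 15 Oct 2003 19:41:22 -0700 (PDT)
"""
# Constructed header, not from the thread: text a sending client could have
# written itself, to show why the walk stops at the trust boundary.
FORGED = ("Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
          " by localhost; Wed, 15 Oct 2003 19:40:00 -0700 (PDT)\n")

HOP = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[0-9.]+)\]\)"
                 r" by (?P<by>\S+)")

def trace_origin(raw_headers, trusted_suffix):
    """Return the last hop recorded by a trusted relay, or None.

    Each relay prepends its own Received line, so the list is newest-first.
    Only lines written by relays we trust (assumed here: names ending in
    trusted_suffix) are reliable; anything below them is sender-supplied.
    """
    origin = None
    for value in message_from_string(raw_headers).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m is None:
            continue                             # local submission, no peer
        if not m["by"].rstrip(";").endswith(trusted_suffix):
            break                                # left the trust boundary
        hop = m.groupdict()
        # helo is what the client claimed; rdns and ip are what the
        # receiving server observed on the connection.
        hop["helo_mismatch"] = hop["helo"].lower() != hop["rdns"].lower()
        origin = hop
    return origin

if __name__ == "__main__":
    print(trace_origin(HEADERS + FORGED, ".pdx.edu"))
```

The reported hop carries the HELO name `localhost` alongside the Verizon DSL reverse-DNS name, which is why the bracketed address, not the claimed name, is the value to act on.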
This archive was generated by hypermail 2b30 : Fri Oct 17 2003 - 10:22:36 PDT