I got it too, also noticed that the headers were suspicious - couldn't find any record of a Sarah Pricer at UCB via their directory. The email I received didn't include a GIF. These are the headers I got - Received: from home.netbox.com ([64.124.87.11] verified) by mailsys01.intnet.net (CommuniGate Pro SMTP 3.3.2) with ESMTP id 8222789 for gbroilesat_private; Wed, 16 May 2001 02:01:44 -0400 Received: (from gbroiles@localhost) by home.netbox.com (8.8.8/8.8.7) id XAA44683 for gbroilesat_private; Tue, 15 May 2001 23:02:35 -0700 (PDT) (envelope-from gbroiles) Received: from localhost.localdomain (root@s211-33-122-158.thrunet.ne.kr [211.33.122.158]) by home.netbox.com (8.8.8/8.8.7) with ESMTP id XAA44675 for <gbroilesat_private>; Tue, 15 May 2001 23:02:34 -0700 (PDT) (envelope-from linuxoneat_private) Received: (from linuxone@localhost) by localhost.localdomain (8.10.1/8.10.1) id f4GE3Q214200 for gbroilesat_private; Wed, 16 May 2001 23:03:26 +0900 Date: Wed, 16 May 2001 23:03:26 +0900 Message-Id: <200105161403.f4GE3Q214200at_private> From: Sarah Pricer <sarah_pricerat_private> Sender: Sarah.Pricerat_private Subject: Regarding ip block 199.165.136.0 - 199.165.136.255 Content-Type: text/html At 07:55 PM 5/15/2001 -0400, you wrote: >Real-To: "Jason Lewis" <jlewisat_private> > >I received this email today. The headers show it being sent from a machine >in Korea. Everything in the headers is forged, but I just can't figure out >what the motive is behind it. Also, at the end of the email, there was a >gif and I included the embedded html link. Has anyone else seen this? I >have munged the IP's. > > > >Hi my name is Sarah Pricer, a CS graduate student at UC Berkeley. I >obtained your email address from www.arin.net when searching for the IP >block(192.168.64.0 - 192.168.64.255 ) that you coordinate. > >I'm currently writing a thesis on the network topology and would very much >appreciate your cooperation. I am trying to draw out a map of how the IPs >are distributed geographically. I realize that the IP registration data >often times have country/state/city information that are different from the >actual physical location of where the IPs are used. > >Arin data currently shows that 192.168.64.0 - 192.168.64.255 is registered >to: > >Country: US >State: VA >City: MCLEAN > >Can you please tell me if this is the actual physical location of the IPs? >If not, can you please tell me the actual location? Again, thank you for >your cooperation. > >warm regards, >Sarah P. > ><http://211.33.122.158/icons/1/cal_1506.gif> > > > > >Jason Lewis >http://www.packetnexus.com >"All you can do is manage the risks. There is no security." -- Greg Broiles gbroilesat_private
This archive was generated by hypermail 2b30 : Thu May 17 2001 - 12:34:17 PDT