thr3ads.net - LARTC - Viral activitiy coming from an IP in your network. [Apr 2005]

If this information is useful, please help other people find it:
Share via:
Taylor, Grant
2005-Apr-21 20:50 UTC
Viral activitiy coming from an IP in your network.

Hi, my name is Grant Taylor.  I am a subscriber to the LARTC mail list
lartc@mailman.ds9a.nl.  The LARTC mail lists has been plagued with viral email
coming from changing IPs in your one of your subnets.  Based on the fact that
the WhoIs information below says that the subnet in question is a dial up pool
this would explain the changing IPs.  In less than 6 days the list has received
14 viral emails infected with Win32.Bagle.AE or Zip.Bagle (depending on the type
of attachment).  Would it be possible to contact the dial up user from the times
listed below (from the Received: headers in the emails) and ask them to make
sure that Bagle is not on their system or to clean it if it is infected? 
I''m not out to get any one in trouble, I would just like the viral
email to stop being sent to our mail list and to the world.  :)



Grant Taylor
Systems Administrator
Riverview Technologies Inc.
601 West Business Loop 70
Suite 109
Columbia MO  65203-2546
United States of America

Phone:  (USA) (573) 442-7151
  Fax:  (USA) (573) 442-3062
eMail:  gtaylor@riverviewtech.net
        postmaster@riverviewtech.net


Below are the pertinent headers out of each email message:
----------------------------------------------------------
Received: from jai.com (unknown [202.56.216.56])
	by outpost.ds9a.nl (Postfix) with SMTP id B9B363FDD
	for <LARTC@mailman.ds9a.nl>; Sat, 16 Apr 2005 10:46:35 +0200 (CEST)

Received: from jai.com (unknown [202.56.216.56])
	by outpost.ds9a.nl (Postfix) with SMTP id B9B363FDD
	for <LARTC@mailman.ds9a.nl>; Sat, 16 Apr 2005 10:46:35 +0200 (CEST)

Received: from jai.org (unknown [202.56.213.69])
	by outpost.ds9a.nl (Postfix) with SMTP id 094074089
	for <LARTC@mailman.ds9a.nl>; Sat, 16 Apr 2005 20:53:49 +0200 (CEST)

Received: from jai.org (unknown [202.56.213.69])
	by outpost.ds9a.nl (Postfix) with SMTP id 094074089
	for <LARTC@mailman.ds9a.nl>; Sat, 16 Apr 2005 20:53:49 +0200 (CEST)

Received: from jai.com (unknown [202.56.213.75])
	by outpost.ds9a.nl (Postfix) with SMTP id 107143FBB
	for <LARTC@mailman.ds9a.nl>; Mon, 18 Apr 2005 06:52:46 +0200 (CEST)

Received: from jai.com (unknown [202.56.213.75])
	by outpost.ds9a.nl (Postfix) with SMTP id 107143FBB
	for <LARTC@mailman.ds9a.nl>; Mon, 18 Apr 2005 06:52:46 +0200 (CEST)

Received: from jai.com (unknown [202.56.213.97])
	by outpost.ds9a.nl (Postfix) with SMTP id 08CDF4494
	for <LARTC@mailman.ds9a.nl>; Mon, 18 Apr 2005 18:15:25 +0200 (CEST)

Received: from jai.net (unknown [202.56.220.176])
	by outpost.ds9a.nl (Postfix) with SMTP id 262E2443A
	for <LARTC@mailman.ds9a.nl>; Mon, 18 Apr 2005 22:33:40 +0200 (CEST)

Received: from jai.org (unknown [202.56.216.31])
	by outpost.ds9a.nl (Postfix) with SMTP id 29D894013
	for <LARTC@mailman.ds9a.nl>; Tue, 19 Apr 2005 00:55:09 +0200 (CEST)

Received: from jai.org (unknown [202.56.216.31])
	by outpost.ds9a.nl (Postfix) with SMTP id 29D894013
	for <LARTC@mailman.ds9a.nl>; Tue, 19 Apr 2005 00:55:09 +0200 (CEST)

Received: from jai.com (unknown [202.56.216.47])
	by outpost.ds9a.nl (Postfix) with SMTP id 2418240EB
	for <LARTC@mailman.ds9a.nl>; Tue, 19 Apr 2005 20:47:00 +0200 (CEST)

Received: from jai.org (unknown [202.56.216.39])
	by outpost.ds9a.nl (Postfix) with SMTP id BA4C740F9
	for <LARTC@mailman.ds9a.nl>; Wed, 20 Apr 2005 09:41:21 +0200 (CEST)

Received: from jai.com (unknown [202.56.213.171])
	by outpost.ds9a.nl (Postfix) with SMTP id 02BC43FD6
	for <LARTC@mailman.ds9a.nl>; Wed, 20 Apr 2005 16:09:46 +0200 (CEST)

Received: from jai.com (unknown [202.56.220.3])
	by outpost.ds9a.nl (Postfix) with SMTP id B4D4840D3
	for <LARTC@mailman.ds9a.nl>; Thu, 21 Apr 2005 19:49:10 +0200 (CEST)


Below is WhoIs information on the subnet block that the IPs are in that send the
viral emails:
----------------------------------------------------------------------------------------------
inetnum:      202.56.216.0 - 202.56.216.128
netname:      BHARTI-IN
descr:        Infrastructer
descr:        Dail Up Pool for Touchnet Haryana
descr:        Bharti Infotel Ltd.
descr:        234 , Okhla Phase III
descr:        New Delhi
descr:        India
country:      IN
admin-c:      NA40-AP
tech-c:       NA40-AP
mnt-by:       MAINT-IN-BBIL
status:       ASSIGNED NON-PORTABLE
changed:      techsupport@bharti.com 20040206
source:       APNIC

route:        202.56.192.0/18
descr:        BHARTI-IN
descr:        BHARTI INFOTEL LTD.
descr:        Class A ISP in INDIA .
descr:        234 , OKHLA PHASE III ,
descr:        NEW DELHI
descr:        INDIA
country:      IN
origin:       AS9498
mnt-by:       MAINT-IN-BBIL
changed:      hm-changed@apnic.net 20050201
source:       APNIC

person:       Network Administrator
nic-hdl:      NA40-AP
e-mail:       techsupport@bharti.com
address:      Bharti Infotel Ltd.
address:      ISP Division - Long Distance - Telesonic
address:      234 ,
address:      Okhla Ind. Area,
address:      Phase III
address:      New Delhi,
address:      INDIA-110020
phone:        +91-11- 5171 0131
fax-no:       +91-11- 5171 1050
country:      IN
changed:      techsupport@bharti.com 20040911
mnt-by:       MAINT-IN-BBIL
source:       APNIC
Apparently Analagous Threads

Search for more seemingly similar threads
LARTC - Apr 2005 - Viral activitiy coming from an IP in your network.

Viral activitiy coming from an IP in your network.

Apparently Analagous Threads

Wisdom of the Ancients
