john@ntlworld.com

Anyone else get a whole bunch of emails from john@ntlworld.com sent to their ntlworld email account?

My anti virus software went made when these were coming down the wire.

[Sociable]

Nope but it's not uncommon for the "Ghost" sender's name to be something that sounds "OK" like "John" as it increases the chance of those who do get mail from a real "John" to be tempted to open with less thought.

[Jon M]

same as sociable said, plus..

as a general rule the sender address is worthless when tracing spam or virii, it's the IP address in the header that gives you the actual source

i got a load more tonight. The ip address is 80.0.208.185.

[Dooby]

that resolves to
public2-pete1-3-cust185.lond.broadband.ntl.com

so it looks like an ntl ip.

I would say that it would also be possible to spoof the IP address of the sender too, more difficult, but possible

so basically your saying its not possible to trace this email back ot the originator?

[danielf]

Quote:

Originally Posted by gary_580

so basically your saying its not possible to trace this email back ot the originator?

If you post the full headers (removing your email address), it is possible to trace the origin, but it may well turn out to be an open relay somewhere in China.

[Sociable]

Quote:

Originally Posted by gary_580

so basically your saying its not possible to trace this email back ot the originator?

Not with any degree of certainty no.

It is possible to spoof the originating IP and even if it did originate from that IP it may well not have been the person on that IP that initiated it. If that person has a trojan sitting on their system it would be relatively simple to bounce mails through them without them ever being aware of it.

Going back a few years Cabletel (Pre NTL) were blacklisted by many sites because their mail servers were so insecure they were a popular target for this type of "Bounce" being used to hide the true origins of attacks. Up-dates to the security allowed them to get off the blacklist but it shows just how easy it can be to fool the system even when it is being controlled by a large organisation in the internet provison field let alone an individual subscriber.

Got some more today. This is the complete header

Return-Path: <john@ntlworld.com>
Received: from localhost ([80.0.208.185]) by mta07-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
id <20031212072431.BIQ2588.mta07-svc.ntlworld.com@localhost>
for <****.*****@ntlworld.com>; Fri, 12 Dec 2003 07:24:31 +0000
From: john@ntlworld.com
To: ****.***** <****.*****@ntlworld.com>
Reply-To: john@ntlworld.com
X-Priority: 1 (High)
Subject: don't be late! aeaagmeg
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------D5017952000A9B8"
Message-Id: <20031212072431.BIQ2588.mta07-svc.ntlworld.com@localhost>
Date: Fri, 12 Dec 2003 07:24:36 +0000

[hoss]

Try forwarding a couple of headers to abuse@ntlworld.com, I would have thought that they should be able to tell him to stop spamming you (assuming the header hasnt been spoofed) or to protect himself from trojans

[Indians]

I got a boatload of these in a BTINTERNET email account last week, from a 'john@btinternet' same subject line as yours 'don't be late!' followed by a series of letters that were different on each email. Body of message was something about 'see you on wednesday' etc 'details in attached file' , which was a .zip file containing a .scr file. D
I deleted them all but would have been interested to find out what the script did.