3 Replies Latest reply on Feb 4, 2011 7:46 PM by spc3rd

    REVERSE "spoofing" emails received?

    spc3rd

      I'm not really sure this is the correct place to mention an email issue (related to some of the other "spoofing" postings here), but here goes.

       

I've experienced a reverse situation.  By this, I mean I have had a number of occasions where I've received emails in my Yahoo email account which, in the From line, had my ISP's name and, beside my ISP's name, a specific email address which had my ISP's name after the "@" symbol (e.g., sample101@isp.net).  After opening the email, there was a line of some 25 consecutive alphanumeric/special symbol characters shown.  (It was not displayed like an underlined link that you can click on to be taken to some website.)  [Needless to say, I did NOT click on it, for obvious security reasons.]  A short message said I had infected folders and needed to remedy the problem.  It was "signed" (fraudulently, of course) as the "Support Dept" of my ISP.

       

      One odd thing is that the personal email address (shown like the example above) happened to be someone in my own Yahoo address book, though I do not really have any idea how I might know this person (much less have their email contact info in my Yahoo address book).

       

After expanding the headers and looking at the Received lines, the IP addresses shown all began with the number 10 (e.g., 10.xxx.xxx.xxx).  Upon entering the IP addresses into the ARIN WHOIS database, each of these addresses was listed as something referred to as a "Blacklist or Blackband" range of IP address numbers (or something similar) in the IANA registry.  There was a comment section which said the IP numbers could be used by anyone without any need to do anything/coordinate/register with IANA (or something similar).  This seems to me to be some sort of weird set-up where somehow individuals can get hold of, and use, any of the IP address numbers within the range shown without having to identify themselves, etc.  Is there some way to get IANA (or whoever has some regulatory authority out there) to ascertain WHO is using these specific "Blacklist/Blackband" IP address numbers (or whatever it was they were called), and put a stop to this sort of thing?

       

I did a full scan with McAfee and subsequently a scan with the Malwarebytes Anti-Malware program.  Neither indicated any problems.  I did forward the suspicious email to my own ISP's email spam-reporting center...for whatever good it might do.

       

      Thanks very much for your time and any ideas or suggestions!
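The header check the post describes, worked through as an added example (not code from the thread, McAfee or Yahoo). 10.0.0.0/8 is one of the RFC 1918 private ranges: it is reserved for use inside networks and never routed on the public Internet, which is why a WHOIS lookup on it returns only the IANA reservation and no registrant. Each relay prepends its own Received line, so the chain is read bottom-up, and the first hop that is not a private address is the earliest relay that can actually be attributed; when every recorded hop is private, the headers alone identify only the receiving provider's internal relays. The From header is set freely by the sender and proves nothing. The sample headers, hostnames and addresses below are constructed (`.invalid` domains, RFC 5737 documentation address for the external hop), and the example assumes the first IPv4 literal in a Received line is the host the message came from.

```python
"""Walk the Received chain of a raw message and find the earliest hop that is
not an RFC 1918 private address. Added example for this thread; not the
poster's, McAfee's or Yahoo's code."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# RFC 1918 private ranges plus loopback and link-local. A Received line
# carrying one of these names an internal relay of the receiving provider,
# not the sender, and WHOIS can only ever return the IANA reservation for it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_chain(raw: str) -> list:
    """Relay addresses in header order (newest hop first).
    Assumption: the first IPv4 literal in a Received line is the host the
    message came *from*, which holds for the usual 'from A ([ip]) by B' form."""
    msg = message_from_string(raw)
    chain = []
    for line in msg.get_all("Received", []):
        m = IPV4_RE.search(line)
        if m:
            chain.append(m.group(0))
    return chain


def originating_hop(raw: str):
    """Read the chain oldest-hop-first and return the first address that is
    not internal; None when every recorded relay is private-range."""
    for ip in reversed(received_chain(raw)):
        if not is_internal(ip):
            return ip
    return None


def analyze(raw: str) -> dict:
    """Summarise what the headers do and do not let you attribute."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    origin = originating_hop(raw)
    return {
        "from": from_addr,
        "from_domain": from_addr.rsplit("@", 1)[-1] if "@" in from_addr else "",
        "chain": received_chain(raw),
        "origin": origin,
        "attributable": origin is not None,
    }


# Constructed sample A: mirrors the post (only 10.x relays, From claims the ISP).
SAMPLE_A = """\
Received: from [10.201.15.7] by web123.mail.example.invalid via HTTP; Thu, 03 Feb 2011 14:02:11 -0800
Received: from relay.example.invalid (relay.example.invalid [10.14.9.22])
        by mta7.mail.example.invalid with SMTP id abc123; Thu, 03 Feb 2011 14:02:09 -0800
From: "ISP Support Dept" <sample101@isp.invalid>
To: victim@example.invalid
Subject: Infected folders detected

"""

# Constructed sample B: same lure, but the oldest Received line records a
# routable sender. 203.0.113.45 is an RFC 5737 documentation address standing
# in for a real external host (the internal-range test above treats it as external).
SAMPLE_B = SAMPLE_A.replace(
    "relay.example.invalid (relay.example.invalid [10.14.9.22])",
    "unknown (HELO isp.invalid) (203.0.113.45)",
)

if __name__ == "__main__":
    for name, raw in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, analyze(raw))
```

For sample A the result is `origin: None`: the message was handed in through the provider's own web or relay hosts and the headers cannot say where it came from, which is exactly the situation in the post. A From domain that matches your ISP while every hop is private-range is no evidence the ISP sent it.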

        • 1. Re: REVERSE "spoofing" emails received?

This sounds quite complicated. I would suggest you click on the Useful Links at the top of this page and contact our technical support team for further assistance.

          1 of 1 people found this helpful
          • 2. Re: REVERSE "spoofing" emails received?

Are you talking about the Blackhole-1 / Blackhole-2 server IANA?? I had a problem a while back with something similar, although this was not through an e-mail. Some kind of bootstrap protocol. I still receive inbound attempts from these IPs. Strange.

            • 3. Re: REVERSE "spoofing" emails received?
              spc3rd

This clarification posting (with a pdf file attached showing the printout I made of the ARIN WHOIS database results for the 3 IP addresses shown at the top of the first page) is for both Aldrin and Newjack for your review and comments.  The first two IP addresses shown were found within the <Received> lines of the expanded headers of an email I received in my Yahoo account which was made to appear as if it originated with my ISP's "Support Department" and advised me I had infected files.  (My original posting provides more specifics.)  The THIRD IP address (10.5.100.1) is one which is repeatedly showing up in my McAfee Inbound Events Log as making attempts to access UDP port 68.  The time intervals between the unauthorized access attempts are frequently shown as being only one or two minutes apart.  (It appears the McAfee firewall is blocking the 3rd IP address shown in the printout.)  The 3rd IP address mentioned only shows up in the McAfee log as the IP address; there is no other information given as to any person or organizational entity associated with the address.  I'm a little more concerned with the first two IP addresses which were in the email headers that managed to get through to my Yahoo email Inbox.

               

              Thanks very much to both of you for your insights and any additional suggestions!

               

               

              Message was edited by: spc3rd on 2/4/11 9:46:20 PM AST
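The firewall events in the clarification post, triaged as an added example (not the thread's, McAfee's or the poster's code). UDP port 68 is the BOOTP/DHCP client port and 67 the server port, so a packet sent to UDP/68 is a DHCP server addressing a client (lease offer, acknowledgement or renewal); "bootstrap protocol" in the second reply is BOOTP, the protocol DHCP extends. Combined with a source in 10.0.0.0/8, which cannot arrive from the public Internet, the pattern is consistent with the LAN router or provider gateway renewing the machine's address every minute or two, not with an outside attacker. The log line format and the events below are constructed for the demo and are not McAfee's actual event-log format; the source ports, the client address and the extra external probe are assumptions.

```python
"""Triage repeated inbound firewall events by source address and port.
Added example for this thread; the line format is constructed for the demo
and is not McAfee's own event-log format."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Well-known ports relevant here. 67 is the BOOTP/DHCP server port and 68 the
# client port, so traffic to UDP/68 is a DHCP server talking to a client.
UDP_SERVICES = {67: "BOOTP/DHCP server port", 68: "BOOTP/DHCP client port"}
TCP_SERVICES = {445: "SMB"}

# RFC 1918 ranges: a source in one of these is on the LAN or the provider's
# internal network, never a host out on the public Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical line shape: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_events(lines) -> list:
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not fit the constructed format
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "action": d["action"],
        })
    return events


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def service_name(proto: str, port: int) -> str:
    table = UDP_SERVICES if proto == "UDP" else TCP_SERVICES
    return table.get(port, "unknown")


def triage(lines) -> dict:
    """Group events by source; report scope, likely service and spacing."""
    by_src = defaultdict(list)
    for ev in parse_events(lines):
        by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(evs, evs[1:])]
        services = sorted({service_name(e["proto"], e["dport"]) for e in evs})
        report[src] = {
            "count": len(evs),
            "scope": "private (RFC 1918)" if is_private(src) else "public",
            "dports": sorted({e["dport"] for e in evs}),
            "services": services,
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
            # DHCP server replies: private source, every event to UDP/68
            "looks_like_dhcp": is_private(src)
            and all(e["proto"] == "UDP" and e["dport"] == 68 for e in evs),
        }
    return report


# Constructed sample log: the repeated UDP/68 events from the post, plus one
# unrelated probe from a documentation-range (RFC 5737) address for contrast.
SAMPLE_LOG = """
2011-02-04 19:40:02 UDP 10.5.100.1:67 -> 10.5.100.23:68 BLOCKED
2011-02-04 19:41:05 UDP 10.5.100.1:67 -> 10.5.100.23:68 BLOCKED
2011-02-04 19:43:10 UDP 10.5.100.1:67 -> 10.5.100.23:68 BLOCKED
2011-02-04 19:44:12 UDP 10.5.100.1:67 -> 10.5.100.23:68 BLOCKED
2011-02-04 19:44:40 TCP 203.0.113.9:51234 -> 10.5.100.23:445 BLOCKED
""".strip().splitlines()

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, info)
```

The report separates the two sources cleanly: the 10.5.100.1 entries are private-range, all to UDP/68, a minute or two apart, and get `looks_like_dhcp: True`; the TCP/445 probe from a public address is the kind of event that actually deserves attention. If the private source turns out to be your own gateway, the blocked packets are its DHCP replies rather than an intrusion attempt.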