[GTER] E-mail investigation.

"Edison (Júnior)" edison at coslinux.com.br
Tue Aug 10 16:17:26 -03 2004


Folks,

One of our clients received 2 extremely serious e-mail messages. Below is
the important information from the headers of the messages:

first:

Return-Path: <valeriasilfer at hotmail.com>
Received: from [200.154.55.227] by laranjal.terra.com.br (LMTP); Thu, 24 
Jun 2004 16:34:52 -0300 (BRT)
Received: from mx2.terraempresas.com.br (mx2.terraempresas.com.br 
[200.154.117.68])
        by itapoa.terra.com.br (Postfix) with ESMTP id D451BDD41EF
        for <adm.tas at terra.com.br>; Thu, 24 Jun 2004 16:34:52 -0300 (BRT)
Received: from hotmail.com (bay14-dav15.bay14.hotmail.com [64.4.48.119])
        by mx2.terraempresas.com.br (Postfix) with ESMTP id BDE0433E79
        for <adm at empresa_do_meu_cliente.com.br>; Thu, 24 Jun 2004 
16:34:51 -0300 (BRT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
         Thu, 24 Jun 2004 12:34:33 -0700
Received: from 200.158.110.42 by bay14-dav15.bay14.hotmail.com with DAV;
        Thu, 24 Jun 2004 19:34:33 +0000
X-Originating-IP: [200.158.110.42]
X-Originating-Email: [valeriasilfer at hotmail.com]
X-Sender: valeriasilfer at hotmail.com
From: =?iso-8859-1?Q?Val=E9ria?= <valeriasilfer at hotmail.com>
To: <adm at empresa_do_meu_cliente.com.br>
Subject: urgente
Date: Thu, 24 Jun 2004 16:34:12 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0005_01C45A09.14D70D60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: <BAY14-DAV15NzscE8Np000002f9 at hotmail.com>
X-OriginalArrivalTime: 24 Jun 2004 19:34:33.0319 (UTC) 
FILETIME=[469B5770:01C45A22]


second:

Return-Path: <tia11116 at hotmail.com>
Received: from [200.154.55.227] by corinto.terra.com.br (LMTP); Wed, 14 
Jul 2004 18:36:36 -0300 (BRT)
Received: from mx5.terraempresas.com.br (mx5.terraempresas.com.br 
[200.154.117.71])
        by itapoa.terra.com.br (Postfix) with ESMTP id C48ECDD4081
        for <adm.tas at terra.com.br>; Wed, 14 Jul 2004 18:36:36 -0300 (BRT)
Received: from hotmail.com (bay14-f26.bay14.hotmail.com [64.4.49.26])
        by mx5.terraempresas.com.br (Postfix) with ESMTP id 075A833F9A
        for <adm at empresa_do_meu_cliente.com.br>; Wed, 14 Jul 2004 
18:36:36 -0300 (BRT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
         Wed, 14 Jul 2004 14:36:34 -0700
Received: from 200.207.50.91 by by14fd.bay14.hotmail.msn.com with HTTP;
        Wed, 14 Jul 2004 21:36:34 GMT
X-Originating-IP: [200.207.50.91]
X-Originating-Email: [tia11116 at hotmail.com]
X-Sender: tia11116 at hotmail.com
From: "lucas abrel" <tia11116 at hotmail.com>
To: adm at empresa_do_meu_cliente.com.br
Subject: urgente marilene
Date: Wed, 14 Jul 2004 21:36:34 +0000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <BAY14-F264aJ6pkNzPZ0000cac0 at hotmail.com>
X-OriginalArrivalTime: 14 Jul 2004 21:36:34.0457 (UTC) 
FILETIME=[A29B5890:01C469EA]


From what I found, the first message was sent from Outlook using a Hotmail
account. The second must have been sent directly through Hotmail (webmail).
It appears that Hotmail records the username and the IP used to send the
message, which are, respectively:


X-Originating-IP: [200.158.110.42]
X-Originating-Email: [valeriasilfer at hotmail.com]

and

X-Originating-IP: [200.207.50.91]
X-Originating-Email: [tia11116 at hotmail.com]

Is it possible to find out which Speedy user, as used in authentication, was
connected with these IPs at the time the messages were sent? Both IPs belong
to Telefônica's ADSL network.

Any ideas?

[ ]'s

Edison Bortolin
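An added example, not part of the post or of the GTER list, showing how the header chain quoted above can be read mechanically: it parses the Received lines bottom-up (oldest hop first), pulls out Hotmail's X-Originating-IP, normalises the hop timestamps to UTC (the form an ISP needs for a subscriber lookup), and separates the hop that the recipient's own MTAs verified from the hops written by Hotmail. The sample headers are constructed from the first message in the post, with the list archive's " at " obfuscation undone; the TRUSTED_SUFFIXES and TRUSTED_NETWORKS values are assumptions made for illustration, not facts about Terra's network.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the first message's headers as quoted in the post.
SAMPLE_HEADERS = """\
Return-Path: <valeriasilfer@hotmail.com>
Received: from [200.154.55.227] by laranjal.terra.com.br (LMTP); Thu, 24 Jun 2004 16:34:52 -0300 (BRT)
Received: from mx2.terraempresas.com.br (mx2.terraempresas.com.br [200.154.117.68])
        by itapoa.terra.com.br (Postfix) with ESMTP id D451BDD41EF
        for <adm.tas@terra.com.br>; Thu, 24 Jun 2004 16:34:52 -0300 (BRT)
Received: from hotmail.com (bay14-dav15.bay14.hotmail.com [64.4.48.119])
        by mx2.terraempresas.com.br (Postfix) with ESMTP id BDE0433E79
        for <adm@empresa_do_meu_cliente.com.br>; Thu, 24 Jun 2004 16:34:51 -0300 (BRT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
         Thu, 24 Jun 2004 12:34:33 -0700
Received: from 200.158.110.42 by bay14-dav15.bay14.hotmail.com with DAV;
        Thu, 24 Jun 2004 19:34:33 +0000
X-Originating-IP: [200.158.110.42]
X-Originating-Email: [valeriasilfer@hotmail.com]
Subject: urgente
Date: Thu, 24 Jun 2004 16:34:12 -0300

"""

# Assumed for this example only: which hosts/networks belong to the recipient
# side, i.e. whose Received lines we are willing to believe.
TRUSTED_SUFFIXES = ("terra.com.br", "terraempresas.com.br")
TRUSTED_NETWORKS = (ipaddress.ip_network("200.154.0.0/16"),)

CLAUSES = ("from", "by", "with", "id", "for")   # RFC 5321 section 4.4 keywords
ALT = "|".join(CLAUSES)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9_-]+)*\.[A-Za-z]{2,}\b")


def parse_received(value):
    """Unfold one Received header and split it into its clauses plus the date."""
    text = " ".join(value.split())           # undo header folding
    head, _, date = text.rpartition(";")     # the date follows the last ';'
    hop = {"date": date.strip()}
    for key in CLAUSES:
        m = re.search(rf"\b{key}\s+(.+?)(?=\s+(?:{ALT})\s|$)", head)
        if m:
            hop[key] = m.group(1).strip("<> ")
    return hop


def delivery_path(raw):
    """Received headers are prepended by each MTA, so the bottom one is the oldest."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def originating_ip(raw):
    """The IP Hotmail says it saw the submission from (Hotmail's claim, not ours)."""
    m = IP_RE.search(message_from_string(raw).get("X-Originating-IP", ""))
    return m.group(0) if m else None


def hop_time_utc(hop):
    """ISP abuse desks correlate IP + time in UTC, not local time."""
    return parsedate_to_datetime(hop["date"]).astimezone(timezone.utc).isoformat()


def _trusted(text, suffixes=TRUSTED_SUFFIXES, networks=TRUSTED_NETWORKS):
    if any(h.lower().endswith(suffixes) for h in HOST_RE.findall(text)):
        return True
    for ip in IP_RE.findall(text):
        try:
            if any(ipaddress.ip_address(ip) in n for n in networks):
                return True
        except ValueError:
            pass
    return False


def verified_handoff(hops):
    """Walk down from our own MTA and return the first hop whose sender is not
    ours: that line was written by a host we trust and names the peer it really
    talked to. Everything below it was written by third parties."""
    for hop in reversed(hops):                      # newest first
        if not _trusted(hop.get("by", "")):
            return None                             # line not written by us
        if not _trusted(hop.get("from", "")):
            return hop
    return None


def verified_handoff_ip(raw):
    hop = verified_handoff(delivery_path(raw))
    ips = IP_RE.findall(hop["from"]) if hop else []
    return ips[0] if ips else None


if __name__ == "__main__":
    hops = delivery_path(SAMPLE_HEADERS)
    for h in hops:
        print(hop_time_utc(h), h.get("from"), "->", h.get("by"))
    print("claimed origin (Hotmail):", originating_ip(SAMPLE_HEADERS))
    print("verified external peer  :", verified_handoff_ip(SAMPLE_HEADERS))
```

Run as a script it prints the five hops oldest-first. The point it makes explicit is the one the post relies on: the recipient's servers only ever saw 64.4.48.119 (Hotmail); 200.158.110.42 appears both in Hotmail's own bottom Received line and in X-Originating-IP, so its reliability rests entirely on Hotmail's logging, and the subscriber lookup at the access provider needs that IP together with the UTC timestamp of that hop.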


