[extropy-chat] Virus Detection 101 [was: application]

Adrian Tymes wingcat at pacbell.net
Mon Apr 26 16:40:33 UTC 2004


--- "Robert J. Bradbury" <bradbury at aeiveos.com> wrote:
> Look at the last "Received:" line in the message source.
> It was received from what looks like a DSL or dial-up line at
> ...pooles.rima-tde.net which translates to 81.33.36.216.
>
> Then on a unix/linux system run a traceroute to 81.33.36.216.
> (Under DOS shells you can usually use TRACERT).
>
> It ends up getting routed to Virginia then the response times jump
> and it looks like it is going overseas.  From the U.S. it gets
> routed through ...red.telefonica-wholesale.net and then to
> ...pooles.rima-tde.net.  Given the jump in the response times
> and the names involved my suspicion would be a user in perhaps
> Spain or Italy (though Mexico isn't out of the question) [1].

> 1. We need a utility that links IP addresses to countries -- I've
> seen suggestions that there are Perl libraries and/or web sites
> that provide this capability but I don't know what/where they are.

It's not always possible to link IP address to
geographical location, but there are applications that
will succeed most of the time.  I googled on
"geographical IP", and while some of the first links
either were irrelevant or couldn't find 81.33.36.216,
http://www.ip2location.com/free.asp traced it to
Spain.

There are several operations* that, essentially,
provide a database lookup of IP address to country.
They vary mainly on quality and extensiveness.  Almost
all of 'em will get any address in the US, especially
ones that have been around for years.  The real test
is not-well-known IP addresses elsewhere; spammers'
IPs can be a good test.  (Not to mention non-US AOL;
there is the perception that a sizeable fraction of
all users worldwide go through AOL.  This might have
been true some years ago, but I'm not sure how true it
remains today.)

* Some of them offer free trials, but don't even try
abusing them.  A few queries to test their quality (or
do one-off lookups on a given spammer every now and
then, as in this case) is one thing, but it's trivial
to detect someone submitting a lot of queries (say,
20+ queries a day).  For those kinds of loads, they
sell commercial packages.
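The two steps discussed in this thread, pulling the originating IP out of the last "Received:" header and then doing a local IP-to-country lookup, as an added example that is not part of either poster's message. The sample message, the hostnames and the prefix table are constructed placeholders (the 81.33.36.216 address is the one quoted above; the table's prefixes and country codes are not real allocations), so the script runs offline without querying any of the lookup services the reply mentions.

```python
import email
import ipaddress
import re

# Constructed sample message: not a real message from the thread. The
# hostnames are placeholders; 81.33.36.216 is the address quoted above.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby lists.example.org with ESMTP; Mon, 26 Apr 2004 16:40:33 +0000
Received: from user-pc (pool-example.pooles.rima-tde.net [81.33.36.216])
\tby mx.example.org with SMTP; Mon, 26 Apr 2004 16:39:50 +0000
From: someone@example.net
Subject: test

body
"""

# Receiving MTAs conventionally record the peer address in square brackets.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message: str) -> list:
    """Return the bracketed IPv4 address from each Received: header,
    in header order (the top header is the most recent hop)."""
    msg = email.message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4_IN_BRACKETS.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(raw_message: str):
    """The last Received: header is the earliest hop, i.e. the host that
    submitted the message. Only the headers stamped by your own relays are
    trustworthy: a sender controls everything below the lines your servers
    add, so treat lower headers as a hint, not as evidence."""
    ips = received_ips(raw_message)
    return ips[-1] if ips else None


# Constructed lookup table standing in for a commercial or free geo-IP
# database. Prefixes and country codes are placeholders, NOT real allocations.
COUNTRY_TABLE = [
    (ipaddress.ip_network("81.33.0.0/16"), "ES"),
    (ipaddress.ip_network("81.33.36.0/24"), "ES"),
    (ipaddress.ip_network("192.0.2.0/24"), "XX"),  # RFC 5737 documentation net
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
]


def country_for_ip(ip: str):
    """Longest-prefix match of ip against COUNTRY_TABLE; None when unlisted.
    Real databases have overlapping, more specific entries, so the most
    specific matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in COUNTRY_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def locate_sender(raw_message: str):
    """Combine both steps: originating IP and its table country (or None)."""
    ip = originating_ip(raw_message)
    return ip, (country_for_ip(ip) if ip else None)


if __name__ == "__main__":
    for hop in received_ips(SAMPLE_MESSAGE):
        print("hop:", hop, "->", country_for_ip(hop))
    print("origin:", locate_sender(SAMPLE_MESSAGE))
```

The lookup quality the reply talks about lives entirely in the table: with a real database the code is unchanged and the hit rate on little-known non-US ranges depends on how complete that database is, which is the test the reply recommends applying to a candidate service.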