
Strange behavior

Status
Not open for further replies.

echoecho

IS-IT--Management
Jan 4, 2002
302
US
Ok, this is not really a Win2k issue, but you guys are so darn smart I wanted to throw this one out there. I have been receiving some strange returned messages on my home computer. One of which references a mail server called mail.danu.ie. If I ping this server name, it returns the local broadcast address, 127.0.0.1. So, I tried the same from a computer at work, and got the same results. I then got onto our router to the internet, and got the same thing, 127.0.0.1. So, my question is, does anyone have a clue what this is? Can anyone try to ping or tracert to mail.danu.ie and let me know what you get? Thanks.
 
That is extremely odd. I've never seen that before. The IP is a loopback address. That server name does not seem to be a valid one since it keeps going back to the same NIC. I've looked all over microsoft's site and couldn't find that command anywhere. A tracert always gives the exact same results a loopback will give hence that must be another way to test your loopback. Did an ISP give you that address as a mail server? -Brad
A+, MCSE NT4, MCDBA SQL7

-Best cartoon of all time :-D 'Spongebob Squarepants' :-D
 
Well, using NSLOOKUP I queried my domain DNS server, and an external DNS server.

The internal DNS timed out, (just as well, I have never seen a reference to that domain in the DNS setup) but the external DNS server returned 127.0.0.1 immediately.

Obviously this isn't an error, maybe some RFC somewhere references it? I think maybe the .ie is a specially configured top level domain or similar?

If I find out more I'll let you know.

Tels


Mixed Linux/Win2000 Network Administrator
 
Nope, never seen it before until I got the returned email. And that is now three different locations that it returns the 127.0.0.1 address, as well as three different ISPs and three different DNS servers. is a valid website, do you think I should try contacting them to see if they have any ideas?

Oh yes, me and my son would have to agree with the Sponge Bob comment :)
 
Some thoughts struggling out of my brain.

127.0.0.1 is a loopback IP - you're talking to yourself.

Now, why is that?

The strange thing is that it happens in all places, if it was just one machine I'd suspect the hosts file contains an entry specifying that IP address for that dns name.

The only reason I've ever seen it used like that is to stop a machine from accessing a particular website - when you try to connect to that site, you get the same result.

The other time I've seen something similar happening was when some spyware was installed on the machine - the software seemed to be using the loopback IP to interrogate the host, then presumably to send info onwards. Can't imagine any of this applies to a router though.

That didn't help, did it?

Last thing to check - when you say 'strange return messages' what exactly are these? I believe the Klez virus uses fake 'bounced email' messages to propagate - it's not that is it? Got your AV software up to date?
 
Yes, Norton is up to date as of last night, and done on a daily basis. Did a full registry/hdd scan with adaware with the latest updates. The body of the email is as follows:

Failed to deliver to 'a53146@danu.ie'
SMTP module(domain danu.ie) reports:
DNS Loop: MX-record mail.danu.ie points back to us

The attached txt file is as follows:

Received: from [65.100.166.142] (HELO Ahp)
by mx05.cluster1.charter.net (CommuniGate Pro SMTP 3.5.9)
with SMTP id 21104007 for a53146@danu.ie; Wed, 10 Jul 2002 15:45:49 -0400
From: Hotwire <Hotwire@hotwire.m0.net>
To: a53146@danu.ie
Subject: Let's be friends
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=I5U7ts71268xg4PPiv8b5d8926K7
Date: Wed, 10 Jul 2002 15:45:49 -0400
Message-ID: <auto-000021104007@mx05.cluster1.charter.net>

Looking at the subject line, "Let's be friends", I would venture to guess it is a virus, but how would it escape the AV scan? Also, in the notes above, nowhere is my email address listed, and none of these addresses are in my contact list.
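An added triage script, not code from this thread or from any of the posters, that works through the two things discussed above: whether the recipient domain's MX resolves to a loopback or otherwise unroutable address (the "DNS Loop: MX-record points back to us" cause), and what the Received header of the attached txt actually says about where the message entered the mail system. The headers are transcribed from the attached txt quoted above; the DNS table is a constructed stand-in that mirrors what the posters saw with nslookup (mail.danu.ie resolving to 127.0.0.1) rather than a live lookup, and the user's own address (me@example.com) and the mx.example.com entry are assumptions for illustration.

```python
"""Defender-side triage of a 'DNS loop' bounce.

Added example for this thread, not code from it. The DNS table below is
constructed to reproduce what the posters observed and is not a live lookup.
"""
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Headers transcribed from the attached txt quoted in the thread; the Received
# and Content-Type headers are folded onto continuation lines as in the original.
BOUNCE_HEADERS = """\
Received: from [65.100.166.142] (HELO Ahp)
  by mx05.cluster1.charter.net (CommuniGate Pro SMTP 3.5.9)
  with SMTP id 21104007 for a53146@danu.ie; Wed, 10 Jul 2002 15:45:49 -0400
From: Hotwire <Hotwire@hotwire.m0.net>
To: a53146@danu.ie
Subject: Let's be friends
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary=I5U7ts71268xg4PPiv8b5d8926K7
Date: Wed, 10 Jul 2002 15:45:49 -0400
Message-ID: <auto-000021104007@mx05.cluster1.charter.net>
"""

# Constructed stand-in for DNS: MX lookups by domain, A lookups by hostname.
# danu.ie mirrors the thread; example.com is an assumed second case.
FAKE_DNS = {
    "MX": {"danu.ie": ["mail.danu.ie"], "example.com": ["mx.example.com"]},
    "A": {"mail.danu.ie": ["127.0.0.1"], "mx.example.com": ["10.0.0.5"]},
}

# Matches the CommuniGate-style Received line quoted above after whitespace
# normalisation: "from [ip] (HELO name) by host ... id X for rcpt;"
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>[\d.]+)\] \(HELO (?P<helo>\S+)\)\s+by (?P<by>\S+).*?"
    r"\bid (?P<id>\S+) for (?P<rcpt>\S+);"
)


def parse_received(raw_headers):
    """Return one dict per Received header, in header order (newest hop first)."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold and collapse spaces
        if m:
            hops.append(m.groupdict())
    return hops


def mx_sanity(domain, dns=FAKE_DNS):
    """Resolve the domain's MX hosts and flag any that cannot be reached from outside.

    An MX that resolves to loopback (or any non-global address) can never accept
    mail from another site; a relay that tries ends up talking to itself and
    reports a 'DNS loop', which is exactly the bounce text quoted in the thread.
    """
    findings = []
    for host in dns["MX"].get(domain, []):
        for addr in dns["A"].get(host, []):
            ip = ipaddress.ip_address(addr)
            if ip.is_loopback:
                reason = "loopback"
            elif not ip.is_global:
                reason = "non-global"
            else:
                reason = "ok"
            findings.append((host, addr, reason))
    return findings


def triage_bounce(raw_headers, my_addresses, dns=FAKE_DNS):
    """Explain a bounce: where the message entered the mail system and why it failed."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = parse_received(raw_headers)
    origin = hops[-1] if hops else {}  # bottom-most Received = first hop, nearest the sender
    mine = {a.lower() for a in my_addresses}
    rcpt = parseaddr(msg.get("To", ""))[1]
    sender = parseaddr(msg.get("From", ""))[1]
    rcpt_domain = rcpt.rsplit("@", 1)[-1] if "@" in rcpt else ""
    report = {
        "origin_ip": origin.get("ip"),
        "origin_helo": origin.get("helo"),
        "first_relay": origin.get("by"),
        "claimed_from": sender,
        "recipient": rcpt,
        "mx_findings": mx_sanity(rcpt_domain, dns),
    }
    report["bounce_cause"] = (
        "recipient MX unroutable"
        if any(reason != "ok" for _, _, reason in report["mx_findings"])
        else "unknown"
    )
    # Neither address in the bounced message is ours, so the only way the bounce
    # could have reached us is a forged envelope sender: treat it as backscatter,
    # not as evidence that our own machine sent anything.
    report["likely_backscatter"] = rcpt.lower() not in mine and sender.lower() not in mine
    return report


if __name__ == "__main__":
    for key, value in triage_bounce(BOUNCE_HEADERS, ["me@example.com"]).items():
        print(f"{key}: {value}")
```

The useful outputs for a home user are the last two fields: the MX finding explains the odd 127.0.0.1 answer every DNS server returns, and the backscatter flag says the bounce is a side effect of someone forging your address, which is why a clean AV scan on your own machine is consistent with still receiving these.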
 
Certainly a virus.

How is your AV implemented? If you're scanning mail at the server, it should get picked up. If you're just on the station, it probably won't until you run any attachment (if there is one).

Let's be friends is a real old one. The bounced mail thing is definitely Klez behaviour, and that's going on right now.

Last thought - as it's an attached text file, are you sure it hasn't been picked up? Our EX5.5 server has Norton, and if it picks up a virus it converts it to a harmless text file and sends it to the recipient. The notification doesn't necessarily go with it.
 
That's a bummer. This is my home computer; here at work we run Norton both at the desktop and at Exchange. At home I use Norton 2001 Professional. So, should I get removal tools for the virus from Symantec? And if it is Klez, which I know hits our mail server here hundreds of times a day, how could it have gotten past all the scans I have done on my PC? I am very vigilant about taking care of my home computer and now wonder how effective Norton really is.
 
I wouldn't say you've necessarily picked it up - sorry, I haven't really looked at how it works. Maybe you're getting a crippled version with no payload.

Suggest have a browse on Norton's site - as far as I can see NAV picks it up fine - my experience with Norton is good - I wouldn't change.

 
I agree, Norton has always been effective here at work, I have not found anything on Norton's site yet, but will keep looking. Still, what about the mail.danu.ie pointing to the loopback address (sorry, I called it the broadcast address earlier.) That one still confuses me a little.
 
Well, it is not Klez. I got the removal tool from Symantec and it said it was not on the computer. As a precaution, I swapped out my BSD firewall with a router, just so I could double check everything on that. If there are any other suggestions they would be appreciated.
 