on Thu, Jan 03, 2002 at 05:26:37PM -0500, dman ([EMAIL PROTECTED]) wrote:
>
> I just got this message. Looks like the scammers are getting smarter
> -- sent directly to me with no trail in the Received: headers (all the
> received headers are my school accounts forwarding to other school
> accounts and eventually to my house). Just beware :-).

It's a spoofed origin packet. It appears to find a host on your network
and claim to be coming from it, when in fact it's not. In your case and
mine, the host is the primary MX server for the domain (mine came
through mx00.ix.netcom.com).

I got the same spam.

> Funny, as I snipped out most of the noise, I noticed that james wants
> a "trust wordy" partner. Hehe.
>
> -D
>
> ----- Forwarded message from james langa <[EMAIL PROTECTED]> -----
>
> Received: from pony-express.cs.rit.edu ([129.21.30.24])
>     by localhost with esmtp (Exim 3.33 #1 (Debian))
>     id 16MGB3-0000i7-00
>     for <[EMAIL PROTECTED]>; Thu, 03 Jan 2002 17:17:33 -0500
> Received: from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15])
>     by pony-express.cs.rit.edu (8.9.3/8.9.3) with ESMTP id RAA03543
>     for <[EMAIL PROTECTED]>; Thu, 3 Jan 2002 17:10:06 -0500 (EST)
> Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #40294)
>     id <[EMAIL PROTECTED]> for [EMAIL PROTECTED]
>     (ORCPT rfc822;[EMAIL PROTECTED]); Thu, 3 Jan 2002 17:10:06 EST
> Received: from ritvax.isc.rit.edu by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
>     id <[EMAIL PROTECTED]> for [EMAIL PROTECTED]
>     (ORCPT rfc822;[EMAIL PROTECTED]); Thu, 03 Jan 2002 17:10:05 -0500 (EST)
> Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
>     id <[EMAIL PROTECTED]> for [EMAIL PROTECTED]
>     (ORCPT rfc822;[EMAIL PROTECTED]); Thu, 03 Jan 2002 17:10:04 -0500 (EST)
> Received: from vmsmx.rit.edu ([64.110.64.19])
                                 ^^^^^^^^^^^^

That's not an rit.edu address. Note that the "Received:" line host is
whatever the remote MTA says it wants to be. A well-tuned mailserver
will do some fancy stuff like a reverse lookup or auth to see if names
match.

Here's your spammer, looks like this Nigeria spam's actually from
Nigeria:

    $ host 64.110.64.19
    Name: host-64-110-64-19.interpacket.net
    Address: 64.110.64.19

    InterPacket Group, Inc. (NETBLK-INTERPACKET4) INTERPACKET4
                                            64.110.0.0 - 64.110.191.255
    Bacom Communications Ltd. (NETBLK-IPG4-64-16-20000717) IPG4-64-16-20000717
                                            64.110.64.16 - 64.110.64.31

    To single out one record, look it up with "!xxx", where xxx is the
    handle, shown in parenthesis following the name, which comes first.

    $ whois \!NETBLK-IPG4-64-16-20000717

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    Bacom Communications Ltd. (NETBLK-IPG4-64-16-20000717)
       11, Abagbon Close Off Ologun - Agbaje St.
       Victoria Island,
       NG

       Netname: IPG4-64-16-20000717
       Netblock: 64.110.64.16 - 64.110.64.31

       Coordinator:
          Ogunsola, Saheed (SO139-ARIN) [EMAIL PROTECTED]
          +2616 035

       Record last updated on 18-Jul-2000.
       Database last updated on 3-Jan-2002 19:56:04 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

>     by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
>     with SMTP id <[EMAIL PROTECTED]> for
>     [EMAIL PROTECTED] (ORCPT rfc822;[EMAIL PROTECTED]); Thu,
>     03 Jan 2002 17:10:04 -0500 (EST)
> Date: Thu, 03 Jan 2002 23:02:27
> From: james langa <[EMAIL PROTECTED]>
> Subject: IMPORTANT
> To: [EMAIL PROTECTED]
> Message-id: <[EMAIL PROTECTED]>
> X-VMS-To: IN%"[EMAIL PROTECTED]"
> MIME-version: 1.0
> Content-type: text/plain; charset=iso-8859-1
> Content-transfer-encoding: 7BIT
>
> FROM: COL. JAMES LANGA.
> DEMOCRATIC REPUBLIC OF CONGO.
> [EMAIL PROTECTED]
> Dear Sir,

-- 
Karsten M. Self <kmself@ix.netcom.com>       http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
We freed Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html
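The check made by eye in the message above (a hop that names itself inside the site's domain but connects from an address outside the site's network) can be automated. The following is an added example, not part of the original message; the function names are hypothetical, and 129.21.0.0/16 is an assumed stand-in for the site's own address space, chosen because both genuine hops shown above fall inside it.

```python
import ipaddress
import re

# Matches "from <claimed-name> ([ip])" and "from <claimed-name> (<rdns-name> [ip])".
# IPv4 only, which is all the headers above contain.
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)")

def parse_hops(raw_headers):
    """Return (claimed_name, recorded_rdns_or_None, ip) per Received: header, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    hops = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = HOP.search(line)
            if m:  # hops that record no peer address are skipped
                hops.append((m.group(1).lower(), m.group(2),
                             ipaddress.ip_address(m.group(3))))
    return hops

def forged_internal_hops(raw_headers, org_domain, org_networks):
    """Flag hops whose claimed name is in org_domain but whose IP is outside org_networks."""
    nets = [ipaddress.ip_network(n) for n in org_networks]
    domain = org_domain.lower()
    findings = []
    for claimed, rdns, ip in parse_hops(raw_headers):
        claims_internal = claimed == domain or claimed.endswith("." + domain)
        if claims_internal and not any(ip in net for net in nets):
            findings.append({"claimed": claimed, "ip": str(ip), "rdns": rdns})
    return findings

# Received: headers taken from the message above; the "by ..." parts are shortened.
SAMPLE = """\
Received: from pony-express.cs.rit.edu ([129.21.30.24])
\tby localhost with esmtp (Exim 3.33 #1 (Debian))
Received: from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15])
\tby pony-express.cs.rit.edu (8.9.3/8.9.3) with ESMTP id RAA03543
Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
Received: from vmsmx.rit.edu ([64.110.64.19])
\tby ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
"""

if __name__ == "__main__":
    # Assumption: 129.21.0.0/16 stands in for the site's own address space.
    for f in forged_internal_hops(SAMPLE, "rit.edu", ["129.21.0.0/16"]):
        print("claimed %(claimed)s but connected from %(ip)s" % f)
```

Only the bracketed address is written by the receiving server; the name before it is the sender's own claim, which is why the comparison keys on the address.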