On Fri, Jan 04, 2002 at 12:50:58AM -0800, Karsten M. Self wrote:
| on Thu, Jan 03, 2002 at 05:26:37PM -0500, dman ([EMAIL PROTECTED]) wrote:
| >
| > I just got this message. Looks like the scammers are getting smarter
| > -- sent directly to me with no trail in the Received: headers (all the
| > received headers are my school accounts forwarding to other school
| > accounts and eventually to my house). Just beware :-).
|
| It's a spoofed origin packet. It appears to find a host on your network
| and claim to be coming from it, when in fact it's not. In your case and
| mine, the host is the primary MX server for the domain (mine came
| through mx00.ix.netcom.com). I got the same spam.
| > ----- Forwarded message from james langa <[EMAIL PROTECTED]> -----
| >
| > Received: from pony-express.cs.rit.edu ([129.21.30.24])
| >     by localhost with esmtp (Exim 3.33 #1 (Debian))
| >     id 16MGB3-0000i7-00
| >     for <[EMAIL PROTECTED]>; Thu, 03 Jan 2002 17:17:33 -0500
| > Received: from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15])
| >     by pony-express.cs.rit.edu (8.9.3/8.9.3) with ESMTP id RAA03543
| >     for <[EMAIL PROTECTED]>; Thu, 3 Jan 2002 17:10:06 -0500 (EST)
| > Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #40294)
| >     id <[EMAIL PROTECTED]> for [EMAIL PROTECTED]
| >     (ORCPT rfc822;[EMAIL PROTECTED]); Thu, 3 Jan 2002 17:10:06 EST
| > Received: from ritvax.isc.rit.edu by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
| >     id <[EMAIL PROTECTED]> for [EMAIL PROTECTED]
| >     (ORCPT rfc822;[EMAIL PROTECTED]); Thu, 03 Jan 2002 17:10:05 -0500 (EST)
| > Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
| >     id <[EMAIL PROTECTED]> for [EMAIL PROTECTED]
| >     (ORCPT rfc822;[EMAIL PROTECTED]); Thu, 03 Jan 2002 17:10:04 -0500 (EST)
| > Received: from vmsmx.rit.edu ([64.110.64.19])
|                                  ^^^^^^^^^^^^
| That's not an rit.edu address.

Good catch. I didn't even look at the address. My mail does get
shoved around a couple different servers before it is delivered so I
didn't even notice it.

| Note that the "Received:" line host is whatever the remote MTA says it
| wants to be.

Yeah.

| A well-tuned mailserver will do some fancy stuff like a reverse
| lookup or auth to see if names match.
|
| Here's your spammer, looks like this Nigeria spam's actually from
| Nigeria:

Interesting. So perhaps we shouldn't blacklist that yahoo address?

-D

--
A)bort, R)etry, D)o it right this time
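
The check made by eye in the thread above (a hop that claims an rit.edu name while the recorded peer address lies outside the range the other rit.edu hops use), as an added example that is not part of the original messages. The 129.21.0.0/16 network is an assumption inferred from the other hops quoted, and the sample message is constructed from those headers.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: the organisation's address space, inferred from the other
# rit.edu hops quoted in the thread (129.21.x.x). Replace with your own.
TRUSTED_NETS = {"rit.edu": [ipaddress.ip_network("129.21.0.0/16")]}

# "from <claimed name> (<optional rDNS name> [<peer ip>])"; the claimed name
# is whatever the sending side announced, the bracketed IP is what was seen.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>[\w.-]+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
)

# Constructed sample, modelled on the headers quoted in the thread.
SAMPLE = """\
Received: from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15])
\tby pony-express.cs.rit.edu (8.9.3/8.9.3) with ESMTP id RAA03543;
\tThu, 3 Jan 2002 17:10:06 -0500 (EST)
Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #40294);
\tThu, 3 Jan 2002 17:10:06 EST
Received: from vmsmx.rit.edu ([64.110.64.19])
\tby ritvax.isc.rit.edu (PMDF V5.2-32 #41784);
\tThu, 03 Jan 2002 17:10:04 -0500 (EST)
Subject: constructed sample

body
"""

def suspicious_hops(raw_message):
    """Return (claimed_name, ip) for hops whose claimed name falls under a
    trusted domain but whose peer IP is outside that domain's networks."""
    msg = message_from_string(raw_message)
    findings = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(header.split()))  # unfold the header
        if not m:
            continue  # hop with no recorded peer address (internal handoff)
        claimed = m.group("claimed").lower()
        ip = ipaddress.ip_address(m.group("ip"))
        for domain, nets in TRUSTED_NETS.items():
            if claimed == domain or claimed.endswith("." + domain):
                if not any(ip in net for net in nets):
                    findings.append((claimed, str(ip)))
    return findings

if __name__ == "__main__":
    for name, ip in suspicious_hops(SAMPLE):
        print(f"claimed {name} but connected from {ip}")
```

Only the hop recorded by your own servers is trustworthy here; anything earlier in the chain was written by the sending side and can be forged wholesale.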