Hi all,

Now I admit that I don't regularly read all the headers of spam that I
receive, but this one intrigued me.  Take a look at its Received
headers: 

> Received: from tele-punt-22.mail.demon.net (tele-punt-22.mail.demon.net 
> [194.217.242.7])
>       by zamenhof.demon.co.uk (8.9.3/8.9.3) with SMTP id WAA02238
>       for <[EMAIL PROTECTED]>; Mon, 30 Jun 2003 22:19:20 +0100
> Received: from punt-2.mail.demon.net by mailstore
>           for [EMAIL PROTECTED] id 1057007496:20:09354:8;
>           Mon, 30 Jun 2003 21:11:36 GMT
> Received: from [61.153.213.130] ([61.153.213.130]) by punt-2.mail.demon.net
>            id aa2111511; 30 Jun 2003 21:11 GMT
> Received: from [202.79.123.71] by 194.217.242.6 with ESMTP id 0FFDFD45CF0; Tue, 01 
> Jul 2003 02:05:32 +0400


What's interesting is that the header at the bottom is clearly forged - 
194.217.242.6 *is* punt-2.mail.demon.net, which is one of the two MX
records for my domain zamenhof.demon.co.uk.  The genuine Received
header is the one above.

Is this a new spammer trick - to forge a Received header that refers
to the recipient's legitimate MX?  Presumably the intention is to try
to mislead anyone (or anything) which is trying to trace the spammer -
or at least throw them off course.

Is this common?

Martin
-- 
Martin Radford              |   "Only wimps use tape backup: _real_ 
[EMAIL PROTECTED] | men just upload their important stuff  -o)
Registered Linux user #9257 |  on ftp and let the rest of the world  /\\
- see http://counter.li.org |       mirror it ;)"  - Linus Torvalds _\_V


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to