Hi all,

Now I admit that I don't regularly read all the headers of spam that I receive, but this one intrigued me. Take a look at its Received headers:
> Received: from tele-punt-22.mail.demon.net (tele-punt-22.mail.demon.net
>       [194.217.242.7])
>       by zamenhof.demon.co.uk (8.9.3/8.9.3) with SMTP id WAA02238
>       for <[EMAIL PROTECTED]>; Mon, 30 Jun 2003 22:19:20 +0100
> Received: from punt-2.mail.demon.net by mailstore
>       for [EMAIL PROTECTED] id 1057007496:20:09354:8;
>       Mon, 30 Jun 2003 21:11:36 GMT
> Received: from [61.153.213.130] ([61.153.213.130]) by punt-2.mail.demon.net
>       id aa2111511; 30 Jun 2003 21:11 GMT
> Received: from [202.79.123.71] by 194.217.242.6 with ESMTP id 0FFDFD45CF0; Tue, 01
>       Jul 2003 02:05:32 +0400

What's interesting is that the header at the bottom is clearly forged - 194.217.242.6 *is* punt-2.mail.demon.net, which is one of the two MX records for my domain zamenhof.demon.co.uk. The genuine Received header is the one above.

Is this a new spammer trick - to forge a Received header that refers to the recipient's legitimate MX? Presumably the intention is to try to mislead anyone (or anything) which is trying to trace the spammer - or at least throw them off course.

Is this common?

Martin
--
Martin Radford                  | "Only wimps use tape backup: _real_
[EMAIL PROTECTED]               | men just upload their important stuff
-o) Registered Linux user #9257 | on ftp and let the rest of the world
/\\ - see http://counter.li.org | mirror it ;)" - Linus Torvalds
_\_V
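The by-eye check described in the post can be automated. The following is an added example, not part of the original message: it walks the Received chain from the top, finds the hop where the recipient's own infrastructure accepted the mail from outside, and flags any older header that claims to have been written by that infrastructure. The `TRUSTED` set is an assumption built from the hosts named in the post, and `hop` and `analyse` are hypothetical names.

```python
import email
import re

# Constructed from the headers quoted in the post (addresses are redacted there).
RAW = """\
Received: from tele-punt-22.mail.demon.net (tele-punt-22.mail.demon.net
\t[194.217.242.7])
\tby zamenhof.demon.co.uk (8.9.3/8.9.3) with SMTP id WAA02238
\tfor <[EMAIL PROTECTED]>; Mon, 30 Jun 2003 22:19:20 +0100
Received: from punt-2.mail.demon.net by mailstore
\tfor [EMAIL PROTECTED] id 1057007496:20:09354:8;
\tMon, 30 Jun 2003 21:11:36 GMT
Received: from [61.153.213.130] ([61.153.213.130]) by punt-2.mail.demon.net
\tid aa2111511; 30 Jun 2003 21:11 GMT
Received: from [202.79.123.71] by 194.217.242.6 with ESMTP id 0FFDFD45CF0; Tue, 01
\tJul 2003 02:05:32 +0400

body
"""

# Assumption: names and addresses of the recipient's own mail path, per the post.
TRUSTED = {"zamenhof.demon.co.uk", "mailstore", "tele-punt-22.mail.demon.net",
           "punt-2.mail.demon.net", "194.217.242.6", "194.217.242.7"}

def hop(value):
    """Return the (from, by) hosts claimed by one Received header value."""
    def grab(key):
        m = re.search(rf"\b{key}\s+(\S+)", value)
        return m.group(1).strip("[]();").lower() if m else None
    return grab("from"), grab("by")

def analyse(raw, trusted=TRUSTED):
    """Return (external sender, forged hops claiming a trusted 'by' host)."""
    values = email.message_from_string(raw).get_all("Received", [])
    hops = [hop(v) for v in values]          # newest header first
    for i, (src, by) in enumerate(hops):
        if by not in trusted:                # chain never reaches our servers
            return None, []
        if src not in trusted:               # handoff from the outside world
            # Everything older was supplied by the sender; our own hosts
            # cannot have written it, so a trusted 'by' there is forged.
            return src, [h for h in hops[i + 1:] if h[1] in trusted]
    return None, []

if __name__ == "__main__":
    print(analyse(RAW))
```

Only headers at or above the handoff hop are reliable for tracing; the address recorded there is the one to report.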