Roger Diggle <[EMAIL PROTECTED]> wrote:
Spammers like to forge trusted addresses. They're hoping you'll trust the contents of the message if you believe the message actually originated from a trustworthy person.

I received a piece of spam disguised as campaign literature. The odd thing was that the email claims to have originated at CNN.
I'm still figuring out how to parse headers, but it looks to me as if this post bounced through a couple of open relays and originated at Bristol-Myers Squibb. Can anyone tell me if I'm reading this correctly?
Not quite, but it was a good effort.
How does someone direct email through multiple open relays?
You can't. An open relay would never send email through another open relay.
Thanks in advance... Here's the header:

Return-Path: <[EMAIL PROTECTED]>
This header is easily forged. Don't trust it.
Received: from bm4.mail.tds.net ([216.170.230.74]) by bm6.mail.tds.net
with ESMTP id <[EMAIL PROTECTED]>
for <[EMAIL PROTECTED]>; Fri, 25 Oct 2002 20:27:28 -0500
One of your ISP's SMTP servers transferred this message to another of your ISP's SMTP servers. Trust this header.

Your ISP's SMTP server claims that it received the message from something claiming to be "bigfoot.com". Your SMTP server determined that the IP address of the sender was "64.15.239.142" and looked up the official name of this address in its DNS records. The official name in the DNS records was "mail.bigfoot.com", so the sender identified itself honestly. Trust this header.

Received: from bigfoot.com (mail.bigfoot.com [64.15.239.142]) by bm4.mail.tds.net (8.12.3/8.12.2)
with SMTP id g9Q1ROtS013350
for <[EMAIL PROTECTED]>; Fri, 25 Oct 2002 20:27:24 -0500 (CDT)
Bigfoot's SMTP server claims that it received the message from something claiming to be "cnn.com". Your SMTP server determined that the IP address of the sender was "200.13.230.243", but either didn't look up the address in its DNS records or *did* look it up but didn't find any matching records. Since you regularly receive forwarded email from BIGFOOT.COM, you'll have to determine for yourself whether BIGFOOT does or does not typically perform reverse-DNS lookups.

Received: from cnn.com ([200.13.230.243]) by BFLITEMAIL1A.bigfoot.com (LiteMail v3.02(BFLITEMAIL1A))
with SMTP id 25Oct2002_BFLITEMAIL1A_53019_5225563; Fri, 25 Oct 2002 21:27:22 -0400 EST
Performing a traceroute to IP address "200.13.230.243" shows that the message originated from within the ".CO" domain, which is the national abbreviation for Colombia. (See <http://www.norid.no/domenenavnbaser/domreg.html> for other national domain abbreviations.) Apparently, someone either relayed the message through an unsecured computer in that country, or the spammer is Colombian. I'd bet it was the former.
This "Received:" header is completely inconsistent with the "Received:" header above it, so it must be a forgery. Don't trust it -- or any "Received:" headers below it -- since they appear to be forgeries added by the spammer to throw you off his trail.

Received: from unknown (HELO smtp-server.tampabayr.com) (95.223.62.90) by asy100.as122.sol-superunderline.com
with NNFMP; Fri, 25 Oct 2002 12:26:46 +1200

The remaining headers are either forgeries or do not contain any information that would lead us back to the spammer.

Received: from mta21.bigpong.com ([60.10.155.194]) by m10.grp.snv.yahui.com with NNFMP; Sat, 26 Oct 2002 00:24:53 -0100
Received: from unknown (140.176.180.81) by smtp4.cyberecschange.com with smtp; 25 Oct 2002 23:23:00 +0200
Reply-To: <[EMAIL PROTECTED]>
Message-ID: <034e64e12b2b$2461a1a1$4ea83cb2@cygyyr>
From: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: VOTE EARLY!!!!
Date: Fri, 25 Oct 2002 20:18:29 +0500
MiME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: eGroups Message Poster
Importance: Normal
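As an added example (not part of Roger's post or of the reply above), here is a small Python script that does mechanically what the reply does by hand: it parses each "Received:" header into the name the sender announced (HELO), the name the receiving server resolved for the sender's IP, the IP itself and the host that wrote the header, then walks the chain from the top and stops at the first hop whose sender does not match the host that wrote the header beneath it. The sample message is constructed from the headers quoted above, with the addresses the archive redacted replaced by placeholders; the "same operator if the last two labels match" comparison used to accept the mail.bigfoot.com / BFLITEMAIL1A.bigfoot.com hand-off is an assumption that fits these hosts but not every TLD.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample: the Received: chain quoted in the thread, folded the way
# a mail client emits it. Addresses and ids the archive redacted are replaced
# with placeholders (assumption: their exact values do not matter here).
SAMPLE_HEADERS = """\
Return-Path: <redacted@example.invalid>
Received: from bm4.mail.tds.net ([216.170.230.74]) by bm6.mail.tds.net
    with ESMTP id <redacted>
    for <redacted@example.invalid>; Fri, 25 Oct 2002 20:27:28 -0500
Received: from bigfoot.com (mail.bigfoot.com [64.15.239.142])
    by bm4.mail.tds.net (8.12.3/8.12.2) with SMTP id g9Q1ROtS013350
    for <redacted@example.invalid>; Fri, 25 Oct 2002 20:27:24 -0500 (CDT)
Received: from cnn.com ([200.13.230.243]) by BFLITEMAIL1A.bigfoot.com
    (LiteMail v3.02(BFLITEMAIL1A)) with SMTP id 25Oct2002_BFLITEMAIL1A_53019_5225563;
    Fri, 25 Oct 2002 21:27:22 -0400 EST
Received: from unknown (HELO smtp-server.tampabayr.com) (95.223.62.90)
    by asy100.as122.sol-superunderline.com with NNFMP; Fri, 25 Oct 2002 12:26:46 +1200
Received: from mta21.bigpong.com ([60.10.155.194]) by m10.grp.snv.yahui.com
    with NNFMP; Sat, 26 Oct 2002 00:24:53 -0100
Received: from unknown (140.176.180.81) by smtp4.cyberecschange.com with smtp;
    25 Oct 2002 23:23:00 +0200
Subject: VOTE EARLY!!!!

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>[^\s(;]+)", re.IGNORECASE)
RDNS_IN_PARENS = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")            # "(name [ip])"
HELO_IN_PARENS = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)  # "(HELO name)"


@dataclass
class Hop:
    helo: str            # name the sender announced; trivially forgeable
    rdns: Optional[str]  # name the receiver resolved for the sender's IP, if it looked
    ip: Optional[str]    # sender IP as the receiver saw it
    by: str              # receiving host that wrote this header


def parse_received(value: str) -> Optional[Hop]:
    value = " ".join(value.split())  # unfold continuation lines
    m = FROM_BY.search(value)
    if not m:
        return None
    from_clause, by_host = m.group("from"), m.group("by").lower()
    helo, _, rest = from_clause.partition(" ")
    helo_m = HELO_IN_PARENS.search(rest)
    if helo_m:                       # "from unknown (HELO name) (ip)" style
        helo = helo_m.group(1)
    ip_m, rdns_m = IPV4.search(rest), RDNS_IN_PARENS.search(rest)
    return Hop(helo.lower(), rdns_m.group(1).lower() if rdns_m else None,
               ip_m.group(1) if ip_m else None, by_host)


def registered_domain(host: str) -> str:
    # Assumption: the last two labels identify the operator. Good enough for
    # the hosts on this page; wrong for ccTLD second-level domains (e.g. .co.uk).
    return ".".join(host.lower().split(".")[-2:])


def consistent(upper: Hop, lower: Hop) -> bool:
    """Did the host that wrote `lower` really hand the message to the host that
    wrote `upper`?  upper.by says it got the message from upper.rdns / upper.ip /
    upper.helo, and that sender should be the host named in lower.by."""
    if lower.by in {n for n in (upper.rdns, upper.ip, upper.helo) if n}:
        return True
    return any(registered_domain(n) == registered_domain(lower.by)
               for n in (upper.rdns, upper.helo) if n and n != "unknown")


def analyze(raw_message: str) -> List[Tuple[Hop, str]]:
    """Walk the chain top-down (the header your own server wrote comes first).
    Headers stay trustworthy until one hop's sender no longer matches the "by"
    host of the header beneath it; from there down the spammer could have
    written them before the message ever left his machine."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    verdicts, broken = [], False
    for i, hop in enumerate(hops):
        if broken:
            verdicts.append((hop, "untrusted"))
        elif i + 1 < len(hops) and not consistent(hop, hops[i + 1]):
            verdicts.append((hop, "trusted (chain ends here)"))
            broken = True
        else:
            verdicts.append((hop, "trusted"))
    return verdicts


def first_untrusted_hop(raw_message: str) -> Optional[int]:
    for i, (_, verdict) in enumerate(analyze(raw_message)):
        if verdict == "untrusted":
            return i
    return None


if __name__ == "__main__":
    for i, (hop, verdict) in enumerate(analyze(SAMPLE_HEADERS)):
        print(f"{i}: by {hop.by:<40} from {hop.rdns or hop.helo} [{hop.ip}]  {verdict}")
```

Run as a script it prints one line per hop; on the sample the tds.net, bigfoot.com and cnn.com hops come out trusted and the asy100.as122.sol-superunderline.com hop and everything below it untrusted, which is the same cut the reply makes by eye. The check only establishes how far down the chain can be verified from the headers themselves; the last trusted hop's "from" fields (here the IP 200.13.230.243 and the unverified HELO name "cnn.com") are where any further investigation has to start.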