Good show, Dean! -----Original Message----- From: Dean Cunningham [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 01, 2005 8:06 PM To: Exchange Discussions Subject: RE: Spoofing the exchange discussions list server
The list server re-mangles the internet headers and only shows it as the source. If you look at the internet headers of this email you will see the list server as the source , even tho it originated from nrc86.nrc.govt.nz via our firewall relay. The list server does keep the x-message-ID , which will have a local reference (to the users domain) to the originating server. E.G. X-Message-Id: <[EMAIL PROTECTED]> At the end of the day the list server will have a full copy of the spoofed messages sent, so if you feel aggrieved, email [EMAIL PROTECTED] and they can deal to the spammer/childthing -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz Sent: Thursday, 2 June 2005 9:46 a.m. To: Exchange Discussions Subject: RE: Spoofing the exchange discussions list server The spoofed messages came from intm-dl.sparklist.com [64.62.197.83], which is the legit list server. While I agree that SMTP (RFC2821) and Message Format (RFC2822) both leave a lot to be desired, this does not appear to be a simple SMTP header spoof. I even went back and scoured my firewall logs to see what MX was connected to my MX at the time the message was sent. The message did actually come from the Exchange Discussions list server. <insert twilight zone music here> Eric -----Original Message----- From: Chris Scharff [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 01, 2005 3:06 PM To: Exchange Discussions Subject: RE: Spoofing the exchange discussions list server They read RFC2821 and RFC2822? > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Eric Fretz > Posted At: Wednesday, June 01, 2005 2:49 PM > Posted To: swynk > Conversation: Spoofing the exchange discussions list server > Subject: Spoofing the exchange discussions list server > > > Has anyone figured out how the perp spoofed e-mail messages to the > list and impersonated Ed Crowley and others? I've got some mail > enhancement products (The pun was intended) and low mortage rates I'd > like to offer the list. > > Seriously, has anyone figured out how it happened? > > --Eric > > Eric Fretz > Network Administrator > L3 Communications / ComCept Division > O: 972.772.7505 x5260 > F: 972.772.7510 > C: 214.794.9288 > [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. ********************************************************************** Have you clicked on yet? www.nrc.govt.nz ********************************************************************** NORTHLAND REGIONAL COUNCIL This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify [EMAIL PROTECTED] ********************************************************************** _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with.
