I'm sure I read somewhere about some exploit/vuln that involved DAV (which I noticed in the headers) - maybe that has something to do with it?
regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:[EMAIL PROTECTED]

> -----Original Message-----
> From: Rob Hackney [mailto:[EMAIL PROTECTED]
> Sent: 06 November 2003 13:15
> To: Exchange Discussions
> Subject: strange headers
>
> Hi, our organisation received an email yesterday and I don't quite know
> why it appeared the way it did.
> Basically, someone sent an email from a Hotmail address yet the 'from'
> field did not display the hotmail address, but an address that looked as
> tho it was from our network. Now I know that it is possible to spoof
> addresses and so on but I didn't think this was possible thru hotmail
> tho having looked on their site, it appears you can do POP and the line
> below 'mail pickup service seems to indicate that. I don't use hotmail
> so I don't know whether POP could have been used.
> Would someone be able to look at the headers below and tell me what
> happened? I believe that someone did use a POP thru hotmail and
> spoofed the address but would like confirmation or correction
> I have also included the original mail but deleted some parts.
> (incidentally, what is the best practice for posting headers? should I
> block our sensitive stuff or is it easy enough to get hold of that it is
> not worth the bother?)
> Much obliged
> Rob
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from gateway.mydomain.xxx.net ([xxx.xxx.xx.x]) by
>     servername.mydomain.co.uk with Microsoft SMTPSVC(5.0.2195.6713);
>     Sat, 1 Nov 2003 16:55:11 +0000
> Received: from server.isp.net ([xxx.xxx.xxx.xxx])
>     by gateway.mydomain.xxx.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt79Q098836
>     for <[EMAIL PROTECTED]>; Sat, 1 Nov 2003 16:55:07 GMT
> x-previous-hop: 64.4.18.193
> Received: from hotmail.com (law12-oe58.law12.hotmail.com [64.4.18.193])
>     by server.isp.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt84r029294
>     for <[EMAIL PROTECTED]>; Sat, 1 Nov 2003 16:55:09 GMT
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>     Sat, 1 Nov 2003 08:55:06 -0800
> Received: from xx.xxx.xx.xxx by law12-oe58.law12.hotmail.com with DAV;
>     Sat, 01 Nov 2003 16:55:06 +0000
> X-Originating-IP: [xx.xxx.xx.xxx]
> X-Originating-Email: [EMAIL PROTECTED]
> From: "The one" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: getting sponsored
> Date: Sat, 1 Nov 2003 16:54:57 -0000
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="----=_NextPart_000_0005_01C3A098.E1BED900"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> Message-ID: <[EMAIL PROTECTED]>
> X-OriginalArrivalTime: 01 Nov 2003 16:55:06.0977 (UTC)
>     FILETIME=[E7226510:01C3A098]
> X-Virus-Checked: 61885
> X-Skip-Virus-Check: yes
> X-Sender-IP: 212.50.178.147
> X-INT-DeliveryDone: hA1Gt79Q098836
> Return-Path: [EMAIL PROTECTED]
>
> ------=_NextPart_000_0005_01C3A098.E1BED900
> Content-Type: text/plain;
>     charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> ------=_NextPart_000_0005_01C3A098.E1BED900
> Content-Type: text/html;
>     charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> ------=_NextPart_000_0005_01C3A098.E1BED900--
>
> -----Original Message-----
> From: The one [mailto:[EMAIL PROTECTED]
> Sent: 01 November 2003 16:55
> To: Mailbox
> Subject:
>
> send back on [EMAIL PROTECTED]
>
> This email is confidential and intended solely for the use of
> the individual(s) to whom it is addressed. It should not be
> deemed to constitute a binding contract between TKC Group and
> the recipient(s) unless a purchase order number is quoted.
> Any views or opinions presented are solely those of the
> author and do not necessarily represent those of TKC Group
> Ltd. If you are not the intended recipient(s), please do not
> copy or disclose its contents. Please return it to:
> [EMAIL PROTECTED] then delete the email.
>
> intY has scanned this email for all known viruses (www.inty.com)
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
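
An added example, not part of the thread: one way to read a header block like the one quoted above is to walk the Received: lines from oldest to newest and compare the domain shown in From: with the sender-identifying headers. The sample message is constructed; the function names and all example.* hosts, addresses and RFC 5737 IPs are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample shaped like the headers quoted in the thread. Hotmail host
# names are as shown there; all other hosts, IPs and addresses are placeholders.
SAMPLE = """\
Received: from gateway.example.net ([192.0.2.10]) by mail.example.co.uk
 with Microsoft SMTPSVC(5.0.2195.6713); Sat, 1 Nov 2003 16:55:11 +0000
Received: from hotmail.com (law12-oe58.law12.hotmail.com [64.4.18.193])
 by gateway.example.net with ESMTP id hA1Gt79Q098836;
 Sat, 1 Nov 2003 16:55:07 GMT
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
 Sat, 1 Nov 2003 08:55:06 -0800
Received: from 198.51.100.7 by law12-oe58.law12.hotmail.com with DAV;
 Sat, 01 Nov 2003 16:55:06 +0000
X-Originating-Email: [sender@hotmail.com]
From: "The one" <mailbox@example.co.uk>
To: <mailbox@example.co.uk>
Return-Path: sender@hotmail.com

(body omitted)
"""

HOP = re.compile(r"from\s+(?P<src>.+?)\s+by\s+(?P<by>\S+)\s+with\s+"
                 r"(?P<proto>.+?)(?:\s+id\s+\S+)?\s*;")

def received_hops(msg):
    """Return (source, receiving host, protocol) per hop, oldest hop first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(raw.split()))   # unfold continuation lines
        hops.append(m.group("src", "by", "proto") if m else (None, None, raw))
    return hops

def domain(value):
    """Lower-cased domain of an address header, tolerating [..] wrappers."""
    return parseaddr(value.strip("[] "))[1].rpartition("@")[2].lower()

def sender_mismatches(msg):
    """Sender-identifying headers whose domain differs from the From: domain."""
    shown = domain(msg["From"])
    return [(h, domain(msg[h])) for h in ("X-Originating-Email", "Return-Path")
            if msg[h] and domain(msg[h]) != shown]

MSG = email.message_from_string(SAMPLE)

if __name__ == "__main__":
    for src, by, proto in received_hops(MSG):
        print(f"{src} -> {by} via {proto}")
    print("From: domain disagrees with:", sender_mismatches(MSG))
```

Received: lines are prepended by each server, so the bottom one is the first hop; only the lines added by servers you trust can be relied on.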