Read and understand RFC 821 and 822, and their successors 2821 and 2822, and you'll understand a lot about how spammers ply their trade.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Hackney
Sent: Thursday, November 06, 2003 5:15 AM
To: Exchange Discussions
Subject: strange headers

Hi,

our organisation received an email yesterday and I don't quite know why it appeared the way it did. Basically, someone sent an email from a Hotmail address yet the 'from' field did not display the hotmail address, but an address that looked as tho it was from our network.

Now I know that it is possible to spoof addresses and so on but I didn't think this was possible thru hotmail tho having looked on their site, it appears you can do POP and the line below 'mail pickup service' seems to indicate that. I don't use hotmail so I don't know whether POP could have been used.

Would someone be able to look at the headers below and tell me what happened? I believe that someone did use a POP thru hotmail and spoofed the address but would like confirmation or correction. I have also included the original mail but deleted some parts.

(incidentally, what is the best practice for posting headers? Should I block our sensitive stuff or is it easy enough to get hold of that it is not worth the bother?)

Much obliged
Rob

Microsoft Mail Internet Headers Version 2.0
Received: from gateway.mydomain.xxx.net ([xxx.xxx.xx.x]) by servername.mydomain.co.uk with Microsoft SMTPSVC(5.0.2195.6713);
    Sat, 1 Nov 2003 16:55:11 +0000
Received: from server.isp.net ([xxx.xxx.xxx.xxx]) by gateway.mydomain.xxx.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt79Q098836 for <[EMAIL PROTECTED]>;
    Sat, 1 Nov 2003 16:55:07 GMT
x-previous-hop: 64.4.18.193
Received: from hotmail.com (law12-oe58.law12.hotmail.com [64.4.18.193]) by server.isp.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt84r029294 for <[EMAIL PROTECTED]>;
    Sat, 1 Nov 2003 16:55:09 GMT
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Sat, 1 Nov 2003 08:55:06 -0800
Received: from xx.xxx.xx.xxx by law12-oe58.law12.hotmail.com with DAV;
    Sat, 01 Nov 2003 16:55:06 +0000
X-Originating-IP: [xx.xxx.xx.xxx]
X-Originating-Email: [EMAIL PROTECTED]
From: "The one" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: getting sponsored
Date: Sat, 1 Nov 2003 16:54:57 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0005_01C3A098.E1BED900"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 01 Nov 2003 16:55:06.0977 (UTC) FILETIME=[E7226510:01C3A098]
X-Virus-Checked: 61885
X-Skip-Virus-Check: yes
X-Sender-IP: 212.50.178.147
X-INT-DeliveryDone: hA1Gt79Q098836
Return-Path: [EMAIL PROTECTED]

------=_NextPart_000_0005_01C3A098.E1BED900
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0005_01C3A098.E1BED900
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0005_01C3A098.E1BED900--

-----Original Message-----
From: The one [mailto:[EMAIL PROTECTED]
Sent: 01 November 2003 16:55
To: Mailbox
Subject: send back on [EMAIL PROTECTED]

This email is confidential and intended solely for the use of the individual(s) to whom it is addressed. It should not be deemed to constitute a binding contract between TKC Group and the recipient(s) unless a purchase order number is quoted. Any views or opinions presented are solely those of the author and do not necessarily represent those of TKC Group Ltd. If you are not the intended recipient(s), please do not copy or disclose its contents. Please return it to: [EMAIL PROTECTED] then delete the email. intY has scanned this email for all known viruses (www.inty.com)

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]