The From: address is easily faked, and the spammer doesn't care 
whether it's real or not, as long as (a) it looks plausible, and (b) 
*he* doesn't get the bounces.

  Both messages came from a machine calling itself "mx.port.ru" -- 
but at different IP addresses.  You could hunt down the ISPs that own 
those addresses and complain, but who knows how many other ISPs the 
spammer has accounts with.

  One of the messages *did* come through an open relay at 
mailin00.sul.t-online.de.  Anent the recent thread on blocking entire 
/x blocks, I recall blocking all of t-online.de's blocks a year or so 
ago.  The only traffic I ever got from them was scans for 
exploitable/anonymous FTP servers, and my complaints seemed only to 
elicit a form letter response....

David Gillett


On 11 Jan 2002, at 10:26, Boryan Yotov wrote:

> Hello all,
>     
>     I know this concerns neither the firewall nor the netfilter news group,
> but I don't know what to do at all.
>     Someone fakes his own E-Mail address with my own and uses it to send spam letters
> to a bunch of E-Mail addresses all over the world. It is sent from someone called Pedro
> Lopaz (it's also possible that the name is faked anyway).
>     Please could someone point me to what I have to do, since I don't want this to
> continue anymore. I tracked this behavior early today since there are failed e-mail
> deliveries (which are returned to me). I don't know how many users successfully received
> this kind of letter from my E-Mail address.
>     Maybe it's some mismatch in the Yahoo mail delivery system .. but I think it's a
> case of E-Mail faking.
>     Thank you in advance.
>     
>     Best regards,
>     
>     Boryan Yotov
> 
>     I attached two of the failed E-Mails if they could help you:
> 
> #================================
> #    This is the first one
> #================================
> |------------------------- Failed addresses follow: ---------------------|
> <[EMAIL PROTECTED]> ... unknown user / Teilnehmer existiert nicht
> |------------------------- Message text follows: ------------------------|
> Received: from mx.port.ru ([211.20.79.172]) by mailin00.sul.t-online.de
> with smtp id 16Ooul-0bIKGGC; Fri, 11 Jan 2002 00:47:19 +0100
> Date: Tue, 18 Dec 2001 11:22:33 -0300
> From: Pedro Lopaz <[EMAIL PROTECTED]>
> To: Ricci <[EMAIL PROTECTED]>
> Subject: Re[37933]:
> MIME-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> 
> http://www.freeteenhost.com/girlsnew/?37933    
> 
> #=================================================
> #    And this is the second one - this one also contains attachments
> #=================================================
> The original message was received at Fri, 11 Jan 2002 00:46:59 +0100 (MET)
> from [209.177.61.130]
> 
>    ----- The following addresses had permanent fatal errors -----
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> 
>    ----- Transcript of session follows -----
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 550 <[EMAIL PROTECTED]>... User unknown
> 
> #==================================================
> # There are two files attached to the last mail
> #==================================================
> 
> // ATT00073.dat
> Reporting-MTA: dns; mailbox-6.caramail.com
> 
> Received-From-MTA: DNS; newwww
> 
> Arrival-Date: Fri, 11 Jan 2002 00:46:59 +0100 (MET)
> 
> Final-Recipient: RFC822; [EMAIL PROTECTED]
> 
> Action: failed
> 
> Status: 5.1.1
> 
> Last-Attempt-Date: Fri, 11 Jan 2002 09:09:13 +0100 (MET)
> 
> Final-Recipient: RFC822; [EMAIL PROTECTED]
> 
> Action: failed
> 
> Status: 5.1.1
> 
> Last-Attempt-Date: Fri, 11 Jan 2002 09:09:14 +0100 (MET)
> 
> // RE(37922)_.eml
> 
> Return-Path: <[EMAIL PROTECTED]>
> Received: from mx.port.ru ([209.177.61.130])
>  by mailbox-6.caramail.com (8.8.8/8.8.8) with SMTP id AAA09312;
>  Fri, 11 Jan 2002 00:46:59 +0100 (MET)
> Posted-Date: Fri, 11 Jan 2002 00:46:59 +0100 (MET)
> Received-Date: Fri, 11 Jan 2002 00:46:59 +0100 (MET)
> Message-Id: <[EMAIL PROTECTED]>
> Date: Tue, 18 Dec 2001 11:22:33 -0300
> From: Pedro Lopaz <[EMAIL PROTECTED]>
> To: Ricci <[EMAIL PROTECTED]>
> Subject: Re[37922]:
> MIME-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> 
> http://www.freeteenhost.com/girlsnew/?37922
> 
> 


_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
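
An added example, not part of the original thread: a short Python script that reads the two Received: lines quoted in the bounces above and separates the name the sending machine claimed for itself from the IP address the receiving server actually recorded. The function names are hypothetical; the header values are copied from the quoted bounces with continuation lines folded.

```python
import re
from collections import defaultdict

# Received: values copied from the two bounces quoted in the thread.
RECEIVED = [
    "from mx.port.ru ([211.20.79.172]) by mailin00.sul.t-online.de "
    "with smtp id 16Ooul-0bIKGGC; Fri, 11 Jan 2002 00:47:19 +0100",
    "from mx.port.ru ([209.177.61.130]) by mailbox-6.caramail.com (8.8.8/8.8.8) "
    "with SMTP id AAA09312; Fri, 11 Jan 2002 00:46:59 +0100 (MET)",
]

# "from <name> ([<ip>]) by <host>": <name> is whatever the client announced in
# HELO and is unverified; <ip> is what the receiving MTA saw on the connection.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)", re.I
)


def parse_hop(value):
    """Return (helo, ip, by) for one Received value, or None if it does not match."""
    m = HOP.search(" ".join(value.split()))  # unfold whitespace first
    return (m["helo"].lower(), m["ip"], m["by"].lower()) if m else None


def helo_conflicts(values):
    """Map each claimed HELO name to its peer IPs; keep names used by more than one IP."""
    seen = defaultdict(set)
    for value in values:
        hop = parse_hop(value)
        if hop:
            seen[hop[0]].add(hop[1])
    return {name: sorted(ips) for name, ips in seen.items() if len(ips) > 1}


def peers(values):
    """(peer IP, receiving host) pairs: the IP, not the HELO name, identifies the sender's network."""
    return [(h[1], h[2]) for h in map(parse_hop, values) if h]


if __name__ == "__main__":
    for name, ips in helo_conflicts(RECEIVED).items():
        print(f"HELO name '{name}' was claimed from {len(ips)} addresses: {', '.join(ips)}")
    for ip, by in peers(RECEIVED):
        print(f"peer {ip} delivered to {by}")
```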
