>Who can tell me from the following log which mail server/e-mail address
>started relaying?
>thanks,
>
>Sezgin
pop.uenal.com <= cpimssmtpe09.msn.com <= sunfw. <= 63.10.55.177
It looks like 63.10.55.177 is spoofing "MAIL FROM: [EMAIL PROTECTED]", so
when msn bounces it, it bounces to [EMAIL PROTECTED].
Forensics:
SamSpade.org MAPSomatic
Resolve reverse DNS
Checking RBL, RSS, DUL (not resolving reverse DNS)
63.10.55.177 listed in DUL(127.0.0.3) (Scan 63.10.55.0/24)
DUL: See <http://mail-abuse.org/dul/>
So, 63.10.55.177 is DUL = IP of a Dial Up Line.
Now the "sunfw" IP (fw = forward?? vbg)
SamSpade.org MAPSomatic
Resolve reverse DNS
Checking RBL, RSS, DUL
202.106.128.253 listed in RSS(127.0.0.2) (Scan 202.106.128.0/24)
So, 202.106.128.253 is in the MAPS open-relays.
That's the sunfw as open-relay, spewing spam from a DUL, who is
spoofing "MAIL FROM:".
Note, spam forensics is not always so traceable, and maybe I'm
completely wrong. vbg
Conclusion:
pop.uenal.com <= cpimssmtpe09.msn.com <= sunfw. <= 63.10.55.177
spam bounce victim <= spam victim <= open-relay <= DUL spoofing header
I had one of my IMGate fans yesterday thinking that IMGate was an
open relay, but no, it was .cn china spoofing his header and spamming
bellatlantic. When BA bounced it, it sailed through IMGate because
it was addressed correctly to a relayable (but spoofed) domain. Just
like above. @ssholes.
Len
http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5 installable binary for NT4
http://IMGate.MEIway.com: Build free, hi-perf, anti-spam mail gateways
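The lookups Len walks through above, as an added example (not code from the thread, from MAPS or from SamSpade): it builds the reversed-octet DNSBL query names, maps the 127.0.0.2 / 127.0.0.3 answers the thread reports to RSS / DUL verdicts, and annotates each hop of the relay chain. The zone names, the sunfw-to-IP mapping and the canned DNS answers are assumptions standing in for live lookups.

```python
import ipaddress

# Assumed MAPS zone names (not verified against the thread).
ZONES = {
    "RSS": "relays.mail-abuse.org",   # Relay Spam Stopper: open relays
    "DUL": "dialups.mail-abuse.org",  # Dial-up User List
}
# Answer codes as reported in the thread: RSS(127.0.0.2), DUL(127.0.0.3).
RETURN_CODES = {"127.0.0.2": "open relay (RSS)", "127.0.0.3": "dial-up line (DUL)"}

# Constructed DNS answers mirroring the thread's findings; not real lookups.
SIMULATED_DNS = {
    "253.128.106.202.relays.mail-abuse.org": "127.0.0.2",
    "177.55.10.63.dialups.mail-abuse.org": "127.0.0.3",
}

# The thread never prints sunfw's IP next to its name; this mapping is
# constructed from the 202.106.128.253 lookup Len reports for it.
HOSTNAME_IPS = {"sunfw": "202.106.128.253"}


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL client queries (a.b.c.d -> d.c.b.a.zone)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, resolver=SIMULATED_DNS.get):
    """Return the list of blocklist verdicts for one address (empty = not listed)."""
    verdicts = []
    for zone in ZONES.values():
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer:
            verdicts.append(RETURN_CODES.get(answer, f"listed ({answer})"))
    return verdicts


def parse_chain(line):
    """Split 'dest <= hop <= ... <= origin' into hops ordered origin first."""
    return [h.strip().rstrip(".") for h in reversed(line.split("<="))]


def classify_chain(line, resolver=SIMULATED_DNS.get):
    """Annotate each hop with DNSBL verdicts; hostnames without a known IP get none."""
    result = []
    for hop in parse_chain(line):
        ip = hop if hop[:1].isdigit() else HOSTNAME_IPS.get(hop)
        result.append((hop, dnsbl_lookup(ip, resolver) if ip else []))
    return result


if __name__ == "__main__":
    for hop, verdicts in classify_chain("pop.uenal.com <= cpimssmtpe09.msn.com <= sunfw. <= 63.10.55.177"):
        print(f"{hop:24} {', '.join(verdicts) or 'not listed / no IP'}")
```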
______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Glowing Praise...... mailto:[EMAIL PROTECTED]
Searchable List Archive.... http://www.mail-archive.com/[email protected]
To Manage your Subscription......... http://humankindsystems.com/lists