Look carefully at the headers again. I have seen a few like this running around. The IP listed is not actually an IP, but marked as a supposed FQDN. The ones I have seen appear to originate out of Brazil for the most part. I do not have a sample handy at the moment, but if someone wants it (for whatever reason), just let me know.
Matt

On Mon, 16 Jun 2003, Richard D G Cox wrote:

> On Mon, 16 Jun 2003 17:33:11 +0200, "Pascal Gloor" <[EMAIL PROTECTED]> wrote:
>
> | Getting SPAM from 118.189.136.119 relayed by rr.com ?
> |
> | This network is not allocated, nor announced. I have been looking everywhere
> | to find if it has been announced (historical BGP update databases, like RIS
> | RIPE / CIDR REPORT / etc..)... I didn't find anything.... This probably means
> | rr.com is routing that network internally.
>
> This is very likely to be a known exploit I have been tracking. In all the
> cases which we have so far confirmed, the spam was not relayed, but proxied
> by a trojan executable which is able to mimic a "previous" header with such
> a degree of accuracy that it is indistinguishable from the genuine article!
>
> | If there is any rr.com guy around, could you please check this?
>
> Our advice would be that the server-that-connected-to-you needs to be taken
> offline by the security people at its site (which you say is RoadRunner) and
> they should have ALL its disk(s) imaged for forensic analysis purposes.
>
> Our experience is that sites hit by this exploit will do basic checks on
> the server and claim it is uncompromised and "cannot possibly be sending
> that spam". Such a claim would be entirely incorrect. You would need to
> persuade them that something is wrong, which is difficult at the best of
> times. RoadRunner being involved in this case suggests this may *not* be
> the "best of times".
>
> --
> Richard Cox
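As an added example (not code from Matt, Richard Cox, Pascal Gloor or anyone else in this thread): a small Python checker for the kind of forged "previous" Received: line discussed above. It unfolds the header block, parses each Received: hop, and flags a bracketed token that is not an IP literal (Matt's "not actually an IP, but marked as a supposed FQDN"), a hop whose timestamp is later than the hop that claims to have received from it, and a "by" host that does not match the next hop's "from". The sample headers, hostnames and addresses are constructed placeholders. It deliberately does not decide whether an address is allocated or announced; that needs RIR and BGP data, which is what Pascal's manual lookup covered.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample (not from the original thread).  The top two Received:
# lines are what receiving MTAs would write; the bottom one is a forged
# "previous hop" in the style the thread describes: the bracketed token is a
# hostname rather than an IP literal, and its timestamp is later than the hop
# that supposedly received from it.  All names and addresses are placeholders.
SAMPLE_HEADERS = (
    "Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])\n"
    "\tby mx.example.org (Postfix) with ESMTP id ABC123\n"
    "\tfor <victim@example.org>; Mon, 16 Jun 2003 17:30:00 +0200\n"
    "Received: from smtp.example.com (smtp.example.com [198.51.100.77])\n"
    "\tby mail-relay.example.net with SMTP; Mon, 16 Jun 2003 17:29:58 +0200\n"
    "Received: from user-pc.example.com (user-pc.example.com [user-pc.example.com])\n"
    "\tby smtp.example.com with SMTP; Mon, 16 Jun 2003 17:31:00 +0200\n"
    "From: someone@example.com\n"
    "Subject: test\n"
)

HOP_RE = re.compile(
    r"^from\s+(?P<from_name>\S+)"   # name the connecting host presented
    r"(?P<rest>.*?)"                # optional "(rdns [addr])" block
    r"\s+by\s+(?P<by>\S+)",         # MTA that wrote this line
    re.DOTALL,
)
BRACKET_RE = re.compile(r"\[([^\]]+)\]")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs with folded continuation lines joined."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # end of header block
        if line[0] in " \t" and fields:             # continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_received(value: str) -> Optional[Dict[str, Any]]:
    """Pull from/by/bracketed address/timestamp out of one Received: value."""
    m = HOP_RE.match(value)
    if not m:
        return None
    bracket = BRACKET_RE.search(m.group("rest"))    # "[addr]" sits between from and by
    _, _, date_part = value.rpartition(";")         # timestamp follows the last ';'
    try:
        when = parsedate_to_datetime(date_part.strip())
    except (TypeError, ValueError):                 # TypeError on older Pythons
        when = None
    return {
        "from_name": m.group("from_name"),
        "by": m.group("by").rstrip(";,"),
        "bracket": bracket.group(1) if bracket else None,
        "time": when,
    }


def audit_received(raw: str) -> List[str]:
    """Report Received: hops that look forged.  Hops are in header order,
    so hop i+1 is the earlier hop that handed the message to hop i."""
    hops: List[Dict[str, Any]] = []
    for name, value in unfold_headers(raw):
        if name == "received":
            parsed = parse_received(value)
            if parsed:
                hops.append(parsed)

    findings: List[str] = []
    for i, hop in enumerate(hops):
        tag = f"hop {i} (from {hop['from_name']} by {hop['by']})"
        if hop["bracket"] is None:
            findings.append(f"{tag}: no bracketed address")
        else:
            try:
                ipaddress.ip_address(hop["bracket"])
            except ValueError:
                findings.append(f"{tag}: bracketed token {hop['bracket']!r} is not an IP literal")
        if i + 1 < len(hops):
            nxt = hops[i + 1]
            if nxt["time"] and hop["time"] and nxt["time"] > hop["time"]:
                findings.append(f"hop {i + 1}: timestamp later than the hop above it")
            if nxt["by"].lower() != hop["from_name"].lower():
                findings.append(f"hop {i + 1}: written by {nxt['by']!r} but hop {i} "
                                f"claims it came from {hop['from_name']!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_received(SAMPLE_HEADERS):
        print(finding)
```

Run against the sample it reports the forged bottom hop twice: once for the hostname inside the brackets and once for the timestamp. A checker like this only tells you which line to distrust; as Richard says, the real question of whether the machine that connected to you is compromised is answered on that machine, not in the headers.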