RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please
Many thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, March 16, 2007 11:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please

You're safe, Robert.

I've seen this part in spam sent to my domain for about a year:

> Received: from 208.100.26.91 (HELO smtp.igive.com)
> by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
> id JLM3A5-)G'4.A-M/

The gibberish in the received block is a definite "spam signature" and is entirely fake.

The army isn't going to be breaking down your door and making you eat this spam.

Andrew 8)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Robert Grosshandler
> Sent: Friday, March 16, 2007 7:39 AM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Bounce / Spoof Analysis Help Please
>
> Hi
>
> We're seeing bounce messages similar to the following. I
> don't think our server has been compromised, but I want to be
> sure. We legitimately send mail from 208.100.26.91, but I
> think (hope) its appearance in the following is spoofed.
>
>
>
> --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
> The-original-message-was-received-at-Fri,-16-Mar-2007-08:
> 55:31 -0400 (EDT)
>
> - The following addresses had permanent fatal errors
> - <[EMAIL PROTECTED]>
> (reason: 550 5.7.1 Unable to relay for [EMAIL PROTECTED])
> - Transcript of session follows - ... when talking
> to ahrc00bh0106287.nae.ds.army.mil. while trying to contact
> hrcmail.hoffman.army.mil.:
> >>> DATA
> <<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED] 550
> 5.1.1 <[EMAIL PROTECTED]>... User unknown <<< 554 5.5.2
> No valid recipients
>
> --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
> Content-Type: message/delivery-status
>
> Reporting-MTA: dns; hrcpro21.hoffman.army.mil
> Arrival-Date: Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
>
> Final-Recipient: RFC822; [EMAIL PROTECTED]
> Action: failed
> Status: 5.7.1
> Remote-MTA: DNS; hrcmail.hoffman.army.mil
> Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for
> [EMAIL PROTECTED]
> Last-Attempt-Date: Fri, 16 Mar 2007 08:55:34 -0400 (EDT)
>
>
> --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
> Content-Type: message/rfc822
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl
> [89.78.68.55])
> by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;
> Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
> Received: from 208.100.26.91 (HELO smtp.igive.com)
> by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
> id JLM3A5-)G'4.A-M/
> for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060
> From: "Effie Drummond"
> To: <[EMAIL PROTECTED]>
> Subject: Choosing Online Pharmacy.
> Date: Fri, 16 Mar 2007 12:55:33 -0060
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="=_NextPart_000_000E_01C767D2.C434B490"
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
> Importance: Normal
> X-Antivirus: avast! (VPS 000724-0, 2007-03-15), Outbound message
> X-Antivirus-Status: Clean
> x-scc-prev-hop: 89.78.68.55

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.

RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please
You're safe, Robert.

I've seen this part in spam sent to my domain for about a year:

> Received: from 208.100.26.91 (HELO smtp.igive.com)
> by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
> id JLM3A5-)G'4.A-M/

The gibberish in the received block is a definite "spam signature" and is entirely fake.

The army isn't going to be breaking down your door and making you eat this spam.

Andrew 8)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Robert Grosshandler
> Sent: Friday, March 16, 2007 7:39 AM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Bounce / Spoof Analysis Help Please
>
> Hi
>
> We're seeing bounce messages similar to the following. I
> don't think our server has been compromised, but I want to be
> sure. We legitimately send mail from 208.100.26.91, but I
> think (hope) its appearance in the following is spoofed.
>
>
>
> --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
> The-original-message-was-received-at-Fri,-16-Mar-2007-08:
> 55:31 -0400 (EDT)
>
> - The following addresses had permanent fatal errors
> - <[EMAIL PROTECTED]>
> (reason: 550 5.7.1 Unable to relay for [EMAIL PROTECTED])
> - Transcript of session follows - ... when talking
> to ahrc00bh0106287.nae.ds.army.mil. while trying to contact
> hrcmail.hoffman.army.mil.:
> >>> DATA
> <<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED] 550
> 5.1.1 <[EMAIL PROTECTED]>... User unknown <<< 554 5.5.2
> No valid recipients
>
> --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
> Content-Type: message/delivery-status
>
> Reporting-MTA: dns; hrcpro21.hoffman.army.mil
> Arrival-Date: Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
>
> Final-Recipient: RFC822; [EMAIL PROTECTED]
> Action: failed
> Status: 5.7.1
> Remote-MTA: DNS; hrcmail.hoffman.army.mil
> Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for
> [EMAIL PROTECTED]
> Last-Attempt-Date: Fri, 16 Mar 2007 08:55:34 -0400 (EDT)
>
>
> --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
> Content-Type: message/rfc822
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl
> [89.78.68.55])
> by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;
> Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
> Received: from 208.100.26.91 (HELO smtp.igive.com)
> by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
> id JLM3A5-)G'4.A-M/
> for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060
> From: "Effie Drummond"
> To: <[EMAIL PROTECTED]>
> Subject: Choosing Online Pharmacy.
> Date: Fri, 16 Mar 2007 12:55:33 -0060
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="=_NextPart_000_000E_01C767D2.C434B490"
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
> Importance: Normal
> X-Antivirus: avast! (VPS 000724-0, 2007-03-15), Outbound message
> X-Antivirus-Status: Clean
> x-scc-prev-hop: 89.78.68.55

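Added example (not from the thread or from Declude): one way to script the check behind this answer. It assumes the Received header stamped by the bounce's Reporting-MTA is the only one the bouncing server vouches for; the header text comes from the bounce in this thread with a placeholder for the redacted address, and `analyse`, `bad_zone` and the report keys are illustrative names.

```python
import re
from email import message_from_string

# Header text copied from the bounce quoted in this thread. The archive
# redacted the addresses, so the "for" address below is a placeholder.
BOUNCED_HEADERS = (
    "Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl\n"
    "\t[89.78.68.55])\n"
    "\tby hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;\n"
    "\tFri, 16 Mar 2007 08:55:31 -0400 (EDT)\n"
    "Received: from 208.100.26.91 (HELO smtp.igive.com)\n"
    "\tby hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)\n"
    "\tid JLM3A5-)G'4.A-M/\n"
    "\tfor <user@example.invalid>; Fri, 16 Mar 2007 12:55:33 -0060\n"
    "Subject: Choosing Online Pharmacy.\n\n"
)

PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ZONE = re.compile(r"\s[+-](\d{2})(\d{2})(?:\s|$)")


def bad_zone(hop):
    """True if the date stamp has an impossible UTC offset (minutes above 59)."""
    m = ZONE.search(hop)
    return bool(m) and int(m.group(2)) > 59


def analyse(raw_headers, reporting_mta, our_ip):
    """Split the Received chain at the hop stamped by the bouncing server."""
    hops = [" ".join(h.split())
            for h in message_from_string(raw_headers).get_all("Received", [])]
    report = {"peer_ip": None, "our_ip_seen_by_mta": False, "unverified": []}
    for n, hop in enumerate(hops):
        by = re.search(r"\bby (\S+)", hop)
        if by and by.group(1).lower() == reporting_mta.lower():
            ip = PEER_IP.search(hop)
            # The bracketed address is what the bouncing server saw on the wire.
            report["peer_ip"] = ip.group(1) if ip else None
            report["our_ip_seen_by_mta"] = report["peer_ip"] == our_ip
            # Every header below this one was supplied by that peer.
            report["unverified"] = [
                {"claims_our_ip": our_ip in h, "bad_zone": bad_zone(h)}
                for h in hops[n + 1:]]
            break
    return report


if __name__ == "__main__":
    print(analyse(BOUNCED_HEADERS, "hrcpro21.hoffman.army.mil", "208.100.26.91"))
```

For this bounce the peer recorded by the bouncing server is 89.78.68.55, while 208.100.26.91 appears only in a header below that hop, one that also carries the impossible offset -0060.
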
[Declude.JunkMail] Bounce / Spoof Analysis Help Please
Hi

We're seeing bounce messages similar to the following. I don't think our server has been compromised, but I want to be sure. We legitimately send mail from 208.100.26.91, but I think (hope) its appearance in the following is spoofed.

--l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
The-original-message-was-received-at-Fri,-16-Mar-2007-08: 55:31 -0400 (EDT)

- The following addresses had permanent fatal errors -
<[EMAIL PROTECTED]>
(reason: 550 5.7.1 Unable to relay for [EMAIL PROTECTED])

- Transcript of session follows -
... when talking to ahrc00bh0106287.nae.ds.army.mil. while trying to contact hrcmail.hoffman.army.mil.:
>>> DATA
<<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
550 5.1.1 <[EMAIL PROTECTED]>... User unknown
<<< 554 5.5.2 No valid recipients

--l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
Content-Type: message/delivery-status

Reporting-MTA: dns; hrcpro21.hoffman.army.mil
Arrival-Date: Fri, 16 Mar 2007 08:55:31 -0400 (EDT)

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Remote-MTA: DNS; hrcmail.hoffman.army.mil
Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
Last-Attempt-Date: Fri, 16 Mar 2007 08:55:34 -0400 (EDT)

--l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
Content-Type: message/rfc822

Return-Path: <[EMAIL PROTECTED]>
Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl [89.78.68.55])
    by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;
    Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
Received: from 208.100.26.91 (HELO smtp.igive.com)
    by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
    id JLM3A5-)G'4.A-M/
    for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060
From: "Effie Drummond"
To: <[EMAIL PROTECTED]>
Subject: Choosing Online Pharmacy.
Date: Fri, 16 Mar 2007 12:55:33 -0060
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="=_NextPart_000_000E_01C767D2.C434B490"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Importance: Normal
X-Antivirus: avast! (VPS 000724-0, 2007-03-15), Outbound message
X-Antivirus-Status: Clean
x-scc-prev-hop: 89.78.68.55