RE: strange headers
Will read them and try and understand them! It wasn't from a spammer tho but from someone who wants us to sponsor them (we sell skateboards).

-----Original Message-----
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED]
Sent: 06 November 2003 17:54
To: Exchange Discussions
Subject: RE: strange headers

Read and understand RFC 821 and 822, and their successors 2821 and 2822, and you'll understand a lot about how spammers ply their trade.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Hackney
Sent: Thursday, November 06, 2003 5:15 AM
To: Exchange Discussions
Subject: strange headers

Hi, our organisation received an email yesterday and I don't quite know why it appeared the way it did.

Basically, someone sent an email from a Hotmail address yet the 'from' field did not display the hotmail address, but an address that looked as tho it was from our network. Now I know that it is possible to spoof addresses and so on but I didn't think this was possible thru hotmail tho having looked on their site, it appears you can do POP and the line below 'mail pickup service' seems to indicate that. I don't use hotmail so I don't know whether POP could have been used.

Would someone be able to look at the headers below and tell me what happened? I believe that someone did use a POP thru hotmail and spoofed the address but would like confirmation or correction.

I have also included the original mail but deleted some parts.

(incidentally, what is the best practice for posting headers? should I block our sensitive stuff or is it easy enough to get hold of that it is not worth the bother?)

Much obliged
Rob

Microsoft Mail Internet Headers Version 2.0
Received: from gateway.mydomain.xxx.net ([xxx.xxx.xx.x]) by servername.mydomain.co.uk with Microsoft SMTPSVC(5.0.2195.6713);
    Sat, 1 Nov 2003 16:55:11 +
Received: from server.isp.net ([xxx.xxx.xxx.xxx])
    by gateway.mydomain.xxx.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt79Q098836
    for <[EMAIL PROTECTED]>; Sat, 1 Nov 2003 16:55:07 GMT
x-previous-hop: 64.4.18.193
Received: from hotmail.com (law12-oe58.law12.hotmail.com [64.4.18.193])
    by server.isp.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt84r029294
    for <[EMAIL PROTECTED]>; Sat, 1 Nov 2003 16:55:09 GMT
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Sat, 1 Nov 2003 08:55:06 -0800
Received: from xx.xxx.xx.xxx by law12-oe58.law12.hotmail.com with DAV;
    Sat, 01 Nov 2003 16:55:06 +
X-Originating-IP: [xx.xxx.xx.xxx]
X-Originating-Email: [EMAIL PROTECTED]
From: "The one" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: getting sponsored
Date: Sat, 1 Nov 2003 16:54:57 -
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="=_NextPart_000_0005_01C3A098.E1BED900"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 01 Nov 2003 16:55:06.0977 (UTC) FILETIME=[E7226510:01C3A098]
X-Virus-Checked: 61885
X-Skip-Virus-Check: yes
X-Sender-IP: 212.50.178.147
X-INT-DeliveryDone: hA1Gt79Q098836
Return-Path: [EMAIL PROTECTED]

--=_NextPart_000_0005_01C3A098.E1BED900
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_000_0005_01C3A098.E1BED900
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_000_0005_01C3A098.E1BED900--

-----Original Message-----
From: The one [mailto:[EMAIL PROTECTED]
Sent: 01 November 2003 16:55
To: Mailbox
Subject:

send back on [EMAIL PROTECTED]

This email is confidential and intended solely for the use of the individual(s) to whom it is addressed. It should not be deemed to constitute a binding contract between TKC Group and the recipient(s) unless a purchase order number is quoted. Any views or opinions presented are solely those of the author and do not necessarily represent those of TKC Group Ltd. If you are not the intended recipient(s), please do not copy or disclose its contents. Please return it to: [EMAIL PROTECTED] then delete the email.

intY has scanned this email for all known viruses (www.inty.com)

_
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]
RE: strange headers
Read and understand RFC 821 and 822, and their successors 2821 and 2822, and you'll understand a lot about how spammers ply their trade.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Hackney
Sent: Thursday, November 06, 2003 5:15 AM
To: Exchange Discussions
Subject: strange headers

Hi, our organisation received an email yesterday and I don't quite know why it appeared the way it did.

Basically, someone sent an email from a Hotmail address yet the 'from' field did not display the hotmail address, but an address that looked as tho it was from our network. Now I know that it is possible to spoof addresses and so on but I didn't think this was possible thru hotmail tho having looked on their site, it appears you can do POP and the line below 'mail pickup service' seems to indicate that. I don't use hotmail so I don't know whether POP could have been used.

Would someone be able to look at the headers below and tell me what happened? I believe that someone did use a POP thru hotmail and spoofed the address but would like confirmation or correction.

I have also included the original mail but deleted some parts.

(incidentally, what is the best practice for posting headers? should I block our sensitive stuff or is it easy enough to get hold of that it is not worth the bother?)

Much obliged
Rob

Microsoft Mail Internet Headers Version 2.0
Received: from gateway.mydomain.xxx.net ([xxx.xxx.xx.x]) by servername.mydomain.co.uk with Microsoft SMTPSVC(5.0.2195.6713);
    Sat, 1 Nov 2003 16:55:11 +
Received: from server.isp.net ([xxx.xxx.xxx.xxx])
    by gateway.mydomain.xxx.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt79Q098836
    for <[EMAIL PROTECTED]>; Sat, 1 Nov 2003 16:55:07 GMT
x-previous-hop: 64.4.18.193
Received: from hotmail.com (law12-oe58.law12.hotmail.com [64.4.18.193])
    by server.isp.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt84r029294
    for <[EMAIL PROTECTED]>; Sat, 1 Nov 2003 16:55:09 GMT
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Sat, 1 Nov 2003 08:55:06 -0800
Received: from xx.xxx.xx.xxx by law12-oe58.law12.hotmail.com with DAV;
    Sat, 01 Nov 2003 16:55:06 +
X-Originating-IP: [xx.xxx.xx.xxx]
X-Originating-Email: [EMAIL PROTECTED]
From: "The one" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: getting sponsored
Date: Sat, 1 Nov 2003 16:54:57 -
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="=_NextPart_000_0005_01C3A098.E1BED900"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 01 Nov 2003 16:55:06.0977 (UTC) FILETIME=[E7226510:01C3A098]
X-Virus-Checked: 61885
X-Skip-Virus-Check: yes
X-Sender-IP: 212.50.178.147
X-INT-DeliveryDone: hA1Gt79Q098836
Return-Path: [EMAIL PROTECTED]

--=_NextPart_000_0005_01C3A098.E1BED900
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_000_0005_01C3A098.E1BED900
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_000_0005_01C3A098.E1BED900--

-----Original Message-----
From: The one [mailto:[EMAIL PROTECTED]
Sent: 01 November 2003 16:55
To: Mailbox
Subject:

send back on [EMAIL PROTECTED]

This email is confidential and intended solely for the use of the individual(s) to whom it is addressed. It should not be deemed to constitute a binding contract between TKC Group and the recipient(s) unless a purchase order number is quoted. Any views or opinions presented are solely those of the author and do not necessarily represent those of TKC Group Ltd. If you are not the intended recipient(s), please do not copy or disclose its contents. Please return it to: [EMAIL PROTECTED] then delete the email.

intY has scanned this email for all known viruses (www.inty.com)
RE: strange headers
I'm sure I read somewhere about some exploit/vuln that involved DAV (which I noticed in the headers) - maybe that has something to do with it?

regards,
Paul

--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:[EMAIL PROTECTED]

> -----Original Message-----
> From: Rob Hackney [mailto:[EMAIL PROTECTED]
> Sent: 06 November 2003 13:15
> To: Exchange Discussions
> Subject: strange headers
>
> Hi, our organisation received an email yesterday and I don't quite know
> why it appeared the way it did.
> Basically, someone sent an email from a Hotmail address yet the 'from'
> field did not display the hotmail address, but an address that looked as
> tho it was from our network. Now I know that it is possible to spoof
> addresses and so on but I didn't think this was possible thru hotmail
> tho having looked on their site, it appears you can do POP and the line
> below 'mail pickup service' seems to indicate that. I don't use hotmail
> so I don't know whether POP could have been used.
> Would someone be able to look at the headers below and tell me what
> happened? I believe that someone did use a POP thru hotmail and
> spoofed the address but would like confirmation or correction.
> I have also included the original mail but deleted some parts.
> (incidentally, what is the best practice for posting headers? should I
> block our sensitive stuff or is it easy enough to get hold of that it is
> not worth the bother?)
> Much obliged
> Rob
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from gateway.mydomain.xxx.net ([xxx.xxx.xx.x]) by
>     servername.mydomain.co.uk with Microsoft SMTPSVC(5.0.2195.6713);
>     Sat, 1 Nov 2003 16:55:11 +
> Received: from server.isp.net ([xxx.xxx.xxx.xxx])
>     by gateway.mydomain.xxx.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt79Q098836
>     for <[EMAIL PROTECTED]>; Sat, 1 Nov 2003 16:55:07 GMT
> x-previous-hop: 64.4.18.193
> Received: from hotmail.com (law12-oe58.law12.hotmail.com [64.4.18.193])
>     by server.isp.net (x.xx.x/x.xx.x) with ESMTP id hA1Gt84r029294
>     for <[EMAIL PROTECTED]>; Sat, 1 Nov 2003 16:55:09 GMT
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>     Sat, 1 Nov 2003 08:55:06 -0800
> Received: from xx.xxx.xx.xxx by law12-oe58.law12.hotmail.com with DAV;
>     Sat, 01 Nov 2003 16:55:06 +
> X-Originating-IP: [xx.xxx.xx.xxx]
> X-Originating-Email: [EMAIL PROTECTED]
> From: "The one" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: getting sponsored
> Date: Sat, 1 Nov 2003 16:54:57 -
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="=_NextPart_000_0005_01C3A098.E1BED900"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
> Message-ID: <[EMAIL PROTECTED]>
> X-OriginalArrivalTime: 01 Nov 2003 16:55:06.0977 (UTC)
>     FILETIME=[E7226510:01C3A098]
> X-Virus-Checked: 61885
> X-Skip-Virus-Check: yes
> X-Sender-IP: 212.50.178.147
> X-INT-DeliveryDone: hA1Gt79Q098836
> Return-Path: [EMAIL PROTECTED]
>
> --=_NextPart_000_0005_01C3A098.E1BED900
> Content-Type: text/plain;
>     charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> --=_NextPart_000_0005_01C3A098.E1BED900
> Content-Type: text/html;
>     charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> --=_NextPart_000_0005_01C3A098.E1BED900--
>
> -----Original Message-----
> From: The one [mailto:[EMAIL PROTECTED]
> Sent: 01 November 2003 16:55
> To: Mailbox
> Subject:
>
> send back on [EMAIL PROTECTED]
>
> This email is confidential and intended solely for the use of
> the individual(s) to whom it is addressed. It should not be
> deemed to constitute a binding contract between TKC Group and
> the recipient(s) unless a purchase order number is quoted.
> Any views or opinions presented are solely those of the
> author and do not necessarily represent those of TKC Group
> Ltd. If you are not the intended recipient(s), please do not
> copy or disclose its contents. Please return it to:
> [EMAIL PROTECTED] then delete the email.
>
> intY has scanned this email for all known viruses (www.inty.com)
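
An added example, not part of any post in this thread: one way to read a header block like the one posted above is to list the Received hops oldest-first and compare the displayed From domain with the sender fields the relay recorded. The thread redacts every address, so the mail addresses, the example.* host names and the 192.0.2.10 client IP below are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample modelled on the posted headers; example.* names, the
# 192.0.2.10 client IP and both mail addresses are placeholders.
SAMPLE = """\
Received: from hotmail.com (law12-oe58.law12.hotmail.com [64.4.18.193])
\tby server.isp.example with ESMTP id hA1Gt84r029294;
\tSat, 1 Nov 2003 16:55:09 +0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
\tSat, 1 Nov 2003 08:55:06 -0800
Received: from 192.0.2.10 by law12-oe58.law12.hotmail.com with DAV;
\tSat, 01 Nov 2003 16:55:06 +0000
X-Originating-Email: [someone@hotmail.com]
From: "The one" <mailbox@example.co.uk>
Return-Path: someone@hotmail.com

"""
HOP = re.compile(r"from\s+(?P<src>.+?)\s+by\s+(?P<by>\S+)(?:\s+with\s+(?P<proto>[^;]+))?")

def received_chain(raw):
    """Hops oldest-first as (from, by, with); each server prepends its own line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m["src"], m["by"], (m["proto"] or "").strip()))
    return hops

def domain(value):
    """Lower-cased domain of an address header, tolerating [brackets]."""
    return parseaddr(value.strip().strip("[]"))[1].rpartition("@")[2].lower()

def sender_findings(raw):
    """Heuristic: compare the displayed From domain with what relays recorded."""
    msg = message_from_string(raw)
    shown = domain(msg["From"])
    findings = []
    for name in ("X-Originating-Email", "Return-Path"):
        if msg[name] and domain(msg[name]) != shown:
            findings.append(f"{name}: {domain(msg[name])} != From {shown}")
    hops = received_chain(raw)
    if hops and not ("." + hops[0][1].lower()).endswith("." + shown):
        findings.append(f"first relay {hops[0][1]} is outside From domain {shown}")
    return findings

if __name__ == "__main__":
    print(received_chain(SAMPLE))
    print(sender_findings(SAMPLE))
```

Only the Received lines added by servers you control or trust are reliable; anything below them is supplied by the sending side, so a mismatch here is a prompt for a closer look rather than proof of spoofing.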