IP spoofed spam - off topic
hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints.

Can an IP be spoofed so totally in mail headers?

headers:

Received: from mailserv01.dartgc.com ([207.34.255.70])
        by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910
        for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
From: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Received: from ngqjz.msn.com ([x.x.x.110])
        by mailserv01.dartgc.com with SMTP
        (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
        id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400

Again, sorry for the off topic post, and thanks.

* Mick Dobra
  Systems Administrator
  MTCO Communications
  1-800-859-6826 *
Re: IP spoofed spam - off topic
On Mon, Apr 16, 2001 at 04:00:32PM -0500, mick wrote:
> hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints.
>
> Can an IP be spoofed so totally in mail headers?
>
> headers:
>
> Received: from mailserv01.dartgc.com ([207.34.255.70])
>         by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910
>         for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> From: [EMAIL PROTECTED]
> Message-Id: [EMAIL PROTECTED]
> Received: from ngqjz.msn.com ([x.x.x.110])
>         by mailserv01.dartgc.com with SMTP
>         (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
>         id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400

How is anyone supposed to give you a sure answer if you munge/hide relevant information?
Re: IP spoofed spam - off topic
The system is off, and has had that ip removed. It no longer belongs to a functioning system. 207.179.205.110 if it helps.

On Mon, 16 Apr 2001, Alex Pennace wrote:
> On Mon, Apr 16, 2001 at 04:00:32PM -0500, mick wrote:
> > hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints.
> >
> > Can an IP be spoofed so totally in mail headers?
> >
> > headers:
> >
> > Received: from mailserv01.dartgc.com ([207.34.255.70])
> >         by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910
> >         for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> > Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> > From: [EMAIL PROTECTED]
> > Message-Id: [EMAIL PROTECTED]
> > Received: from ngqjz.msn.com ([x.x.x.110])
> >         by mailserv01.dartgc.com with SMTP
> >         (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
> >         id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400
>
> How is anyone supposed to give you a sure answer if you munge/hide relevant information?

* Mick Dobra
  Systems Administrator
  MTCO Communications
  1-800-859-6826 *
Re: IP spoofed spam - off topic
On Mon, 16 Apr 2001, Alex Pennace wrote:
> On Mon, Apr 16, 2001 at 04:00:32PM -0500, mick wrote:
> > hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints.
> >
> > Can an IP be spoofed so totally in mail headers?
> >
> > headers:
> >
> > Received: from mailserv01.dartgc.com ([207.34.255.70])
> >         by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910
> >         for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> > Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> > From: [EMAIL PROTECTED]
> > Message-Id: [EMAIL PROTECTED]
> > Received: from ngqjz.msn.com ([x.x.x.110])
> >         by mailserv01.dartgc.com with SMTP
> >         (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
> >         id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400
>
> How is anyone supposed to give you a sure answer if you munge/hide relevant information?

As an additional note: Looks like every system receiving the spam is an Exchange server. Is someone exploiting an exchange fault?

* Mick Dobra
  Systems Administrator
  MTCO Communications
  1-800-859-6826 *
Re: IP spoofed spam - off topic
mick [EMAIL PROTECTED] wrote:
> Can an IP be spoofed so totally in mail headers?

Short answer: yes. Spammers are getting better at spoofing mail headers, as misguided "spam protection" features in MTAs force them to.

Long answer: can't analyze the situation properly when you munge header information. You might try running the headers through SpamCop or SamSpade to see if they can detect the header forgery.

Charles
-- 
---
Charles Cazabon  [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
Re: IP spoofed spam - off topic
On Mon, 16 Apr 2001, Charles Cazabon wrote:
> mick [EMAIL PROTECTED] wrote:
> > Can an IP be spoofed so totally in mail headers?
>
> Short answer: yes. Spammers are getting better at spoofing mail headers, as misguided "spam protection" features in MTAs force them to.
>
> Long answer: can't analyze the situation properly when you munge header information. You might try running the headers through SpamCop or SamSpade to see if they can detect the header forgery.

munge the headers? that was a direct copy from the spamcop message! I changed the ip address because that ip (and the server it used to be on) is no longer operational. but that's it. 207.179.205.110 was the address.

> Charles

* Mick Dobra
  Systems Administrator
  MTCO Communications
  1-800-859-6826 *
Re: IP spoofed spam - off topic
> From: mick [EMAIL PROTECTED]
> Date: Mon, 16 Apr 2001 16:00:54 -0500 (CDT)
>
> hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints.
>
> Can an IP be spoofed so totally in mail headers?
>
> headers:
>
> Received: from mailserv01.dartgc.com ([207.34.255.70])
>         by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910
>         for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> From: [EMAIL PROTECTED]
> Message-Id: [EMAIL PROTECTED]
> Received: from ngqjz.msn.com ([x.x.x.110])
>         by mailserv01.dartgc.com with SMTP
>         (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
>         id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400
>
> Again, sorry for the off topic post, and thanks.

Who controls 207.34.255.70 and is it really mailserv01.dartgc.com?

Chris
-- 
Chris Garrigues                 http://www.DeepEddy.Com/~cwg/
virCIO                          http://www.virCIO.Com
4314 Avenue C
Austin, TX  78751-3709          +1 512 374 0500

  My email address is an experiment in SPAM elimination.  For an
  explanation of what we're doing, see http://www.DeepEddy.Com/tms.html

  Nobody ever got fired for buying Microsoft, but they could get fired
  for relying on Microsoft.
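Charles's short answer (yes, Received lines can be forged) and Chris's question (who actually controls 207.34.255.70?) both come down to the same reading rule: walk the Received chain from the top, and trust only the hops that your own MTA stamped. The topmost line was written by southwind.org and its bracketed peer address is what that server really saw on the socket; the line below it, naming 207.179.205.110, was written by mailserv01.dartgc.com (or by whoever injected it), and southwind.org cannot vouch for it. The following script is an added example, written for this thread and not code from any of the posters; it assumes southwind.org is the trusted receiving MTA, and its sample message is constructed from the headers quoted above with Mick's unmasked address substituted for x.x.x.110 and placeholder From/Message-Id values.

```python
import re
from email import message_from_string

# Constructed sample (not the original mail): the two Received lines quoted in
# the thread, with 207.179.205.110 in place of x.x.x.110, plus placeholders for
# the From/Message-Id values the archive masked.
SAMPLE = """\
Received: from mailserv01.dartgc.com ([207.34.255.70])
    by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910
    for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
From: placeholder@example.invalid
Message-Id: <placeholder@example.invalid>
Received: from ngqjz.msn.com ([207.179.205.110])
    by mailserv01.dartgc.com with SMTP
    (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400

body
"""

# sendmail/Exchange style: "from <helo-name> ([<peer-ip>]) by <host> ..."
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>[^\s;(]+)"
)


def parse_hops(raw):
    """Return the Received hops top-down (most recently added first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"].lower()})
        else:
            hops.append({"helo": None, "ip": None, "by": None, "raw": flat})
    return hops


def trace(raw, trusted_hosts):
    """Mark which hops our own MTAs wrote and return (hops, vouched_origin_ip).

    Trust runs top-down and stops at the first hop whose 'by' host is not
    ours. Everything below that point was written by a foreign server and
    may be forged; the peer IP recorded by the last trusted hop is the only
    origin we can actually vouch for.
    """
    trusted_hosts = {h.lower() for h in trusted_hosts}
    hops = parse_hops(raw)
    still_trusted = True
    origin = None
    for hop in hops:
        if still_trusted and hop["by"] in trusted_hosts:
            hop["trusted"] = True
            origin = hop["ip"]
        else:
            still_trusted = False
            hop["trusted"] = False
    return hops, origin


def chain_is_continuous(hops):
    """Each hop's 'by' host should equal the 'from' name of the hop above it.

    A break is a common sign of a pasted-in Received line. A careful forger
    keeps the chain continuous, as the thread's sample does, so a continuous
    chain is not evidence that the lower hops are genuine.
    """
    for upper, lower in zip(hops, hops[1:]):
        if upper["helo"] is None or lower["by"] is None:
            return False
        if upper["helo"].lower() != lower["by"]:
            return False
    return True


if __name__ == "__main__":
    hops, origin = trace(SAMPLE, {"southwind.org"})
    for hop in hops:
        tag = "VERIFIED" if hop["trusted"] else "CLAIMED "
        print(f"{tag} from {hop['helo']} [{hop['ip']}] by {hop['by']}")
    print("origin we can vouch for:", origin)
    print("chain continuous:", chain_is_continuous(hops))
```

Run against the sample, the script marks the southwind.org hop as verified with peer 207.34.255.70, and the hop naming 207.179.205.110 as merely claimed: it is an assertion by mailserv01.dartgc.com, not something the complaining site observed. That is why the complaints keep arriving after Mick's box is powered off, and why Chris's question about who runs 207.34.255.70 is the one worth pursuing; a blacklist or abuse report should be aimed at the verified peer, and the unverifiable lower hop should be read as evidence about the relay, not about 207.179.205.110.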