Thanks! I actually did turn off the unknown account. They are all bouncing back. But damn, there are still tons of them bouncing out. Actually used the unknown account for signing up for web sites using a fake email. When they started to spam I made that address a spam address. Oh well!

I guess my question is how can they get away forging email addresses? And what if anything can one do?

Matthew

On Tuesday, July 9, 2002, at 07:26 PM, Bill Cole wrote:

> At 7:42 PM -0700 7/8/02, Matthew Hill imposed structure on a stream of
> electrons, yielding:
>> Here's another one for good measure! I don't see these going out from
>> anywhere!
>
> They aren't going out from your machines at all.
>
> This one is a little better than the AOL bounces, since Notes at least
> preserves headers, after a fashion. Essentially it treats the bounce as
> a continued journey of the original, so you get the path of the bounce
> and the path of the original all in one.
>
>> From: upxHel <[EMAIL PROTECTED]>
>> From: [EMAIL PROTECTED]
>> Date: Mon Jul 08, 2002 07:34:34 PM US/Pacific
>> To: upxHel <[EMAIL PROTECTED]>
>> Cc:
>> Subject: DELIVERY FAILURE: User mjohnston
>> ([EMAIL PROTECTED]) not listed in public Name & Address Book
>> Return-Path: <>
>> X-Mirrored-By: [EMAIL PROTECTED]
>
> That's why these are causing you trouble. The 'unknown' account is a
> misfeature. I understand why SIMS (and other servers) offer it, but
> there is good reason for it to be turned off by default. If it was off,
> these bounces would be bouncing instead of delivering to you.
>
>> Received: from fw251.intermet.com ([204.146.63.251] verified) by
>> milepost1.com (Stalker SMTP Server 1.8b8) with SMTP id S.0001112311
>> for <[EMAIL PROTECTED]>; Mon, 08 Jul 2002 19:37:33 -0700
>> Received: from hstgw031.intermet.com by fw251.intermet.com via smtpd
>> (for user-vc8fec8.biz.mindspring.com [216.135.185.136]) with SMTP; 9
>> Jul 2002 02:37:30 UT
>
> That's the path of the bounce. hstgw01.intermet.com didn't like the
> message, so it bounced it by way of its outbound firewall (that's a
> guess at fw251) for you, and it noted that your primary MX resolves to
> an IP which reverses to that Mindspring name.
>
>> Received: from firewall.intermet.com ([10.250.0.2]) by
>> hstgw031.intermet.com (Lotus Domino Release 5.0.4) with SMTP id
>> 2002070822331807:6974 ; Mon, 8 Jul 2002 22:33:18 -0400
>> Received: from h162-040-098-242.adsl.navix.net ([162.40.98.242]) by
>> firewall.intermet.com via smtpd (for hstgw031.intermet.com
>> [10.1.0.31]) with SMTP; 9 Jul 2002 02:37:10 UT
>
> There it is. Back to here, the Received headers chain neatly.
> h162-040-098-242.adsl.navix.net handed the original message to
> firewall.intermet.com, aimed at hstgw01 (which we know from above is
> what did the bouncing.) Past here it's garbage...
>
>> Received: from unknown (HELO da001d2020.lax-ca.osd.concentric.net)
>> (194.29.209.49) by f64.law4.hotmail.com with QMQP; Jul, 08 2002
>> 9:27:17 PM +0300
>
> huh? hotmail? BS. QMQP? Not likely. +0300? Doubtful. This doesn't
> chain with the later (i.e. above) received headers AND the unlikely
> timezone and protocol are a known spamsign. QMQP is real, but you won't
> see it outside of QMail installations, and Hotmail doesn't use QMail
> anyway. Or have servers in the Middle East/Eastern Europe/East Africa.
>
> The nail in the coffin is that MTA's don't put AM/PM into Received
> headers.
>
>> Received: from [203.186.145.225] by hotmail.com (3.2) with ESMTP id
>> MHotMailBE7297E1009B400437E7CBBA91E10D0B0; Jul, 08 2002 8:05:23 PM
>> -0000
>> Received: from [176.244.234.14] by smtp-server6.tampabay.rr.com with
>> local; Jul, 08 2002 7:30:09 PM +0300
>> Received: from rly-yk04.mx.aol.com ([99.100.131.137]) by rly-
>> xw01.mx.aol.com with NNFMP; Jul, 08 2002 6:15:10 PM -0700
>
> More chaining, protocol, and zone problems. More PM's. NNFMP is a
> protocol that is proprietary and used only internally at Yahoo. The
> 'local' protocol is supposed to indicate that a message came from the
> machine adding the Received header.
> Plus this message seems to have
> traveled back in time, with a hand-off at PDT AOL servers (itself iffy)
> at 2002/07/09:01:15:10 UTC and then showing up about 9 hours earlier in
> Tampa Bay, (the one outside of Baghdad, according to the zone) then
> hitting some British arm of Hotmail 3:35 later, carrying the Received
> header that the AOL machines were going to create almost 6 hours into
> the future. At least, that's what it appears to be if the PM's which
> MTA's don't use are all correct.
>
> IOW: those Received headers are bogus, and not even forged to be
> minimally believable. This is a demo of rules #1 & #2 of spammers:
> spammers lie and spammers are profoundly stupid.
>
>> Mime-Version: 1.0
>> X-Mailer: QUALCOMM Windows Eudora Version 5.1
>> X-Priority: 1 (High)
>> X-Mimetrack: Itemize by SMTP Server on HSTGW031/IMET(Release 5.0.4
>> |June 8, 2000) at 07/08/2002 10:33:20 PM, Serialize by Router on
>> HSTGW031/IMET(Release 5.0.4 |June 8, 2000) at 07/08/2002 10:33:41 PM,
>> Serialize complete at 07/08/2002 10:33:41 PM
>> Message-Id: <[EMAIL PROTECTED]>
>> Content-Type: multipart/report; report-type=delivery-status;
>> boundary="==IFJRGLKFGIR62893UHRUHIHD"
>>
>> Your message
>>
>> Subject: OUR LAST PICK WENT UP 47% IN JUST 2
>> DAYS--------------------13593 kbqqn
>>
>> was not delivered to:
>>
>> [EMAIL PROTECTED]
>>
>> because:
>>
>> User mjohnston ([EMAIL PROTECTED]) not listed in public
>> Name & Address Book
>>
>> Reporting-MTA: dns;hstgw031.intermet.com
>
> That tells you where to split those Received headers into original
> message and bounce paths.
>
> --
> Bill Cole [EMAIL PROTECTED]
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <[EMAIL PROTECTED]>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to <[EMAIL PROTECTED]>
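
The three checks applied to the Received headers in the quoted reply (AM/PM in timestamps, unlikely protocols, hops that do not chain), as an added Python example that is not part of the original thread. The sample headers are the first six from the quoted bounce, unfolded and with ids and `for` clauses trimmed; the protocol allow-list and the exact host-name match are simplifying assumptions.

```python
import re

# Received headers from the quoted bounce, newest first, unfolded to one line
# each, with ids and "for" clauses trimmed.
RECEIVED = [
    "from fw251.intermet.com ([204.146.63.251] verified) by milepost1.com "
    "(Stalker SMTP Server 1.8b8) with SMTP; Mon, 08 Jul 2002 19:37:33 -0700",
    "from hstgw031.intermet.com by fw251.intermet.com via smtpd with SMTP; "
    "9 Jul 2002 02:37:30 UT",
    "from firewall.intermet.com ([10.250.0.2]) by hstgw031.intermet.com "
    "(Lotus Domino Release 5.0.4) with SMTP; Mon, 8 Jul 2002 22:33:18 -0400",
    "from h162-040-098-242.adsl.navix.net ([162.40.98.242]) by "
    "firewall.intermet.com via smtpd with SMTP; 9 Jul 2002 02:37:10 UT",
    "from unknown (HELO da001d2020.lax-ca.osd.concentric.net) (194.29.209.49) "
    "by f64.law4.hotmail.com with QMQP; Jul, 08 2002 9:27:17 PM +0300",
    "from [203.186.145.225] by hotmail.com (3.2) with ESMTP; "
    "Jul, 08 2002 8:05:23 PM -0000",
]
FIELD = re.compile(r"\b(from|by|with)\s+(\S+)")
AMPM = re.compile(r"\d{1,2}:\d{2}(?::\d{2})?\s*[AP]M\b", re.I)
EXPECTED = {"SMTP", "ESMTP"}  # assumption: simplified protocol allow-list

def parse(header):
    """Split one Received value into its from/by/with fields and timestamp."""
    hops, _, stamp = header.rpartition(";")
    hops = re.sub(r"\([^)]*\)", " ", hops)  # drop parenthesised comments
    fields = dict(FIELD.findall(hops))
    fields["stamp"] = stamp.strip()
    return fields

def audit(headers):
    """Return {index: [reasons]} for hops showing the signs discussed above."""
    hops = [parse(h) for h in headers]
    findings = {}
    for i, hop in enumerate(hops):
        reasons = []
        if AMPM.search(hop["stamp"]):
            reasons.append("AM/PM in timestamp")
        if hop.get("with", "").upper() not in EXPECTED:
            reasons.append("unexpected protocol " + hop.get("with", "?"))
        # Newest first: the host that received hop i ("by") should be the host
        # that handed over hop i-1 ("from"). Exact match is an assumption.
        prev_from = hops[i - 1].get("from", "") if i else None
        if i and hop.get("by", "").lower() != prev_from.lower():
            reasons.append("does not chain with the hop above")
        if reasons:
            findings[i] = reasons
    return findings
```

The first four hops, which form the bounce path and the real hand-off, come back clean; the findings start at the first header below them.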
