Abandon all hope? Forging an email address is trivially easy. You can do it in your own email client...
On 7/9/02 10:10 PM, Matthew Hill mashed the following keys:

> Thanks! I actually did turn off the unknown account. They are all
> bouncing back. But damn, there are still tons of them bouncing out.
> Actually used the unknown account for signing up for web sites using a
> fake email. When they started to spam I made that address a spam
> address. Oh well!
>
> I guess my question is how can they get away with forging email addresses?
> And what, if anything, can one do?
>
> Matthew
>
> On Tuesday, July 9, 2002, at 07:26 PM, Bill Cole wrote:
>
>> At 7:42 PM -0700 7/8/02, Matthew Hill imposed structure on a stream of
>> electrons, yielding:
>>> Here's another one for good measure! I don't see these going out from
>>> anywhere!
>>
>> They aren't going out from your machines at all.
>>
>> This one is a little better than the AOL bounces, since Notes at least
>> preserves headers, after a fashion. Essentially it treats the bounce as
>> a continued journey of the original, so you get the path of the bounce
>> and the path of the original all in one.
>>
>>> From: upxHel <[EMAIL PROTECTED]>
>>> From: [EMAIL PROTECTED]
>>> Date: Mon Jul 08, 2002 07:34:34 PM US/Pacific
>>> To: upxHel <[EMAIL PROTECTED]>
>>> Cc:
>>> Subject: DELIVERY FAILURE: User mjohnston
>>> ([EMAIL PROTECTED]) not listed in public Name & Address Book
>>> Return-Path: <>
>>> X-Mirrored-By: [EMAIL PROTECTED]
>>
>> That's why these are causing you trouble. The 'unknown' account is a
>> misfeature. I understand why SIMS (and other servers) offer it, but
>> there is good reason for it to be turned off by default. If it was off,
>> these bounces would be bouncing instead of delivering to you.
>>
>>> Received: from fw251.intermet.com ([204.146.63.251] verified) by
>>> milepost1.com (Stalker SMTP Server 1.8b8) with SMTP id S.0001112311
>>> for <[EMAIL PROTECTED]>; Mon, 08 Jul 2002 19:37:33 -0700
>>> Received: from hstgw031.intermet.com by fw251.intermet.com via smtpd
>>> (for user-vc8fec8.biz.mindspring.com [216.135.185.136]) with SMTP; 9
>>> Jul 2002 02:37:30 UT
>>
>> That's the path of the bounce. hstgw01.intermet.com didn't like the
>> message, so it bounced it by way of its outbound firewall (that's a
>> guess at fw251) for you, and it noted that your primary MX resolves to
>> an IP which reverses to that Mindspring name.
>>
>>> Received: from firewall.intermet.com ([10.250.0.2]) by
>>> hstgw031.intermet.com (Lotus Domino Release 5.0.4) with SMTP id
>>> 2002070822331807:6974 ; Mon, 8 Jul 2002 22:33:18 -0400
>>> Received: from h162-040-098-242.adsl.navix.net ([162.40.98.242]) by
>>> firewall.intermet.com via smtpd (for hstgw031.intermet.com
>>> [10.1.0.31]) with SMTP; 9 Jul 2002 02:37:10 UT
>>
>> There it is. Back to here, the Received headers chain neatly.
>> h162-040-098-242.adsl.navix.net handed the original message to
>> firewall.intermet.com, aimed at hstgw01 (which we know from above is
>> what did the bouncing). Past here it's garbage...
>>
>>> Received: from unknown (HELO da001d2020.lax-ca.osd.concentric.net)
>>> (194.29.209.49) by f64.law4.hotmail.com with QMQP; Jul, 08 2002
>>> 9:27:17 PM +0300
>>
>> Huh? Hotmail? BS. QMQP? Not likely. +0300? Doubtful. This doesn't
>> chain with the later (i.e. above) Received headers AND the unlikely
>> timezone and protocol are a known spamsign. QMQP is real, but you won't
>> see it outside of QMail installations, and Hotmail doesn't use QMail
>> anyway. Or have servers in the Middle East/Eastern Europe/East Africa.
>>
>> The nail in the coffin is that MTAs don't put AM/PM into Received
>> headers.
>>
>>> Received: from [203.186.145.225] by hotmail.com (3.2) with ESMTP id
>>> MHotMailBE7297E1009B400437E7CBBA91E10D0B0; Jul, 08 2002 8:05:23 PM
>>> -0000
>>> Received: from [176.244.234.14] by smtp-server6.tampabay.rr.com with
>>> local; Jul, 08 2002 7:30:09 PM +0300
>>> Received: from rly-yk04.mx.aol.com ([99.100.131.137]) by rly-
>>> xw01.mx.aol.com with NNFMP; Jul, 08 2002 6:15:10 PM -0700
>>
>> More chaining, protocol, and zone problems. More PMs. NNFMP is a
>> protocol that is proprietary and used only internally at Yahoo. The
>> 'local' protocol is supposed to indicate that a message came from the
>> machine adding the Received header. Plus this message seems to have
>> traveled back in time, with a hand-off at PDT AOL servers (itself iffy)
>> at 2002/07/09:01:15:10 UTC and then showing up about 9 hours earlier in
>> Tampa Bay (the one outside of Baghdad, according to the zone), then
>> hitting some British arm of Hotmail 3:35 later, carrying the Received
>> header that the AOL machines were going to create almost 6 hours into
>> the future. At least, that's what it appears to be if the PMs which
>> MTAs don't use are all correct.
>>
>> IOW: those Received headers are bogus, and not even forged to be
>> minimally believable. This is a demo of rules #1 & #2 of spammers:
>> spammers lie and spammers are profoundly stupid.
>>
>>> Mime-Version: 1.0
>>> X-Mailer: QUALCOMM Windows Eudora Version 5.1
>>> X-Priority: 1 (High)
>>> X-Mimetrack: Itemize by SMTP Server on HSTGW031/IMET(Release 5.0.4
>>> |June 8, 2000) at 07/08/2002 10:33:20 PM, Serialize by Router on
>>> HSTGW031/IMET(Release 5.0.4 |June 8, 2000) at 07/08/2002 10:33:41 PM,
>>> Serialize complete at 07/08/2002 10:33:41 PM
>>> Message-Id: <[EMAIL PROTECTED]>
>>> Content-Type: multipart/report; report-type=delivery-status;
>>> boundary="==IFJRGLKFGIR62893UHRUHIHD"
>>>
>>> Your message
>>>
>>> Subject: OUR LAST PICK WENT UP 47% IN JUST 2
>>> DAYS--------------------13593 kbqqn
>>>
>>> was not delivered to:
>>>
>>> [EMAIL PROTECTED]
>>>
>>> because:
>>>
>>> User mjohnston ([EMAIL PROTECTED]) not listed in public
>>> Name & Address Book
>>>
>>> Reporting-MTA: dns;hstgw031.intermet.com
>>
>> That tells you where to split those Received headers into original
>> message and bounce paths.
>>
>> -- Bill Cole [EMAIL PROTECTED]
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>> the mailing list <[EMAIL PROTECTED]>.
>> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
>> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
>> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
>> Send administrative queries to <[EMAIL PROTECTED]>
>
> --
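As an added example, not code from the original thread or from anyone posting in it, here is a Python script that mechanizes the checks Bill Cole performs by hand above: whether each Received header's "from" host matches the "by" host of the header above it, AM/PM in timestamps, protocol tokens (QMQP, NNFMP) that only appear inside one vendor's network, "with local" on a hop that names a remote sender, and timestamps that run backwards. The input is the set of Received headers quoted in the thread, rejoined into one string each and listed newest first; the 15-minute clock-skew tolerance and the names SAMPLE_RECEIVED, parse_hop and analyze are my own choices, not anything from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the Received: lines quoted in the thread, rejoined and
# listed newest first, the order they appear in the bounce. Addresses stay
# redacted as on the page.
SAMPLE_RECEIVED = [
    "from fw251.intermet.com ([204.146.63.251] verified) by milepost1.com "
    "(Stalker SMTP Server 1.8b8) with SMTP id S.0001112311 "
    "for <[EMAIL PROTECTED]>; Mon, 08 Jul 2002 19:37:33 -0700",
    "from hstgw031.intermet.com by fw251.intermet.com via smtpd "
    "(for user-vc8fec8.biz.mindspring.com [216.135.185.136]) with SMTP; "
    "9 Jul 2002 02:37:30 UT",
    "from firewall.intermet.com ([10.250.0.2]) by hstgw031.intermet.com "
    "(Lotus Domino Release 5.0.4) with SMTP id 2002070822331807:6974 ; "
    "Mon, 8 Jul 2002 22:33:18 -0400",
    "from h162-040-098-242.adsl.navix.net ([162.40.98.242]) by "
    "firewall.intermet.com via smtpd (for hstgw031.intermet.com [10.1.0.31]) "
    "with SMTP; 9 Jul 2002 02:37:10 UT",
    "from unknown (HELO da001d2020.lax-ca.osd.concentric.net) (194.29.209.49) "
    "by f64.law4.hotmail.com with QMQP; Jul, 08 2002 9:27:17 PM +0300",
    "from [203.186.145.225] by hotmail.com (3.2) with ESMTP id "
    "MHotMailBE7297E1009B400437E7CBBA91E10D0B0; Jul, 08 2002 8:05:23 PM -0000",
    "from [176.244.234.14] by smtp-server6.tampabay.rr.com with local; "
    "Jul, 08 2002 7:30:09 PM +0300",
    "from rly-yk04.mx.aol.com ([99.100.131.137]) by rly-xw01.mx.aol.com "
    "with NNFMP; Jul, 08 2002 6:15:10 PM -0700",
]

# 'with' tokens an internet-facing MTA should never write (from the analysis).
INTERNAL_ONLY = {"qmqp": "qmail-internal", "nnfmp": "Yahoo-internal"}
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# Deliberately tolerant: RFC 2822 dates, a bare "UT" zone and the spammer's
# "Jul, 08 2002 9:27:17 PM +0300" form all parse onto one timeline.
DATE_RE = re.compile(
    r"(?:(?P<d1>\d{1,2})\s+(?P<m1>[A-Za-z]{3})|(?P<m2>[A-Za-z]{3}),?\s+(?P<d2>\d{1,2}))"
    r"\s+(?P<y>\d{4})\s+(?P<h>\d{1,2}):(?P<mi>\d{2}):(?P<s>\d{2})"
    r"\s*(?P<ampm>[AP]M)?\s*(?P<tz>[+-]\d{4}|UTC?|GMT)?")


def parse_hop(header):
    """Split one Received: line into from-host, by-host, protocol, UTC time."""
    clause, _, stamp = header.rpartition(";")
    m_from = re.match(r"from\s+(\S+)", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    m_with = re.search(r"\bwith\s+(\S+)", clause)
    hop = {"from": m_from.group(1).strip("[]").lower() if m_from else None,
           "by": m_by.group(1).lower() if m_by else None,
           "with": m_with.group(1).lower() if m_with else None,
           "ampm": bool(re.search(r"\b[AP]M\b", stamp)),
           "utc": None}
    d = DATE_RE.search(stamp)
    if d:
        hour = int(d.group("h"))
        if d.group("ampm"):  # 12-hour clock: 12 AM -> 0, 9 PM -> 21
            hour = hour % 12 + (12 if d.group("ampm") == "PM" else 0)
        local = datetime(int(d.group("y")),
                         MONTHS[(d.group("m1") or d.group("m2")).lower()],
                         int(d.group("d1") or d.group("d2")),
                         hour, int(d.group("mi")), int(d.group("s")))
        tz = d.group("tz") or "+0000"  # "UT"/"GMT" mean zero offset
        offset = (timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
                  if tz[0] in "+-" else timedelta())
        hop["utc"] = local + offset if tz[0] == "-" else local - offset
    return hop


def analyze(received, skew=timedelta(minutes=15)):
    """Walk the hops newest to oldest. Report the first hop whose 'by' host is
    not the 'from' host of the hop above it (everything from there down was
    supplied by the sender, not a relay) plus the per-hop spam signs."""
    hops = [parse_hop(h) for h in received]
    flags, chain_break = [], None
    for i, hop in enumerate(hops):
        if hop["ampm"]:
            flags.append((i, "AM/PM in timestamp"))
        if hop["with"] in INTERNAL_ONLY:
            flags.append((i, f"protocol {hop['with'].upper()} is {INTERNAL_ONLY[hop['with']]}"))
        if hop["with"] == "local" and hop["from"] and hop["from"] != hop["by"]:
            flags.append((i, "'with local' yet names a remote 'from' host"))
        if i + 1 < len(hops):
            older = hops[i + 1]
            if chain_break is None and hop["from"] != older["by"]:
                chain_break = i + 1
            if (hop["utc"] is not None and older["utc"] is not None
                    and hop["utc"] < older["utc"] - skew):
                flags.append((i, f"stamped {older['utc'] - hop['utc']} before the hop below it"))
    return {"chain_break_at": chain_break, "flags": flags}


if __name__ == "__main__":
    report = analyze(SAMPLE_RECEIVED)
    print("genuine hops: 0 ..", report["chain_break_at"] - 1)
    print(*(f"hop {i}: {r}" for i, r in report["flags"]), sep="\n")
```

On the sample, the chain breaks at hop 4 (the navix.net ADSL host that handed the message to firewall.intermet.com is the real origin, and the Hotmail/Tampa Bay/AOL headers below it were carried in by the sender), which is the same line the analysis draws with "Past here it's garbage". Every flag the script raises lands on hops 4 to 7, and the four genuine hops raise none even though the Domino clock is a few minutes behind the firewall's, which is why a skew tolerance belongs in any such check.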
