On Thu, 2003-08-28 at 19:05, Anthony Wood wrote:
>  On Fri, Aug 29, 2003 at 08:59:30AM +1000, Anthony Wood wrote:
> > On Thu, Aug 28, 2003 at 10:49:51AM -0400, Bret Comstock Waldow wrote:
> > > On Thu, 2003-08-28 at 02:36, Del wrote:
> > > >  [EMAIL PROTECTED] wrote:
> > > > > during last weekend, I received several hundred of the latest ms
> > > > > 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> > > > > the flow slowed down, just maybe a hundred or so all day, and, I assumed
> > > > > the worst was over, so to speak.
> > > > > 
> > > > > However, between Tuesday and Wed this week, I received in excess of 1,000
> > > > > emails in say 12 hours, and, when I looked at it in the afternoon, I was
> > > > > getting one new mssg every minute.
> > > > 
> > > > I had the same problem.  It was all coming from one machine at
> > > > cornell.edu so I put in a .procmail rule to redirect all mail
> > > > with a header "Received: (from that machine)" line in it back
> > > > to the complaints address I found on their web site (which
> > > > otherwise wasn't responding when I sent them mail asking them
> > > > to fix it).
> > > > 
> > > > After that the flood lasted another 2-3 hours then stopped,
> > > > all by magick.
> > > 
> > > Newbie question here.  Is this definitive?
> > > 
> > > I've read that this virus spoofs the return address, which I understand
> > > to mean the text, but what about the IP chain?
> > > 
> > > I've read in separate articles about "untraceable" spam.  Is this
> > > happening here?
> > > 
> > > If there's a definitive way to be sure of the origin of an email, I'd
> > > like to know that's so, and how to determine it.
> > 
> > When a mail comes into a server, they usually put in a "received"
> > line which nowadays usually reports the IP address of the
> > connecting server and what it says its hostname is.
> > 
> > You can send a mail message with a few received messages of your own like I've 
> > done with this one.
> 
> Sorry, looks like postfix and/or mutt strips it out.  What a responsible program.
> 
> This is what I had:
> 
> > Received: from momandpop.com (cia.whitehouse.gov [4.3.2.1]) by 
> > beast.switchonline.com.au (Postfix) with ESMTP id C08CC53B for
> +<[EMAIL PROTECTED]>; Fri, 29 Aug 2003 08:57:54 +1000 (EST)
> 
> 
> > momandpop.com is what the server said it was, cia.whitehouse.gov is the reverse
> > lookup of the actual ip address sent from (4.3.2.1)

Here's one of mine:

Sender:  [EMAIL PROTECTED]
Received:  from LUCKYLZ ([211.154.93.35]) by siaag1af.compuserve.com
(8.12.9/8.12.7/SUN-2.7) with ESMTP id h7SCxV7X003565 for
<[EMAIL PROTECTED]>; Thu, 28 Aug 2003 08:59:39 -0400 (EDT)

So, [EMAIL PROTECTED] is spoofed, but the originating IP is correct?  Or
just the reporting server siaag1af.compuserve.com?  Does compuserve take
any steps to verify the included sender IP?

Bret

-- 
bwaldow at alum dot mit dot edu
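The questions above (which parts of a Received line the receiving server observed itself, which parts the sender merely claimed, and how a forged Received line is dealt with) can be worked through in code. The following Python is an added example and not something any poster in this thread wrote or ran. It assumes the sendmail/Postfix layout `Received: from HELO (rdns [ip]) by server ...; date` seen in both quoted headers; the recipient addresses are placeholders, and the third header is a constructed forgery of the kind Anthony described inserting.

```python
"""Separate what a receiving MTA observed (connecting IP, its reverse
lookup) from what the sending side merely asserted (HELO name, Sender:).

Added example for the thread above; the two real Received lines are the
ones quoted in the thread with the recipient replaced by a placeholder,
the third one is constructed to stand in for a forged line."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

SAMPLE_HEADERS = [
    # Anthony Wood's test header: the HELO name and reverse DNS disagree.
    "Received: from momandpop.com (cia.whitehouse.gov [4.3.2.1]) by "
    "beast.switchonline.com.au (Postfix) with ESMTP id C08CC53B for "
    "<recipient@example.invalid>; Fri, 29 Aug 2003 08:57:54 +1000 (EST)",
    # Bret's header: no reverse DNS at all, only the observed IP.
    "Received: from LUCKYLZ ([211.154.93.35]) by siaag1af.compuserve.com "
    "(8.12.9/8.12.7/SUN-2.7) with ESMTP id h7SCxV7X003565 for "
    "<recipient@example.invalid>; Thu, 28 Aug 2003 08:59:39 -0400 (EDT)",
]

# Constructed: a plausible-looking hop that the *sender* placed in the
# message before handing it to compuserve. Nothing about it was observed
# by a server we trust.
FORGED_HEADER = (
    "Received: from mail.example.invalid (mail.example.invalid [192.0.2.10]) "
    "by relay.example.invalid (Postfix) with ESMTP id 0000000000 for "
    "<recipient@example.invalid>; Thu, 28 Aug 2003 08:55:00 -0400 (EDT)"
)

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"             # name announced in HELO/EHLO
    r"(?:\s*\((?:(?P<rdns>[^\s\[\]()]+)\s*)?"        # optional reverse-DNS name
    r"\[(?P<ip>[^\]]+)\]\))?"                         # IP seen on the TCP connection
    r"\s+by\s+(?P<by>\S+)"                            # server that wrote this line
)


@dataclass
class ReceivedHop:
    helo: str            # asserted by the client; costs nothing to forge
    ip: Optional[str]    # recorded by the server named in 'by'
    rdns: Optional[str]  # reverse lookup performed by that same server
    by: str              # the server that added this header
    date: Optional[str]


def parse_received(line: str) -> ReceivedHop:
    """Parse one (possibly folded) Received header into its fields."""
    flat = re.sub(r"\r?\n[ \t]+", " ", line.strip())   # unfold continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        raise ValueError(f"unrecognised Received line: {flat!r}")
    date = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return ReceivedHop(m["helo"], m["ip"], m["rdns"], m["by"], date)


def helo_matches_rdns(hop: ReceivedHop) -> bool:
    """True when the client's claimed name agrees with the server's own
    reverse lookup. A mismatch is normal for dial-up hosts, but it is the
    first sign that the HELO name should not be believed."""
    return hop.rdns is not None and hop.helo.lower() == hop.rdns.lower()


def trace_origin(received_lines: List[str], trusted: Set[str]) -> Optional[ReceivedHop]:
    """Walk the chain top-down (newest hop first, as it appears in the
    message). A line is evidence only if the server after 'by' is one we
    trust. The first trusted hop whose connecting peer is *not* trusted is
    where the mail entered our infrastructure; its recorded IP is the best
    available statement of origin. Anything below that hop, including a
    forged Received line, was supplied by the sender and is never read."""
    for line in received_lines:
        hop = parse_received(line)
        if hop.by not in trusted:
            return None           # written by a server we don't control
        peer = hop.rdns or hop.helo
        if peer not in trusted:
            return hop            # boundary hop: peer IP is what we observed
    return None                   # every hop internal; no external origin


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        hop = parse_received(h)
        print(f"{hop.by} saw IP {hop.ip} (rDNS {hop.rdns}); client claimed {hop.helo!r}")
    origin = trace_origin([SAMPLE_HEADERS[1], FORGED_HEADER], {"siaag1af.compuserve.com"})
    print("origin as observed by the trusted relay:", origin.ip if origin else None)
```

In Bret's case the parser yields what he suspected: `Sender:` and the HELO name `LUCKYLZ` are free text chosen by the sending host, while `211.154.93.35` is the address compuserve's server saw the TCP connection arrive from, so it is as reliable as the server that wrote the line. The `trusted` set is the only judgement the caller makes; the forged line is never consulted because the walk stops at the first hop whose peer is outside that set.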

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
