OT: got spam today that fooled Spamcop reporting
DNSAdmin
dnsadmin at 1BIGTHINK.COM
Fri Jan 30 17:01:22 GMT 2004
At 08:55 AM 1/30/2004 -0500, you wrote:
>Gang,
> I got a spam today from 166.90.145.153 that I sent off to
>spamcop for reporting. When I got the response back and went
>to the SpamCop link, its software had deduced that *my* mail
>server was the spam source, not 166.90.145.153. I looked at
>the mail headers and found:
>
> From jaearick at colby.edu Fri Jan 30 06:40:02 2004 -0500
> Return-Path: <qsmj at ydrfcp.makeup-site.info>
> Received: from hqbzdctu.makeup-site.info ([166.90.145.153])
> by basalt.colby.edu (8.12.11/8.12.11/1.48') with ESMTP id
> i0UBdtTk029229
> for <jaearick at colby.edu>; Fri, 30 Jan 2004 06:39:56 -0500 (EST)
>
>Ok so far, it agrees with my syslogs. Then the bogosity begins:
>
> Resent-Date: Fri, 30 Jan 2004 06:39:55 -0500 (EST)
> Resent-From: qsmj at ydrfcp.makeup-site.info
> Resent-Message-Id: <200401301139.i0UBdtTk029229 at basalt.colby.edu>
> Received: from basalt.colby.edu (137.146.210.56)
> by hqbzdctu.makeup-site.info with SMTP id CLQ8TSZ8TN7; Fri, 30 Jan 2004
> 06:30:30 -0400
> Received: from nfgwb.makeup-site.info (HELO nfgwb) (172.16.78.185)
> by basalt.colby.edu with SMTP; Fri, 30 Jan 2004 06:30:30 -0400
> Reply-To: <qsmj at ydrfcp.makeup-site.info>
> From: "Elizabeth" <qsmj at ydrfcp.makeup-site.info>
>
>Hmmm. The bottom-most IP (172.16.78.185) is an IANA reserved number so
>Spamcop throws it away. The next number up is 137.146.210.56, my
>mail server, so SpamCop locks onto that and says that my mail server
>sent the spam. Not so. There is no msgid CLQ8TSZ8TN7 in my syslogs.
>In fact it isn't even the right number of characters since my server
>runs sendmail 8.12.11. This header is totally forged.
--SNIP--
>Jeff Earickson
>Colby College
Hi Jeff,
Feel free to block that IP. No RDNS on it, and Level3 has whole 'C' blocks
that they protect for spammers.
I hate Level3 for that!
Anyone: If you are on Level3 Networks, you support spammers. Take your
business elsewhere!
Cheers!
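
The header analysis in the quoted message, worked as an added example (not code from the post, SpamCop, or MailScanner): walk the Received chain newest-first and stop at the first peer that is not one of your own relays, since every line below that hop was supplied by the sender. The names `TRUSTED_HOSTS`, `TRUSTED_IPS`, `find_source` and `claims_about_us` are assumptions; the sample headers are the ones quoted above, with the wrapped lines rejoined.

```python
import re
from email import message_from_string

# Headers as quoted in the post (addresses kept in the archive's "at" form).
RAW = """\
Return-Path: <qsmj at ydrfcp.makeup-site.info>
Received: from hqbzdctu.makeup-site.info ([166.90.145.153])
\tby basalt.colby.edu (8.12.11/8.12.11/1.48') with ESMTP id i0UBdtTk029229
\tfor <jaearick at colby.edu>; Fri, 30 Jan 2004 06:39:56 -0500 (EST)
Received: from basalt.colby.edu (137.146.210.56)
\tby hqbzdctu.makeup-site.info with SMTP id CLQ8TSZ8TN7; Fri, 30 Jan 2004 06:30:30 -0400
Received: from nfgwb.makeup-site.info (HELO nfgwb) (172.16.78.185)
\tby basalt.colby.edu with SMTP; Fri, 30 Jan 2004 06:30:30 -0400
From: "Elizabeth" <qsmj at ydrfcp.makeup-site.info>

body
"""

TRUSTED_HOSTS = {"basalt.colby.edu"}   # assumption: MTAs whose stamps we trust
TRUSTED_IPS = {"137.146.210.56"}       # assumption: our own relay addresses
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def find_source(raw, trusted_hosts=TRUSTED_HOSTS, trusted_ips=TRUSTED_IPS):
    """Walk Received headers newest-first; return (source_ip, untrusted_hops)."""
    hops = [" ".join(h.split())          # unfold continuation lines
            for h in message_from_string(raw).get_all("Received", [])]
    for i, hop in enumerate(hops):
        from_part, _, by_part = hop.partition(" by ")
        by_host = by_part.split()[0].lower() if by_part else ""
        if by_host not in trusted_hosts:
            return None, hops[i:]        # not stamped by us: nothing to rely on
        m = IP_RE.search(from_part)
        peer = m.group(1) if m else None
        if peer not in trusted_ips:
            return peer, hops[i + 1:]    # everything below is sender-supplied
    return None, []

def claims_about_us(untrusted_hops, names=TRUSTED_HOSTS | TRUSTED_IPS):
    """Sender-supplied Received lines that name our host or IP (forgery hint)."""
    return [h for h in untrusted_hops if any(n in h for n in names)]

if __name__ == "__main__":
    src, below = find_source(RAW)
    print("source:", src)
    print("forged lines naming us:", len(claims_about_us(below)))
```

Because the walk never reads below the trust boundary, the forged line that claims `by basalt.colby.edu` cannot shift the result onto 137.146.210.56.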