Re: scam warning (FW: IMPORTANT)
On Fri, Jan 04, 2002 at 12:50:58AM -0800, Karsten M. Self wrote:
| on Thu, Jan 03, 2002 at 05:26:37PM -0500, dman (dsh8290@rit.edu) wrote:
| >
| > I just got this message. Looks like the scammers are getting smarter
| > -- sent directly to me with no trail in the Received: headers (all the
| > received headers are my school accounts forwarding to other school
| > accounts and eventually to my house). Just beware :-).
|
| It's a spoofed origin packet. It appears to find a host on your network
| and claim to be coming from it, when in fact it's not. In your case and
| mine, the host is the primary MX server for the domain (mine came
| through mx00.ix.netcom.com). I got the same spam.
| > ----- Forwarded message from james langa <james100nig@yahoo.com> -----
| >
| > Received: from pony-express.cs.rit.edu ([129.21.30.24])
| > by localhost with esmtp (Exim 3.33 #1 (Debian))
| > id 16MGB3-0000i7-00
| > for <dman@dman.ddts.net>; Thu, 03 Jan 2002 17:17:33 -0500
| > Received: from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15])
| > by pony-express.cs.rit.edu (8.9.3/8.9.3) with ESMTP id RAA03543
| > for <dsh8290@cs.rit.edu>; Thu, 3 Jan 2002 17:10:06 -0500 (EST)
| > Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #40294)
| > id <01KCN4HCIEPCD2QKN1@ritvax.isc.rit.edu> for dsh8290@cs.rit.edu
| > (ORCPT rfc822;dsh8290@rit.edu); Thu, 3 Jan 2002 17:10:06 EST
| > Received: from ritvax.isc.rit.edu by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
| > id <01KCN4HCD15UCVGFBS@ritvax.isc.rit.edu> for dsh8290@cs.rit.edu
| > (ORCPT rfc822;dsh8290@rit.edu); Thu, 03 Jan 2002 17:10:05 -0500 (EST)
| > Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
| > id <01KCN4HBECZ4CVH0Z0@ritvax.isc.rit.edu> for dsh8290@ritvax.isc.rit.edu
| > (ORCPT rfc822;dsh8290@rit.edu); Thu, 03 Jan 2002 17:10:04 -0500 (EST)
| > Received: from vmsmx.rit.edu ([64.110.64.19])
| ^^^^^^^^^^^^
| That's not an rit.edu address.
Good catch. I didn't even look at the address. My mail does get
shoved around a couple different servers before it is delivered so I
didn't even notice it.
| Note that the "Received:" line host is whatever the remote MTA says it
| wants to be.
Yeah.
| A well-tuned mailserver will do some fancy stuff like a reverse
| lookup or auth to see if names match.
|
| Here's your spammer, looks like this Nigeria spam's actually from
| Nigeria:
Interesting. So perhaps we shouldn't blacklist that yahoo address?
-D
--
A)bort, R)etry, D)o it right this time
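The check Karsten describes (comparing what the remote MTA claims in "from ..." against the bracketed IP literal and a reverse lookup) can be done on the Received: chain above. The following is an added example, not code from anyone in this thread. It reproduces the Received: lines from the forwarded message, walks them newest-first to the first hop that entered from outside the institution, and reports why that hop is suspect. It assumes that 129.21.0.0/16 is the institution's own address space and that rit.edu is the trusted domain, and it stands in for a real PTR lookup with a constructed table so it runs offline; in production you would call socket.gethostbyaddr() instead.

```python
"""Walk a Received: chain and flag the first hop that entered from outside."""
import ipaddress
import re

# Received: header bodies copied from the forwarded message above, newest first.
RECEIVED_HEADERS = [
    "from pony-express.cs.rit.edu ([129.21.30.24]) by localhost with esmtp "
    "(Exim 3.33 #1 (Debian)) id 16MGB3-0000i7-00 for <dman@dman.ddts.net>; "
    "Thu, 03 Jan 2002 17:17:33 -0500",
    "from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15]) by pony-express.cs.rit.edu "
    "(8.9.3/8.9.3) with ESMTP id RAA03543 for <dsh8290@cs.rit.edu>; "
    "Thu, 3 Jan 2002 17:10:06 -0500 (EST)",
    "from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #40294) "
    "id <01KCN4HCIEPCD2QKN1@ritvax.isc.rit.edu> for dsh8290@cs.rit.edu",
    "from ritvax.isc.rit.edu by ritvax.isc.rit.edu (PMDF V5.2-32 #41784) "
    "id <01KCN4HCD15UCVGFBS@ritvax.isc.rit.edu> for dsh8290@cs.rit.edu",
    "from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #41784) "
    "id <01KCN4HBECZ4CVH0Z0@ritvax.isc.rit.edu> for dsh8290@ritvax.isc.rit.edu",
    "from vmsmx.rit.edu ([64.110.64.19])",
]

# ASSUMPTION: the institution's own address space and mail domain; adjust per site.
TRUSTED_NETS = [ipaddress.ip_network("129.21.0.0/16")]
TRUSTED_DOMAIN = "rit.edu"

# CONSTRUCTED stand-in for reverse DNS (PTR) so the example runs offline.
# 64.110.64.19 is deliberately absent: no reverse name is known for it here.
PTR_TABLE = {
    "129.21.30.24": "pony-express.cs.rit.edu",
    "129.21.3.15": "vms4.isc.rit.edu",
}

# "from <claimed name> (<rdns name> [<ip>])" or "from <claimed name> ([<ip>])".
# Hops with no IP literal (internal PMDF channels) leave rdns and ip as None.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[\d.]+)\]\))?"
)


def parse_hop(header):
    """Split one Received: body into the claimed name, the MTA's rDNS result and the IP."""
    m = HOP_RE.match(header.strip())
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


def in_trusted_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def classify_hop(hop):
    """Return the reasons a hop looks forged; an empty list means it checks out."""
    reasons = []
    if hop["ip"] is None:
        return reasons  # no IP literal to verify against
    claims_internal = hop["helo"].endswith("." + TRUSTED_DOMAIN)
    if claims_internal and not in_trusted_net(hop["ip"]):
        reasons.append(
            f"claims {hop['helo']} but {hop['ip']} is outside {TRUSTED_DOMAIN} address space"
        )
    ptr = PTR_TABLE.get(hop["ip"])
    if ptr is None:
        reasons.append(f"no reverse DNS for {hop['ip']}")
    elif ptr not in (hop["helo"], hop["rdns"]):
        reasons.append(f"reverse DNS for {hop['ip']} is {ptr}, not {hop['helo']}")
    return reasons


def first_untrusted_hop(headers):
    """Skip hops inside the trusted network; return the first outside hop and its findings."""
    for header in headers:
        hop = parse_hop(header)
        if hop is None or hop["ip"] is None or in_trusted_net(hop["ip"]):
            continue
        return hop, classify_hop(hop)
    return None, []


if __name__ == "__main__":
    hop, reasons = first_untrusted_hop(RECEIVED_HEADERS)
    print("entry hop:", hop)
    for r in reasons:
        print(" -", r)
```

Walking newest-first matters: every hop above the entry point was written by your own servers and can be trusted, while the entry hop's "from" name is just what the remote side said in HELO. Here the walk stops at the vmsmx.rit.edu line and reports that the name claims the trusted domain while 64.110.64.19 is outside its address space and has no reverse name in the table.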