Re: scam warning (FW: IMPORTANT)

To: debian-user <debian-user@lists.debian.org>
Subject: Re: scam warning (FW: IMPORTANT)
From: dman <dsh8290@rit.edu>
Date: Fri, 4 Jan 2002 14:32:38 -0500
Message-id: <[🔎] 20020104193238.GB8471@localhost>
Mail-followup-to: debian-user <debian-user@lists.debian.org>
In-reply-to: <[🔎] 20020104005058.Q15949@navel.introspect>
References: <[🔎] 20020103222637.GA2745@localhost> <[🔎] 20020104005058.Q15949@navel.introspect>

On Fri, Jan 04, 2002 at 12:50:58AM -0800, Karsten M. Self wrote:
| on Thu, Jan 03, 2002 at 05:26:37PM -0500, dman (dsh8290@rit.edu) wrote:
| > 
| > I just got this message.  Looks like the scammers are getting smarter
| > -- sent directly to me with no trail in the Received: headers (all the
| > received headers are my school accounts forwarding to other school
| > accounts and eventually to my house).  Just beware :-).
| 
| It's a spoofed origin packet.  It appears to find a host on your network
| and claim to be coming from it, when in fact it's not.  In your case and
| mine, the host is the primary MX server for the domain (mine came
| through mx00.ix.netcom.com).  I got the same spam.
 
| > ----- Forwarded message from james langa <james100nig@yahoo.com> -----
| > 
| > Received: from pony-express.cs.rit.edu ([129.21.30.24])
| > 	by localhost with esmtp (Exim 3.33 #1 (Debian))
| > 	id 16MGB3-0000i7-00
| > 	for <dman@dman.ddts.net>; Thu, 03 Jan 2002 17:17:33 -0500
| > Received: from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15])
| > 	by pony-express.cs.rit.edu (8.9.3/8.9.3) with ESMTP id RAA03543
| > 	for <dsh8290@cs.rit.edu>; Thu, 3 Jan 2002 17:10:06 -0500 (EST)
| > Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #40294)
| >  id <01KCN4HCIEPCD2QKN1@ritvax.isc.rit.edu> for dsh8290@cs.rit.edu
| >  (ORCPT rfc822;dsh8290@rit.edu); Thu, 3 Jan 2002 17:10:06 EST
| > Received: from ritvax.isc.rit.edu by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
| >  id <01KCN4HCD15UCVGFBS@ritvax.isc.rit.edu> for dsh8290@cs.rit.edu
| >  (ORCPT rfc822;dsh8290@rit.edu); Thu, 03 Jan 2002 17:10:05 -0500 (EST)
| > Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
| >  id <01KCN4HBECZ4CVH0Z0@ritvax.isc.rit.edu> for dsh8290@ritvax.isc.rit.edu
| >  (ORCPT rfc822;dsh8290@rit.edu); Thu, 03 Jan 2002 17:10:04 -0500 (EST)
| > Received: from vmsmx.rit.edu ([64.110.64.19])
|                                  ^^^^^^^^^^^^
| That's not an rit.edu address.  

Good catch.  I didn't even look at the address.  My mail does get
shoved around a couple different servers before it is delivered so I
didn't even notice it.

| Note that the "Received:" line host is whatever the remote MTA says it
| wants to be.

Yeah.

|  A well-tuned mailserver will do some fancy stuff like a reverse
|  lookup or auth to see if names match.
| 
| Here's your spammer, looks like this Nigeria spam's actually from
| Nigeria:

Interesting.  So perhaps we shouldn't blacklist that yahoo address?

-D

-- 

A)bort, R)etry, D)o it right this time

Reply to:

Follow-Ups:
- Re: scam warning (FW: IMPORTANT)
  - From: "Karsten M. Self" <kmself@ix.netcom.com>

References:
- scam warning (FW: IMPORTANT)
  - From: dman <dsh8290@rit.edu>
- Re: scam warning (FW: IMPORTANT)
  - From: "Karsten M. Self" <kmself@ix.netcom.com>

Prev by Date: Re: OT: Language War (Re: "C" Manual)
Next by Date: Re: Debian Lists, USENET & Spam
Previous by thread: Re: scam warning (FW: IMPORTANT)
Next by thread: Re: scam warning (FW: IMPORTANT)
Index(es):
- Date
- Thread