spam -- but no received: headers?
here's the whole set of headers from some spam i've got
recently--
From lkcohlmcbgyw@canada.com Wed Nov 19 10:41:57 2003
Return-path: <lkcohlmcbgyw@canada.com>
Envelope-to: will@serensoft.com
Received: from mail by boss.serensoft.com with spam-scanned (Exim 3.35 #1 (Debian))
        id 1AMVOt-00034C-00
        for <will@serensoft.com>; Wed, 19 Nov 2003 10:41:57 -0600
Received: from localhost [127.0.0.1] by boss.serensoft.com
        with SpamAssassin (2.60 1.212-2003-09-23-exp);
        Wed, 19 Nov 2003 10:41:57 -0600
From: "Odonnell Tommie" <lkcohlmcbgyw@canada.com>
To: info@serensoft.com
Subject: Re: %RND_UC_CHAR[2-8], rimsky knew where
Date: Wed, 19 Nov 2003 03:39:43 -0100
Message-Id: <FARCGWMJAFGVSAHNETQRJN@yahoo.ca>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
        boss.serensoft.com
X-Spam-Status: Yes, hits=18.7 required=5.0 tests=BAYES_99,BIZ_TLD,
        FORGED_AOL_HTML,FORGED_MUA_AOL_FROM,HTML_FONTCOLOR_UNKNOWN,
        HTML_FONT_INVISIBLE,HTML_IMAGE_ONLY_10,HTML_MESSAGE,HTML_TITLE_EMPTY,
        MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,
        MISSING_OUTLOOK_NAME,X_MSMAIL_PRIORITY_HIGH,X_PRIORITY_HIGH
        autolearn=no version=2.60
X-Spam-Level: ******************
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3FBB9D55.C18778B3"
clever subject, eh?
Subject: Re: %RND_UC_CHAR[2-8], rimsky knew where
normally there's a lot of "received:" headers that can track
back to the original ip -- but this looks like it was sent from
localhost... eesh!
Received: from mail by boss.serensoft.com with spam-scanned (Exim 3.35 #1 (Debian))
        id 1AMVOt-00034C-00
        for <will@serensoft.com>; Wed, 19 Nov 2003 10:41:57 -0600
Received: from localhost [127.0.0.1] by boss.serensoft.com
        with SpamAssassin (2.60 1.212-2003-09-23-exp);
        Wed, 19 Nov 2003 10:41:57 -0600
at least message-id implies it came thru yahoo.ca:
Message-Id: <FARCGWMJAFGVSAHNETQRJN@yahoo.ca>
i don't think i've been hacked (my server is port-forwarded from
behind a clarkconnect.org firewall) -- but how can someone spoof
127.0.0.1 as an originating ip?
--
I use Debian/GNU Linux version 3.0;
Linux boss 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i586 unknown
DEBIAN NEWBIE TIP #19 from Dave Sherohman <esper@sherohman.org>
and Will Trillich <will@serensoft.com>
:
How do you determine WHICH NETWORK SERVICES ARE OPEN (active)?
Try "netstat -a | grep LISTEN". To see numeric values (instead
of the common names for services using a particular port) then
try "netstat -na" instead. For more info, look at "man netstat".
Also try "lsof -i" as root. "man lsof" for details.
Also see http://newbieDoc.sourceForge.net/ ...
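An added example, not part of the original post: a Python check that parses the Received: chain from the headers quoted above and reports whether any hop records a non-local address that could be traced. The function names and the re-indented SAMPLE block are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample: Received/Message-Id lines copied from the post, with
# folded continuation lines re-indented so they parse as header folds.
SAMPLE = """\
Return-path: <lkcohlmcbgyw@canada.com>
Received: from mail by boss.serensoft.com with spam-scanned (Exim 3.35 #1 (Debian))
\tid 1AMVOt-00034C-00
\tfor <will@serensoft.com>; Wed, 19 Nov 2003 10:41:57 -0600
Received: from localhost [127.0.0.1] by boss.serensoft.com
\twith SpamAssassin (2.60 1.212-2003-09-23-exp);
\tWed, 19 Nov 2003 10:41:57 -0600
Message-Id: <FARCGWMJAFGVSAHNETQRJN@yahoo.ca>

"""

FROM_BY_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return one dict per Received: header, newest hop first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = FROM_BY_RE.search(flat)
        ip = IP_RE.search(flat)
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2).rstrip(";") if m else None,
                     "ip": ip.group(1) if ip else None})
    return hops

def is_external(hop):
    """True only if the hop records a valid, non-loopback, non-private IP."""
    if not hop["ip"]:
        return False  # no address recorded: nothing to trace from this hop
    try:
        addr = ipaddress.ip_address(hop["ip"])
    except ValueError:
        return False  # malformed address literal
    return not (addr.is_loopback or addr.is_private)

def summarize(raw):
    hops = received_hops(raw)
    external = sum(1 for h in hops if is_external(h))
    return {"hops": len(hops), "external": external, "traceable": external > 0}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A result with `traceable` false means the relay history is simply not in this header block. When SpamAssassin is configured with `report_safe`, it delivers a new report message and carries the original message, with its own Received: headers, as an attachment, which is consistent with the `multipart/mixed` Content-Type shown above.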