here's the whole set of headers from some spam i've got
recently--

        From [EMAIL PROTECTED] Wed Nov 19 10:41:57 2003
        Return-path: <[EMAIL PROTECTED]>
        Envelope-to: [EMAIL PROTECTED]
        Received: from mail by boss.serensoft.com with spam-scanned (Exim 3.35 #1 (Debian))
                id 1AMVOt-00034C-00
                for <[EMAIL PROTECTED]>; Wed, 19 Nov 2003 10:41:57 -0600
        Received: from localhost [127.0.0.1] by boss.serensoft.com
                with SpamAssassin (2.60 1.212-2003-09-23-exp);
                Wed, 19 Nov 2003 10:41:57 -0600
        From: "Odonnell Tommie" <[EMAIL PROTECTED]>
        To: [EMAIL PROTECTED]
        Subject: Re: %RND_UC_CHAR[2-8], rimsky knew where
        Date: Wed, 19 Nov 2003 03:39:43 -0100
        Message-Id: <[EMAIL PROTECTED]>
        X-Spam-Flag: YES
        X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on 
                boss.serensoft.com
        X-Spam-Status: Yes, hits=18.7 required=5.0 tests=BAYES_99,BIZ_TLD,
                FORGED_AOL_HTML,FORGED_MUA_AOL_FROM,HTML_FONTCOLOR_UNKNOWN,
                HTML_FONT_INVISIBLE,HTML_IMAGE_ONLY_10,HTML_MESSAGE,HTML_TITLE_EMPTY,
                MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,
                MISSING_OUTLOOK_NAME,X_MSMAIL_PRIORITY_HIGH,X_PRIORITY_HIGH 
                autolearn=no version=2.60
        X-Spam-Level: ******************
        MIME-Version: 1.0
        Content-Type: multipart/mixed; boundary="----------=_3FBB9D55.C18778B3"

clever subject, eh?

        Subject: Re: %RND_UC_CHAR[2-8], rimsky knew where

normally there's a lot of "received:" headers that can track
back to the original ip -- but this looks like it was sent from
localhost...  eesh!

        Received: from mail by boss.serensoft.com with spam-scanned (Exim 3.35 #1 (Debian))
                id 1AMVOt-00034C-00
                for <[EMAIL PROTECTED]>; Wed, 19 Nov 2003 10:41:57 -0600
        Received: from localhost [127.0.0.1] by boss.serensoft.com
                with SpamAssassin (2.60 1.212-2003-09-23-exp);
                Wed, 19 Nov 2003 10:41:57 -0600

at least message-id implies it came thru yahoo.ca:

        Message-Id: <[EMAIL PROTECTED]>

i don't think i've been hacked (my server is port-forwarded from
behind a clarkconnect.org firewall) -- but how can someone spoof
127.0.0.1 as an originating ip?

-- 
I use Debian/GNU Linux version 3.0;
Linux boss 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i586 unknown
 
DEBIAN NEWBIE TIP #19 from Dave Sherohman <[EMAIL PROTECTED]>
and Will Trillich <[EMAIL PROTECTED]>
:
How do you determine WHICH NETWORK SERVICES ARE OPEN (active)?
Try "netstat -a | grep LISTEN". To see numeric values (instead
of the common names for services using a particular port) then
try "netstat -na" instead. For more info, look at "man netstat".
   Also try "lsof -i" as root. "man lsof" for details.

Also see http://newbieDoc.sourceForge.net/ ...
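Added example (not code from the post or the list): a small Python pass over the quoted Received: chain that unfolds the headers and classifies each hop as a local filter pass (Exim spam-scanned / SpamAssassin), a loopback hop, or an external hop, then reports the earliest hop that actually records a non-loopback address. The sample headers are constructed from the ones quoted above with the address redacted; the 203.0.113.45 hop is a constructed documentation-range address, added only to show what an attributable hop looks like.

```python
import re

# Constructed sample: the two Received: lines quoted in the post, with the
# redacted recipient replaced by a placeholder (not the original message).
POST_HEADERS = """\
Received: from mail by boss.serensoft.com with spam-scanned (Exim 3.35 #1 (Debian))
\tid 1AMVOt-00034C-00
\tfor <redacted@example.invalid>; Wed, 19 Nov 2003 10:41:57 -0600
Received: from localhost [127.0.0.1] by boss.serensoft.com
\twith SpamAssassin (2.60 1.212-2003-09-23-exp);
\tWed, 19 Nov 2003 10:41:57 -0600
X-Spam-Flag: YES
"""

# Constructed: one hop from an RFC 5737 documentation address, as a relaying
# MTA would have recorded it (appended below the local hops, i.e. earlier).
EXTERNAL_HOP = ("Received: from [203.0.113.45] (helo=pc) by boss.serensoft.com\n"
                "\twith esmtp (Exim 3.35 #1 (Debian)) id 1AMVOs-00034A-00;\n"
                "\tWed, 19 Nov 2003 10:41:56 -0600\n")

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw):
    """Join RFC 2822 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def received_hops(raw):
    """Return (kind, ip, header) for each Received: line, most recent hop first."""
    hops = []
    for h in unfold(raw):
        if not h.lower().startswith("received:"):
            continue
        m = IP_RE.search(h)
        ip = m.group(1) if m else None
        low = h.lower()
        if ip is not None and ip.startswith("127."):
            kind = "loopback"      # loopback source: says nothing about the origin
        elif "with spamassassin" in low or "with spam-scanned" in low:
            kind = "local-scan"    # added by the local filter pass, not a network hop
        elif ip is None:
            kind = "no-address"    # nothing attributable recorded
        else:
            kind = "external"
        hops.append((kind, ip, h))
    return hops

def first_external_ip(raw):
    """Earliest (lowest) hop that records a non-loopback address, or None."""
    ext = [ip for kind, ip, _ in received_hops(raw) if kind == "external"]
    return ext[-1] if ext else None
```

On the headers quoted in the post the chain holds only a local-scan hop and a loopback hop, so no external address can be recovered from it.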

