Title: Message

Received: from 66.38.133.97 [200.252.69.131] by mail.bentall.com
  (SMTPD32-8.02) id A3E5113000F4; Wed, 17 Sep 2003 10:03:33 -0700
Received: from [73.250.175.174]
        by 66.38.133.97 with SMTP
        for <snip>; Wed, 17 Sep 2003 06:00:29 +0000
Message-ID: <[EMAIL PROTECTED]>
From: "Sheldon Barton" <[EMAIL PROTECTED]>
Reply-To: "Sheldon Barton" <[EMAIL PROTECTED]>
To: <snip>, <snip>, <snip>, <snip>, <snip>, <snip>
Subject: can you please her?
Date: Wed, 17 Sep 03 06:00:29 GMT
X-Mailer: mnhjklop
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="E.F961FB6_.FD28E2.7305.B"
X-Priority: 3
X-MSMail-Priority: Normal

Now that is interesting.  The miscreant address 200.252.69.131 is apparently an open proxy.  What is interesting about this message is the forgery of the headers.  The 66.38.133.97 name is bogus, the spammer is using my mail server's address as their hostname.  The 73.250.175.174 address is either a deliberate forgery or an internal address of the open proxy, because it is a non-routable address reserved by IANA.

Also note the bogus X-Mailer name.  The X-MS-Mail-Priority header, on the other hand, either gives away that the source was part of the Microsoft Outlook family, or is another forgery.

Based on the number of ip4r tests the source address was in, plus the COUNTRY routing, plus the obfuscation, plus the reply-to address, this message easily reached my HOLD weight, which makes the effort to forge the headers so remarkable!

Andrew 8)
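As an added example (not part of Andrew's post), the following Python script makes the two forgery indicators he describes mechanically checkable: a HELO name that impersonates the recipient's own MTA address, and a sender-supplied hop that claims that MTA as its relay. The sample message is constructed from the quoted headers with placeholder mailboxes; the trusted-MTA set, the weights and the HOLD threshold are assumptions.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample reproducing the forged Received chain quoted in the post.
# IP addresses are those in the post; mailbox names are placeholders.
RAW_MESSAGE = """\
Received: from 66.38.133.97 [200.252.69.131] by mail.bentall.com
  (SMTPD32-8.02) id A3E5113000F4; Wed, 17 Sep 2003 10:03:33 -0700
Received: from [73.250.175.174]
        by 66.38.133.97 with SMTP
        for <recipient@example.invalid>; Wed, 17 Sep 2003 06:00:29 +0000
From: "Sheldon Barton" <sender@example.invalid>
Subject: can you please her?
X-Mailer: mnhjklop

body
"""

OUR_MTA = {"66.38.133.97", "mail.bentall.com"}  # assumed: our own trusted MTA
HOLD_WEIGHT = 5                                   # assumed threshold

HOP_RE = re.compile(r"from\s+\[?([\w.\-]+)\]?(?:\s+\[(\d{1,3}(?:\.\d{1,3}){3})\])?\s+by\s+(\S+)")

def parse_received(raw):
    """Return one (claimed_from, connecting_ip, by_host) per Received header, top first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            hops.append(m.groups())
    return hops

def is_non_global_ip(token):
    try:
        return not ipaddress.ip_address(token).is_global
    except ValueError:
        return False  # a hostname, not an address

def score_received_chain(raw, our_mta=OUR_MTA):
    """Weight the header-forgery indicators; only the top hop (ours) is trusted."""
    findings, hops = [], parse_received(raw)
    if not hops:
        return 0, findings
    claimed, real_ip, _ = hops[0]
    if real_ip and claimed != real_ip and claimed in our_mta:
        findings.append(("helo_impersonates_our_mta", 3))
    for claimed, _, by_host in hops[1:]:  # sender-supplied hops, forgeable wholesale
        if by_host in our_mta:
            findings.append(("forged_hop_claims_our_mta_as_relay", 3))
        if is_non_global_ip(claimed):  # 73/8 was IANA-reserved in 2003 but is
            findings.append(("non_routable_source", 2))  # allocated today, so not flagged
    return sum(w for _, w in findings), findings
```

Running it on the sample yields a score of 6, above the assumed HOLD weight, from the two header-forgery findings alone.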
