It appears the Sobig.F remailer capabilities are being used. I have
received 4 complaints in the last 2 days about spamming from my dial
pool with headers like these:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: x
Received: (qmail 14974 invoked by uid 88); 24 Sep 2003 03:39:33 -0000
Received: from unknown (HELO 209?144?2?150.dr?tw211.du.argolink.net)
    (209.144.2.150)
    by mail5.safeserver.com with SMTP; 24 Sep 2003 03:39:33 -0000
Received: from [188.207.43.80] by 209_144_2_150.dr_tw211.du.argolink.net
    with ESMTP id
    <940513-87248>; Wed, 24 Sep 2003 05:29:57 +0100
Message-ID: <[EMAIL PROTECTED]>
From: "Donnell Childress" <[EMAIL PROTECTED]>
Reply-To: "Donnell Childress" <[EMAIL PROTECTED]>
To: x
Subject: Fw: x vali-um, xan-ax, am-bien, no dr visit shipped to ur door
    amity z rlq nbw
Date: Wed, 24 Sep 03 05:29:57 GMT
X-Mailer: eGroups Message Poster
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="0_.FCE6ED9E.C"
X-Priority: 3
X-MSMail-Priority: Normal

Note the first Received line is using one of my dial customers as the
outbound server. (du.argolink.net is the zone I use for my dial
customers.) The HELO string is always the proper PTR hostname, although
it looks like some servers (like the one above) don't like the
underscores (2 of the reports have them correct, 2 have the question
marks).
Thanks,
Chuck Frolick
ArgoNet, Inc.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
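
Added example (not part of the original post or of Declude): one way to triage a complaint like the one above in Python, by unfolding the Received headers, finding the hop where a receiving server recorded a connecting IP inside the dial pool, and comparing the HELO to the pool naming pattern while tolerating the '?' that some receivers substitute for '_'. The pool range 209.144.2.0/24, the function names, and the assumption that the first hostname label spells out the IP octets are illustrative.

```python
import ipaddress
import re

# Constructed sample: the two Received headers quoted in the complaint,
# with continuation lines indented as they would be on the wire.
SAMPLE = (
    "Received: from unknown (HELO 209?144?2?150.dr?tw211.du.argolink.net)\n"
    " (209.144.2.150)\n"
    " by mail5.safeserver.com with SMTP; 24 Sep 2003 03:39:33 -0000\n"
    "Received: from [188.207.43.80] by 209_144_2_150.dr_tw211.du.argolink.net\n"
    " with ESMTP id\n"
    " <940513-87248>; Wed, 24 Sep 2003 05:29:57 +0100\n"
)

POOL_NET = ipaddress.ip_network("209.144.2.0/24")  # assumed dial-pool range
POOL_ZONE = ".du.argolink.net"                     # dial zone named in the post

# qmail-style stamp: from <name> (HELO <helo>) (<connecting ip>) by <receiver>
QMAIL = re.compile(r"from (\S+) (?:\(HELO (\S+)\) )?\(([\d.]+)\) by (\S+)")


def unfold(raw):
    """Join folded header lines (a continuation starts with space or tab)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()


def helo_names_ip(helo, ip):
    """True if HELO is a pool-zone name whose first label spells the IP."""
    # Split on any non-alphanumeric character so '_' and the '?' that
    # some receivers write in its place compare equal.
    first_label = helo.split(".", 1)[0]
    return (helo.lower().endswith(POOL_ZONE)
            and re.split(r"[^0-9A-Za-z]", first_label) == ip.split("."))


def pool_hops(raw):
    """Return hops whose receiver-recorded connecting IP is in the dial pool."""
    hits = []
    for line in unfold(raw):
        m = QMAIL.search(line)
        if not m:
            continue  # line does not record a connecting IP in this format
        remote, helo, ip, receiver = m.groups()
        if ipaddress.ip_address(ip) in POOL_NET:
            hits.append({"ip": ip, "receiver": receiver, "remote": remote,
                         "helo_names_ip": bool(helo) and helo_names_ip(helo, ip)})
    return hits
```

The IP and timestamp from a matching hop are what you would look up in the dial-in accounting logs to identify the customer session.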