Replying to both of youse...

/I/ think that the spammer got the envelope From: section right (in
other words, the SMTP conversation was
From: <[EMAIL PROTECTED]>).

My reason for saying this is the "envelope-sender" message in the
headers.

However, he somehow, in a way I can't quite reproduce, messed up the body
portion in a way that caused the MTA to think it should append the local
hostname. I can talk to my sendmail box and have it change "Billy" to
"[EMAIL PROTECTED]" even if it accepted a From:
<[EMAIL PROTECTED]> in the SMTP conversation. So the spammer
intended the From to look like "Steven <[EMAIL PROTECTED]>" but wound
up with the first MTA's hostname appended to it.

Make sense?

-- 
be - MOS

JAPAN is a WONDERFUL planet -- I wonder if we'll ever reach their level
of COMPARATIVE SHOPPING ...
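As an added example (not code from the list or from any of the posters), a Python check built around Bill's explanation above and the headers John posted: it flags a From: line whose outermost domain is our own gateway while a bracketed address at some other domain sits inside the quoted string, and separately flags a Received: line whose HELO name does not match the connecting host's reverse DNS. The gateway hostname is the thread's; the mail addresses are constructed placeholders.

```python
import re
from email import message_from_string

# Added example, not code from the list. LOCAL_HOSTS (our gateway, from the
# thread) and the sample addresses below are assumptions/placeholders.
LOCAL_HOSTS = {"smtp2.sdccd.cc.ca.us"}
ANGLE_ADDR_RE = re.compile(r"<[^<>\s@]+@([^<>\s]+)>")
# sendmail style "from HELO (rdns [ip]) by ..." once the header is unfolded
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)", re.I)
def appended_local_host(from_value):
    """Our hostname if the MTA tacked it onto a mangled From: line, else None."""
    # Outermost domain is ours, but a bracketed address at some other domain
    # hides inside the quoted string: the exact shape of the thread's From: line.
    outer = from_value.rsplit("@", 1)[-1].strip().rstrip(">").lower()
    inner = {d.lower() for d in ANGLE_ADDR_RE.findall(from_value)}
    if outer in LOCAL_HOSTS and inner and not inner & LOCAL_HOSTS:
        return outer
    return None

def helo_rdns_mismatch(received_value):
    """(helo, rdns) when the HELO name and reverse DNS disagree, else None."""
    m = RECEIVED_RE.match(" ".join(received_value.split()))  # unfold the header
    if not m or not m.group(2):
        return None
    helo, rdns = m.group(1).lower(), m.group(2).lower()
    # last two labels as a crude stand-in for a public-suffix lookup
    base = lambda h: ".".join(h.rstrip(".").split(".")[-2:])
    return (helo, rdns) if base(helo) != base(rdns) else None

def audit(raw_message):
    msg = message_from_string(raw_message)
    findings = {}
    appended = appended_local_host(msg.get("From", ""))
    if appended:
        findings["appended_local_host"] = appended
    for rcvd in msg.get_all("Received", []):
        mismatch = helo_rdns_mismatch(rcvd)
        if mismatch:
            findings["helo_rdns_mismatch"] = mismatch
            break
    return findings
# Constructed sample modelled on the headers John posted; addresses are placeholders.
SAMPLE = """\
Received: from verizon.net (bzq-88-154-142-128.red.bezeqint.net [88.154.142.128])
    by smtp2.sdccd.cc.ca.us (8.13.4/8.13.4) with SMTP id k1D77wwx028734
    for <boss@example.org>; Sun, 12 Feb 2006 23:08:05 -0800 (PST)
    (envelope-from steven@example.net)
From: "Steven"" <steven@example.net>"@smtp2.sdccd.cc.ca.us
"""
```

Run `audit(SAMPLE)` to see both findings on the constructed message; a normally formatted From: or a HELO that agrees with reverse DNS produces none.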
 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Ed Crowley [MVP]
> Sent: Thursday, February 23, 2006 2:53 AM
> To: Exchange Discussions
> Subject: RE: Help with Smtp Header Spoofing
> 
> Why do you think it wasn't put there by the sender?
> 
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!T
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of John Strongosky
> Sent: Wednesday, February 22, 2006 3:00 PM
> To: Exchange Discussions
> Subject: RE: Help with Smtp Header Spoofing
> 
> Bill, thanks for the reply. I've trained my bosses to look at 
> the spam % and find why a piece of email was quarantined or 
> not. What they want to know is, why did our domain get 
> added to the From line, even though it has the Verizon domain 
> in the From line? With our domain there it makes it look like 
> it came from us. Is there any fix for this misformatted From 
> line that you know of?
> 
> john
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of East, Bill
> Sent: Wednesday, February 22, 2006 11:35 AM
> To: Exchange Discussions
> Subject: RE: Help with Smtp Header Spoofing
> 
> So what is it that your bosses want to know? Why it wasn't 
> flagged as spam?
> It almost was, it looks like SpamAssassin flagged it for a 
> couple things and assigned it a likelihood of 13%. But the 
> spammers, I've heard, run their messages through SA before 
> sending them and strip out as much as possible that would trigger it.
> 
> The From address is just goofy, it looks like one of your 
> mail systems saw that it wasn't really valid and tried to fix 
> it by adding your domain after it.
> 
> But it mostly just looks like collateral damage from the spam wars.
> --
> be - MOS
> 
> If you can't write it right, you can't think it right.
>  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
> > Sent: Wednesday, February 22, 2006 11:12 AM
> > To: Exchange Discussions
> > Subject: Help with Smtp Header Spoofing
> > 
> > Hey Everyone,
> > 
> >   Several of my bosses have received similar emails to the one below
> > and now they want to know how it got through our SMTP gateways. Our SMTP
> > gateways are running BSD Unix and sendmail. I believe it has something
> > to do with the way the "From" address was formatted, but I don't know
> > what this type of spoofing is called so I don't know where to start to
> > find out how to stop it...
> > 
> > Any help would be greatly appreciated...
> > 
> > v/r
> > john
> > 
> > Received: from smtp2.sdccd.cc.ca.us ([XX.X.XXX.XX]) by 
> > XXXXXX.sdccd.cc.ca.us with SMTP (Microsoft Exchange Internet Mail 
> > Service Version 5.5.2655.55)
> >     id C7ZCQ6FA; Sun, 12 Feb 2006 23:08:10 -0800
> > Received: from verizon.net (bzq-88-154-142-128.red.bezeqint.net
> > [88.154.142.128])
> >     by smtp2.sdccd.cc.ca.us (8.13.4/8.13.4) with SMTP id
> > k1D77wwx028734
> >     for <[EMAIL PROTECTED]>; Sun, 12 Feb 2006
> > 23:08:05 -0800 (PST)
> >     (envelope-from [EMAIL PROTECTED])
> > Message-Id: <[EMAIL PROTECTED]>
> > From: "Steven"" <[EMAIL PROTECTED]>"@smtp2.sdccd.cc.ca.us
> > To: <[EMAIL PROTECTED]>
> > Subject: Mexican Pharmacy
> > Date: Mon, 13 Feb 2006 09:08:01 -0500
> > Mime-Version: 1.0
> > Content-Type: text/plain; charset=us-ascii
> > X-SDCCD-SPAM: Report=DATE_IN_FUTURE_06_12 1.3, __CT 0, __CT_TEXT_PLAIN
> > 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0
> > X-SDCCD-SPAM: Gauge=XIII
> > X-SDCCD-SPAM: Probability=13%
> >  
> > 
> > _________________________________________________________________
> > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
> > To subscribe: http://e-newsletters.internet.com/discussionlists.html/
> > To unsubscribe send a blank email to
> > [EMAIL PROTECTED]
> > Exchange List admin:    [EMAIL PROTECTED]
> > To unsubscribe via postal mail, please contact us at:
> > Jupitermedia Corp.
> > Attn: Discussion List Management
> > 475 Park Avenue South
> > New York, NY 10016
> > 
> > Please include the email address which you have been contacted with.
> > 
> > 
> 
> 
> 

