Actually, the headers indicated that it was submitted through the lafayette.edu mailers from another domain, using Cliff's email address as the originator.
The only way the lafayette mailers could have prevented that would be by using authenticated SMTP submissions or SPF (Sender Policy Framework). Since state universities are generally underfunded, it's unlikely that most of them will have the latest security technologies in place.

I replied to Cliff privately with my cursory diagnosis, letting him know that, although possible, based on header analysis alone, it's unlikely that his email account was hacked, and it is very likely that a spammer has a list of addresses, including his, and is using them with spam software, much like a mail merge.

On Thu, Apr 25, 2013 at 9:10 AM, Joey K Tuttle <[email protected]> wrote:

> Agree, the host for that domain is in Bangkok - the worrisome part is that
> close inspection of the message header indicates it originated from a
> lafayette.edu computer and mail servers.
>
> Hopefully Cliff will see this exchange and find the malware that is
> pretending to be him...
>
> On 2013/04/25 08:53 , Dan Bron wrote:
>
>> Raul wrote:
>>
>>> A quick peek at [link from Cliff's email account]
>>> (using lynx and wget) suggests malware.
>>
>> Probably better not to propagate the link, then. I didn't receive the first
>> message (must have been caught by my spam filter), but I got yours, quoting
>> it, including the suspicious URL.
>>
>> -Dan

----------------------------------------------------------------------
For information about J forums see http://www.jsoftware.com/forums.htm
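The header check this thread turns on (did the message enter the sender domain's mail servers from a host inside that domain or from outside it) can be done mechanically. The following is an added example, not part of any poster's message; the sample message, `example.edu`, the host names, the addresses and the function names are all constructed, and the regex assumes the common Postfix/sendmail-style `Received` layout.

```python
import re
from email import message_from_string

# Constructed sample, not the message from the thread. example.edu stands in
# for the apparent sender's domain; every host and address is a placeholder.
SAMPLE = """\
Received: from mx.list.example.org (mx.list.example.org [192.0.2.10])
\tby inbox.example.net with ESMTP; Thu, 25 Apr 2013 08:40:02 -0400
Received: from mail2.example.edu (mail2.example.edu [198.51.100.7])
\tby mx.list.example.org with ESMTP; Thu, 25 Apr 2013 08:40:01 -0400
Received: from dsl-host.isp.example.com (unknown [203.0.113.45])
\tby mail2.example.edu with SMTP; Thu, 25 Apr 2013 08:39:58 -0400
From: Sender <sender@example.edu>
Subject: constructed sample

body
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving server>"
# The HELO name is chosen by the client; the reverse DNS name and IP in
# parentheses are what the receiving server itself observed.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*"
                 r"\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def entry_hop(raw, domain):
    """Return the hop where the message entered `domain`'s mail servers."""
    msg = message_from_string(raw)
    # Received headers are listed newest first; lines older than the first
    # server you trust can be forged, so scan from the newest hop downward.
    hops = [m for v in msg.get_all("Received", []) if (m := HOP.search(v))]
    inside = [h for h in hops if in_domain(h["by"], domain)]
    if not inside:
        return None  # the message never passed through that domain's servers
    for h in inside:
        if not in_domain(h["rdns"], domain):  # client host is outside the domain
            return {"server": h["by"], "client_ip": h["ip"],
                    "client_name": h["rdns"], "external": True}
    h = inside[-1]  # every client was internal: report the oldest hop
    return {"server": h["by"], "client_ip": h["ip"],
            "client_name": h["rdns"], "external": False}

if __name__ == "__main__":
    print(entry_hop(SAMPLE, "example.edu"))
```

An `external` result of `True` matches the "submitted through the domain's mailers from another domain" reading; `False` matches the "originated from a computer in that domain" reading.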
