On Wed, 17 Mar 1999, Jason Stratos Papadopoulos wrote:
> > As most of you know, Majordomo has always been configured to
> > bounce posts from people who are not subscribed to the list.
> > In the past, this has caught all the spam (and I have saved it
> > all, anybody want copies?)  Well, one spam did get through
> > at the dawn of the Age Of Spam.
> 
> On the heels of this message came another spam. If this pisses you
> off, you can complain to the postmaster at the ISP responsible.
> 
> <header-reading 101>
> 
> Look at the full header of the message, all of it. If you don't normally
> see the full header, use unix mail or configure your reader to show it
> to you.
> 
> The first part is a (possibly large) list of Received: transactions, i.e.
> 
> Received: from acid.base.com (adsl-209-233-24-120.dsl.pacbell.net
>         [209.233.24.120])
>         by po2.glue.umd.edu (8.9.3/8.9.0.Beta6) with ESMTP id DAA20440
>         for <[EMAIL PROTECTED]>; Wed, 17 Mar 1999 03:35:53 -0500 (EST)
> From: [EMAIL PROTECTED]
> Received: (from majordomo@localhost)
>         by acid.base.com (8.8.5/8.8.5) id VAA12996
>         for mersenne-outgoing; Tue, 16 Mar 1999 21:52:01 -0800
> Received: from www.bull.net (www.bull.net [192.90.127.17])
>         by acid.base.com (8.8.5/8.8.5) with ESMTP id VAA12992
>         for <[EMAIL PROTECTED]>; Tue, 16 Mar 1999 21:52:00 -0800
> Received: from pegase.bull.fr (pegase.bull.fr [192.44.49.46]) by
>        www.bull.net (8.8.2/8.8.2) with ESMTP id GAA70746; Wed, 17 Mar 1999
>        06:49:48 +0100
> Received: from dzbull.frdz.bull.fr (dzbull.frdz.bull.fr [129.184.3.21])
>         by pegase.bull.fr (8.9.2/8.9.1) with ESMTP id GAA38362;
>         Wed, 17 Mar 1999 06:35:58 +0100
> 
> It's the last Received: line that's of interest, because that's the
> first server the message was routed through. None of the rest usually
> matters, since spammers bounce messages all over the place to try
> and hide their tracks. Likewise, the Reply-To field is always bogus.
> (Is it becoming clear the sort of people we're dealing with?)
Slight correction: it originated with adsl-209-233-24-120.dsl.pacbell.net,
a dialup connection, with the rest of the headers faked, so it's actually
(in this case) the first of the Received lines that is the correct one.

Remember that it's only for mailers that follow the rules that the last
Received line is the originator; spammers don't follow the rules.

-- 
Henrik Olsen,  Dawn Solutions I/S
URL=http://www.iaeste.dk/~henrik/
Get the rest there.

________________________________________________________________
Unsubscribe & list info -- http://www.scruz.net/~luke/signup.htm
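
Added example, not part of either poster's message: a Received line can only be believed if it was stamped by a server you trust, reached through an unbroken chain of trusted hops from the top, and this sketch walks the headers quoted above on that basis (a generalization of the single case discussed in the thread). The function name, the `my_mta` and `trusted_relays` parameters, and treating 209.233.24.120 as the list relay acid.base.com in the second call are assumptions of the example.

```python
import re
from email import message_from_string

# Received: lines copied from the message quoted above (newest hop first).
RAW = """\
Received: from acid.base.com (adsl-209-233-24-120.dsl.pacbell.net
        [209.233.24.120])
        by po2.glue.umd.edu (8.9.3/8.9.0.Beta6) with ESMTP id DAA20440
        for <[EMAIL PROTECTED]>; Wed, 17 Mar 1999 03:35:53 -0500 (EST)
Received: (from majordomo@localhost)
        by acid.base.com (8.8.5/8.8.5) id VAA12996
        for mersenne-outgoing; Tue, 16 Mar 1999 21:52:01 -0800
Received: from www.bull.net (www.bull.net [192.90.127.17])
        by acid.base.com (8.8.5/8.8.5) with ESMTP id VAA12992
        for <[EMAIL PROTECTED]>; Tue, 16 Mar 1999 21:52:00 -0800
Received: from pegase.bull.fr (pegase.bull.fr [192.44.49.46]) by
       www.bull.net (8.8.2/8.8.2) with ESMTP id GAA70746; Wed, 17 Mar 1999
       06:49:48 +0100
Received: from dzbull.frdz.bull.fr (dzbull.frdz.bull.fr [129.184.3.21])
        by pegase.bull.fr (8.9.2/8.9.1) with ESMTP id GAA38362;
        Wed, 17 Mar 1999 06:35:58 +0100
"""
BY = re.compile(r"\bby\s+(\S+)")
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def last_verified_peer(raw, my_mta, trusted_relays):
    """Return (peer_ip, recorded_by) for the deepest hop that can be believed.

    my_mta: hostname of your own receiving server (assumed honest).
    trusted_relays: {ip: lowercase hostname} of relays whose stamps you accept.
    """
    expected, verified = my_mta.lower(), None
    for value in message_from_string(raw).get_all("Received", []):
        hop = " ".join(value.split())       # unfold continuation lines
        by = BY.search(hop)
        if not by or by.group(1).lower() != expected:
            break                           # stamped by a host we cannot vouch for
        ip = IP.search(hop[:by.start()])
        if not ip:
            continue                        # local handoff, no network peer recorded
        verified = (ip.group(1), by.group(1))
        expected = trusted_relays.get(ip.group(1))
        if expected is None:
            break                           # everything below is the peer's own claim
    return verified

if __name__ == "__main__":
    print(last_verified_peer(RAW, "po2.glue.umd.edu", {}))
    print(last_verified_peer(RAW, "po2.glue.umd.edu", {"209.233.24.120": "acid.base.com"}))
```

The answer changes with the trust list: with no trusted relays the walk stops at the address recorded by po2.glue.umd.edu, and once the relay at that address is accepted it continues to the peer that relay recorded.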
