On Fri, Feb 10, 2017 at 11:56:02AM -0600, Andrew Latham wrote:
> On a great many mailing lists, Suresh is spot on as this looks more like
> infected user but headers would be good.
Here are a couple recent specimens that appear to fit this pattern:
--------------------------------------------------------
Received: from route-level2.fsdata.se (route-level2.fsdata.se [89.221.252.217])
by taos.firemountain.net (8.15.1/8.14.9) with ESMTPS id v190EnHs001330
(version=TLSv1 cipher=AES128-SHA bits=128 verify=NO)
for <[email protected]>; Wed, 8 Feb 2017 19:15:01 -0500 (EST)
From: <[email protected]>
To: Jon Lewis <[email protected]>, jamie rishaw <[email protected]>,
Michael Thomas
<[email protected]>, Rich Kulawiec <[email protected]>
Subject: =?utf-8?B?d2hhdCBhIG5pY2Ugc3VycHJpc2U=?=
Date: Wed, 8 Feb 2017 19:14:20 -0500
Message-ID: <[email protected]>
--------------------------------------------------------
--------------------------------------------------------
Received: from mcegress-14-lw-3.correio.biz (mcegress-14-lw-3.correio.biz
[191.252.14.3])
by taos.firemountain.net (8.15.1/8.14.9) with ESMTP id v0B5dsb7001374
for <[email protected]>; Wed, 11 Jan 2017 00:40:06 -0500 (EST)
From: "Mikael Abrahamsson" <[email protected]>
To: "John Curran" <[email protected]>,
"Paul Graydon"
<[email protected]>,
"Rich Kulawiec" <[email protected]>, "Seth Mattinen" <[email protected]>
Subject: =?utf-8?B?ZmFudGFzdGljIHBsYWNl?=
Date: Wed, 11 Jan 2017 01:38:43 -0400
Message-ID: <[email protected]>
--------------------------------------------------------
---rsk
