You gotta look at the complete headers. This mail came from a server in Italy, the IP isn't an active assigned one, it may be a dynamic IP, but the host is adhoc.net, as you can see from a traceroute of the IP, 213.152.196.254.
The "text file" mentioned was stripped, because Techserv admin for this list is smart enough to strip all list attachments, thus preserving us from viruses, trojans, etc. At least from ones sent through the list.

The mail spoofs being from a subscriber to the list, [EMAIL PROTECTED], which I think is a subscription set up to keep an archive of the list. Obviously, the mail was designed to make someone who didn't look at the headers think it was from techserv administration. Pretty likely they harvested domains from all mail-archive.com lists.

If you don't get lots of mail like this, count yourself lucky. I get about 500 spams a day, a good amount of phishing mail, and that may be just what this is, attempting to harvest addresses or other information.

The mail did *not* come from the mail-archive, that was spoofed as far as I can tell, i.e., this was false: (envelope-from <[EMAIL PROTECTED]>)

mail-archive.com is a reputable and very large mailing list archive, allowing full search of lists. You can look at it at http://www.mail-archive.com/ Archives of the PEDA list go back a few years there....
At 05:59 AM 6/22/2007, [EMAIL PROTECTED] wrote:
>Return-path: <[EMAIL PROTECTED]>
>Envelope-to: [EMAIL PROTECTED],
> [EMAIL PROTECTED]
>Delivery-date: Fri, 22 Jun 2007 06:04:50 -0400
>Received: from jsp101.midphase.com ([66.225.254.160]:44139)
> by athena.myboxnetplace.com with esmtps (TLSv1:AES256-SHA:256)
> (Exim 4.63)
> (envelope-from <[EMAIL PROTECTED]>)
> id 1I1g0Y-0002hU-M5; Fri, 22 Jun 2007 06:04:50 -0400
>Received: from localhost ([127.0.0.1] helo=jsp101.midphase.com)
> by jsp101.midphase.com with esmtp (Exim 4.63)
> (envelope-from <[EMAIL PROTECTED]>)
> id 1I1fva-0006OZ-AK; Fri, 22 Jun 2007 04:59:42 -0500
>Received: from [213.152.196.254] (helo=mail-archive.com)
> by jsp101.midphase.com with esmtp (Exim 4.63)
> (envelope-from <[EMAIL PROTECTED]>) id 1I1fvW-0006OR-DV
> for [email protected]; Fri, 22 Jun 2007 04:59:39 -0500
>From: [EMAIL PROTECTED]
>To: [email protected]
>Date: Fri, 22 Jun 2007 11:59:38 +0200

____________________________________________________________
You are subscribed to the PEDA discussion forum
To Post messages: mailto:[email protected]
Unsubscribe and Other Options: http://techservinc.com/mailman/listinfo/peda_techservinc.com
Browse or Search Old Archives (2001-2004): http://www.mail-archive.com/[EMAIL PROTECTED]
Browse or Search Current Archives (2004-Current): http://www.mail-archive.com/[email protected]
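The header check described in the post, as an added example that is not part of the original message: it parses the quoted Exim Received chain and flags the hop where the connecting host had no verified reverse-DNS name, so the HELO name is only what the sender claimed. The function names are hypothetical, and the parser assumes Exim's default Received format as seen in these headers.

```python
import re

# The three Received lines quoted in the post (addresses already redacted by the archive).
HEADERS = """\
Received: from jsp101.midphase.com ([66.225.254.160]:44139)
 by athena.myboxnetplace.com with esmtps (TLSv1:AES256-SHA:256)
 (Exim 4.63) (envelope-from <[EMAIL PROTECTED]>)
 id 1I1g0Y-0002hU-M5; Fri, 22 Jun 2007 06:04:50 -0400
Received: from localhost ([127.0.0.1] helo=jsp101.midphase.com)
 by jsp101.midphase.com with esmtp (Exim 4.63)
 (envelope-from <[EMAIL PROTECTED]>)
 id 1I1fva-0006OZ-AK; Fri, 22 Jun 2007 04:59:42 -0500
Received: from [213.152.196.254] (helo=mail-archive.com)
 by jsp101.midphase.com with esmtp (Exim 4.63)
 (envelope-from <[EMAIL PROTECTED]>) id 1I1fvW-0006OR-DV
 for [email protected]; Fri, 22 Jun 2007 04:59:39 -0500
"""

# Exim writes "from <verified-rdns-name> ([ip]...)" when reverse DNS checked out,
# and "from [ip] (helo=<claimed-name>)" when it had no verified host name.
HOP = re.compile(r"from\s+(?P<src>\[[^\]]+\]|\S+)"
                 r"(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return one dict per Received header, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)   # undo header folding
    hops = []
    for line in unfolded.splitlines():
        m = HOP.search(line) if line.lower().startswith("received:") else None
        if not m:
            continue
        src, info = m.group("src"), m.group("info") or ""
        ip = re.search(r"\[([^\]]+)\]", src + " " + info)
        helo = re.search(r"helo=(\S+)", info)
        hops.append({"by": m.group("by"),
                     "rdns": None if src.startswith("[") else src,
                     "ip": ip.group(1) if ip else None,
                     "helo": helo.group(1) if helo else None})
    return hops

def unverified_helo_hops(hops):
    """Hops where the HELO name is only the sender's claim (no verified rDNS)."""
    return [h for h in hops if h["rdns"] is None and h["helo"]]

if __name__ == "__main__":
    for h in unverified_helo_hops(parse_hops(HEADERS)):
        print(f'{h["by"]} accepted mail from {h["ip"]} claiming to be {h["helo"]}')
```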
