[Declude.JunkMail] Bounce / Spoof Analysis Help Please

2007-03-16 Thread Robert Grosshandler
Hi

We're seeing bounce messages similar to the following.  I don't think our
server has been compromised, but I want to be sure.  We legitimately send
mail from 208.100.26.91, but I think (hope) its appearance in the following
is spoofed.



--l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
The original message was received at Fri, 16 Mar 2007 08:55:31 -0400 (EDT)

   - The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
(reason: 550 5.7.1 Unable to relay for [EMAIL PROTECTED])
   - Transcript of session follows -
... when talking to ahrc00bh0106287.nae.ds.army.mil. while trying to contact
hrcmail.hoffman.army.mil.:
 DATA
 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
550 5.1.1 [EMAIL PROTECTED]... User unknown
 554 5.5.2 No valid recipients

--l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
Content-Type: message/delivery-status

Reporting-MTA: dns; hrcpro21.hoffman.army.mil
Arrival-Date: Fri, 16 Mar 2007 08:55:31 -0400 (EDT)

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Remote-MTA: DNS; hrcmail.hoffman.army.mil
Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for
[EMAIL PROTECTED]
Last-Attempt-Date: Fri, 16 Mar 2007 08:55:34 -0400 (EDT)


--l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
Content-Type: message/rfc822

Return-Path: [EMAIL PROTECTED]
Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl
[89.78.68.55])
by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;
Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
Received: from 208.100.26.91 (HELO smtp.igive.com)
 by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
 id JLM3A5-)G'4.A-M/
 for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060
From: Effie Drummond
To: [EMAIL PROTECTED]
Subject: Choosing Online Pharmacy.
Date: Fri, 16 Mar 2007 12:55:33 -0060
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000_000E_01C767D2.C434B490
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Importance: Normal
X-Antivirus: avast! (VPS 000724-0, 2007-03-15), Outbound message
X-Antivirus-Status: Clean
x-scc-prev-hop: 89.78.68.55




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please

2007-03-16 Thread Colbeck, Andrew
You're safe, Robert.

I've seen this part in spam sent to my domain for about a year:

 Received: from 208.100.26.91 (HELO smtp.igive.com)
  by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
  id JLM3A5-)G'4.A-M/

The gibberish in the received block is a definite spam signature and
is entirely fake.  The army isn't going to be breaking down your door
and making you eat this spam.

Andrew 8)

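A way to check this mechanically, as an added example that is not from the thread or from Declude: walk the Received chain top-down, believe only hops stamped by an MTA you trust (assumed here to be hrcpro21.hoffman.army.mil), and flag the tell-tales Andrew points at in the forged hop (untrusted "by" host, junk in the queue id and the "with" comment, and the impossible "-0060" offset). The two Received lines are the ones quoted in the bounce above.

```python
import re

# Received headers copied from the bounce quoted in this thread, in header
# order (top = the bouncing MTA's own hop, bottom = the hop the spammer forged).
RECEIVED = [
    "from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl [89.78.68.55])"
    " by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;"
    " Fri, 16 Mar 2007 08:55:31 -0400 (EDT)",
    "from 208.100.26.91 (HELO smtp.igive.com) by hoffman.army.mil with esmtp"
    " (9(A'R/,ZVN :36=Q+) id JLM3A5-)G'4.A-M/ for [EMAIL PROTECTED];"
    " Fri, 16 Mar 2007 12:55:33 -0060",
]
TRUSTED_BY = {"hrcpro21.hoffman.army.mil"}  # assumption: the only hop we believe
OUR_IPS = {"208.100.26.91"}                 # the address Robert really sends from

ID_OK = re.compile(r"^[A-Za-z0-9._\-]+$")   # what a real queue id looks like
TZ_RE = re.compile(r"([+-])(\d{2})(\d{2})\s*(?:\(|$)")

def suspicious_reasons(line):
    """Return the reasons one Received line looks forged (empty list = fine)."""
    reasons = []
    by = re.search(r"\bby\s+(\S+)", line)
    if not by or by.group(1) not in TRUSTED_BY:
        reasons.append("by-host is not one of our trusted MTAs")
    ident = re.search(r"\bid\s+([^\s;]+)", line)
    if ident and not ID_OK.match(ident.group(1)):
        reasons.append("queue id contains junk characters")
    comment = re.search(r"\bwith\s+\S+\s+\(([^)]*)\)", line)
    if comment and not re.match(r"^[\w .\-/]*$", comment.group(1)):
        reasons.append("gibberish in the 'with' comment")
    tz = TZ_RE.search(line)
    if tz and (int(tz.group(2)) > 14 or int(tz.group(3)) > 59):
        reasons.append("impossible timezone offset")
    return reasons

def analyze(received):
    """Walk the chain top-down; stop believing anything below the first bad hop."""
    result = {"origin_ip": None, "forged": [], "our_ip_trusted": False}
    for line in received:
        reasons = suspicious_reasons(line)
        if reasons:
            result["forged"].append((line[:40], reasons))
            break  # hops below a forged one are whatever the spammer typed
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)  # IP the MTA saw
        if ip:
            result["origin_ip"] = ip.group(1)  # last trusted 'from' = real injector
            result["our_ip_trusted"] |= ip.group(1) in OUR_IPS
    return result

if __name__ == "__main__":
    print(analyze(RECEIVED))
```

For this bounce the real injector is 89.78.68.55 (the chello.pl host) and 208.100.26.91 appears only below the forged hop, which is exactly the "your IP is spoofed, not compromised" conclusion.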



RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please

2007-03-16 Thread Robert Grosshandler
Many thanks.