Hi everyone,

I just received one of those emails supposedly from St. George, telling me to log in to their website and update my records. Since I am not a St. George customer, I was a little suspicious :-D

Looking through the email, the scam worked by having a HREF tag containing the real St. George address followed by umpteen spaces (I guess around 160) followed by "[EMAIL PROTECTED]". So even if the mouse hovered over the link, the address displayed in the status bar would still appear correct.

St. George are aware of this, and have a note on their own web page warning people about this hoax.

Anyway, to my question. Just out of curiosity, I wondered if I could work out where this email came from. Here is the relevant data from the header:

Received: from localhost (localhost [127.0.0.1])
    by andrewm.localdomain (8.12.8/8.11.6) with ESMTP id h7KLKhj3005981
    for <[EMAIL PROTECTED]>; Thu, 21 Aug 2003 07:20:44 +1000
X-From_: [EMAIL PROTECTED] Wed Aug 20 22:18:49 2003
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Wed, 20 Aug 2003 22:18:49 +0100
Received: from xxx.freeserve.com [195.92.195.154]
    by localhost with POP3 (fetchmail-6.2.0)
    for [EMAIL PROTECTED] (single-drop); Thu, 21 Aug 2003 07:20:44 +1000 (EST)
Received: from [203.2.192.89] (helo=mta08.mail.mel.aone.net.au)
    by imailg2.svr.pol.co.uk with esmtp (Exim 4.14)
    id 19paLw-0000ge-QM
    for [EMAIL PROTECTED]; Wed, 20 Aug 2003 22:18:49 +0100
Received: from [66.26.168.93] by mta08.mail.mel.aone.net.au with SMTP
    id <[EMAIL PROTECTED]>
    for <[EMAIL PROTECTED]>; Thu, 21 Aug 2003 07:18:46 +1000
Date: Thu, 21 Aug 2003 01:19:50 -0400
From: [EMAIL PROTECTED]



The stuff I have xxx'd out is my email accounts.


Now as far as I can tell, mta08.mail.mel.aone.net.au would have to be the starting point in the chain. I presume that this is an OzEmail mail server, since there is nothing else in the list that appears to be OzEmail, and the email in question was sent to my OzEmail account.

Does this mean that the originator sent the email from OzEmail? Or that the OzEmail mail server allows relaying?

Or has the chain been lost somewhere?

Or has SpamAssassin deleted part of the header (I doubt this, because if this was the case, then more of the header should have gone)?

As I said: this is just out of curiosity. Anyone have any thoughts?

Regards, Andrew
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
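
The following Python example is added here and is not part of the original post. It reads the Received lines quoted in the message oldest-first, reports the client address each server recorded, and compares the sender-supplied Date header with the first server timestamp. The function names are this example's own, and the continuation lines are re-indented (an assumption about the original folding) so the parser can join them.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received and Date lines copied from the post; folding whitespace is assumed.
RAW = """\
Received: from localhost (localhost [127.0.0.1])
    by andrewm.localdomain (8.12.8/8.11.6) with ESMTP id h7KLKhj3005981
    for <[EMAIL PROTECTED]>; Thu, 21 Aug 2003 07:20:44 +1000
Received: from xxx.freeserve.com [195.92.195.154]
    by localhost with POP3 (fetchmail-6.2.0)
    for [EMAIL PROTECTED] (single-drop); Thu, 21 Aug 2003 07:20:44 +1000 (EST)
Received: from [203.2.192.89] (helo=mta08.mail.mel.aone.net.au)
    by imailg2.svr.pol.co.uk with esmtp (Exim 4.14)
    id 19paLw-0000ge-QM
    for [EMAIL PROTECTED]; Wed, 20 Aug 2003 22:18:49 +0100
Received: from [66.26.168.93] by mta08.mail.mel.aone.net.au with SMTP
    id <[EMAIL PROTECTED]>
    for <[EMAIL PROTECTED]>; Thu, 21 Aug 2003 07:18:46 +1000
Date: Thu, 21 Aug 2003 01:19:50 -0400

"""

def hops(raw):
    """Return Received hops oldest-first as dicts: from_ip, by, time."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())              # undo header folding
        m = re.search(r"from\s+(.*?)\s+by\s+(\S+)", flat)
        if not m:
            continue
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(1))
        stamp = re.sub(r"\([^)]*\)", "", flat.rsplit(";", 1)[1]).strip()
        out.append({"from_ip": ip.group(1) if ip else None,
                    "by": m.group(2), "time": parsedate_to_datetime(stamp)})
    return out[::-1]  # each server prepends, so the last header is the oldest

def first_external_hop(raw):
    """Oldest hop whose recorded client address is publicly routable."""
    for hop in hops(raw):
        if hop["from_ip"] and ipaddress.ip_address(hop["from_ip"]).is_global:
            return hop
    return None

def date_skew_seconds(raw):
    """Sender-set Date header minus the oldest server timestamp, in seconds."""
    sent = parsedate_to_datetime(message_from_string(raw)["Date"])
    return int((sent - hops(raw)[0]["time"]).total_seconds())
```

Only the lines written by servers the recipient trusts are reliable; anything below the first such line, and the Date header itself, is supplied by the sender.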
