On Thu, Aug 28, 2003 at 10:49:51AM -0400, Bret Comstock Waldow wrote:
> On Thu, 2003-08-28 at 02:36, Del wrote:
> >  [EMAIL PROTECTED] wrote:
> > > during last weekend, I received several hundred of the latest ms
> > > 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> > > the flow slowed down, just maybe a hundred or so all day, and, I assumed
> > > the worst was over, so to speak.
> > > 
> > > However, between Tuesday and Wed this week, I received in excess of 1,000
> > > emails in say 12 hours, and, when I looked at it in the afternoon, I was
> > > getting one new mssg every minute.
> > 
> > I had the same problem.  It was all coming from one machine at
> > cornell.edu so I put in a .procmail rule to redirect all mail
> > with a header "Received: (from that machine)" line in it back
> > to the complaints address I found on their web site (which
> > otherwise wasn't responding when I sent them mail asking them
> > to fix it).
> > 
> > After that the flood lasted another 2-3 hours then stopped,
> > all by magick.
> 
> Newbie question here.  Is this definitive?
> 
> I've read that this virus spoofs the return address, which I understand
> to mean the text, but what about the IP chain?
> 
> I've read in separate articles about "untraceable" spam.  Is this
> happening here?
> 
> If there's a definitive way to be sure of the origin of an email, I'd
> like to know that's so, and how to determine it.

When a mail comes into a server, they usually put in a "received"
line which nowadays usually reports the IP address of the
connecting server and what it says its hostname is.

You can send a mail message with a few received messages of your own
like I've done with this one.
momandpop.com is what the server said it was, cia.whitehouse.gov is the
reverse lookup of the actual IP address sent from (4.3.2.1).

cheers,
Woody
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
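
Added example, not part of the original post: a Python sketch of how to read a Received chain so that only the hop stamped by your own server is treated as evidence of origin. The message, mx.example.org, the relay names and the function names are constructed for illustration; only momandpop.com, cia.whitehouse.gov and 4.3.2.1 come from the message above.

```python
import re
from email import message_from_string

# Constructed sample. mx.example.org stands for the receiving server we run;
# the two lower Received lines are sender-supplied text, as described above.
RAW = """\
Received: from momandpop.com (cia.whitehouse.gov [4.3.2.1])
\tby mx.example.org with ESMTP id CONSTRUCTED1; Thu, 28 Aug 2003 11:02:00 -0400
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby momandpop.com with SMTP id CONSTRUCTED2; Thu, 28 Aug 2003 11:01:00 -0400
Received: from desktop (unknown [198.51.100.7])
\tby relay.example.net with SMTP id CONSTRUCTED3; Thu, 28 Aug 2003 11:00:00 -0400
From: someone@example.com
Subject: constructed test

body
"""

# Common sendmail/Postfix layout: from <HELO> (<rDNS> [<IP>]) by <receiver>
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return the Received hops newest-first; unparsable ones are kept raw."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        hops.append(m.groupdict() if m else {"unparsed": value})
    return hops

def trusted_origin(raw, my_relay_ips=frozenset()):
    """Return the hop where the mail entered our own infrastructure.
    The top header was written by our server. We step down only while the
    connecting IP is one of our own relays, because only then was the next
    header also written by us. "by" names are not used: they can be forged."""
    for hop in parse_hops(raw):
        if "ip" not in hop:
            return None          # our own stamp did not parse; do not guess
        if hop["ip"] not in my_relay_ips:
            return hop           # first external connection we observed
    return None

def helo_mismatch(hop):
    """True when the name the client claimed differs from the reverse lookup."""
    return hop["helo"].lower() != hop["rdns"].lower()

if __name__ == "__main__":
    hop = trusted_origin(RAW)
    print(hop["ip"], hop["rdns"], "claimed:", hop["helo"], "mismatch:", helo_mismatch(hop))
```

The IP in that hop is the one fact the receiving server recorded itself; the HELO name, and every Received line below it, is whatever the sender chose to write.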
