On Fri, Aug 29, 2003 at 08:59:30AM +1000, Anthony Wood wrote:
> On Thu, Aug 28, 2003 at 10:49:51AM -0400, Bret Comstock Waldow wrote:
> > On Thu, 2003-08-28 at 02:36, Del wrote:
> > >  [EMAIL PROTECTED] wrote:
> > > > during last weekend, I received several hundred of the latest ms
> > > > 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> > > > the flow slowed down, just maybe a hundred or so all day, and, I assumed
> > > > the worst was over, so to speak.
> > > > 
> > > > However, between Tuesday and Wed this week, I received in excess of 1,000
> > > > emails in say 12 hours, and, when I looked at it in the afternoon, I was
> > > > getting one new mssg every minute.
> > > 
> > > I had the same problem.  It was all coming from one machine at
> > > cornell.edu so I put in a .procmail rule to redirect all mail
> > > with a header "Received: (from that machine)" line in it back
> > > to the complaints address I found on their web site (which
> > > otherwise wasn't responding when I sent them mail asking them
> > > to fix it).
> > > 
> > > After that the flood lasted another 2-3 hours then stopped,
> > > all by magick.
> > 
> > Newbie question here.  Is this definitive?
> > 
> > I've read that this virus spoofs the return address, which I understand
> > to mean the text, but what about the IP chain?
> > 
> > I've read in separate articles about "untraceable" spam.  Is this
> > happening here?
> > 
> > If there's a definitive way to be sure of the origin of an email, I'd
> > like to know that's so, and how to determine it.
> 
> When a mail comes into a server, they usually put in a "received"
> line which nowadays usually reports the IP address of the
> connecting server and what it says its hostname is.
> 
> You can send a mail message with a few received messages of your own like I've done
> with this one.

Sorry, looks like postfix and/or mutt strips it out.  What a responsible program.

This is what I had:

> Received: from momandpop.com (cia.whitehouse.gov [4.3.2.1]) by
> beast.switchonline.com.au (Postfix) with ESMTP id C08CC53B for
> <[EMAIL PROTECTED]>; Fri, 29 Aug 2003 08:57:54 +1000 (EST)


> momandpop.com is what the server said it was, cia.whitehouse.gov is the reverse
> lookup of the actual ip address sent from (4.3.2.1)
> 
> cheers,
> Woody
> -- 
> SLUG - Sydney Linux User's Group - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug

-- 
Woody
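Added example, not part of the thread: a Python sketch of how to read a Received chain the way the messages above describe, treating only the bracketed IP recorded by your own server as evidence and everything older as sender-supplied. The recipient address, the lower Received line, the `internal_nets` parameter and the function names are assumptions made for illustration.

```python
import email
import ipaddress
import re

# Postfix-style hop: "from HELO (RDNS [IP]) by HOST ..."
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
                 r"\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

# Constructed sample. The top Received line is the one quoted in the thread;
# the lower one stands in for a line the sending side wrote itself.
RAW = """\
Received: from momandpop.com (cia.whitehouse.gov [4.3.2.1])
\tby beast.switchonline.com.au (Postfix) with ESMTP id C08CC53B
\tfor <user@example.org>; Fri, 29 Aug 2003 08:57:54 +1000 (EST)
Received: from mail.example.net (mail.example.net [192.0.2.55])
\tby momandpop.com with SMTP; Fri, 29 Aug 2003 08:57:50 +1000 (EST)
From: someone@example.net
Subject: constructed test message

body
"""

def hops(raw):
    """Parse each Received header, newest first (the order they appear)."""
    msg = email.message_from_string(raw)
    out = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            out.append(m.groupdict())
    return out

def boundary_hop(raw, internal_nets=()):
    """Return (hop, unverified): the hop where mail entered our servers, and
    the older hops below it, which the sending side could have made up."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    parsed = hops(raw)
    for i, hop in enumerate(parsed):
        ip = ipaddress.ip_address(hop["ip"].replace("IPv6:", ""))
        if not any(ip in n for n in nets):  # peer is outside: trust stops here
            # The HELO name is only what the peer claimed; the IP was observed.
            hop["helo_matches_rdns"] = hop["helo"].lower() == hop["rdns"].lower()
            return hop, parsed[i + 1:]
    return None, []  # every hop came from our own relays
```

With no internal relays configured, the boundary is the top header: the observed peer is 4.3.2.1, its HELO name does not match its reverse lookup, and the header below it is returned as unverified.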