On Thu, Aug 28, 2003 at 08:17:18PM -0400, Bret Comstock Waldow wrote:
> On Thu, 2003-08-28 at 19:05, Anthony Wood wrote:
> >  On Fri, Aug 29, 2003 at 08:59:30AM +1000, Anthony Wood wrote:
> > > On Thu, Aug 28, 2003 at 10:49:51AM -0400, Bret Comstock Waldow wrote:
> > > > On Thu, 2003-08-28 at 02:36, Del wrote:
> > > > >  [EMAIL PROTECTED] wrote:
> > > > > > during last weekend, I received several hundred of the latest ms
> > > > > > 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> > > > > > the flow slowed down, just maybe a hundred or so all day, and, I assumed
> > > > > > the worst was over, so to speak.
> > > > > > 
> > > > > > However, between Tuesday and Wed this week, I received in excess of 1,000
> > > > > > emails in say 12 hours, and, when I looked at it in the afternoon, I was
> > > > > > getting one new mssg every minute.
> > > > > 
> > > > > I had the same problem.  It was all coming from one machine at
> > > > > cornell.edu so I put in a .procmail rule to redirect all mail
> > > > > with a header "Received: (from that machine)" line in it back
> > > > > to the complaints address I found on their web site (which
> > > > > otherwise wasn't responding when I sent them mail asking them
> > > > > to fix it).
> > > > > 
> > > > > After that the flood lasted another 2-3 hours then stopped,
> > > > > all by magick.
> > > > 
> > > > Newbie question here.  Is this definitive?
> > > > 
> > > > I've read that this virus spoofs the return address, which I understand
> > > > to mean the text, but what about the IP chain?
> > > > 
> > > > I've read in separate articles about "untraceable" spam.  Is this
> > > > happening here?
> > > > 
> > > > If there's a definitive way to be sure of the origin of an email, I'd
> > > > like to know that's so, and how to determine it.
> > > 
> > > When a mail comes into a server, they usually put in a "received"
> > > line which nowadays usually reports the IP address of the
> > > connecting server and what it says its hostname is.
> > > 
> > > You can send a mail message with a few received messages of your own like I've
> > > done with this one.
> > 
> > Sorry, looks like postfix and/or mutt strips it out.  What a responsible program.
> > 
> > This is what I had:
> > 
> > > Received: from momandpop.com (cia.whitehouse.gov [4.3.2.1]) by
> > > beast.switchonline.com.au (Postfix) with ESMTP id C08CC53B for
> > > <[EMAIL PROTECTED]>; Fri, 29 Aug 2003 08:57:54 +1000 (EST)
> > 
> > 
> > > momandpop.com is what the server said it was, cia.whitehouse.gov is the reverse
> > > lookup of the actual ip address sent from (4.3.2.1)
> 
> Here's one of mine:
> 
> Sender:  [EMAIL PROTECTED]
> Received:  from LUCKYLZ ([211.154.93.35]) by siaag1af.compuserve.com
> (8.12.9/8.12.7/SUN-2.7) with ESMTP id h7SCxV7X003565 for
> <[EMAIL PROTECTED]>; Thu, 28 Aug 2003 08:59:39 -0400 (EDT)
> 
> So, [EMAIL PROTECTED] is spoofed, but the originating IP is correct?  Or

I guess that IP could be spoofed too. I'm a bit hazy on the black (hat) arts.

Spam.pl, a common complaints script, uses whois to check the abuse email address
for the IP addresses and sends a complaint to them.

Make sure you list mailservers of any lists you are on (e.g. slug)
as "friends".

> just the reporting server siaag1af.compuserve.com?  Does compuserve take
> any steps to verify the included sender IP?

Dunno.

Woody

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
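The thread turns on reading the "Received:" lines that Anthony and Bret quoted: the HELO name the connecting host claimed, the reverse lookup of its address, and the TCP peer address the receiving server actually saw. The following parser is an added example, not code from the thread or from Spam.pl; it pulls those three fields out of Postfix- and Sendmail-style lines, picks out the hop that your own server recorded (the only one whose peer address you observed yourself), and lists the mismatches an admin would check before complaining to an abuse address. The sample headers are the two lines quoted in the thread, assumed here to sit in one message, and the recipient address is a placeholder.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# "from <helo> (<rdns> [<ip>]) by <server>" as Postfix and Sendmail write it.
# The rDNS name is absent when the reverse lookup failed ("[ip]" alone).
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

@dataclass
class Hop:
    helo: str            # name the connecting host claimed in HELO/EHLO
    rdns: Optional[str]  # reverse lookup of the peer address, if any
    ip: str              # TCP peer address seen by the receiving server
    by: str              # server that wrote this Received line

def parse_received(header: str) -> Optional[Hop]:
    """Parse one Received: header; folded continuation lines are joined first."""
    m = _HOP_RE.search(" ".join(header.split()))
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"]) if m else None

def trusted_hop(headers: list[str], my_server: str) -> Optional[Hop]:
    """Return the hop recorded by my_server. Received lines are read top-down;
    only lines written by servers you control describe a connection you saw,
    anything below them came from other hosts or was supplied by the sender."""
    for h in headers:
        hop = parse_received(h)
        if hop and hop.by.lower() == my_server.lower():
            return hop
    return None

def anomalies(hop: Hop) -> list[str]:
    """Signals worth checking before sending a complaint about this hop."""
    out = []
    if hop.rdns is None:
        out.append(f"no reverse DNS for {hop.ip}")
    elif hop.helo.lower() != hop.rdns.lower():
        out.append(f"HELO {hop.helo} does not match reverse DNS {hop.rdns}")
    if "." not in hop.helo:
        out.append(f"HELO {hop.helo!r} is not a fully qualified name")
    return out

# Constructed sample: the two Received lines quoted in the thread, as if in one message
SAMPLE_HEADERS = [
    "from LUCKYLZ ([211.154.93.35]) by siaag1af.compuserve.com (8.12.9/8.12.7/SUN-2.7) with ESMTP id h7SCxV7X003565 for <user@example.invalid>; Thu, 28 Aug 2003 08:59:39 -0400 (EDT)",
    "from momandpop.com (cia.whitehouse.gov [4.3.2.1]) by beast.switchonline.com.au (Postfix) with ESMTP id C08CC53B for <user@example.invalid>; Fri, 29 Aug 2003 08:57:54 +1000 (EST)",
]
```

Running `anomalies(trusted_hop(SAMPLE_HEADERS, "siaag1af.compuserve.com"))` reports the missing reverse DNS and the bare "LUCKYLZ" HELO for the compuserve hop; the Postfix hop reports the HELO/rDNS mismatch Anthony pointed out.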
