"jdow" <[EMAIL PROTECTED]> wrote:

> I'm not sure why someone on a private non-routed IP network would
> route the email through a "Received: from" that was masqueraded. It
> might be that someone on the network is trying to hide the fact that
> he is sending the spam.
That seems unlikely. This was a legit email from the LDS Church website (lds.org). It was an email generated after I submitted something for a calendar item (i.e. just an acknowledgment that my submission had been received and was awaiting approval).

> It might be a set of aliased addresses on the same machine. The
> addresses do SEEM to be on the same subnet modulo what the actual
> broadcast mask setting is. If they are on different subnets the
> machine might have two IP addresses quite legitimately, one it
> listens to internally and one it listens to externally.

Indeed -- it does seem odd that it would have two IPs on the same subnet. One guess that I have is that they sometimes use two machines: one as web/CGI/DB server and another as mail server -- and, sometimes, only one. They might use two IPs on the same subnet that way (normally, one for each machine, of course) -- and, when only one machine is up, have it aliased for both IPs?

> What is interesting is that the mail even reached your "portalmail"
> machine. Is 192.168.20.x your internal network? If not it is de facto
> forged and something is seriously misconfigured for it to get to you.

Sorry for any confusion -- portalmail is not my machine. My only machine in the headers is frobozz.dcg.com. So, the "Received: from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org" is all at their end. Then the "Received: from portalmail.gmhwh.org (portalmail.gmhwh.org [12.110.19.29] (may be forged)) by frobozz.dcg.com..." is the connection to my machine from their portalmail machine.

> Are both addresses on the same machine as either an alias on one NIC
> or as two NICs? If not the user of the 203 machine might be trying to
> get the owner of the 11 machine in trouble or simply trying to hide
> the fact that he was the origin.

Could be, I guess, but seems very unlikely to me based on whose machine(s) they actually are. In any case, at least I now understand why the SARE_RECV_SUSP_3 fired, so I'm all set there!
:) - John...
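As an added illustration (not part of the original thread, and not SpamAssassin's or the SARE ruleset's own code), the following Python script parses sendmail-style Received: hops like the two quoted in the message and flags the features the discussion turns on: a connecting address in RFC 1918 space, a HELO that is a bare IP literal differing from the address the receiving MTA actually saw, two addresses that would land in the same /24 (the real netmask is unknown, so /24 is an assumption), and the receiver's "(may be forged)" annotation. The sample hops are constructed from the headers quoted above; the heuristic is a simplified stand-in and is not the actual SARE_RECV_SUSP_3 regex.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample hops, modelled on the two Received: lines quoted in
# the message above (newest hop first, as in a real header block).
SAMPLE_RECEIVED = [
    "from portalmail.gmhwh.org (portalmail.gmhwh.org [12.110.19.29] "
    "(may be forged)) by frobozz.dcg.com",
    "from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org",
]

# sendmail-style "from HELO (rDNS [ip] (may be forged)) by HOST ..."
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"          # name the client gave in HELO/EHLO
    r"(?:\s+\((?P<info>.*?)\))?"      # optional rDNS / [ip] / annotations
    r"\s+by\s+(?P<by>\S+)",           # the MTA that wrote this hop
    re.IGNORECASE,
)
IP_LITERAL_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> Optional[Dict[str, object]]:
    """Split one Received: value into HELO name, connecting IP, receiver."""
    flat = " ".join(value.split())  # unfold a header continued across lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    info = m.group("info") or ""
    ipm = IP_LITERAL_RE.search(info)
    return {
        "helo": m.group("helo"),
        "ip": ipm.group("ip") if ipm else None,
        "by": m.group("by"),
        "may_be_forged": "may be forged" in info.lower(),
    }


def as_ip(text: str) -> Optional[ipaddress.IPv4Address]:
    """Return an IPv4Address if text is a bare IPv4 literal, else None."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return addr if isinstance(addr, ipaddress.IPv4Address) else None


def hop_findings(value: str) -> Tuple[str, List[str]]:
    """Heuristic flags for one hop (illustrative, not the SARE rule).

    Assumption: a /24 stands in for the unknown netmask when judging
    whether the HELO address and the connecting address share a subnet.
    """
    hop = parse_received(value)
    if hop is None:
        return ("<unparsed>", ["could not parse Received: line"])
    reasons: List[str] = []
    conn = as_ip(str(hop["ip"])) if hop["ip"] else None
    helo_ip = as_ip(str(hop["helo"]))
    if conn is not None and conn.is_private:
        reasons.append("private connecting IP")
    if conn is not None and helo_ip is not None and helo_ip != conn:
        reasons.append("HELO IP differs from connecting IP")
        conn_net = ipaddress.ip_network(f"{conn}/24", strict=False)
        helo_net = ipaddress.ip_network(f"{helo_ip}/24", strict=False)
        if conn_net == helo_net:
            reasons.append("HELO and connecting IP in the same /24")
    if hop["may_be_forged"]:
        reasons.append("receiver marked rDNS as possibly forged")
    return (str(hop["by"]), reasons)


def scan(received_values: List[str]) -> List[Tuple[str, List[str]]]:
    """Run hop_findings over every Received: value, in the order given."""
    return [hop_findings(v) for v in received_values]


if __name__ == "__main__":
    for by, reasons in scan(SAMPLE_RECEIVED):
        print(f"{by}: {', '.join(reasons) or 'nothing unusual'}")
```

Run against the constructed hops, the internal hop written by portalmail.gmhwh.org trips all three address checks (private connecting IP, HELO literal differing from it, both in the same /24), while the external hop written by frobozz.dcg.com is flagged only for the receiver's own "(may be forged)" note. That matches the thread's conclusion: the private-address hop is entirely on the sender's side and is what a rule of this kind reacts to.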
