OK Myron, I see what you're saying about these being forged... so the bottom-line is I can't do ANYthing about it, right? I mean: I'm getting 100 postmaster error e-mails PER DAY like these! All because spammers are forging their 'reply-to' addresses as 'ME', so I get the error returns...
Anyone have ideas for what I can do? (Besides hunt them down, one by one, and string them up by their toe nails!) :-)

-Fred.
------------------------------------------
Frederick H. Colclough
Director, Information Systems
Space Foundation
719-576-8000
http://www.spacefoundation.org
------------------------------------------

On 9 Sep 2004 at 11:24, Myron Davis wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I assume you're running qmail right? I say it's forged everything
> past the (host-81-190-14-183.rzeszow.mm.pl [81.190.14.183]) mark. All
> the headers after that point were generated by the 81.190.14.183 IP
> address. Because you don't trust that machine you should not trust
> the headers.
>
> In addition you are running qmail right? So if it truly came from
> your machine they didn't do a very good job at faking it. You should
> see some headers after that part that look something like: Received:
> (qmail 19127 invoked by uid 1005), or something to that effect.
> Nowhere does it mention qmail. So they say they received it from
> you... so where are the headers that your mail server would add
> to it? Not there! Where is the unique id code that you could query
> your logs for? Doesn't exist. It is still possible that mail is
> relaying through your system because you are hacked... but it
> certainly isn't because of your mail server. Your mail server would
> naturally deliver mail directly to the target, not bounce it through
> the 81.190.14.183 IP address.
>
> They attempted to forge the headers and at first glance it looks okay,
> but under just a little closer look you can see they are somewhat
> false :)
>
> - -Myron
>
> > Myron,
> >
> > So do you think they're just using MY e-mail address as their
> > 'reply-to' for their spam? Here's another piece of one, with a
> > snippet & question below:
> >
> > ****
> > Received: from scanri1.uhc.com ([10.85.124.102])
> > by UHCNH006.UHC.COM (Lotus Domino Release 5.0.12)
> > with ESMTP id 2004090912371109:478102 ;
> > Thu, 9 Sep 2004 12:37:11 -0500
> > Received: from mailinbound.uhc.com (stamper.uhc.com [10.6.188.245])
> > by scanri1.uhc.com
> > (Content Technologies SMTPRS 4.3.12) with ESMTP id
> > <[EMAIL PROTECTED]> for
> > <[EMAIL PROTECTED]>;
> > Thu, 9 Sep 2004 12:41:04 -0500
> > Received: from postwoman-pat.uhc.com (Postwoman-Pat.uhc.com
> > [168.183.16.151])
> > by mailinbound.uhc.com (8.11.6/8.11.6) with ESMTP id i89Ha5T02860
> > for <[EMAIL PROTECTED]>; Thu, 9 Sep 2004 12:36:05 -0500
> > Received: from host-81-190-14-183.rzeszow.mm.pl
> > (host-81-190-14-183.rzeszow.mm.pl [81.190.14.183]) by
> > postwoman-pat.uhc.com (Postfix) with SMTP id 3032698011 for
> > <[EMAIL PROTECTED]>; Thu, 9 Sep 2004 12:36:02 -0500 (CDT)
> > Received: from ussf.org (mail.spacefoundation.org [216.87.68.187])
> > by host-81-190-14-183.rzeszow.mm.pl (Postfix) with ESMTP id
> > FD78D9410B for <[EMAIL PROTECTED]>; Thu, 09 Sep 2004 12:34:51
> > -0500
> > Date: Thu, 09 Sep 2004 12:34:51 -0500
> > From: "Platters V. Eavesdrops" <[EMAIL PROTECTED]>
> > X-Mailer: The Bat! (v2.00.9) Personal
> > Reply-To: [EMAIL PROTECTED]
> > X-Priority: 3 (Normal)
> > Message-ID: <[EMAIL PROTECTED]>
> > To: Heidi <[EMAIL PROTECTED]>
> > Subject: Read:_Best offer of this year ;)
> > ****
> >
> > Don't the lines:
> > Received: from ussf.org (mail.spacefoundation.org [216.87.68.187])
> > by host-81-190-14-183.rzeszow.mm.pl (Postfix) with ESMTP id
> > FD78D9410B for <[EMAIL PROTECTED]>; Thu, 09 Sep 2004 12:34:51
> > -0500
> >
> > say that this spam e-mail DID COME from MY SERVER
> > (mail.spacefoundation.org)??
> >
> > Thanks.
> >
> > -Fred.
> > ------------------------------------------
> > Frederick H. Colclough
> > Director, Information Systems
> > Space Foundation
> > 719-576-8000
> > http://www.spacefoundation.org
> > ------------------------------------------
> >
> >
> > On 9 Sep 2004 at 9:44, Myron Davis wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> I don't think you're reading this right... seems to be forged to
> >> me, unless your mail server is at 80.8.104.163 and it is hosted in
> >> France. What I'd start doing is publishing SPF records. It might
> >> help some with the joe-job.
> >>
> >> - -Myron
> >>
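The header walk Myron does by hand above (trust each Received line only while it was written by one of the receiving site's own hosts, and treat everything past the first external client IP as supplied by that client) is mechanical enough to script. The following is an added example written for this thread, not code from either poster. It embeds a constructed copy of the quoted Received chain (same hostnames and IPs; every mailbox address replaced by a placeholder), assumes a trust boundary for the receiving site (10.0.0.0/8 plus the gateway's /24, both my assumption), and assumes the shape of the trace line qmail adds ("(qmail N invoked by uid N)" or "(qmail N invoked from network)") when checking Myron's second point, that a message which really passed through Fred's qmail box would carry such a line. It generalises beyond this one message: given any raw header block and the receiver's trusted networks, it reports the hand-off IP, which hops are unverifiable, and whether any of those hops name one of Fred's hosts as the origin.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the Received chain quoted in the thread.
# Hostnames and IPs are the ones in the quoted headers; every mailbox
# address is a placeholder, not an address from the original message.
SAMPLE_MESSAGE = """\
Received: from scanri1.uhc.com ([10.85.124.102])
    by UHCNH006.UHC.COM (Lotus Domino Release 5.0.12)
    with ESMTP id 2004090912371109:478102 ;
    Thu, 9 Sep 2004 12:37:11 -0500
Received: from mailinbound.uhc.com (stamper.uhc.com [10.6.188.245])
    by scanri1.uhc.com
    (Content Technologies SMTPRS 4.3.12) with ESMTP id
    <id-placeholder@example.net> for <heidi@example.net>;
    Thu, 9 Sep 2004 12:41:04 -0500
Received: from postwoman-pat.uhc.com (Postwoman-Pat.uhc.com
    [168.183.16.151])
    by mailinbound.uhc.com (8.11.6/8.11.6) with ESMTP id i89Ha5T02860
    for <heidi@example.net>; Thu, 9 Sep 2004 12:36:05 -0500
Received: from host-81-190-14-183.rzeszow.mm.pl
    (host-81-190-14-183.rzeszow.mm.pl [81.190.14.183]) by
    postwoman-pat.uhc.com (Postfix) with SMTP id 3032698011 for
    <heidi@example.net>; Thu, 9 Sep 2004 12:36:02 -0500 (CDT)
Received: from ussf.org (mail.spacefoundation.org [216.87.68.187])
    by host-81-190-14-183.rzeszow.mm.pl (Postfix) with ESMTP id
    FD78D9410B for <heidi@example.net>; Thu, 09 Sep 2004 12:34:51
    -0500
Reply-To: fred-placeholder@example.org
"""

# Assumed (constructed) trust boundary of the receiving site: the RFC 1918
# range its internal hops sit in plus the /24 of its inbound gateway.
TRUSTED_NETS = ["10.0.0.0/8", "168.183.16.0/24"]
# Fred's own server names from the quoted headers; seeing them in the
# unverifiable part of the chain is the forgery indicator.
CLAIMED_HOSTS = ["mail.spacefoundation.org", "ussf.org"]
# Assumed shape of the trace line a qmail server adds to mail it handles.
QMAIL_SIGNATURE = re.compile(r"\(qmail \d+ invoked (?:by uid \d+|from network)\)")

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"          # name the client gave in HELO/EHLO
    r"(?:\s*\((?P<from_info>[^)]*)\))?"   # receiver's own note: (rdns [ip]) or ([ip])
    r".*?\bby\s+(?P<by_host>\S+)",        # the server that wrote this line
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Return (name, value) pairs, joining RFC 5322 continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                          # blank line ends the header block
        if line[0] in " \t" and headers:   # folded continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull client name, client IP and receiving server out of one Received value."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    info = m.group("from_info") or ""
    ip_m = IP_RE.search(info) or IP_RE.search(value[: m.start("by_host")])
    return {"from_host": m.group("from_host"), "from_info": info,
            "from_ip": ip_m.group(1) if ip_m else None,
            "by_host": m.group("by_host").rstrip(";,")}


def trace_received(headers, trusted_nets):
    """Walk Received lines newest-first. A line is believable only while the
    chain is still inside our own hosts; the first line whose client IP is
    external is the hand-off, the last line we can vouch for. Everything
    below it was supplied by that external client and may be forged."""
    nets = [ip_network(n) for n in trusted_nets]
    hops, verifiable, handoff_ip = [], True, None
    for name, value in headers:
        if name.lower() != "received":
            continue
        hop = parse_received(value) or {"from_host": "", "from_info": "",
                                        "from_ip": None, "by_host": ""}
        hop["verifiable"] = verifiable
        hops.append(hop)
        if verifiable:
            ip = hop["from_ip"]
            if ip is None or not any(ip_address(ip) in n for n in nets):
                handoff_ip, verifiable = ip, False
    return hops, handoff_ip


def forged_claims(hops, claimed_hosts):
    """Indices of unverifiable hops that name one of our hosts as the sender."""
    wanted = [h.lower() for h in claimed_hosts]
    return [i for i, hop in enumerate(hops) if not hop["verifiable"]
            and any(h in (hop["from_host"] + " " + hop["from_info"]).lower()
                    for h in wanted)]


def analyse(raw, trusted_nets, claimed_hosts):
    headers = unfold_headers(raw)
    hops, handoff_ip = trace_received(headers, trusted_nets)
    return {
        "handoff_ip": handoff_ip,          # the machine that really delivered it
        "unverifiable_hops": [i for i, h in enumerate(hops) if not h["verifiable"]],
        "forged_claims": forged_claims(hops, claimed_hosts),
        # a genuine pass through a qmail box would leave its trace line behind
        "qmail_trace_present": any(QMAIL_SIGNATURE.search(v)
                                   for n, v in headers if n.lower() == "received"),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_MESSAGE, TRUSTED_NETS, CLAIMED_HOSTS).items():
        print(f"{key}: {val}")
```

On the sample this reports the hand-off IP as 81.190.14.183, marks only the bottom hop (the one naming mail.spacefoundation.org) as unverifiable, flags that hop as a forged claim, and finds no qmail trace line anywhere, which is exactly the reasoning Myron lays out. The same walk is what a receiving site's filter would do before deciding whether a bounce to the Reply-To address is warranted; publishing SPF, as Myron suggests, gives receivers that check it a way to reject such forgeries at SMTP time instead of generating the backscatter Fred is seeing.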
