OK Myron,

I see what you're saying about these being forged... so the bottom line is I can't do 
ANYthing about it, right?  I mean:  I'm getting 100 postmaster error e-mails PER DAY 
like these!  All because spammers are forging their 'reply-to' addresses as 'ME', so I 
get the error returns...

Anyone have ideas for what I can do?  (Besides hunt them down, one by one, and 
string them up by their toe nails!)  :-)

-Fred.
------------------------------------------
Frederick H. Colclough
Director, Information Systems
Space Foundation
719-576-8000
http://www.spacefoundation.org
------------------------------------------

On 9 Sep 2004 at 11:24, Myron Davis wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I assume you're running qmail, right?  I say it's forged everything
> past the (host-81-190-14-183.rzeszow.mm.pl [81.190.14.183]) mark.  All
> the headers after that point were generated by the 81.190.14.183 ip
> address.  Because you don't trust that machine you should not trust
> the headers.
> 
> In addition you are running qmail, right?  So if it truly came from
> your machine they didn't do a very good job of faking it.  You should
> see some headers after that part that look something like: Received:
> (qmail 19127 invoked by uid 1005), or something to that effect. 
> Nowhere does it mention qmail.  So they say they received it from
> you... so what?  Where are the headers that your mail server would add
> to it?  Not there!  Where is the unique id code that you could query
> your logs for?  It doesn't exist.  It is still possible that mail is
> relaying through your system because you are hacked... but it
> certainly isn't because of your mail server.  Your mail server would
> naturally deliver mail directly to the target not bounce it through
> the 81.190.14.183 IP address.
> 
> They attempted to forge the headers and at first glance it looks okay
> but under just a little closer look you can see they are somewhat
> false :)
> 
> - -Myron
> 
> > Myron,
> >
> > So do you think they're just using MY e-mail address as their
> > 'reply-to' for their spam?   Here's another piece of one, with a
> > snippet & question below:
> >
> > ****
> > Received: from scanri1.uhc.com ([10.85.124.102])
> >           by UHCNH006.UHC.COM (Lotus Domino Release 5.0.12)
> >           with ESMTP id 2004090912371109:478102 ;
> >           Thu, 9 Sep 2004 12:37:11 -0500
> > Received: from mailinbound.uhc.com (stamper.uhc.com [10.6.188.245])
> >     by scanri1.uhc.com (Content Technologies SMTPRS 4.3.12) with ESMTP id
> >     <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>;
> >     Thu, 9 Sep 2004 12:41:04 -0500
> > Received: from postwoman-pat.uhc.com (Postwoman-Pat.uhc.com [168.183.16.151])
> >     by mailinbound.uhc.com (8.11.6/8.11.6) with ESMTP id i89Ha5T02860
> >     for <[EMAIL PROTECTED]>; Thu, 9 Sep 2004 12:36:05 -0500
> > Received: from host-81-190-14-183.rzeszow.mm.pl
> >     (host-81-190-14-183.rzeszow.mm.pl [81.190.14.183])
> >     by postwoman-pat.uhc.com (Postfix) with SMTP id 3032698011
> >     for <[EMAIL PROTECTED]>; Thu,  9 Sep 2004 12:36:02 -0500 (CDT)
> > Received: from ussf.org (mail.spacefoundation.org [216.87.68.187])
> >     by host-81-190-14-183.rzeszow.mm.pl (Postfix) with ESMTP id FD78D9410B
> >     for <[EMAIL PROTECTED]>; Thu, 09 Sep 2004 12:34:51 -0500
> > Date: Thu, 09 Sep 2004 12:34:51 -0500
> > From: "Platters V. Eavesdrops" <[EMAIL PROTECTED]>
> > X-Mailer: The Bat! (v2.00.9) Personal
> > Reply-To: [EMAIL PROTECTED]
> > X-Priority: 3 (Normal)
> > Message-ID: <[EMAIL PROTECTED]>
> > To: Heidi <[EMAIL PROTECTED]>
> > Subject: Read:_Best offer of this year ;)
> > ****
> >
> > Don't the lines:
> > Received: from ussf.org (mail.spacefoundation.org [216.87.68.187])
> >     by host-81-190-14-183.rzeszow.mm.pl (Postfix) with ESMTP id FD78D9410B
> >     for <[EMAIL PROTECTED]>; Thu, 09 Sep 2004 12:34:51 -0500
> >
> > say that this spam e-mail DID COME from MY SERVER?
> > (mail.spacefoundation.org)??
> >
> > Thanks.
> >
> > -Fred.
> > ------------------------------------------
> > Frederick H. Colclough
> > Director, Information Systems
> > Space Foundation
> > 719-576-8000
> > http://www.spacefoundation.org
> > ------------------------------------------
> >
> >
> > On 9 Sep 2004 at 9:44, Myron Davis wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> I don't think you're reading this right... seems to be forged to
> >> me, unless your mail server is at 80.8.104.163 and it is hosted in
> >> France. What I'd start doing is publishing SPF records.  It might
> >> help some with the joe-job.
> >>
> >> - -Myron
> >>
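
The header reading described in the thread, as an added example that is not part of the original messages: walk the Received chain from the top and stop at the first hop not written by a server the recipient controls, since that hop and everything below it is text the sender supplied. The function name `trust_boundary`, the `trusted_suffixes` parameter and the choice of `uhc.com` as the trusted receiving side are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain quoted in the thread, one header per
# line, with the redacted [EMAIL PROTECTED] fields left out.
RAW = """\
Received: from scanri1.uhc.com ([10.85.124.102]) by UHCNH006.UHC.COM (Lotus Domino Release 5.0.12) with ESMTP; Thu, 9 Sep 2004 12:37:11 -0500
Received: from mailinbound.uhc.com (stamper.uhc.com [10.6.188.245]) by scanri1.uhc.com (Content Technologies SMTPRS 4.3.12) with ESMTP; Thu, 9 Sep 2004 12:41:04 -0500
Received: from postwoman-pat.uhc.com (Postwoman-Pat.uhc.com [168.183.16.151]) by mailinbound.uhc.com (8.11.6/8.11.6) with ESMTP id i89Ha5T02860; Thu, 9 Sep 2004 12:36:05 -0500
Received: from host-81-190-14-183.rzeszow.mm.pl (host-81-190-14-183.rzeszow.mm.pl [81.190.14.183]) by postwoman-pat.uhc.com (Postfix) with SMTP id 3032698011; Thu, 9 Sep 2004 12:36:02 -0500 (CDT)
Received: from ussf.org (mail.spacefoundation.org [216.87.68.187]) by host-81-190-14-183.rzeszow.mm.pl (Postfix) with ESMTP id FD78D9410B; Thu, 09 Sep 2004 12:34:51 -0500
Subject: Read:_Best offer of this year ;)

"""

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)        # host that wrote the header
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # peer address it recorded


def trust_boundary(raw, trusted_suffixes):
    """Split the Received chain into hops written by trusted servers and the rest."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    verified = []
    for hop in hops:  # newest hop first, as stored in the message
        m = BY_RE.search(hop)
        writer = m.group(1).lower().rstrip(".") if m else ""
        if not any(writer == s or writer.endswith("." + s) for s in trusted_suffixes):
            break  # this hop and everything below it is sender-supplied text
        verified.append(hop)
    # The oldest verified hop records the address that really connected.
    peer = IP_RE.search(verified[-1]) if verified else None
    return {
        "injected_from": peer.group(1) if peer else None,
        "verified": verified,
        "unverified": hops[len(verified):],
    }


if __name__ == "__main__":
    result = trust_boundary(RAW, ["uhc.com"])
    print("handed to trusted infrastructure by:", result["injected_from"])
    for hop in result["unverified"]:
        print("unverifiable:", hop)
```

Run against a bounce, the `unverified` list is the part of the chain that cannot be used as evidence that a message left your own server.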
