
Re: [cobalt-users] Unsolicited email problems



Okay, let's look at the headers:

Mark Jaggers wrote:

> Here are the headers from the email our client received
> 
> Return-Path: <desa@xxxxxxx>
> Received: from ns2.i-terminal.at ([195.3.104.220])
>  by mark.dfsolutions.com (8.9.3/8.9.3) with ESMTP id KAA12532
>  for <carolyn@xxxxxxxxxxxxxx>; Thu, 11 May 2000 10:08:00 -0500

See the header above?  When your mailserver (mark.dfsolutions.com)
received the email, the "envelope" said it was for
"<carolyn@xxxxxxxxxxxxxx>".  That's the address that's on the spammer's
email list.

> From: desa@xxxxxxx

You might just block everything with a Russian return address; most
stuff from Russia these days is spam <frown>.

> Received: from oemcomputer (ac8ccc83.ipt.aol.com [172.140.204.131]) by
> ns2.i-terminal.at with SMTP (Microsoft Exchange Internet Mail Service
> Version 5.5.2650.21)
>  id KW1M5V13; Thu, 11 May 2000 17:12:50 +0200

Either an open relay in Austria is accepting mail directly from a
dialup aol.com address (172.140.204.131) OR the spam is originating
in Austria by a server adding bogus received headers.  This is more
likely, since there's a "From:" header between the two received headers.

There's nothing you can really do to prove which.  You can only trust the
topmost "Received:" header.

> Message-ID: <00000fbd35eb$0000077b$00000fad@oemcomputer ([102.74.4.25]) by
> mtiwmhc08.worldnet.att.net (InterMail v03.02.07.07 118-134) with SMTP id
> <20000116195506.ZOOK28505@oemcomputer> from worldnet.att.net
> ([12.77.194.15]) by mtiwmhc03.worldnet.att.net>

This is a broken header as well.  Increases the chances the headers were
mangled/changed/created from whole cloth by a server in Austria.

But of course the mail may have come from a worldnet.att.net dialup
account.  This looks like part Message-ID header and part Received
header.

> To: <S21USA@xxxxxxxxxxxxxxxxxxxx>

I'm still not sure how this happens; I've seen it a few times myself. 
It's NOT what's in the envelope, though.  I think what's happening is a
spam-server is using a sophisticated program to either go in through
port 25 or fingering your computer to find out the eventual distribution
address, and puts it into the "To:" address; perhaps some spammers think
that's a way to make sure your email gets read and/or properly
distributed.  Some spammers are pretty dumb, and some think in ways we
just can't imagine <wry grin>.

> Subject: *DEADLINE* is this Sunday          .

People who see such subjects usually just delete them, don't they? 
Especially if they're from people they don't know.  I delete lots of
messages every day.

> Date: Thu, 11 May 2000 09:31:19 -0400
> X-Priority: 1
> X-MSMail-Priority: High
> X-UIDL: 202b4e82aef86a8d4b59ef46533e3602
> 
> I guess I am just trying to figure out was this email directed to them or
> what it directed to our mail domain mark.dfsolutions.com and somehow got
> routed to our client.

The mail was sent to carolyn@xxxxxxxxxxxxxxx.  The last "Received:"
header was added by your mailserver, and IS reliable.

> Our client is on a separate IP address but all mail
> on our server goes through mail.dfsolutions.com.  I did not receive this
> Spam.  Only this one client.  Or is the email directed to them but when she
> received it it looks like it was sent to us.

It was sent directly to her.

I can post a quick and dirty email spam filter that can be implemented
in individuals' MUAs if anyone's interested.

Repeat: it's NOT for MTAs but for MUAs, and it requires users have a bit
of clue.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672
Riverside, CA  92517
voice: (909) 787-8589  *  fax: (909) 782-0205
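The header walk Jeff does by hand above, as an added example for this thread (not code posted by anyone on the list): unfold the headers, read the "Received:" chain from the top, trust a hop only while the "by" host is one of your own MTAs, take the envelope recipient from the "for <...>" clause of that trusted hop, and flag a non-trace header wedged between two "Received:" lines, which is the clue Jeff uses to suspect forgery. The sample headers are transcribed from the message quoted in this thread (addresses already masked on the page), and OUR_MTAS is an assumption about which hostnames belong to the recipient's own server.

```python
"""Walk a message's Received: chain from the top (our own MTA) downward.

Added example for this thread; not code from anyone on the list.
Assumes the recipient's own MTA hostnames are those in OUR_MTAS.
"""
import re

# Constructed sample: the headers quoted in this thread, masking kept as-is.
SAMPLE_HEADERS = """\
Return-Path: <desa@xxxxxxx>
Received: from ns2.i-terminal.at ([195.3.104.220])
 by mark.dfsolutions.com (8.9.3/8.9.3) with ESMTP id KAA12532
 for <carolyn@xxxxxxxxxxxxxx>; Thu, 11 May 2000 10:08:00 -0500
From: desa@xxxxxxx
Received: from oemcomputer (ac8ccc83.ipt.aol.com [172.140.204.131]) by
 ns2.i-terminal.at with SMTP (Microsoft Exchange Internet Mail Service
 Version 5.5.2650.21)
 id KW1M5V13; Thu, 11 May 2000 17:12:50 +0200
To: <S21USA@xxxxxxxxxxxxxxxxxxxx>
Subject: *DEADLINE* is this Sunday          .
Date: Thu, 11 May 2000 09:31:19 -0400
"""

# Assumption: hostnames the recipient's own mailserver stamps into "by".
OUR_MTAS = {"mark.dfsolutions.com", "mail.dfsolutions.com"}

RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FOR_RE = re.compile(r"\bfor\s+<?([^>\s;]+)>?", re.I)


def unfold_headers(raw):
    """Return [(name, value)], joining RFC 822 folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull the from-host, its bracketed IP, the by-host and the 'for' rcpt."""
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    from_host, middle, by_host = m.groups()
    ip = IP_RE.search(middle)
    rcpt = FOR_RE.search(value)
    return {
        "from": from_host,
        "ip": ip.group(1) if ip else None,
        "by": by_host.rstrip(";"),
        "for": rcpt.group(1) if rcpt else None,
    }


def analyze(raw, our_mtas=OUR_MTAS):
    headers = unfold_headers(raw)
    positions = [i for i, (n, _) in enumerate(headers) if n.lower() == "received"]
    hops = [parse_received(headers[i][1]) for i in positions]

    # Jeff's heuristic: relays prepend Received: lines, so a From: (or any
    # other header) sitting between two of them points at a hop that wrote
    # the lower trace itself rather than receiving the message that way.
    anomalies = []
    for i in range(positions[0], positions[-1]):
        name = headers[i][0]
        if name.lower() != "received":
            anomalies.append(f"{name}: header sits between Received: headers")

    # Walk from the top; stop at the first hop not stamped by our own MTA.
    trusted = []
    for hop in hops:
        if hop is None or hop["by"].lower() not in our_mtas:
            break
        trusted.append(hop)

    return {
        "hops": hops,
        "trusted_hops": len(trusted),
        # The IP that actually connected to us; everything below is hearsay.
        "handoff_ip": trusted[-1]["ip"] if trusted else None,
        # Envelope recipient recorded by our MTA, not the To: header.
        "envelope_rcpt": next((h["for"] for h in trusted if h["for"]), None),
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS)
    print("envelope recipient:", result["envelope_rcpt"])
    print("last trustworthy IP:", result["handoff_ip"])
    for note in result["anomalies"]:
        print("anomaly:", note)
```

On the sample this reports the envelope recipient carolyn@..., one trusted hop, 195.3.104.220 as the only IP you can vouch for, and the "From:" wedged between the two "Received:" lines. The interleaving check is a heuristic, not proof: some legitimate relays do add their own non-trace headers between hops, so treat it as supporting evidence in the way Jeff does rather than as a verdict.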