Re: [cobalt-users] Is my server being used
- Subject: Re: [cobalt-users] Is my server being used
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Thu Jul 26 01:07:45 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Dan Kriwitsky" <webhosting@xxxxxxxxx> wrote:
> > I have received, yes received a couple of emails lately that have
> > a "From:"
> > listed something like the following
> >
> > From: _XxHustlerxX_@xxxxxxxxxxxxxxxxxxxxxx
>
> I'm guessing it's spam.
>
> >
> > I have no user with the name,
> >
> > The maillog has the following:
> >
> > from=<_XxHustlerxX_@xxxxxxxxx>, size=17779, class=0, nrcpts=1, msgid=<>,
> > proto=ESMTP, daemon=MTA, relay=femail13.sdc1.sfba.home.com [24.0.95.140]
> >
> > to=<tags@xxxxxxxxxx>, delay=00:00:00, xdelay=00:00:00, mailer=local,
> > pri=47310, dsn=2.0.0, stat=Sent
>
> Some spamware has the ability of applying the recipient mail server MX info
> as the From: address for each piece of spam so it won't get bounced instead
> of just sending using Bcc.

I believe Sendmail will append the machine name to what's found in the From
header whenever it doesn't include a domain name. This is done so that when
a local user sends an email from the server shell, an email address is used
which can be replied to by non-local users. Since email programs let the
user supply any From address the user wants, it's likely that the person
sending the spam used "_XxHustlerxX_" as the From address with no domain
name attached. To all but your most sophisticated users it will appear that
the message was sent from your machine (and to them it probably appears to
be from the server admin if it's the machine name that's attached), but the
rest of the headers tell the true story.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
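
The maillog check discussed in this thread can be automated. The following is an added example, not part of the original message: it scans Sendmail `from=` log entries for senders that claim a local domain but arrived through a remote relay or name a nonexistent account. The host name `www.example.com`, the user names, and the sample log lines are constructed placeholders.

```python
import re

# Sendmail "from=" entry: queue id, envelope sender, and the relay that handed over the message.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?,"
    r".*?relay=(?P<relay>[^\s,]+)(?: \[(?P<ip>[^\]]+)\])?"
)
LOOPBACK = {"localhost", "127.0.0.1"}

# Constructed sample lines (not from the original post); hosts and addresses are placeholders.
SAMPLE_LOG = [
    "Jul 26 01:00:01 www sendmail[2101]: f6Q801a02101: from=<_XxHustlerxX_@www.example.com>, "
    "size=17779, class=0, nrcpts=1, msgid=<>, proto=ESMTP, daemon=MTA, "
    "relay=mail.remote.example [192.0.2.10]",
    "Jul 26 01:05:12 www sendmail[2150]: f6Q85Cb02150: from=<dan@www.example.com>, "
    "size=812, class=0, nrcpts=1, msgid=<a1@www.example.com>, proto=ESMTP, daemon=MTA, "
    "relay=localhost [127.0.0.1]",
    "Jul 26 01:09:40 www sendmail[2188]: f6Q89eC02188: from=<alice@remote.example>, "
    "size=2044, class=0, nrcpts=1, msgid=<b2@remote.example>, proto=ESMTP, daemon=MTA, "
    "relay=mail.remote.example [192.0.2.10]",
]


def find_suspect_local_senders(lines, local_domains, local_users):
    """Flag mail whose sender claims a local domain but came from a remote
    relay and/or names an account that does not exist on this host."""
    findings = []
    for line in lines:
        m = FROM_RE.search(line)
        if not m:
            continue
        local_part, _, domain = m["sender"].partition("@")
        if domain.lower() not in local_domains:
            continue  # sender does not claim to be one of ours
        host = m["relay"].split("@")[-1].strip("[]").lower()
        reasons = []
        if host not in LOOPBACK and (m["ip"] or host) not in LOOPBACK:
            reasons.append("remote relay")
        if local_part not in local_users:
            reasons.append("unknown local user")
        if reasons:
            findings.append({"qid": m["qid"], "sender": m["sender"],
                             "relay": m["relay"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspect_local_senders(SAMPLE_LOG, {"www.example.com"}, {"dan", "tags", "root"}):
        print(f["qid"], f["sender"], "via", f["relay"], "->", ", ".join(f["reasons"]))
```

A "remote relay" hit alone can also be a legitimate user sending through their ISP with their address at your domain, so treat the output as a triage list rather than a verdict.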