Posted to users@spamassassin.apache.org by Thomas Lindell <tl...@adlmail.com> on 2006/07/26 17:58:58 UTC

spam

Gah, just when I thought I had my spam problems resolved, now it appears someone's
able to send spam directly from the server.

Return-Path: <do...@burkeauto.com>
X-Original-To: admin@adlmail.com
Delivered-To: admin@adlmail.com
Received: from localhost (localhost.airbornedatalink.com [127.0.0.1])
            by adlsrv4.airbornedatalink.com (Postfix) with ESMTP id 19D3A34004
            for <ad...@adlmail.com>; Wed, 26 Jul 2006 10:41:52 -0500 (CDT)
X-Virus-Scanned: amavisd-new at adlmail.com
Received: from adlsrv4.airbornedatalink.com ([127.0.0.1])
            by localhost (adlsrv4.airbornedatalink.com [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id 63sUVcMA5Y1h for <ad...@adlmail.com>;
            Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1])
            by adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001
            for <ad...@adlmail.com>; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
Message-ID: <00...@itm84>
Reply-To: "Wojciech Doucette" <do...@burkeauto.com>
From: "Wojciech Doucette" <do...@burkeauto.com>
To: admin@adlmail.com
Subject: Re: keiyqVjlAGRA
Date: Wed, 26 Jul 2006 08:37:50 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
            boundary="----=_NextPart_000_0001_01C6B08E.C7334B30"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Antivirus: AVG for E-mail 7.1.394 [268.10.4/399

Based on this header I believe it's some sort of bounce attack or local attack.

Anyone have any thoughts? I'm at my wits' end.

Tom


Re: spam

Posted by Stuart Johnston <st...@ebby.com>.
Huh?  The first received header (read from the bottom up):

Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1])
             by adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001
             for <ad...@adlmail.com>; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)

I suppose you might say that the HELO (burkeauto.com) is faked.

Thomas Lindell wrote:
> Does that mean they just faked the headers?
> 
> 
> I am new to mail administration, only been doing it a couple of months now,
> and I appreciate all the help.
> 
> Thanks
> 
> Tom
> 
> -----Original Message-----
> From: Stuart Johnston [mailto:stuart@ebby.com] 
> Sent: Wednesday, July 26, 2006 11:00 AM
> To: Thomas Lindell
> Cc: 'Spamassassin Users List'
> Subject: Re: spam
> 
> I think you may be misreading the headers.  This mail came from
> pro75-3-82-234-174-1.fbx.proxad.net 
> [82.234.174.1] (a French ISP).

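What Stuart does by hand, reading the Received: chain to find the host that really connected, can be automated. The script below is an added example for this thread; it is not code from the list or from SpamAssassin. It parses the header block Thomas posted (the addresses elided by the list archive are left as shown), walks the chain from the newest line downwards, and trusts only lines stamped "by" the recipient's own hosts. Two things are assumptions of the example: the set MY_HOSTS naming the recipient's own machines, and one extra Received: line at the bottom (192.0.2.10, a documentation address) constructed to show that a hop the sender writes below the real entry point is ignored.

```python
"""Locate where a message entered our mail system by reading its Received: chain.

Added example for the thread above; not code from the list or from SpamAssassin.
Mail servers prepend one Received: line per hop, so the top line is the newest.
Only lines stamped "by" a host we run can be trusted; everything below the
first external hop was handed to us by the sender and may be fabricated.
"""
import ipaddress
import re
from email import message_from_string

# Hostnames of our own infrastructure. ASSUMPTION for this example: the two
# names that appear in the "by" clauses of the headers Thomas posted.
MY_HOSTS = {"adlsrv4.airbornedatalink.com", "localhost"}

# The header block as posted (elided addresses left as the list archive shows
# them), plus one CONSTRUCTED Received: line at the bottom (192.0.2.10 is a
# documentation address) standing in for a hop the sender could forge.
RAW_HEADERS = """\
Return-Path: <do...@burkeauto.com>
X-Original-To: admin@adlmail.com
Delivered-To: admin@adlmail.com
Received: from localhost (localhost.airbornedatalink.com [127.0.0.1])
    by adlsrv4.airbornedatalink.com (Postfix) with ESMTP id 19D3A34004
    for <ad...@adlmail.com>; Wed, 26 Jul 2006 10:41:52 -0500 (CDT)
X-Virus-Scanned: amavisd-new at adlmail.com
Received: from adlsrv4.airbornedatalink.com ([127.0.0.1])
    by localhost (adlsrv4.airbornedatalink.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 63sUVcMA5Y1h for <ad...@adlmail.com>;
    Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1])
    by adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001
    for <ad...@adlmail.com>; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by burkeauto.com with ESMTP id CONSTRUCTED01; Wed, 26 Jul 2006 10:40:00 -0500 (CDT)
From: "Wojciech Doucette" <do...@burkeauto.com>
To: admin@adlmail.com
Subject: Re: keiyqVjlAGRA

"""

# from <HELO name> (<reverse DNS> [<IP>]) by <host>   -- the rDNS part may be absent
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                                 # what the client claimed
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"  # what our server saw
    r"\s+by\s+(?P<by>\S+)"                                                  # host that wrote the line
)


def parse_received(value):
    """Parse one Received: value into HELO, rDNS, IP and 'by' host (None if unparseable)."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold continuation lines first
    return m.groupdict() if m else None


def hops_newest_first(raw):
    """All parseable hops in header order: newest (our own server) first."""
    msg = message_from_string(raw)
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]


def hops_bottom_up(raw):
    """The same hops in the order Stuart reads them: oldest claimed hop first."""
    return list(reversed(hops_newest_first(raw)))


def entry_hop(raw, my_hosts=MY_HOSTS):
    """Return the hop at which the outside world connected to one of my_hosts.

    Walk newest-first, skipping internal handoffs on loopback (Postfix <-> amavisd)
    and stopping at the first line not stamped by us. The first trusted hop with an
    external client IP is where the mail really arrived; lines below it are the
    sender's word only and are never reached.
    """
    for hop in hops_newest_first(raw):
        if hop["by"] not in my_hosts or hop["ip"] is None:
            break  # not written by us: cannot vouch for this line or anything older
        if ipaddress.ip_address(hop["ip"]).is_loopback:
            continue  # internal relay step on our own box
        return hop
    return None


def helo_mismatch(hop):
    """True if the HELO name differs from the reverse DNS our server resolved."""
    return hop["rdns"] is None or hop["helo"].lower() != hop["rdns"].lower()


if __name__ == "__main__":
    hop = entry_hop(RAW_HEADERS)
    print("entered via", hop["ip"], "rDNS", hop["rdns"], "HELO", hop["helo"])
    print("HELO matches rDNS:", not helo_mismatch(hop))
```

Run as a script it reports 82.234.174.1 (rDNS pro75-3-82-234-174-1.fbx.proxad.net) as the entry point and flags the HELO burkeauto.com as not matching, which is what Stuart read off by hand; the constructed 192.0.2.10 hop is visible in hops_bottom_up() but never considered by entry_hop(). A HELO/rDNS mismatch on its own is only a hint: plenty of legitimate hosts HELO with a name different from their reverse DNS, so treat it as one input to scoring rather than a verdict.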

Re: spam

Posted by jdow <jd...@earthlink.net>.
Email headers are very easily forged. What's fun is when you start
receiving bounces from other sites that are mal-configured complaining
about the spam from your site based on the From and Reply-to headers
that have been forged. That's called a joe-job. And about all you can
do is delete the complaints and whine about it. Oh, you can make a vow
that you will never EVER find a spammer innocent of ANYTHING if you
find one on trial and you are in the jury. (Just don't tell the lawyers
or judges about that vow.) Of course, if paperwork does not bother you
and possible prison time is no worry then killing any spammer you meet
would meet with vast approval in most of the civilized world.

{o.o}
----- Original Message ----- 
From: "Thomas Lindell" <tl...@adlmail.com>


> Does that mean they just faked the headers?
> 
> 
> I am new to mail administration, only been doing it a couple of months now,
> and I appreciate all the help.
> 
> Thanks
> 
> Tom
> 
> -----Original Message-----
> From: Stuart Johnston [mailto:stuart@ebby.com] 
> 
> I think you may be misreading the headers.  This mail came from
> pro75-3-82-234-174-1.fbx.proxad.net 
> [82.234.174.1] (a French ISP).
> 

RE: spam

Posted by Thomas Lindell <tl...@adlmail.com>.
Does that mean they just faked the headers?


I am new to mail administration, only been doing it a couple of months now,
and I appreciate all the help.

Thanks

Tom

-----Original Message-----
From: Stuart Johnston [mailto:stuart@ebby.com] 
Sent: Wednesday, July 26, 2006 11:00 AM
To: Thomas Lindell
Cc: 'Spamassassin Users List'
Subject: Re: spam

I think you may be misreading the headers.  This mail came from
pro75-3-82-234-174-1.fbx.proxad.net 
[82.234.174.1] (a French ISP).



Re: spam

Posted by Stuart Johnston <st...@ebby.com>.
I think you may be misreading the headers.  This mail came from pro75-3-82-234-174-1.fbx.proxad.net 
[82.234.174.1] (a French ISP).
