Mailing List SIMS@mail.stalker.com Message #11158
From: Aaron Lynch <a.list@ninewire.com>
Subject: Re: HELP with spam
Date: Tue, 09 Jul 2002 22:14:34 -0700
To: (SIMS Discussions) <SIMS@mail.stalker.com>
Abandon all hope?

Forging an email address is trivially easy. You can do it in your own
email client...

On 7/9/02 10:10 PM, Matthew Hill mashed the following keys:

> Thanks!  I actually did turn off the unknown account.  They are all
> bouncing back.  But damn there are still tons of them bouncing out.
> Actually used the unknown account for signing up for web sites using a
> fake email.  When they started to spam I made that address a spam
> address.  Oh well!
> I guess my question is how can they get away with forging email addresses?
> And what if anything can one do?
> Matthew
>
> On Tuesday, July 9, 2002, at 07:26 PM, Bill Cole wrote:
>
>> At 7:42 PM -0700 7/8/02, Matthew Hill imposed structure on a stream of
>> electrons, yielding:
>>> Here's another one for good measure!  I dont see these going out from
>>> anywhere!
>>
>>
>> They aren't going out from your machines at all.
>>
>> This one is a little better than the AOL bounces, since Notes at least
>> preserves headers, after a fashion. Essentially it treats the bounce as
>> a continued journey of the original, so you get the path of the bounce
>> and the path of the original all in one.
>>
>>> From: upxHel <aiALDEN@milepost1.com>
>>> From: Postmaster@intermet.com
>>> Date: Mon Jul 08, 2002  07:34:34 PM US/Pacific
>>> To: upxHel <aiALDEN@milepost1.com>
>>> Cc:
>>> Subject: DELIVERY FAILURE: User mjohnston
>>> (mjohnston@notes.intermet.com) not listed in public Name & Address Book
>>> Return-Path: <>
>>> X-Mirrored-By: Unknown@milepost1.com
>>
>> That's why these are causing you trouble. The 'unknown' account is a
>> misfeature.  I understand why SIMS (and other servers) offer it, but
>> there is good reason for it to be turned off by default. If it was off,
>> these bounces would be bouncing instead of delivering to you.
>>
>>> Received: from fw251.intermet.com ([204.146.63.251] verified) by
>>> milepost1.com (Stalker SMTP Server 1.8b8) with SMTP id S.0001112311
>>> for <aiALDEN@milepost1.com>; Mon, 08 Jul 2002 19:37:33 -0700
>>> Received: from hstgw031.intermet.com by fw251.intermet.com via smtpd
>>> (for user-vc8fec8.biz.mindspring.com [216.135.185.136]) with SMTP; 9
>>> Jul 2002 02:37:30 UT
>>
>> That's the path of the bounce. hstgw01.intermet.com didn't like the
>> message, so it bounced it by way of its outbound firewall (that's a
>> guess at fw251) for you, and it noted that your primary MX resolves to
>> an IP which reverses to that Mindspring name.
>>
>>
>>> Received: from firewall.intermet.com ([10.250.0.2]) by
>>> hstgw031.intermet.com (Lotus Domino Release 5.0.4) with SMTP id
>>> 2002070822331807:6974 ; Mon, 8 Jul 2002 22:33:18 -0400
>>> Received: from h162-040-098-242.adsl.navix.net ([162.40.98.242]) by
>>> firewall.intermet.com via smtpd (for hstgw031.intermet.com
>>> [10.1.0.31]) with SMTP; 9 Jul 2002 02:37:10 UT
>>
>> There it is. Back to here, the Received headers chain neatly.
>> h162-040-098-242.adsl.navix.net handed the original message to
>> firewall.intermet.com, aimed at hstgw01 (which we know from above is
>> what did the bouncing.) Past here it's garbage...
>>
>>
>>
>>> Received: from unknown (HELO da001d2020.lax-ca.osd.concentric.net)
>>> (194.29.209.49) by f64.law4.hotmail.com with QMQP; Jul, 08 2002
>>> 9:27:17 PM +0300
>>
>> huh? hotmail? BS. QMQP? Not likely.  +0300? Doubtful. This doesn't
>> chain with the later (i.e. above) received headers AND the unlikely
>> timezone and protocol are a known spamsign. QMQP is real, but you won't
>> see it outside of QMail installations, and Hotmail doesn't use QMail
>> anyway. Or have servers in the Middle East/Eastern Europe/East Africa.
>>
>> The nail in the coffin is that MTA's don't put AM/PM into Received
>> headers.
>>
>>
>>> Received: from [203.186.145.225] by hotmail.com (3.2) with ESMTP id
>>> MHotMailBE7297E1009B400437E7CBBA91E10D0B0; Jul, 08 2002 8:05:23 PM
>>> -0000
>>> Received: from [176.244.234.14] by smtp-server6.tampabay.rr.com with
>>> local; Jul, 08 2002 7:30:09 PM +0300
>>> Received: from rly-yk04.mx.aol.com ([99.100.131.137]) by rly-
>>> xw01.mx.aol.com with NNFMP; Jul, 08 2002 6:15:10 PM -0700
>>
>>
>> More chaining, protocol, and zone problems. More PM's. NNFMP is a
>> protocol that is proprietary and used only internally at Yahoo. The
>> 'local' protocol is supposed to indicate that a message came from the
>> machine adding the Received header. Plus this message seems to have
>> traveled back in time, with a hand-off at PDT AOL servers (itself iffy)
>> at 2002/07/09:01:15:10 UTC and then showing up about 9 hours earlier in
>> Tampa Bay, (the one outside of Baghdad, according to the zone) then
>> hitting some British arm of Hotmail 3:35 later, carrying the Received
>> header that the AOL machines were going to create almost 6 hours into
>> the future. At least, that's what it appears to be if the PM's which
>> MTA's don't use are all correct.
>>
>> IOW: those Received headers are bogus, and not even forged to be
>> minimally believable. This is a demo of rules #1 & #2 of spammers:
>> spammers lie and spammers are profoundly stupid.
>>
>>
>>> Mime-Version: 1.0
>>> X-Mailer: QUALCOMM Windows Eudora Version 5.1
>>> X-Priority: 1 (High)
>>> X-Mimetrack: Itemize by SMTP Server on HSTGW031/IMET(Release 5.0.4
>>> |June 8, 2000) at 07/08/2002 10:33:20 PM, Serialize by Router on
>>> HSTGW031/IMET(Release 5.0.4 |June 8, 2000) at 07/08/2002 10:33:41 PM,
>>> Serialize complete at 07/08/2002 10:33:41 PM
>>> Message-Id: <OF217B294A.00A6F03D-ON85256BF1.000E0A01@intermet.com>
>>> Content-Type: multipart/report; report-type=delivery-status;
>>> boundary="==IFJRGLKFGIR62893UHRUHIHD"
>>>
>>> Your message
>>>
>>>   Subject: OUR LAST PICK WENT UP 47% IN JUST 2
>>> DAYS--------------------13593 kbqqn
>>>
>>> was not delivered to:
>>>
>>>   mjohnston@notes.intermet.com
>>>
>>> because:
>>>
>>>   User mjohnston (mjohnston@notes.intermet.com) not listed in public
>>> Name & Address Book
>>>
>>> Reporting-MTA: dns;hstgw031.intermet.com
>>
>> That tells you where to split those Received headers into original
>> message and bounce paths.
>>
>> -- Bill Cole                                  bill@scconsult.com
>>
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>>  the mailing list <SIMS@mail.stalker.com>.
>> To unsubscribe, E-mail to: <SIMS-off@mail.stalker.com>
>> To switch to the DIGEST mode, E-mail to <SIMS-digest@mail.stalker.com>
>> To switch to the INDEX mode, E-mail to <SIMS-index@mail.stalker.com>
>> Send administrative queries to  <SIMS-request@mail.stalker.com>
>>
>>
> --
>

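To make Bill's header walk mechanical, here is an added example (not code from the SIMS list or from Stalker) that runs his checks over the Received: lines quoted above, unfolded onto one line each with the wrapped "rly-xw01" host name re-joined, and splits the bounce path from the original path using the DSN's Reporting-MTA. The COMMON_WITH set of expected transports and the CLOCK_SKEW tolerance are assumptions, not standards, and the loose date parser exists only so the malformed "Jul, 08 2002 9:27:17 PM +0300" stamps can still be placed on a time line. The chain test compares the by-host of one hop with the from-host of the next; real mail can fail that legitimately when a HELO name differs from reverse DNS, so read it as a pointer to look closer, not as proof.

```python
import calendar
import re
from email.utils import parsedate_tz

# Constructed sample: the Received: headers from the quoted bounce, newest first.
RECEIVED = [
    "from fw251.intermet.com ([204.146.63.251] verified) by milepost1.com (Stalker SMTP Server 1.8b8) with SMTP id S.0001112311 for <aiALDEN@milepost1.com>; Mon, 08 Jul 2002 19:37:33 -0700",
    "from hstgw031.intermet.com by fw251.intermet.com via smtpd (for user-vc8fec8.biz.mindspring.com [216.135.185.136]) with SMTP; 9 Jul 2002 02:37:30 UT",
    "from firewall.intermet.com ([10.250.0.2]) by hstgw031.intermet.com (Lotus Domino Release 5.0.4) with SMTP id 2002070822331807:6974 ; Mon, 8 Jul 2002 22:33:18 -0400",
    "from h162-040-098-242.adsl.navix.net ([162.40.98.242]) by firewall.intermet.com via smtpd (for hstgw031.intermet.com [10.1.0.31]) with SMTP; 9 Jul 2002 02:37:10 UT",
    "from unknown (HELO da001d2020.lax-ca.osd.concentric.net) (194.29.209.49) by f64.law4.hotmail.com with QMQP; Jul, 08 2002 9:27:17 PM +0300",
    "from [203.186.145.225] by hotmail.com (3.2) with ESMTP id MHotMailBE7297E1009B400437E7CBBA91E10D0B0; Jul, 08 2002 8:05:23 PM -0000",
    "from [176.244.234.14] by smtp-server6.tampabay.rr.com with local; Jul, 08 2002 7:30:09 PM +0300",
    "from rly-yk04.mx.aol.com ([99.100.131.137]) by rly-xw01.mx.aol.com with NNFMP; Jul, 08 2002 6:15:10 PM -0700",
]
REPORTING_MTA = "hstgw031.intermet.com"  # from the DSN's Reporting-MTA: field

# Transports a real MTA normally writes; anything else deserves a look (assumption).
COMMON_WITH = {"SMTP", "ESMTP", "ESMTPS", "ESMTPA", "ESMTPSA", "LMTP", "HTTP"}
CLOCK_SKEW = 600  # seconds of clock drift tolerated between adjacent hops (assumption)

MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# Fallback for the non-RFC "Jul, 08 2002 9:27:17 PM +0300" shape the spam stamps use.
LOOSE_DATE = re.compile(
    r"(?P<mon>[A-Za-z]{3}),?\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+"
    r"(?P<h>\d{1,2}):(?P<mi>\d{2}):(?P<s>\d{2})\s*(?P<ampm>[AP]M)?\s*(?P<tz>[+-]\d{4})?")


def parse_date(text):
    """Return (utc_epoch or None, is_rfc2822); a malformed date is still read when it can be."""
    parsed = parsedate_tz(text)
    if parsed is not None:
        tz = parsed[9] or 0  # '-0000' (zone unknown) comes back as None; treat as UTC
        return calendar.timegm(parsed[:9]) - tz, True
    m = LOOSE_DATE.search(text)
    if not m or m.group("mon").lower() not in MONTHS:
        return None, False
    hour = int(m.group("h"))
    if m.group("ampm"):
        hour = hour % 12 + (12 if m.group("ampm") == "PM" else 0)
    naive = calendar.timegm((int(m.group("year")), MONTHS[m.group("mon").lower()],
                             int(m.group("day")), hour, int(m.group("mi")), int(m.group("s")), 0, 0, 0))
    tz = m.group("tz") or "+0000"
    offset = (int(tz[1:3]) * 3600 + int(tz[3:5]) * 60) * (-1 if tz[0] == "-" else 1)
    return naive - offset, False  # local stamp minus its zone offset is UTC


def parse_received(line):
    """Pull the from/by/with clauses and the date out of one Received: value."""
    def clause(name):
        m = re.search(r"\b%s\s+(\S+)" % name, line)
        return m.group(1).rstrip(";") if m else None
    date_text = line.rsplit(";", 1)[1].strip() if ";" in line else ""
    epoch, rfc_ok = parse_date(date_text)
    return {"from": clause("from"), "by": clause("by"), "with": clause("with"),
            "date": date_text, "epoch": epoch, "rfc_ok": rfc_ok}


def audit(received, skew=CLOCK_SKEW):
    """Return (hops, findings); hops[0] is the newest header, findings are (index, kind, detail)."""
    hops = [parse_received(r) for r in received]
    findings = []
    for i, hop in enumerate(hops):
        if not hop["rfc_ok"]:
            findings.append((i, "date", "not an RFC 2822 date: %r" % hop["date"]))
        if re.search(r"\b[AP]M\b", hop["date"]):
            findings.append((i, "ampm", "AM/PM in a Received date; MTAs write 24-hour time"))
        if hop["with"] and hop["with"].upper() not in COMMON_WITH:
            findings.append((i, "with", "unusual transport %r" % hop["with"]))
        if i + 1 < len(hops):
            older = hops[i + 1]
            # The host that received the older hop should be the one handing off here.
            if older["by"] != hop["from"]:
                findings.append((i, "chain", "%r handed off, but the hop below was received by %r"
                                 % (hop["from"], older["by"])))
            if hop["epoch"] is not None and older["epoch"] is not None \
                    and hop["epoch"] + skew < older["epoch"]:
                findings.append((i, "time", "stamped %d s before the hop below it"
                                 % (older["epoch"] - hop["epoch"])))
    return hops, findings


def split_bounce(hops, reporting_mta):
    """Index of the first hop belonging to the original message: the Reporting-MTA
    is the last machine on the bounce's own path."""
    for i, hop in enumerate(hops):
        if hop["by"] == reporting_mta:
            return i + 1
    return 0


if __name__ == "__main__":
    hops, findings = audit(RECEIVED)
    first_original = split_bounce(hops, REPORTING_MTA)
    for i, hop in enumerate(hops):
        role = "bounce  " if i < first_original else "original"
        print("%d %s %s -> %s  %s" % (i, role, hop["from"], hop["by"], hop["date"]))
    for i, kind, detail in findings:
        print("  hop %d [%s] %s" % (i, kind, detail))
```

Run as-is it reports the bounce path (hops 0 to 2) clean and every finding Bill lists against the four hotmail/rr.com/aol lines: chain breaks, AM/PM, non-RFC dates, the QMQP/local/NNFMP transports, and the two backwards jumps in time (about 8 3/4 hours between the AOL and Tampa stamps). Feed it the Received: lines from any other bounce, newest first, to get the same triage.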