From owner-freebsd-chat Sun Mar 26 9:31:16 2000
Delivered-To: freebsd-chat@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252])
    by hub.freebsd.org (Postfix) with ESMTP id 412BF37BA3B
    for ; Sun, 26 Mar 2000 09:31:02 -0800 (PST)
    (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost)
    by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id TAA28526
    for chat@freebsd.org; Sun, 26 Mar 2000 19:31:00 +0200 (CEST)
    (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (Postfix, from userid 101)
    id 205488869; Sun, 26 Mar 2000 19:29:42 +0200 (CEST)
Date: Sun, 26 Mar 2000 19:29:41 +0200
From: Ollivier Robert
To: chat@freebsd.org
Subject: Re: Spam e-mail headers
Message-ID: <20000326192941.A49403@keltia.freenix.fr>
Mail-Followup-To: chat@freebsd.org
References: <000801bf9735$f19e2f80$40390918@vncvr1.wa.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <000801bf9735$f19e2f80$40390918@vncvr1.wa.home.com>; from johnmpurser@home.com on Sun, Mar 26, 2000 at 07:14:12AM -0800
X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to John Purser:
> Anybody got any (useful) ideas?

I think the Earthlink header is a red-herring, it is a fake one, probably
generated by the spammer's software.

I think the sucker's coming through Prodigy from a dialup in splitrock.net.
Splitrock must be a customer of Prodigy's and they have access to Prodigy's
SMTP server because of that. Complain to both Prodigy and Splitrock.

> Received: from pimout4-int.prodigy.net (pimout4-ext.prodigy.net
> [207.115.63.103])
> by mx1-e.mail.home.com (8.9.1/8.9.1) with ESMTP id AAA24197;
> Sun, 26 Mar 2000 00:16:38 -0800 (PST)
> Received: from smtp.prodigy.net (MIAMB106-30.splitrock.net [209.156.28.214])
> by pimout4-int.prodigy.net (8.8.5/8.8.5) with SMTP id DAA67476;
> Sun, 26 Mar 2000 03:15:16 -0500

This header is probably genuine, having no relation whatsoever with the
previous one. I'm a bit surprised they still run 8.8.5 though.

> Received: from harrier.prod.itd.earthlink.net (207.217.121.12) by
> earthlink.net (8.8.5/8.6.5) with SMTP id GAA01093 for
> ; Sun, 26 Mar 2000 00:58:57 -0600 (EST)

Faked. This Sendmail version signature is a common point in several
spamware.
-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #78: Sun Feb 27 15:32:39 CET 2000

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
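
Added example, not part of the message above: a Python sketch that walks the three quoted Received: headers from newest to oldest and reports where the chain stops vouching for itself, plus hops where the client's claimed name and its looked-up name belong to different domains. The function names, the exact-name matching and the two-label domain rule are assumptions of this example and are stricter than real mail paths always allow.

```python
import re

# The three Received: headers quoted in the message, newest first, unfolded.
# The recipient after "for" in the last one is blank on the page and stays so.
RECEIVED = [
    "from pimout4-int.prodigy.net (pimout4-ext.prodigy.net [207.115.63.103])"
    " by mx1-e.mail.home.com (8.9.1/8.9.1) with ESMTP id AAA24197;"
    " Sun, 26 Mar 2000 00:16:38 -0800 (PST)",
    "from smtp.prodigy.net (MIAMB106-30.splitrock.net [209.156.28.214])"
    " by pimout4-int.prodigy.net (8.8.5/8.8.5) with SMTP id DAA67476;"
    " Sun, 26 Mar 2000 03:15:16 -0500",
    "from harrier.prod.itd.earthlink.net (207.217.121.12) by"
    " earthlink.net (8.8.5/8.6.5) with SMTP id GAA01093 for"
    " ; Sun, 26 Mar 2000 00:58:57 -0600 (EST)",
]

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)

def parse_hop(value):
    """Split one Received: value into claimed name, looked-up names, recorder."""
    m = HOP.match(value.strip())
    if m is None:
        raise ValueError("unrecognised Received: layout: " + value[:40])
    helo, peer, by = m.groups()
    # Keep host names from the parenthesised part; drop numeric addresses.
    names = {t.lower() for t in peer.split() if re.search(r"[A-Za-z]", t)}
    return {"helo": helo.lower(), "peer": names, "by": by.lower()}

def domain(host):
    # Assumption: the last two labels identify the operator (fine for .net).
    return ".".join(host.split(".")[-2:])

def first_unvouched(hops):
    """Index of the first header whose writer was not seen by the hop above."""
    for i in range(len(hops) - 1):
        seen = {hops[i]["helo"]} | hops[i]["peer"]
        if hops[i + 1]["by"] not in seen:
            return i + 1  # this header and all below it are sender-supplied
    return None

def helo_mismatch(hop):
    """True when the name the client claimed is outside every looked-up domain."""
    domains = {domain(p) for p in hop["peer"]}
    return bool(domains) and domain(hop["helo"]) not in domains

HOPS = [parse_hop(v) for v in RECEIVED]

if __name__ == "__main__":
    print(first_unvouched(HOPS), [helo_mismatch(h) for h in HOPS])
```

Index 2 is the Earthlink header: nothing above it records a connection from earthlink.net, while the hop above it shows a client naming itself smtp.prodigy.net from a splitrock.net address.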