So if you had received the mail sent here yesterday claiming to be from Alain Durand, would you block Sun or IBM? I am sure Alain did not send a random executable file to a non-existent account. It appears someone figured out he had responded to me on this list in the past, and plenty of times daily there are messages with the same content sent to half a dozen account names as a cc set. Correlating Durand to Hain is completely in line with typical spammer behavior. The fact this message got here is not a Sun problem (but someone at IBM might want to send me a note). The point is that it really doesn't matter which proxy was used; what shows up here looks like a legitimate message from someone I have corresponded with in the past. The only way to detect a fraud at the MUA would be to have a verifiable signature from Alain (this was trapped at my MTA due to the exe file).

Tony

192.35.***.***:43014;4.65.25.155:25;Tue, 17 Feb 2004 15:12:51 -0800
tndh.net
S471B7
MAIL FROM:<alain.durand@xxxxxxx>
RCPT TO:<hain@xxxxxxxx>
<<MAIL-DATA>>
Received: from mtrumble (192.35.***.***:43014)
	by tndh.net with [XMail 1.17 (Win32/Ix86) ESMTP Server]
	id <S471B7> for <hain@xxxxxxxx> from <alain.durand@xxxxxxx>;
	Tue, 17 Feb 2004 15:12:51 -0800
Date: Tue, 17 Feb 2004 17:10:17 -0600
To: hain@xxxxxxxx
Subject: ID qfp... thanks
From: alain.durand@xxxxxxx
Message-ID: <adkselafptndppsbnlb@xxxxxxx>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------443488178303183"

----------443488178303183
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Yours ID fscyygroiei -- Thank

----------443488178303183
Content-Type: application/x-msdownload; name="pcrceynyu.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cdv.exe"

> 192.35.***.***
Non-authoritative answer:
***.***.35.192.in-addr.arpa name = ***.***.ibm.com

*** - if someone from IBM wants to contact me off list I will provide the missing name/number

> -----Original Message-----
> From: owner-ietf@xxxxxxxx [mailto:owner-ietf@xxxxxxxx] On Behalf Of Vernon Schryver
> Sent: Tuesday, February 17, 2004 8:03 PM
> To: ietf@xxxxxxxx
> Subject: Re: How Not To Filter Spam
>
> > From: "william(at)elan.net"
>
> > > It is also a classic example of what is wrong with the MUA filtering
> >
> > You certainly don't assume that there is nothing wrong with the filtering
> > system you use and others may try to duplicate as well. Otherwise how would
> > you explain that you have Elan and completewhois.com listed as filtered
> > on your site. Do you honestly believe we ever sent you any SPAM? Or maybe
> > you're making certain assumptions about envelope from or normal "From:"
> > headers and complaining when others are making the similar assumptions?
>
> Mail from Elan and completewhois.com is unwelcome at rhyolite.com in
> part because of a message that said:
>
> ] Elan.Net Internet
> ] T.1 T.3 Frame Relay
> ] If you need more information about us or are interested in network services
> ] (managed hosting, collocation, dedicated servers, t1, t3), please send email to info@xxxxxxxx
> ]
> ] For More info
> ] http://www.elan.net
> ] sales@xxxxxxxx
>
> There are additional, independent, sufficient reasons for that listing
> that we do not need to explore. If you will read my web pages, you'll
> see that my list of unwelcome domains is not only about senders of
> unsolicited bulk email.
>
> An advantage of a vanity or other tiny domain is that it can use
> blacklists that would have intolerable false positive rates at other
> or larger outfits but that have 0.000% local false positive rates.
>
>
> Vernon Schryver vjs@xxxxxxxxxxxx
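
Added example, not part of the original message and not XMail's own filter: a sketch of the kind of MTA-side attachment check that trapped the message above, which inspects the MIME part headers rather than the forgeable From: line. The function name `executable_parts` and the blocklists are assumptions; the sample message is constructed from the quoted headers, with placeholder domains and a dummy base64 body.

```python
import email
import os
from email.utils import collapse_rfc2231_value

# Assumption: an illustrative blocklist, not XMail's actual filter rules.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
BLOCKED_TYPES = {"application/x-msdownload"}

# Constructed sample modelled on the headers quoted in the message above;
# addresses use placeholder domains and the base64 body is a dummy.
SAMPLE = """\
From: alain.durand@example.com
To: hain@example.net
Subject: ID qfp... thanks
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------443488178303183"

----------443488178303183
Content-Type: text/plain; charset="us-ascii"

Yours ID fscyygroiei

----------443488178303183
Content-Type: application/x-msdownload; name="pcrceynyu.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cdv.exe"

ZHVtbXk=
----------443488178303183--
"""

def executable_parts(raw):
    """Return a finding for each MIME part that looks like an executable."""
    findings = []
    for part in email.message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # The attachment name can appear in two headers; check both.
        raw_names = (part.get_param("name"),
                     part.get_param("filename", header="content-disposition"))
        names = [collapse_rfc2231_value(n) for n in raw_names if n]
        bad_ext = any(os.path.splitext(n.lower())[1] in BLOCKED_EXTENSIONS
                      for n in names)
        if ctype in BLOCKED_TYPES or bad_ext:
            findings.append({"content_type": ctype, "names": names,
                             "names_differ": len(set(names)) > 1})
    return findings
```

On the sample, the attachment is flagged both by its declared type and by its extension, and the two differing file names are reported as well.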