-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 22 Jan 2003 12:06:05 -0000 (GMT), Mark Cooke wrote:

> > >> Spammer: smtp0542.mail.yahoo.com
> >
> > No, that is not the spammer. That was faked. You can submit an
> > arbitrary sequence of characters in the greeting line when
> > connecting to a mail server.
>
> I was under the assumption that that was the faked from address of the
> host

No, it's just an (E)SMTP greeting and can be anything. Watch the "HELO"
line below:

$ telnet mx1.redhat.com 25
Trying 66.187.233.31...
Connected to mx1.redhat.com.
Escape character is '^]'.
220 **************************************************22*****200**0**02*2***0*00
HELO hi_dudes_at_redhat_dot_com
250 mx1.redhat.com Hello my-external-hostname.net [217.x.x.x], pleased to meet you
MAIL FROM: none-existant-email-account@arcor.de
250 2.1.0 none-existant-email-account@arcor.de... Sender ok
quit
221 2.0.0 mx1.redhat.com closing connection
Connection closed by foreign host.

But often it is the sender's local hostname or the domain name of the
sender address. What is put there depends on the mail client or relay.
Spammers usually submit a faked hostname there, in the hope that it
misleads the recipient. In your case, smtp0542.mail.yahoo.com does not
even exist.

> >> OpenRelay Server: pc-80-193-4-51-nm.blueyonder.co.uk [80.193.4.51]
>
> So why is this blueyonder address in there then ?

It is the sender's hostname and IP address, which in the "Received:"
line is stored right after the sender's greeting string.

Read it like this:

Received: from ignore-senders-greeting-string-here (pc-80-193-4-51-nm.blueyonder.co.uk [80.193.4.51])
	(authenticated bits=0)
	by mail.pcc.edu.cn (8.12.3/8.12.3) with ESMTP id h0LItEL9003808
	for <tuesday350@hotmail.com>; Wed, 22 Jan 2003 02:55:23 +0800

Which translates to:

Message _from_ (pc-80-193-4-51-nm.blueyonder.co.uk [80.193.4.51])
received _by_ mail.pcc.edu.cn
_for_ <tuesday350@hotmail.com>
on Wed, 22 Jan 2003 02:55:23 +0800

When reverse lookup on the IP address gives no result, the hostname may
be missing:

Received: from hello ([80.193.4.51])
	(authenticated bits=0)
	by mail.pcc.edu.cn (8.12.3/8.12.3) with ESMTP id h0LItEL9003808
	for <tuesday350@hotmail.com>; Wed, 22 Jan 2003 02:55:23 +0800

Complete "Received:" lines at the bottom of the mail headers can be
faked. So, while usually you start following a mail's path by reading
the "Received:" lines from bottom to top, that can be wrong and you may
need to skip one or a few faked lines which would point you to a wrong
provider/company. There are plenty of sources and FAQs on reading
SPAM/UCE mail headers findable via Google.

With every open relay you manage to shut down by informing the
postmaster, several new open relays and compromised hosts are found and
abused. Efficiently, you can fight SPAM only where you have control over
a mail server and where you can reject messages or deny access.

- -- 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+Lphu0iMVcrivHFQRAi6zAJ9+F4ZYw0H1cnV9xrUkI45gjCCdAwCcCgMr
9CNMr1+KSg1jq9C38MMZoks=
=vkWz
-----END PGP SIGNATURE-----

-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
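The bottom-to-top reading of "Received:" lines, and the way a forged bottom line shows up as a break in the chain, as an added Python example that is not part of the mail above. It unfolds a header block, pulls from each "Received:" line the sender's greeting, the reverse-DNS name and IP the receiving server actually recorded, and the "by" host, then walks the hops from the top (the server you trust) downwards and stops where a hop's connecting host is not the "by" host of the line below it, which is where the sender's own invented lines begin. The header block is constructed for the example: it reuses the 80.193.4.51 address and the missing-reverse-DNS form discussed above, uses RFC 5737 documentation addresses for everything else, and the names mx.example.net and relay.example.org are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample header block (not from the original mail). Header order is
# as in a real message: the newest hop at the top. The bottom-most Received:
# line was written by the sender to point an investigator at the wrong host.
SAMPLE_HEADERS = """\
Received: from mail.pcc.edu.cn (mail.pcc.edu.cn [203.0.113.10])
    by mx.example.net (Postfix) with ESMTP id 1A2B3C
    for <victim@example.net>; Wed, 22 Jan 2003 03:01:10 +0800
Received: from hello ([80.193.4.51])
    (authenticated bits=0)
    by mail.pcc.edu.cn (8.12.3/8.12.3) with ESMTP id h0LItEL9003808
    for <victim@example.net>; Wed, 22 Jan 2003 02:55:23 +0800
Received: from smtp0542.mail.yahoo.com (smtp0542.mail.yahoo.com [198.51.100.7])
    by relay.example.org with SMTP id 777
    for <victim@example.net>; Tue, 21 Jan 2003 10:00:00 -0800
Subject: test
"""

# "from <greeting> (<rdns> [<ip>]) ... by <host>": the greeting is whatever the
# sender sent in HELO/EHLO; the parenthesised part is what the receiver saw.
# The rdns name is absent when the reverse lookup of the IP gave no result.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<greeting>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;()]+)",
    re.IGNORECASE | re.DOTALL,
)


def unfold_headers(raw: str) -> List[str]:
    """Join continuation lines (those starting with whitespace) onto the
    header field they belong to, so each header is one logical line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per Received: header, in top-to-bottom order."""
    hops = []
    for line in unfold_headers(raw):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "received":
            continue
        m = RECEIVED_RE.match(value.strip())
        if m:
            hops.append({
                "greeting": m.group("greeting"),
                "rdns": m.group("rdns"),   # None when reverse lookup failed
                "ip": m.group("ip"),
                "by": m.group("by"),
            })
    return hops


def trusted_hops(hops: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Walk from the top hop downwards and keep hops while the chain holds:
    the host a hop says it received *from* must be the host the next line
    down says it was received *by*. At the first mismatch the line below was
    not written by a server that handled the message, so it and everything
    under it is treated as forged. Heuristic only: the greeting is under the
    sender's control, so a careful forger can make it match; the IP the
    receiver recorded is the value to rely on."""
    trusted = []
    for i, hop in enumerate(hops):
        trusted.append(hop)
        if i + 1 < len(hops):
            claimed = {s.lower() for s in (hop["rdns"], hop["greeting"]) if s}
            if hops[i + 1]["by"].lower() not in claimed:
                break
    return trusted


def origin_ip(raw: str) -> Optional[str]:
    """IP address of the lowest hop that can still be trusted, i.e. the host
    that actually injected the message into the first honest server."""
    chain = trusted_hops(parse_received(raw))
    return chain[-1]["ip"] if chain else None


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADERS):
        print(hop)
    print("origin:", origin_ip(SAMPLE_HEADERS))
```

Run against the sample block, the walk stops after the second line: "hello" has no reverse-DNS name and is not relay.example.org, so the bottom "Received:" line naming smtp0542.mail.yahoo.com is discarded and the origin reported is 80.193.4.51, the host that connected to mail.pcc.edu.cn.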