[lug] mailman and AV
Lee Woodworth
blug-mail at duboulder.com
Wed Nov 3 12:10:12 MST 2004
D. Stimits wrote:
> ...
>
>> Received: from homeoffice.org (adsl-70-240-238-238.dsl.hstntx.swbell.net
>> [70.240.238.238])
>> by new.community.tummy.com (Postfix) with SMTP id B93B720CCDA4
>> for <lug at lug.boulder.co.us>; Mon, 1 Nov 2004 23:09:33 -0700
>> (MST)
You can only rely on the very top Received: header since that is
generated by the final MTA. All the others are suspect since they can be
created by the mail originator. In the case of the headers I posted, the
top Received: header is from tummy.com.
>
> ...
>
> host 70.240.238.238
> 238.238.240.70.in-addr.arpa domain name pointer
> adsl-70-240-238-238.dsl.hstntx.swbell.net.
>
> That so far is a forgery.
>
> host homeoffice.org
> homeoffice.org has address 216.55.156.109
>
> This too does not match homeoffice.org.
>
> host new.community.tummy.com
> new.community.tummy.com has address 198.49.126.209
>
> Perhaps it is coming through tummy.com, I'm not sure, but there is
> certainly some forgery going on. The real sender at the start of it all
> seems to be from swbell.net, and all in the header is certainly not
> correct. Anyone know who has a windows machine on swbell.net that also
> has the lug members in their address book? Most of these viruses send to
> address book recipients, and if someone has those LUG people in
> their address book, would be a reason why 2 or more people on this list
> got it. I'm not great at sleuthing headers, but this one is not
> completely honest.
>
> D. Stimits, stimits AT comcast DOT net
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
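The rule Lee states (believe only the top Received: header, because your own MTA stamped it, then check its bracketed IP against DNS the way D. Stimits did with host) as an added Python example; this is not code from the thread. The message is a constructed copy of the header quoted above, and FORWARD/REVERSE are a constructed stand-in for DNS built from the lookups quoted in the thread so the example runs offline; trusted_hop and check_hop are names chosen here.

```python
import re
from email import message_from_string

# Constructed sample message modelled on the headers discussed in the thread.
# The top Received: line is the one stamped by the list's own MTA; the one
# below it is whatever the sending machine chose to write and is untrusted.
RAW_MESSAGE = """\
Received: from homeoffice.org (adsl-70-240-238-238.dsl.hstntx.swbell.net [70.240.238.238])
\tby new.community.tummy.com (Postfix) with SMTP id B93B720CCDA4
\tfor <lug at lug.boulder.co.us>; Mon, 1 Nov 2004 23:09:33 -0700 (MST)
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby homeoffice.org with ESMTP; Mon, 1 Nov 2004 22:00:00 -0700
Subject: test
"""

# Constructed stand-in for DNS so the example runs offline; the entries follow
# the host(1) lookups quoted in the thread.
FORWARD = {"homeoffice.org": {"216.55.156.109"},
           "adsl-70-240-238-238.dsl.hstntx.swbell.net": {"70.240.238.238"}}
REVERSE = {"70.240.238.238": "adsl-70-240-238-238.dsl.hstntx.swbell.net"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def trusted_hop(raw, our_mta):
    """Return the only Received: hop worth believing: the top-most one, and
    only if our own MTA stamped it. Every hop below is sender-supplied."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(" ".join(received[0].split()))
    if m is None or m.group("by") != our_mta:
        return None
    return m.groupdict()

def check_hop(hop, forward=FORWARD, reverse=REVERSE):
    """Cross-check the announced HELO name and the rDNS name against the
    connecting IP, the way the thread does by hand with host(1)."""
    helo, ip, rdns = hop["helo"], hop["ip"], hop["rdns"]
    findings = []
    if ip not in forward.get(helo, set()):
        findings.append(f"HELO name {helo} does not resolve to {ip}")
    if rdns and reverse.get(ip) != rdns:
        findings.append(f"PTR for {ip} is not {rdns}")
    if rdns and ip not in forward.get(rdns, set()):
        findings.append(f"rDNS name {rdns} does not resolve back to {ip}")
    return findings
```

For the quoted header this reports one finding, the HELO name homeoffice.org not matching the swbell.net address that actually connected, which is the forgery the thread points at; the lower Received: line is never consulted.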