[lug] email mystery

D. Stimits stimits at idcomm.com
Tue Feb 20 19:59:46 MST 2001 

Kirk Rafferty wrote:
> 
> The message originated from dns2.kokushikan.ac.jp [202.253.226.22].
> It gets a little tricky sometimes, but most spam originates from
> the site that last connected to your mail server.  So, working
> backwards in the envelope headers, you see the line
> 
> Received: from dns2.kokushikan.ac.jp (dns2.kokushikan.ac.jp
> [202.253.226.22]) by totalrecall.idcomm.com (8.9.3/8.9.3)
> with ESMTP id GAA19192; Tue, 20 Feb 2001 06:18:31 -0700
> 
> The other thing that gives this particular spam away is the
> "From: crdserv at yahoo.com" header, imbeded between two
> "Received:" headers.  You won't ever see "From:" headers in
> the envelope section (the "Received:" headers) of an email.
> 
> I did an RSS lookup on this IP, and it is in the RSS database.
> You'll stop a lot of spam at the source if you can convince the
> powers that be at idcomm.com to implement RSS.  You can find
> more info at http://mail-abuse.org/rss/.

Thanks! I am going to see if I can get idcomm to look into this, I get a
ton of junk that is in no way addressed to me. RSS seems like a good
idea. I'm still confused as to how this could actually reach my
particular account without it being addressed anywhere...seems like a
bug being exploited.

D. Stimits, stimits at idcomm.com

> 
> Good luck, and hope this helps!
> 
> -k
> 
> On Tue, Feb 20, 2001 at 02:03:17PM -0700, D. Stimits wrote:
> > I'm trying to figure out how some of the spam email gets to me. The full
> > headers don't show me anywhere in the path, although it does show the
> > email servers from my ISP. The ISP uses a mix of Linux and NT boxes. Is
> > there some sort of mass email feature to allow sending to everyone at
> > some domain? Here is a sample full header I got:
> >
> > Return-Path:
> >                  <crdserv at yahoo.com>
> >         Received:
> >                  from totalrecall.idcomm.com (totalrecall.idcomm.com
> > [207.40.196.5]) by mailhost.idcomm.com
> >                  (8.10.0/8.10.0) with ESMTP id f1KDK4p16394; Tue, 20 Feb
> > 2001 06:20:04 -0700
> >         Received:
> >                  from dns2.kokushikan.ac.jp (dns2.kokushikan.ac.jp
> > [202.253.226.22]) by totalrecall.idcomm.com
> >                  (8.9.3/8.9.3) with ESMTP id GAA19192; Tue, 20 Feb 2001
> > 06:18:31 -0700
> >            From:
> >                  crdserv at yahoo.com
> >         Received:
> >                  from yahoo.com (localhost [127.0.0.1]) by
> > dns2.kokushikan.ac.jp (8.9.3+3.2W/3.7Wpl2/02/06/01) with
> >                  SMTP id WAA03068; Tue, 20 Feb 2001 22:16:19 +0900 (JST)
> >             Date:
> >                  Tue, 20 Feb 2001 22:16:19 +0900 (JST)
> >       Message-ID:
> >                  <200102201316.WAA03068 at dns2.kokushikan.ac.jp>
> >         Reply-To:
> >                  crdserv at yahoo.com
> >               To:
> >                  crdserv at yahoo.com
> >           Subject:
> >                  Clear Up Bad Credit Today! Get approved for loans and
> > more...
> >   X-Mozilla-Status:
> >                  8001
> >  X-Mozilla-Status2:
> >                  00000000
> >           X-UIDL:
> >                  _RAE.H8mk6.mailhost
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list