
[SpamCop-List] Re: Fake NDR contains false headers in "bounced" msg

Mike Easter MikeE at ster.invalid
Sun Aug 15 19:20:11 EDT 2004


Don Wannit wrote:
> the Received header has a timestamp which I know to be bogus,
> because that machine is not powered up, and had not been for some 42
> hours prior to the timestamp on that Received: header.

However, your contribution to the information about the mirador line in
what I'm calling the 'original' spam - in which I posit that *ONLY* the
mirador line is bogus doesn't negate my argument.  You want to
extrapolate that the bogosity of the mirador line expands to the entire
belated bounce structure.  I entirely disagree.  John's comments are
mildly supportive of that - but the important arguments are the
fundamentals of the issue which I described earlier.

> I see that IP 195.29.102.214 (the supposed recipient of the spam
> being bounced) is listed in dynablock.njabl.org as a dynamic address.

You are not characterizing the issue as I described it.  I'm alleging
that 195.29.102.214, rDNS as7-m214.net.htnet.hr, is, in fact, the
actual *source* of the spamitem;  the structure of the spam headers as
I'm calling it is below  [brainstorm = for frontier.net]:

  Abbreviated Received lines                              *comment

  from (localhost.brainstorminternet.net [127.0.0.1])
    by starfish.brainstorminternet.net                    *brainstorm internal

  from starfish.brainstorminternet.net ([127.0.0.1])
    by starfish.brainstorminternet.net                    *brainstorm internal

  from (as7-m214.net.htnet.hr [195.29.102.214])
    by starfish.brainstorminternet.net                    *sourceline

  from (mail.mirador.com [209.218.188.5])
    by as7-m214.net.htnet.hr                              *bogusline

> Our SMTP server would have rejected it.

Arguing about what your server would have done isn't relevant.  You are
arguing or commenting about a bogusline.

> Note that the Received:
> headers above that one all show *.brainstorminternet.net with an IPS
> of 127.0.0.1 -- either starfish.brainstorminternet.net is
> misconfigured w.r.t. proper Received headers, or the payload is a set
> of forged headers.

No.  That is all internal handling stuff.  The brainstorm servers who are
handling that item never passed it off -- they don't have to use 'real'
IP numbers.  When a server is 'receiving' an item which it never passes
on, it doesn't 'have to' properly call itself in the lines.  Those lines
are from brainstorm getting something it never passed on.  What it did
eventually was mail 'back' [to the bogus From] something it never
delivered.

> I have to say I'd readily believe that starfish.brainstorminternet.net
> is a compromised machine, and I would not believe that a powered-down
> machine can send any email.  :-)

Nope.  I completely disagree.   The Croatian is the perp.  The brainstorm
is just doing a 'bad' thing by belatedly bouncing something.

> Any other candidates, based on the full headers?

-- 
Mike Easter
kibitzer, not SC admin
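To make the header-walking argument in this message concrete, here is an added example (my own, not code from the list, the poster, or SpamCop) that reads a Received: chain top-down, believes only lines stamped by a relay you control, treats the first hop from an outside address into that relay as the source, and marks everything below it as forgeable. The trusted domain suffix and the abbreviated sample lines are assumptions constructed from the structure discussed above.

```python
import re

# Assumption: these are the relays whose Received: stamps we believe
# (the brainstorm servers, which handled the item and never passed it on).
TRUSTED_SUFFIX = ".brainstorminternet.net"
LOOPBACK = "127.0.0.1"

# Constructed sample, abbreviated from the header structure in the thread,
# ordered top (most recent stamp) to bottom (oldest claimed hop).
RECEIVED = [
    "from (localhost.brainstorminternet.net [127.0.0.1]) by starfish.brainstorminternet.net",
    "from starfish.brainstorminternet.net ([127.0.0.1]) by starfish.brainstorminternet.net",
    "from (as7-m214.net.htnet.hr [195.29.102.214]) by starfish.brainstorminternet.net",
    "from (mail.mirador.com [209.218.188.5]) by as7-m214.net.htnet.hr",
]

# Matches "from [helo] (rdns [ip]) by host"; the HELO name is optional, as in
# the sample lines where the stamping MTA omitted it.
HOP_RE = re.compile(
    r"from\s+(?:(?P<helo>[^\s(]+)\s+)?"
    r"\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def classify_hops(received):
    """Return (source_ip, [(line, tag), ...]).

    Walking top-down, a line is 'internal' while a trusted relay is receiving
    from loopback (its own internal handling), 'source' at the first line where
    a trusted relay received from an outside IP, and 'forgeable' for every line
    below that, since the outside sender wrote those itself.
    """
    tagged, source = [], None
    for line in received:
        m = HOP_RE.search(line)
        if not m:
            tagged.append((line, "unparsed"))
            continue
        if source is not None:
            tag = "forgeable"            # below the source line: sender-supplied
        elif not m.group("by").endswith(TRUSTED_SUFFIX):
            tag = "untrusted"            # stamped by a host we do not control
        elif m.group("ip") == LOOPBACK:
            tag = "internal"             # trusted relay talking to itself
        else:
            tag, source = "source", m.group("ip")
        tagged.append((line, tag))
    return source, tagged
```

Run against the sample, the source resolves to 195.29.102.214 and the mirador line is marked forgeable, which is exactly the distinction the message draws between the sourceline and the bogusline.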
