
[SpamCop-List] Re: Mysterious Email - Maybe/Maybe Not

N. Miller nobody at spamcop.net
Mon Jun 27 16:16:01 EDT 2005


On Mon, 27 Jun 2005 13:04:15 -0700, Dar wrote:

> Opinions, please? Full headers in spamcop.spam
> 
> My clients think someone is using *her* email to send spam. But
> when I received the email in question via attachment and checked
> the headers, the IP matches their own. It matches the IP in the
> mail log files displaying mail login info as well. It doesn't
> appear to be a static IP in that the same IP goes back several
> days in the log files.

Do I have to assume the missing pieces that Mike mentioned? Your server,
"dar3.robust.net"(?) logged a connection from "BUNNY2
(user-12hdj3c.cable.mindspring.com [69.22.204.108])". That much hardly
seems doubtful.

> Servicing request from "user-12hdj3c.cable.mindspring.com" at 69.22.204.108

> Someone could have forged the *from* address, but is it possible
> to forge an IP? My initial feeling was that she sent email to
> him and forgot? By accident?

That line can't be forged unless the forger has access to
"dar3.robust.net". Unless your correspondent knows that they are running an
"end-to-end" SMTP client on a dynamic IP address, that message is the
result of some kind of open proxy, or the like.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
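
An added example, not part of the original post: a Python sketch of the check discussed in this thread, trusting only the topmost `Received:` line stamped by your own server and reading the connecting IP from it. The sample message is constructed; only the `BUNNY2 (...)` fragment and the server name as quoted in the thread come from the page, and `trusted_hop` is a hypothetical helper name.

```python
import re
from email import message_from_string

# Constructed sample: only the "BUNNY2 (...)" fragment and the server name
# appear in the thread; every other header value here is made up.
SAMPLE = """\
Received: from BUNNY2 (user-12hdj3c.cable.mindspring.com [69.22.204.108])
\tby dar3.robust.net with ESMTP id CONSTRUCTED1; Mon, 27 Jun 2005 12:00:00 -0700
Received: from mail.example.com (mail.example.com [192.0.2.1])
\tby relay.example.net with SMTP id CONSTRUCTED2; Mon, 27 Jun 2005 11:59:00 -0700
From: someone@example.com
Subject: constructed test message

body
"""

# "from HELO (rdns [ip]) ... by HOST" in the common Sendmail/Postfix layout.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def trusted_hop(raw_message, trusted_hosts):
    """Return the hop recorded by the topmost parsable Received header,
    but only if one of our own servers stamped it."""
    msg = message_from_string(raw_message)
    trusted = {h.lower() for h in trusted_hosts}
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue  # local-delivery style line with no "from ... [ip]"
        # Servers prepend their line, so only the topmost one is ours.
        # Anything below it arrived with the message and may be forged,
        # even if it claims "by" one of our host names.
        if m.group("by").lower() in trusted:
            # "ip" comes from the TCP connection our server accepted;
            # "helo" is whatever name the client chose to announce.
            return m.groupdict()
        return None
    return None

if __name__ == "__main__":
    print(trusted_hop(SAMPLE, ["dar3.robust.net"]))
```
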

