[Mimedefang] Have I mentioned that MIMEDefang is great?

Joseph Brennan brennan at columbia.edu
Tue Jun 10 09:22:01 EDT 2003


Michael Sims noted,

> Over the past couple of days I've received several spam reports from my
> end users which contain messages that came directly from Hotmail relays.
. . .
> (1) The X-Originating-Email header and envelope sender contained a
> different email address than that of the From header.
> (2) The message headers contained 2 X-Originating-IP headers.
> (3) One of the X-Originating-IP headers had "IP" spelled as "Ip"
> (4) One of the X-Originating-IP headers had an IP that was clearly forged
> (octets with leading zeros or not in 0-255 range)


Kind of like this...

Received: from hotmail.com (bay3-dav44.bay3.hotmail.com [65.54.169.74])
	by ns3.99hats.com (8.9.3/8.9.3) with ESMTP id VAA15082
	for <tlxl at xydata.com>; Sat, 7 Jun 2003 21:40:55 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Sat, 7 Jun 2003 19:07:39 -0700
Received: from 128.59.xx.xx by bay3-dav44.bay3.hotmail.com with DAV;
	Sun, 08 Jun 2003 02:07:39 +0000
X-Originating-IP: [128.59.xx.xx]
X-Originating-Email: [njonm4te34asy at msn.com]
Subject: Grow Young, Not Old
From: "Moriarty Jover" <MoriartyJover at myrealbox.com>
To: "Balmes Miessner" <BalmesMiessner at email.com>
Importance: Normal
X-Originating-Ip: [50.078.80.327]


We got this from Spamcop.  The X-Originating-IP showed a Columbia
IP address, in which I have substituted xx's.

The host appears to have been infected with the Sobig virus or
something like it.  As it happens the owner has been reconfiguring
it over the past few days, so we can't get details of what it was
like on Saturday when the mail was sent.

It's been speculated that the purpose of Sobig is to open ports
for spamming.  This is only one incident so we should not infer
too much from it.

Joseph Brennan          Columbia University in the City of New York
postmaster at columbia.edu                 Academic Technologies Group
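
The four observations Michael Sims lists, applied to a header block like the one quoted above. This is an added example, not code from the original post or from MIMEDefang. The function names, the result labels, the example.* addresses and 192.0.2.10 (standing in for the redacted 128.59.xx.xx) are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted headers; the addresses are
# placeholders and 192.0.2.10 replaces the redacted originating IP.
SAMPLE = """\
Received: from hotmail.com (bay3-dav44.bay3.hotmail.com [65.54.169.74])
\tby mx.example.net with ESMTP; Sat, 7 Jun 2003 21:40:55 -0400
X-Originating-IP: [192.0.2.10]
X-Originating-Email: [sender1@example.com]
Subject: Grow Young, Not Old
From: "Moriarty Jover" <sender2@example.org>
To: "Balmes Miessner" <rcpt@example.net>
X-Originating-Ip: [50.078.80.327]

body
"""

def valid_dotted_quad(text):
    """True only for four decimal octets in 0-255 with no leading zeros."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    for p in parts:
        if not (p.isascii() and p.isdigit()):
            return False
        if (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return False
    return True

def hotmail_header_anomalies(raw):
    """Return a label for each of the four anomalies found in the headers."""
    msg = message_from_string(raw)
    found = []
    # msg.items() keeps header order and the exact spelling of each name.
    xoip = [(k, v) for k, v in msg.items() if k.lower() == "x-originating-ip"]
    if len(xoip) > 1:                       # observation (2)
        found.append("duplicate-x-originating-ip")
    for name, value in xoip:
        if name != "X-Originating-IP":      # observation (3)
            found.append("odd-case:" + name)
        if not valid_dotted_quad(value.strip().strip("[]")):  # observation (4)
            found.append("invalid-ip:" + value.strip())
    # Observation (1), header part only: the envelope sender is not in the headers.
    xoe = msg.get("X-Originating-Email", "").strip().strip("[]").lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if xoe and from_addr and xoe != from_addr:
        found.append("from-mismatch")
    return found
```

The envelope sender half of observation (1) has to come from the SMTP transaction, which a milter-based filter sees separately from the header block.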





