[Mimedefang] Accuracy of infected IP in mdlog

Joseph Brennan brennan at columbia.edu
Fri May 14 13:48:40 EDT 2004


> I know all of that, I was just thinking that "Received:" header lines are
> not so generally spoofed as "From:" header lines. And I really think it's
> the case when I look at the behaviour of viruses which are in the wild.


A user sent me an example this morning.  (Line-wrapped by me for
legibility)


Received: from 213-153-55-213.dyn.salzburg-online.at
  (213-153-55-213.dyn.salzburg-online.at [213.153.55.213]) by
  tepin.cc.columbia.edu (8.12.11/8.12.11) with SMTP id i4DJF6Va029037;
  Thu, 13 May 2004 15:15:08 -0400 (EDT)
Received: from mail865.pjz.optusnet.com.au ([84.180.144.0]) by
  xv79-e0.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
  Thu, 13 May 2004 18:12:40 -0200
Received: from SKCR39 (p216.66.164.202.jzmsa2.tes.optusnet.com.au
  [111.156.120.128]) by mail247.bjw.optusnet.com.au (11.91.5k7/1.43.1)
  with SMTP id x0K28Cw78016; Fri, 14 May 2004 02:10:40 +0600


This was in spam, but the kind that is sent through a hacked
Windows box.  The lower two Received's are fake.

And I've seen this before.  There's one that pretends the origin
is outblaze.com.  Have you seen that one?


Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
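The point of the example above is that only the topmost Received line, the one your own MTA wrote, records a connection you actually observed; everything below it arrived inside the message body and can say whatever the sender wants. The following Python script is an added illustration, not code from the post or from MIMEDefang (whose filters are Perl): it parses the three Received lines quoted above (re-unfolded onto single lines, as constructed sample input), picks out the peer IP from the first line written by one of our own relays (the hypothetical set OUR_MTAS), and runs a simple timestamp check over the rest, since forged hops frequently carry dates that run later than the hop above them.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample input: the three Received headers from the post, each
# unfolded onto one line (the post wrapped them for legibility). First in
# the list = topmost header = the one our own MTA added last.
SAMPLE_RECEIVED = [
    "from 213-153-55-213.dyn.salzburg-online.at "
    "(213-153-55-213.dyn.salzburg-online.at [213.153.55.213]) by "
    "tepin.cc.columbia.edu (8.12.11/8.12.11) with SMTP id i4DJF6Va029037; "
    "Thu, 13 May 2004 15:15:08 -0400 (EDT)",
    "from mail865.pjz.optusnet.com.au ([84.180.144.0]) by "
    "xv79-e0.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); "
    "Thu, 13 May 2004 18:12:40 -0200",
    "from SKCR39 (p216.66.164.202.jzmsa2.tes.optusnet.com.au "
    "[111.156.120.128]) by mail247.bjw.optusnet.com.au (11.91.5k7/1.43.1) "
    "with SMTP id x0K28Cw78016; Fri, 14 May 2004 02:10:40 +0600",
]

# Hypothetical: the MTAs we operate. Only a Received line written by one
# of these reflects a TCP connection we actually saw.
OUR_MTAS = {"tepin.cc.columbia.edu"}

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"          # HELO/EHLO name the client claimed
    r"(?:\s+\((?P<paren>[^)]*)\))?"   # optional "(rdns [ip])" block
    r".*?\bby\s+(?P<by>\S+)"          # the MTA that wrote this line
    r".*?;\s*(?P<date>.+)$"           # date after the ';'
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(line):
    """Split one unfolded Received: header into its parts, or return None."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    ip_match = IP_RE.search(m.group("paren") or "")
    try:
        when = parsedate_to_datetime(m.group("date").strip())
    except (TypeError, ValueError):
        when = None
    return {
        "helo": m.group("helo"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by"),
        "date": when,
    }


def connecting_ip(received_lines, our_mtas=OUR_MTAS):
    """Return the peer IP recorded by the topmost header one of OUR MTAs wrote.

    Everything below that header was already inside the message when it
    reached us; it is the sender's claim and may be forged outright.
    """
    for line in received_lines:
        hop = parse_received(line)
        if hop and hop["by"] in our_mtas:
            return hop["ip"]
    return None


def find_anomalies(received_lines):
    """Heuristic: a hop's timestamp should not be later than the hop above it,
    because the upper hop was written after the lower one. Forged lower hops
    often get this wrong."""
    hops = [h for h in (parse_received(l) for l in received_lines) if h]
    anomalies = []
    for i in range(1, len(hops)):
        above, below = hops[i - 1], hops[i]
        if above["date"] and below["date"] and below["date"] > above["date"]:
            anomalies.append(
                f"hop {i}: written by {below['by']} at "
                f"{below['date'].astimezone(timezone.utc):%H:%M:%S}Z, after the "
                f"hop above it ({above['by']}, "
                f"{above['date'].astimezone(timezone.utc):%H:%M:%S}Z)"
            )
    return anomalies


if __name__ == "__main__":
    print("connecting IP (observed by our MTA):", connecting_ip(SAMPLE_RECEIVED))
    for note in find_anomalies(SAMPLE_RECEIVED):
        print("anomaly:", note)
```

On the sample, connecting_ip returns 213.153.55.213, the dial-up host that actually connected to tepin, and the timestamp check flags the "hotmail.com" hop, whose date (18:12:40 -0200, i.e. 20:12:40Z) is almost an hour later than the line our own server wrote above it (15:15:08 -0400, i.e. 19:15:08Z). The timestamp heuristic is only a hint; the reliable rule is the one connecting_ip implements: stop trusting the chain at the first line your own relay did not write.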


