[Mimedefang] Negative addresses??

Kelson kelson at speed.net
Fri Dec 2 20:17:22 EST 2005


Ashley M. Kirchner wrote:
>    Can someone explain this to me?  It's from a spam message (in fact, a 
> lot of them are coming through MD+SA these days) and they all show the 
> same thing, negative numbers:
> 
> Received: from -1216216520 ([222.60.136.228])
>    by serpico.pcraft.com (8.13.0/8.13.0) with SMTP id jB30Mott008917
>    for <ashley.kirchner at highpeaks.org>; Fri, 2 Dec 2005 17:22:54 -0700

Here it looks like the negative number is actually the HELO string, 
which can be set to pretty much anything.

> Received: from goprat.com (-1216301840 [-1213314064])
>    by ghfixtures.com (Qmailv1) with ESMTP id 8568A5A816
>    for <ashley.kirchner at highpeaks.org>; Fri, 02 Dec 2005 17:22:58 -0800

Assuming serpico.pcraft.com is your server, this line is probably 
forged, so again anything could go into the spots.

If I were to guess, someone has spamware that's generating random numbers 
for fake IP addresses, but has an error in formatting, so they're 
getting displayed as negative integers instead of dotted quads.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
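
An added example, not part of the original post: a Python check that flags `Received:` fields holding a bare integer where a hostname or dotted quad belongs, and shows what each value would read as if it were a 32-bit address printed as a signed integer. The function names, the regular expression, and the choice of network byte order are assumptions; the sample lines are the two quoted headers, unfolded and without the recipient clause.

```python
import ipaddress
import re

# The two quoted Received: headers, unfolded onto one line each.
SAMPLE_HEADERS = [
    "Received: from -1216216520 ([222.60.136.228]) "
    "by serpico.pcraft.com (8.13.0/8.13.0) with SMTP id jB30Mott008917",
    "Received: from goprat.com (-1216301840 [-1213314064]) "
    "by ghfixtures.com (Qmailv1) with ESMTP id 8568A5A816",
]

# "from <helo> (<rdns> [<ip>])"; the rdns token is optional, as in sample 1.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
)
BARE_INT_RE = re.compile(r"^-?\d+$")


def int32_to_quad(token):
    """Reinterpret a decimal integer as an unsigned 32-bit value and
    format it as a dotted quad (network byte order is an assumption)."""
    value = int(token)
    if not -2**31 <= value < 2**32:
        return None  # does not fit in 32 bits, so not a misprinted IPv4
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def audit_received(line):
    """Return (field, raw_token, dotted_quad) for every HELO, rDNS or IP
    field of a Received: line that is a bare integer."""
    match = RECEIVED_RE.match(line)
    if match is None:
        return []
    findings = []
    for field in ("helo", "rdns", "ip"):
        token = match.group(field)
        if token and BARE_INT_RE.match(token):
            findings.append((field, token, int32_to_quad(token)))
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        for field, raw, quad in audit_received(header):
            print(f"{field}: {raw} -> {quad}")
```

The decoded quads only illustrate the formatting guess above; they say nothing about where the mail really came from, since these fields are sender-controlled or forged.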


