[Mimedefang] Negative addresses??
Kelson
kelson at speed.net
Fri Dec 2 20:17:22 EST 2005
Ashley M. Kirchner wrote:
> Can someone explain this to me? It's from a spam message (in fact, a
> lot of them are coming through MD+SA these days) and they all show the
> same thing, negative numbers:
>
> Received: from -1216216520 ([222.60.136.228])
> by serpico.pcraft.com (8.13.0/8.13.0) with SMTP id jB30Mott008917
> for <ashley.kirchner at highpeaks.org>; Fri, 2 Dec 2005 17:22:54 -0700
Here it looks like the negative number is actually the HELO string,
which can be set to pretty much anything.
> Received: from goprat.com (-1216301840 [-1213314064])
> by ghfixtures.com (Qmailv1) with ESMTP id 8568A5A816
> for <ashley.kirchner at highpeaks.org>; Fri, 02 Dec 2005 17:22:58 -0800
Assuming serpico.pcraft.com is your server, this line is probably
forged, so again anything could go into the spots.
If I were to guess, someone has spamwarethat's generating random numbers
for fake IP addresses, but has an error in formatting, so they're
getting displayed as negative integers instead of dotted quads.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
More information about the MIMEDefang
mailing list