[Mimedefang] Faked Received + Old Lists

Joseph Brennan brennan at columbia.edu
Tue Nov 28 08:33:49 EST 2006


How OLD are the lists spammers use?  The stock spam below was sent to
system at cu20b.columbia.edu.  cu20b was retired in 1987!

The lower Received header is faked.  columbia.edu resolves to
external-smtp-multi-vif.cc.columbia.edu, but that's a virtual
interface, not a host.  No Received would ever have "by external..."
in it.  This is a variation on the recently described Received forgery.
We have been checking already for "by columbia.edu" in Received, and
I will add this variation today.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology


------------ Forwarded Message ------------

. . .
> Received: from ppp25-145.adsl.forthnet.gr
> 	(ppp25-145.adsl.forthnet.gr [212.251.108.145])
>	by longan.cc.columbia.edu (8.13.7/8.13.6) with SMTP
>	id kAS8pfii018311 for <system at cu20b.columbia.edu>;
>	Tue, 28 Nov 2006 03:51:49 -0500 (EST)
> X-Original-To: system at cu20b.columbia.edu
> Delivered-To: system at cu20b.columbia.edu
> Received: from [212.251.108.145] (port=40748
> 	helo=ppp25-145.adsl.forthnet.gr)
> 	by external-smtp-multi-vif.cc.columbia.edu with esmtp
> 	id 515070-515070-81 for system at cu20b.columbia.edu;
> 	Tue, 28 Nov 2006 10:51:44 +0200 (EET)
> Message-ID: <24f701c712db$01c712db$916cfbd4 at cu20b.columbia.edu>
> From: "Misty" <chhefs at columbia.edu>
> To: "Amado" <system at columbia.edu>
> Subject: AggressiveInvestorsAlert
> Date: Tue, 28 Nov 2006 10:51:44 +0200 (EET)
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="----=_NextPart_001_24F6_01C712CA.6E04A380"
. . .
>
> BLNM Price Climbs 92% and Volume is up 10,000% In Just Two Days Trading!
> It's not to late to get in!
>
> Company: Bralorne Mining Company
> Symbol: BLNM.OB
> Price: $0.31 (+92% in 2 days)
> 5 Day Target: $1.15

---------- End Forwarded Message ----------
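A defender-side version of the check described in the post, added here as an example that is not the poster's or MIMEDefang's own code: it walks the Received chain, pulls the "by" host out of each header, and flags any header that claims a receiving host no real MTA at the site would ever write (the bare domain or the virtual-interface name). The two Received headers from the forwarded spam are embedded as a constructed sample; the set of fake host names is an assumption to adapt per site.

```python
import re
from email import message_from_string

# Names that never appear as the receiving host in a genuine Received
# header at this site (assumption taken from the post: the bare domain and
# the virtual interface name; replace with your own site's names).
FAKE_BY_HOSTS = {"columbia.edu", "external-smtp-multi-vif.cc.columbia.edu"}

# "by <host>" clause of a Received header; hostnames only, case-insensitive.
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)


def received_by_hosts(raw_headers):
    """Return the lower-cased 'by' host of every Received header, top to bottom.

    Folded (continuation) lines are joined before matching, so a 'by' clause
    split across lines is still found.  Headers with no 'by' yield None.
    """
    msg = message_from_string(raw_headers)
    hosts = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold the header
        m = BY_RE.search(flat)
        hosts.append(m.group(1).lower() if m else None)
    return hosts


def forged_received(raw_headers, fake_hosts=FAKE_BY_HOSTS):
    """Return the 'by' hosts that claim a name no real MTA here uses."""
    return [h for h in received_by_hosts(raw_headers) if h in fake_hosts]


# Constructed sample: the two Received headers from the forwarded spam,
# copied as archived (addresses keep the archive's "at" obfuscation).
SAMPLE = """\
Received: from ppp25-145.adsl.forthnet.gr
\t(ppp25-145.adsl.forthnet.gr [212.251.108.145])
\tby longan.cc.columbia.edu (8.13.7/8.13.6) with SMTP
\tid kAS8pfii018311 for <system at cu20b.columbia.edu>;
\tTue, 28 Nov 2006 03:51:49 -0500 (EST)
Received: from [212.251.108.145] (port=40748
\thelo=ppp25-145.adsl.forthnet.gr)
\tby external-smtp-multi-vif.cc.columbia.edu with esmtp
\tid 515070-515070-81 for system at cu20b.columbia.edu;
\tTue, 28 Nov 2006 10:51:44 +0200 (EET)
Subject: AggressiveInvestorsAlert

"""

if __name__ == "__main__":
    print(forged_received(SAMPLE))  # ['external-smtp-multi-vif.cc.columbia.edu']
```

The genuine header written by longan.cc.columbia.edu passes; only the lower, forged header is reported, which is the hit a MIMEDefang filter would act on.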
