Flaw In List Software

Paul Wiener pmmail@rpglink.com
Thu, 03 Jun 1999 15:54:25 -0700 (PDT)


On Thu, 03 Jun 1999 00:17:45 -0700, Steve Lamb wrote:

>On Thu, 03 Jun 1999 00:07:21 -0700 (PDT), Paul Wiener wrote:
>
>>But spam headers are typically spoofed. That means you don't know who the ISP
>>of the spammer is. If a message is going to be traced back, header entry by
>>header entry, and compared to the server logs at each node, your ISP is
>>probably the safest place to start. Of course, it's pretty unlikely that
>>anyone will go to that much trouble to trace a piece of spam, unless it
>>threatens the life of a highly placed government official.
>
>    You can trust, generally, the first "received" headers.  The first one
>will be from your ISP, the next one will be from where the message came from.
> In fact, here are your headers:
>
>Received: from smtp02.primenet.com [206.165.6.132] (daemon)
>	by rpglink.com with esmtp (Exim 2.05 #1 (Debian))
>	id 10pRbD-0005Pk-00; Thu, 3 Jun 1999 00:07:35 -0700
>Received: (from daemon@localhost)
>	by smtp02.primenet.com (8.8.8/8.8.8) id AAA18943
>	for <pmmail@rpglink.com>; Thu, 3 Jun 1999 00:07:33 -0700 (MST)
>Received: from ip34-106.bur.primenet.com(207.218.34.106)
> via SMTP by smtp02.primenet.com, id smtpd018902; Thu Jun  3 00:07:23 1999
>
>    Rpglink is me, I know that is valid and it says it is coming from
>smtp02.primenet.com.  The next header is smtp02.primenet.com.  So at the very
>least, if your message were spam, you would want to complain to primenet.com,
>not rpglink.com.  If you send them the message with full headers they would
>see the next one which, BTW, like a custom header (many ISPs do that now to
>cut down on forging) that points directly to your ip and time on according to
>their clocks.  From there they check the radius entry and nail you.
>
>    In the months I was postmaster at a smaller ISP usually all you needed
>were the first two headers.  "Here" and "there" and "there" was either where
>the spammer was coming from *or* was the open relay.  In either case, it is
>"there" that the complaint goes to, not "here."  :)

Steve, I sent a message with a spoofed ID to the list asking you to repeat
your header analysis on that one. I didn't expect the list to accept it,
since the spoofed address wasn't subscribed, so I also sent a copy of the
"forgery" directly to you. I haven't heard back on that yet. Did you receive
it? If so, would you mind forwarding it along with your response here to the
list (unless your response makes me look like an idiot)?

--
___________
Paul Wiener

paulish@paulish.com
got_the_T-shirt@been-there.com
paulish@cyberjunkie.com
paulish@planetarymotion.net
paulish@thepentagon.com
paulish@usa.net
tinea-pedis@bigfoot.com
KJ6AV@callsign.net
pw@i.am
--------------------------------------------------------
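Steve's top-down reading of the Received chain, as an added Python example that is not part of the thread: it parses the quoted headers (embedded here as a constructed sample), trusts only the hop stamped by our own server (rpglink.com is assumed to be the local host), follows the chain downward only while each header's `by` matches the host the previous trusted hop said it received from, and reports which server the complaint should go to and where the verifiable trail ends. A header appended below the chain that does not link up (the "spoofed" case) is counted as unverified rather than believed.

```python
import re

# Constructed sample: the Received chain quoted in the thread, top header = most recent hop.
RAW_HEADERS = (
    "Received: from smtp02.primenet.com [206.165.6.132] (daemon)\n"
    "\tby rpglink.com with esmtp (Exim 2.05 #1 (Debian))\n"
    "\tid 10pRbD-0005Pk-00; Thu, 3 Jun 1999 00:07:35 -0700\n"
    "Received: (from daemon@localhost)\n"
    "\tby smtp02.primenet.com (8.8.8/8.8.8) id AAA18943\n"
    "\tfor <pmmail@rpglink.com>; Thu, 3 Jun 1999 00:07:33 -0700 (MST)\n"
    "Received: from ip34-106.bur.primenet.com(207.218.34.106)\n"
    " via SMTP by smtp02.primenet.com, id smtpd018902; Thu Jun  3 00:07:23 1999\n"
)

FROM_RE = re.compile(r"\bfrom\s+([\w.@-]+)", re.I)   # host (or user@host) handing the mail over
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)        # host that stamped the header
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def received_hops(raw):
    """Unfold RFC 822 continuation lines and return each Received header as (from, ip, by)."""
    unfolded = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    hops = []
    for h in unfolded:
        if not h.lower().startswith("received:"):
            continue
        frm, ip, by = FROM_RE.search(h), IP_RE.search(h), BY_RE.search(h)
        hops.append((frm.group(1) if frm else None, ip.group(1) if ip else None,
                     by.group(1) if by else None))
    return hops

def trace(raw, trusted_host):
    """Walk from our own server downward; stop at the first header whose 'by' is not
    the host the previous trusted hop received from (everything below may be forged)."""
    verified, expected = [], trusted_host.lower()
    hops = received_hops(raw)
    for frm, ip, by in hops:
        if (by or "").lower() != expected:
            break                       # chain broken: remaining headers are unverifiable
        verified.append((frm, ip, by))
        if frm and "@" not in frm and frm.lower() != "localhost":
            expected = frm.lower()      # local handoffs keep 'expected' on the same host
    return {
        "complain_to": verified[0][0] if verified else None,  # server that handed it to us
        "origin": verified[-1][:2] if verified else None,    # farthest verifiable host and IP
        "unverified": len(hops) - len(verified),
    }
```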