[svlug] ACCU meeting is still on as far as I know.
Rick Moen
rick at linuxmafia.com
Tue Oct 7 22:25:47 PDT 2008
<hat="SVLUG sysadmin"
Quoting Steven Widom (stevenw3 at mindspring.com):
> I will run security checks on my system
That won't do a lot of good, given that this seems to have been a
straightforward case of SMTP forgery. Here are the Received headers
from upstream, that were in the message as received at host
mail.svlug.org:
Received: from elasmtp-junco.atl.sa.earthlink.net ([209.86.89.63]:42187)
by svlug.org with esmtp (Exim 4.44 #1) id 1KmvkX-0005zL-Sa
for <svlug at lists.svlug.org>; Mon, 06 Oct 2008 12:28:16 -0700
Received: from [71.202.151.166]
by elasmtp-junco.atl.sa.earthlink.net with esmtpa (Exim 4.67)
(envelope-from <stevenw3 at mindspring.com>) id 1KmvkN-0002pC-1f
for svlug at lists.svlug.org; Mon, 06 Oct 2008 15:27:59 -0400
Received: from 127.0.0.1 (AVG SMTP 8.0.173 [270.7.6/1710]);
Mon, 06 Oct 2008 12:27:57 -0700
The only datapoint in there that's absolutely reliable is the prior-hop
IP (209.86.89.63), which is an Earthlink MTA. (Mindspring and Earthlink
have been the same company since early 2000.) The rest could be forged,
but I'm betting it's not. Claimed 2nd-prior hop IP, 71.202.151.166, is
a Comcast broadband address. And that's where I figure the mischief
originated. Could be just some jerk, or it could be yet another
malware-zombified home MS-Windows box.
Good luck getting Comcast to take responsibility or investigate, but I
suppose it could happen. Towards that end, if you need a fresh copy of
the forged message, please let me know offlist. (Just as it's futile
to even attempt to trace SMTP messages without full headers, you should
never send complaint/inquiry mail about such messages without those full
headers. In particular, if you're not seeing the full set of Received
headers, you need to figure out how to get to them before proceeding.)
</hat>
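As an added example (not part of Rick's message), a Python walk of a Received chain like the one quoted above: it marks the hop written by the receiving MTA as observed fact and every upstream hop as a claim, which is the distinction the post draws. The sample headers are reconstructed from the post, with the list and sender addresses written in plain form.

```python
import ipaddress
import re
# Constructed sample: the three Received headers quoted above, folded as in a raw message.
SAMPLE_HEADERS = """\
Received: from elasmtp-junco.atl.sa.earthlink.net ([209.86.89.63]:42187)
\tby svlug.org with esmtp (Exim 4.44 #1) id 1KmvkX-0005zL-Sa
\tfor <svlug@lists.svlug.org>; Mon, 06 Oct 2008 12:28:16 -0700
Received: from [71.202.151.166]
\tby elasmtp-junco.atl.sa.earthlink.net with esmtpa (Exim 4.67)
\t(envelope-from <stevenw3@mindspring.com>) id 1KmvkN-0002pC-1f
\tfor svlug@lists.svlug.org; Mon, 06 Oct 2008 15:27:59 -0400
Received: from 127.0.0.1 (AVG SMTP 8.0.173 [270.7.6/1710]);
\tMon, 06 Oct 2008 12:27:57 -0700
"""
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def unfold(raw):
    """Split raw headers into one string per header, undoing RFC 5322 folding."""
    return [re.sub(r"\n[ \t]+", " ", h) for h in re.split(r"\n(?![ \t])", raw.strip())]

def parse_received(header):
    """Extract the 'from' host, its IP (in the name or the comment) and the 'by' host."""
    body = header[len("Received:"):].strip()
    m_from = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", body)
    m_by = re.search(r"\bby\s+(\S+)", body)
    name, comment = (m_from.group(1), m_from.group(2) or "") if m_from else ("?", "")
    m_ip = IP_RE.search(name) or IP_RE.search(comment)
    return {"from": name, "ip": m_ip.group(0) if m_ip else None,
            "by": m_by.group(1) if m_by else None}

def trust_label(index, ip):
    """Hop 0 records the peer our own MTA saw; every later hop is hearsay."""
    try:
        if ip is not None and not ipaddress.ip_address(ip).is_global:
            return "local"      # loopback/private: a desktop scanner or LAN relay
    except ValueError:
        pass                    # malformed address: treat it as an unverified claim
    return "reliable" if index == 0 else "claimed"

def trace_received(raw):
    """Walk the Received chain top-down and label how far each hop can be trusted."""
    hops = [parse_received(h) for h in unfold(raw) if h.startswith("Received:")]
    for i, hop in enumerate(hops):
        hop["trust"] = trust_label(i, hop["ip"])
    return hops

def likely_origin(hops):
    """Deepest hop with a routable 'from' address: best guess at the injecting host."""
    return next((h for h in reversed(hops) if h["trust"] != "local"), None)
```

On the sample, the Earthlink hop comes out "reliable", the Comcast address "claimed", and the AVG loopback hop "local", so the best guess at the origin is the claimed 71.202.151.166, exactly as far as the headers alone can take you.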