Security Basics mailing list archives

what's this (email question)

From: Glenn English <ghe () slsware com>
Date: Fri, 29 Apr 2005 17:51:30 -0600

Email with headers similar to this has begun showing up in my spam box.
The last (and only) Received: says it came from localhost. 

Am I owned? :-) 

I didn't think it was possible to forge the last Received:. I've been
getting bounces for mail never sent from here, but I just assumed it was
a spammer forging my domain name. Maybe not?? I notice Spamassassin says
the HELO was forged -- I don't understand how this could happen.

(server.slsware.com is my SMTP server. indra.net is a local ISP, with
whom I have an account; I have a .forward to myself at slsware in my
directory at indra.)

--------------------------------------------------------------
From faygaspar () flowcadillac com  Fri Feb 11 16:54:29 2005
Received: from localhost by server.slsware.com
        with SpamAssassin (2.64 2004-01-11);
        Fri, 11 Feb 2005 16:54:31 -0700
From: "Alfonso Sprague" <faygaspar () flowcadillac com>
To: barrett () indra net
Subject: ***SPAM*** Mortgage New Update
Date: Sat, 12 Feb 2005 01:50:08 -0300
Message-Id: <2QBVlvR91d () knowhow com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on
server.slsware.com
X-Spam-Pyzor:
X-Spam-Status: Yes, hits=5.5 required=5.0
tests=FORGED_RCVD_NET_HELO,NO_COST,
        RATWARE_EMWAC autolearn=no version=2.64
X-Spam-Level: *****
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_420D45B7.2C897397"
X-Bogosity: Yes, tests=bogofilter, spamicity=0.999777, version=0.13.7.2,
algorithm=fisher
Status: RO
X-Status:
X-Keywords:
X-UID: 37323
--------------------------------------------------------------

My MTA's Received: usually looks something like this:

--------------------------------------------------------------
Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net
        [204.127.202.55]) by mail.slsware.com (Postfix) with ESMTP 
        id 81D13FB9D for <ghe () slsware com>; Fri, 29 Apr 2005 
        16:23:17 -0600 (MDT)
--------------------------------------------------------------

mail and server.slsware.com are the same machine and IP. Postfix calls
it mail, and reverse DNS *on that machine* calls it server. Reverse DNS
from the Internet calls it something having to do with an unused block
(long story).

-- 
Glenn English
ghe () slsware com
GPG ID: D0D7FF20
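The question turns on reading a Received: chain correctly: the topmost header in the spam sample was written by SpamAssassin on the receiving host itself, not by a remote SMTP client. As an added example (not part of the original post), here is a small Python script that walks the Received: headers of a message and separates such locally inserted filter pseudo-hops from real SMTP hops that carry a remote IP. The sample headers are constructed from the two fragments quoted in the post, with the recipient address replaced by a placeholder.

```python
import email
import re

# Constructed sample: the SpamAssassin pseudo-hop from the post stacked on
# top of a Postfix-style hop like the poster's normal Received: line.
SAMPLE = """\
Received: from localhost by server.slsware.com
        with SpamAssassin (2.64 2004-01-11);
        Fri, 11 Feb 2005 16:54:31 -0700
Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net
        [204.127.202.55]) by mail.slsware.com (Postfix) with ESMTP
        id 81D13FB9D for <user@example.com>; Fri, 29 Apr 2005
        16:23:17 -0600 (MDT)
From: sender@example.com
Subject: test

body
"""

# "from X ... by Y ... with Z" clauses of RFC 5321-style Received: headers
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)
# bracketed IPv4 literal recorded by the receiving MTA
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def classify_hops(raw):
    """Return one dict per Received: header, topmost first.

    kind is 'local-filter' when the header was added by a content filter on
    the receiving host (claims 'from localhost' or 'with SpamAssassin' and
    records no remote IP); otherwise 'smtp'."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        frm, by, proto = m.groups() if m else (None, None, None)
        ip = IP_RE.search(flat)
        local = frm == "localhost" or (proto or "").lower() == "spamassassin"
        hops.append({"from": frm, "by": by, "with": proto,
                     "ip": ip.group(1) if ip else None,
                     "kind": "local-filter" if local and ip is None else "smtp"})
    return hops


def last_real_hop(raw):
    """Topmost Received: that records an actual SMTP delivery from a remote IP."""
    return next((h for h in classify_hops(raw) if h["kind"] == "smtp"), None)
```

Run against the sample, the SpamAssassin line is reported as a local filter annotation and the comcast.net hop as the real last delivery, which is the distinction the bounce question hinges on.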
