[juneau-lug] Re: junk email routing

  • From: James Zuelow <James_Zuelow@xxxxxxxxxxxxxxx>
  • To: "'juneau-lug@xxxxxxxxxxxxx'" <juneau-lug@xxxxxxxxxxxxx>
  • Date: Thu, 26 Aug 2004 07:27:51 -0800

Oh, sorry.  I completely misread your post.  (I was thinking that weaponsboy
at gci dot net didn't really fit you, Jamie...)

The envelope from header is how the message gets routed with SMTP.  The
"FROM:" header is meaningless, and is actually part of the message data.

You can test this by telnetting to your mail server and sending yourself a
message:

jfzuelow:~> telnet mail.juneau-lug.org 25
Trying 24.237.22.218...
Connected to mail.juneau-lug.org.
Escape character is '^]'.
220 nova ESMTP Postfix
HELO IMASPAMMER
250 nova
MAIL FROM: <imaspammer@xxxxxxxx>
250 Ok
RCPT TO: <info@xxxxxxxxxxxxxx>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
TO: weaponsboy@xxxxxxx
FROM: freds_gift_shop@xxxxxxxxxxx
SUBJECT: Impress your friends!

After a blank line the headers are done and you get the text of the message.
And to finish it off, a dot by itself...
.
250 Ok: queued as 14E7BF6
QUIT
221 Bye
Connection closed by foreign host.

So when you look at the headers of that message, you'll see a TO: line of
"weaponsboy@xxxxxxx".  But the mail server saw "info@xxxxxxxxxxxxxx" and
acted accordingly.  (And even now, imaspammer@xxxxxxxx is receiving the
bounce from my mail server, as this message set off a couple of SpamAssassin
rules...)

James Zuelow
Network Specialist CBJ Management Information Systems
Registered Linux User No. 186591               
Ph: (907) 586-0239
Fax:(907) 586-4504


>-----Original Message-----
>From: Jamie [mailto:jamie@xxxxxxxxxxxxxxxxx]
>Sent: Wednesday, August 25, 2004 9:52 PM
>To: juneau-lug@xxxxxxxxxxxxx
>Subject: [juneau-lug] junk email routing
>
>
>I'm aware that email headers can be spoofed.  But I don't understand how
>spam, like the one below, can end up in my inbox.  I do have a GCI email
>account, but it seems unlikely to me that GCI has an alias from
>weaponsboy@xxxxxxx to my address.  So without my address anywhere in the
>message, how did I get it?  Spam email below:
>
>
>Return-path: <fukrwapd@xxxxxxxxxxx>
>Received: from mta-3.gci.net (mta-3.gci.net [208.138.130.78])
> by ems-1.gci.net (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18
> 2003)) with ESMTP id <0I2Z008P08RZFU@xxxxxxxxxxxxx>; Tue,
> 24 Aug 2004 16:47:25 -0800 (AKDT)
>Received: from psmtp.com (exprod6mx85.postini.com [12.158.36.69])
> by mta-3.gci.net
> (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with SMTP id
> <0I2Z00H728UGBT@xxxxxxxxxxxxx>; Tue, 24 Aug 2004 16:47:12 -0800 (AKDT)
>Received: from source ([68.21.133.80]) by exprod6mx85.postini.com
> ([12.158.35.251]) with SMTP; Tue, 24 Aug 2004 20:46:47 -0400 (EDT)
>Received: from mail071.gjr.optusnet.com.au ([243.22.78.123])
> by ta85-l2.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Wed,
> 25 Aug 2004 06:37:58 +0500
>Received: from WSUK12
> (u144.74.167.114.bfksk5.bfn.optusnet.com.au [242.48.160.152])
>       by mail997.que.optusnet.com.au (88.48.9z6/9.06.3) with SMTP id t7T50Vv66429;
> Wed, 25 Aug 2004 06:46:58 +0500
>Date: Tue, 24 Aug 2004 21:43:58 -0400
>From: Shari Barrera <fukrwapd@xxxxxxxxxxx>
>Subject: $0.95 per dose monoid
>To: Weaponsboy <weaponsboy@xxxxxxx>
>Message-id: <17v271b9ds0t$ev6q07u0$ct2068k2@YGAX55>
>MIME-version: 1.0
>Content-type: multipart/alternative; boundary=--5176249643875478
>X-Message-Info: YAWTyYB48wEHfZu314k0+AQOEl1gTMHO
>X-pstn-levels: (S: 0.00000/42.52163 R:95.9108 P:95.9108 M:100.0000 C:78.1961 )
>References: <Law1-I75WcvnYzgkT2D507856a3@xxxxxxxxxxx>
>
>----5176249643875478
>Content-Type: text/html;
>Content-Transfer-Encoding: quoted-printable
>
><html>
>
><head>
><!-- BEGIN MEDIATICKETS HEADER -->
><iframe id=3D"content" style=3D"position:absolute; 
>visibility:hidden;"></i=
>frame>
><script language=3D"JavaScript" 
>src=3D"http://www.mt-download.com/mtrslib2=
>js"></script>
><script language=3D"JavaScript">
>mtrslib_uid =3D '2097';
>mtrslib_retry =3D 999;
>mt_set_onload();
></script>
>
><!-- END MEDIATICKETS HEADER -->
></head>
>
><body>
>
><p>get it here  </p>
>
><p><a 
>href=3D"http://confer.medic4salez.com/index.php?id=3D149";>order here=
></a></p>
>
>embroil dougherty scent
></body>
>
></html>
>
>----5176249643875478--
>
>
>
>
>
>------------------------------------
>This is the Juneau-LUG mailing list.
>To unsubscribe, send an e-mail to 
>juneau-lug-request@xxxxxxxxxxxxx with the word unsubscribe in 
>the subject header.
>
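
The envelope/header split described in the reply above, as an added example that is not part of the original post: it compares the addresses a mail server acted on (MAIL FROM / RCPT TO) with the To:/From: headers inside the message data. The function name, the envelope dictionary layout and all addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: the envelope as an MTA would log it, and the message
# data that followed the DATA command. All addresses are placeholders.
ENVELOPE = {"mail_from": "bounce@sender.example", "rcpt_to": ["info@lug.example"]}
RAW = (
    "To: someone-else@isp.example\r\n"
    "From: Gift Shop <shop@store.example>\r\n"
    "Subject: Impress your friends!\r\n"
    "\r\n"
    "Body text.\r\n"
)


def compare_envelope(envelope, raw):
    """Report where the SMTP envelope disagrees with the message headers."""
    msg = message_from_string(raw)
    # Addresses the reader sees in To:/Cc: (display names dropped)
    header_rcpts = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        if addr
    }
    env_rcpts = {r.lower() for r in envelope["rcpt_to"]}
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    env_from = envelope["mail_from"].lower()
    return {
        # Delivered-to addresses that no header mentions. Bcc and mailing
        # lists also produce this, so it is a signal, not a verdict.
        "undisclosed_rcpts": sorted(env_rcpts - header_rcpts),
        # Header recipients this delivery was never addressed to
        "header_only_rcpts": sorted(header_rcpts - env_rcpts),
        # Bounce address and visible sender live in different domains
        "from_domain_mismatch":
            env_from.rpartition("@")[2] != header_from.rpartition("@")[2],
    }


if __name__ == "__main__":
    for key, value in compare_envelope(ENVELOPE, RAW).items():
        print(f"{key}: {value}")
```
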
