Posted: Fri Nov 18, 2005 3:18 am Post subject: spoofed record?
Not sure if this is the correct area to post, but it is from a spam email so I will give it a try.
First of all, here is the header of it.
Return-Path: <MerlinBirddescriptor@hav.cubana.avianet.cu>
X-Envelope-To: webmaster@printforce.com.au
X-Spam-Status: No, hits=3.2 required=5.0
tests=BAYES_50: 1.567,RCVD_ILLEGAL_IP: 1.588
X-Spam-Level: ***
Received: from dsl.static8597204112.ttnet.net.tr ([85.97.204.112])
by mail.printforce.com.au;
Fri, 18 Nov 2005 03:43:44 +0800
Received: from symphony-08.iinet.net.au ([227.142.170.208]:1906 "HELO
mail.ies.edu") by ies.edu with SMTP
id <S522132AbRLJEtW>; Thu, 17 Nov 2005 21:43:34 +0200
Date: Thu, 17 Nov 2005 16:43:34 -0300
Message-Id: <5.1.71.2081924.0083fc70@ies.edu>
From: "Quinton Cohen" <MerlinBirddescriptor@hav.cubana.avianet.cu>
To: <mail@printforce.com.au>
Subject: You can get it only here baseball
List-ID: <mail@printforce.com.au>
When I did a whois on the last IP it came up with "ERROR: IP Range Reserved by IANA.org".
I did a whois on SenderBase of the first and found it did have some records of spam, so I suspect the email came from that.
But I'm just confused as to why the last IP came up with that message. Is it a spoofed record? What's the deal with it being reserved?
The IP in question is a multicast IP and therefore should not be used here. This is almost certainly a spoofed header, which your spam filter has spotted.
Another question I have is: does the IP always have to be located in the middle of the brackets, such as ([*****])?
Such as this header:
Return-Path: <webmaster@jgpholdings.com.au>
X-Envelope-To: webmaster@printforce.com.au
X-Spam-Status: No, hits=0.8 required=5.0
tests=BAYES_00: -1.665,FORGED_RCVD_HELO: 0.266,NO_REAL_NAME: 0.336,
PRIORITY_NO_NAME: 1.836,RCVD_BY_IP: 0.051
X-Spam-Level:
Received: from venus3.veridas.net ([202.52.32.26])
by mail.printforce.com.au
for webmaster@printforce.com.au;
Tue, 22 Nov 2005 07:21:18 +0800
Received: (qmail 7476 invoked from network); 22 Nov 2005 05:43:31 +1000
Received: from dsl-202-52-51-018.nsw.veridas.net (HELO igate1.rwwsor.com.au) (202.52.51.1
by 202.52.32.207 with SMTP; 22 Nov 2005 05:43:31 +1000
Received: from [192.168.0.235] (helo=iagihmud.au)
by igate1.rwwsor.com.au with smtp (Exim 4.52)
id 1EeHZR-0000qV-Kq; Tue, 22 Nov 2005 06:43:21 +1100
From: webmaster@jgpholdings.com.au
To: GetupQuick@printforce.com.au
Date: Mon, 21 Nov 2005 19:41:07 UTC
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <a3ee9.d2bbcf732546a@jgpholdings.com.au>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==2be6da.f8e35b9f1021"
Content-Transfer-Encoding: 7bit
Would the first Received (202.52.32.26) be the true origin of the email?