[Dshield] odd email spoof, any ideas?
kaos at earthlink.net
Wed Feb 25 20:45:11 GMT 2004
john beck wrote:
> Can anyone comment on this email that is getting through our filter,
> the recipient is not what is indicated in the header. I am pasting in
> the exported email with header. I do not see how it is getting to
> destination, the bdpiersc at xxxx.com (obscured by me, has our domain) is
> not real and it is getting delivered to a user on my domain.
Check your firewall logs for the actual SMTP "RCPT TO" value. The
RFC2822 header (is "SendTo" even a valid 822 header field?) is often
forged by spammers -- it's the SMTP transaction that matters.
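
The comparison the reply describes, as an added example that is not part of the original post: it pulls the envelope recipients out of logged SMTP commands and lists those that the message's To/Cc header fields never mention. The log layout, the addresses and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the SMTP commands a gateway log might record for one
# delivery, and the message the client sent after DATA.
SMTP_LOG = """\
MAIL FROM:<bounce-771@mailer.example.net>
RCPT TO:<realuser@example.com>
DATA
"""
MESSAGE = """\
From: "Offers" <offers@mailer.example.net>
To: nosuchuser@example.com
Subject: constructed sample

body
"""

ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I | re.M)

def parse_envelope(log):
    """Return (envelope sender, [envelope recipients]) from SMTP command lines."""
    sender, rcpts = None, []
    for verb, addr in ENVELOPE_RE.findall(log):
        if verb.upper() == "MAIL FROM":
            sender = addr.lower()
        else:
            rcpts.append(addr.lower())
    return sender, rcpts

def header_recipients(raw):
    """Addresses named in the To and Cc header fields of the message."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def envelope_only(log, raw):
    """Envelope recipients (who actually gets the mail) that no header names."""
    _, rcpts = parse_envelope(log)
    named = header_recipients(raw)
    return [r for r in rcpts if r not in named]

if __name__ == "__main__":
    print(envelope_only(SMTP_LOG, MESSAGE))
```

A mismatch alone is not proof of forgery: Bcc recipients and mailing-list deliveries also appear only in the envelope, so treat the result as a lead to check against the rest of the log entry.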