[Dshield] odd email spoof, any ideas?

Darren Gasser kaos at earthlink.net
Wed Feb 25 20:45:11 GMT 2004


john beck wrote:

> Can anyone comment on this email that is getting through our filter, 
> the recipient is not what is indicated in the header.  I am pasting in 
> the exported email with header.  I do not see how it is getting to 
> destination, the bdpiersc at xxxx.com (obscured by me, has our domain) is 
> not real and it is getting delivered to a user on my domain.


Check your firewall logs for the actual SMTP "RCPT TO" value.  The 
RFC2822 header (is "SendTo" even a valid 822 header field?) is often 
forged by spammers -- it's the SMTP transaction that matters.

-Darren
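
The check suggested in the reply above, as an added example that is not part of the original post: it takes the client side of one SMTP session, separates the envelope `RCPT TO` addresses from the message headers, and lists the envelope recipients that no `To`/`Cc` header shows. The transcript, the addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed client-side SMTP transcript; all addresses are placeholders.
SAMPLE_SESSION = """\
HELO mail.example.net
MAIL FROM:<bounce@example.net>
RCPT TO:<realuser@example.com>
DATA
From: "Offers" <promo@example.net>
SendTo: bdpiersc@example.com
To: bdpiersc@example.com
Subject: hello

body text
.
QUIT
"""

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)

def split_session(transcript):
    """Return (envelope_recipients, raw_message) from client-side SMTP lines."""
    envelope, msg_lines, in_data = [], [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":                      # a lone dot ends DATA
                in_data = False
            else:                                # undo SMTP dot-stuffing
                msg_lines.append(line[1:] if line.startswith(".") else line)
        elif line.strip().upper() == "DATA":
            in_data = True
        else:
            m = RCPT_RE.match(line)
            if m:
                envelope.append(m.group(1).lower())
    return envelope, "\n".join(msg_lines) + "\n"

def undisclosed_recipients(transcript):
    """Envelope recipients that appear in no To/Cc header of the message."""
    envelope, raw = split_session(transcript)
    msg = message_from_string(raw)
    header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
    shown = {addr.lower() for _, addr in getaddresses(header_values)}
    return [rcpt for rcpt in envelope if rcpt not in shown]

if __name__ == "__main__":
    print(undisclosed_recipients(SAMPLE_SESSION))
```

A non-empty result is not proof of forgery on its own, since legitimate Bcc delivery also produces envelope recipients that the headers do not show.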



