[Dshield] Unidentifiable e-mail

Shawn Cox shawn.cox at pcca.com
Wed Jan 28 16:18:02 GMT 2004


I have been getting these at my company as well.  I have Trend InterScan at
the border, and Trend forwards on to iMail 8.01 on a separate server that is
completely behind the firewall.

Here's what I know:

This is what arrives at the user's PC when viewing from Outlook Express
Properties.  It appears in Outlook with no From address and no Subject, just
an envelope with a time stamp.
<--begin-->
Received: from PCNWMAILSCNDNS.pcca.com [10.5.1.7] by pcca.com
  (SMTPD32-8.01) id ACC13A90034; Mon, 26 Jan 2004 10:13:53 -0600
Received: from 68.53.85.156 by PCNWMAILSCNDNS.pcca.com (InterScan E-Mail VirusWall NT); Mon, 26 Jan 2004 10:13:53 -0600
Received: from 240.246.104.248 by 68.53.85.156; Sun, 25 Jan 2004 13:20:46 -0300
Message-ID: <H[20
X-UIDL: 371779181
<--end-->

Interscan log excerpt:
<--begin-->
01/26/2004 10:13:53 Iscan-maild[1508]: Message from: <jivbqv at yahoo.com>
01/26/2004 10:13:53 Iscan-maild[1508]: *#*  map -> C:\INTERS~1\issmtpd\mqueue\DFIF19E.tmp: Subject -  , id - 1508
01/26/2004 10:13:53 Iscan-maild[1508]: Message to: shawn.cox at pcca.com
01/26/2004 10:13:53 Iscan-maild[2176]: Delivering mail to shawn.cox at pcca.com through mail.pcca.com
<--end-->

iMail Log Excerpt
<--begin-->
20040126 101353 127.0.0.1       SMTPD (03A90034) [10.5.1.6] connect 10.5.1.7 port 1453
20040126 101353 127.0.0.1       SMTPD (03A90034) [10.5.1.7] HELO PCNWMAILSCNDNS.pcca.com
20040126 101353 127.0.0.1       SMTPD (03A90034) [10.5.1.7] MAIL FROM:<jivbqv at yahoo.com>
20040126 101353 127.0.0.1       SMTPD (03A90034) [10.5.1.7] RCPT TO: <shawn.cox at pcca.com>
20040126 101353 127.0.0.1       SMTPD (03A90034) [10.5.1.7] d:\IMail\spool\D3cc103a90034e735.SMD 350
20040126 101353 127.0.0.1       SMTP (0C040E76) processing d:\IMail\spool\Q3cc103a90034e735.SMD
20040126 101353 127.0.0.1       SMTP (0C040E76) ldeliver pcca.com shawn.cox-main (1) jivbqv at yahoo.com 350
20040126 101353 127.0.0.1       SMTP (0C040E76) finished d:\IMail\spool\Q3cc103a90034e735.SMD status=1

<--end-->


It's got me stumped too.  I probably get 10-12 of these corporate-wide each
day.
--Shawn

----- Original Message ----- 
From: "Betsy Horn" <Bhorn at hfblaw.com>
To: <list at dshield.org>
Sent: Wednesday, January 28, 2004 9:40 AM
Subject: Re: [Dshield] Unidentifiable e-mail


>
> >>Read, mark and learn *every word* of rfc[2]821 before believing in
> any
> >>religion ("that philosophical, that others would graft into you").
> >>"Every man's a liar, until he's proved that he is not" (ISO 17799).
>
>
> Are you referring to the August 1982 version of RFC 821, or is there
> something newer?
>
> Thanks,
>
> Betsy
>
>
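
Added example (not part of the original post, and not code from any product
named in it): a Python header check run over the headers quoted in the message
above. It flags the missing From, Date and Subject fields, the truncated
Message-ID, and the Received hop naming 240.246.104.248, which lies in the
reserved 240.0.0.0/4 block. The function name and finding labels are
assumptions made for this example.

```python
import ipaddress
import re
from email import message_from_string

# Headers as quoted in the post above, with wrapped lines restored as folded headers.
SAMPLE = (
    "Received: from PCNWMAILSCNDNS.pcca.com [10.5.1.7] by pcca.com\n"
    "  (SMTPD32-8.01) id ACC13A90034; Mon, 26 Jan 2004 10:13:53 -0600\n"
    "Received: from 68.53.85.156 by PCNWMAILSCNDNS.pcca.com (InterScan E-Mail\n"
    " VirusWall NT); Mon, 26 Jan 2004 10:13:53 -0600\n"
    "Received: from 240.246.104.248 by 68.53.85.156; Sun, 25 Jan 2004\n"
    " 13:20:46 -0300\n"
    "Message-ID: <H[20\n"
    "X-UIDL: 371779181\n"
    "\n"
)

# Dotted quads only; version strings such as "8.01" do not match.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Loose shape check: <left@right> with no spaces or nested brackets.
MSGID = re.compile(r"^<[^<>\s@]+@[^<>\s@]+>$")

def audit_headers(raw):
    """Return a list of finding labels (hypothetical names) for one header block."""
    msg = message_from_string(raw)
    findings = []
    # RFC 2822 requires From and Date; Subject is optional, but its absence
    # is part of what the post describes, so it is reported too.
    for name in ("From", "Date", "Subject"):
        if not (msg.get(name) or "").strip():
            findings.append(f"missing-{name.lower()}")
    if not MSGID.match((msg.get("Message-ID") or "").strip()):
        findings.append("malformed-message-id")
    # Received headers are prepended, so hop 0 is the relay closest to the reader.
    for hop, value in enumerate(msg.get_all("Received") or []):
        for text in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. an octet above 255
            if addr.is_reserved or addr.is_multicast or addr.is_unspecified:
                findings.append(f"hop{hop}-unroutable:{text}")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```
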