[Dshield] [DShield] Need Help - Or Advice
dshieldlists at versateam.com
Fri Aug 19 00:57:57 GMT 2005
The very first received line that you can trust is most likely the
Spam is by its nature untrustworthy. They are lying about everything
else, they might as well lie about the headers -- or at least you can't
trust them even if they are being truthful. Very often they will add
other headers, just to confuse things, or because they are copying an
existing e-mail. So don't trust anything that you didn't put in the
email yourself, or that one of your machines put there.
On the other hand, e-mail that arrived at your e-mail server (which we
assume you can trust) likely came from either the spammer himself, or
from a relay that the spammer is using. In other words, THE MACHINE THAT
GAVE IT TO YOUR MAIL SERVER is responsible for the spam, unless it comes
via some other relay that you can trust.
Keep in mind that that machine is fairly likely to be a zombie or part
of a botnet, so whoever the human is at that machine may not have any
idea that her machine is sending that message or relaying it. But it is
still the machine responsible for sending the spam to you.
Mike Wydra wrote:
>First - THANK YOU to whoever it was that posted the warning about the "Osama Bin Laden Captured" hoax. Someone sent me the damn thing today and no - I didn't open the attachment. I also received another one called "The Post Office," which also has an attachment, and looks fishy.
>I don't have a spare machine set up that I could run these things on (and see what they are) but if someone else wants the honors, I can forward. What I need help/advice on is this: I think I know how to determine the originating IP from the headers. In these two cases, it appears that both e-mails came out of Europe (both went through the Netherlands). Am I correct that the VERY first "Received" line is the sender's IP addy? Thanks for any answers. I know you guys are busy with the current patch crisis.
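As an added worked example (not from the original post or anything the DShield list published), the script below applies the rule from the reply above: read the Received lines from the top down, trust only the ones your own server wrote, and take the IP your server saw on the connection, not the name the client gave in HELO and not anything in the lines below your server's. The hostnames, addresses and headers in it are constructed for illustration; the trusted-host set and the function names are my own.

```python
import re

# Constructed sample, not a real message: our MX (mx.example.net) accepted the mail
# from 203.0.113.45, which announced itself as mail.isp.nl. The two Received lines
# below ours were already in the message when it arrived, i.e. the sending machine
# wrote them, so they are worthless as evidence (here they point at a .nl relay).
SAMPLE_HEADERS = """\
Received: from mail.isp.nl ([203.0.113.45])
    by mx.example.net (Postfix) with SMTP id 4A1B2C3D
    for <mike@example.net>; Thu, 18 Aug 2005 20:12:01 -0400
Received: from relay2.isp.nl (relay2.isp.nl [198.51.100.7])
    by mail.isp.nl (8.13.1/8.13.1) with ESMTP id j7J0A1xx
    for <mike@example.net>; Fri, 19 Aug 2005 02:11:55 +0200
Received: from [192.0.2.9] (helo=server.example.org)
    by relay2.isp.nl with smtp (Exim 4.50) id 1E5j9n-0001z
    for mike@example.net; Fri, 19 Aug 2005 02:11:50 +0200
From: "Postmaster" <postmaster@example.org>
Subject: Osama Bin Laden Captured
"""

# Hosts (and, if you like, IPs) whose Received lines you wrote yourself. Assumed.
TRUSTED_HOSTS = {"mx.example.net"}

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def parse_received(header):
    """Pull the HELO name, the observed IP and the receiving host out of one Received line."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    # The bracketed address in parentheses is what the receiving MTA saw on the
    # socket; the HELO name is whatever the client chose to claim.
    paren = m.group("paren") or ""
    ip_match = IP_RE.search(paren) or IP_RE.search(m.group("helo"))
    return {
        "helo": m.group("helo").strip("[]"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by").rstrip(";,"),
    }


def hop_chain(raw_headers):
    """All Received lines in header order: topmost (newest) first, bottom (oldest) last."""
    hops = [parse_received(h) for h in unfold_headers(raw_headers)
            if h.lower().startswith("received:")]
    return [h for h in hops if h is not None]


def responsible_ip(raw_headers, trusted):
    """Return the IP of the machine that handed the mail to our infrastructure.

    Walk from the top. Every line must have been written by a host we trust; an
    internal relay (a trusted host handing to another trusted host) is skipped,
    and the first outside address is the one to report. Stop as soon as a line
    was written by someone else: nothing below it can be believed."""
    trusted = {t.lower() for t in trusted}
    for hop in hop_chain(raw_headers):
        if hop["by"].lower() not in trusted:
            return None  # headers do not start with our own server's line
        if hop["ip"] in trusted or hop["helo"].lower() in trusted:
            continue  # our own relay; keep walking toward the outside
        return hop["ip"]
    return None


if __name__ == "__main__":
    print("bottom Received line (what a naive read reports):", hop_chain(SAMPLE_HEADERS)[-1]["ip"])
    print("machine that actually delivered to us:", responsible_ip(SAMPLE_HEADERS, TRUSTED_HOSTS))
```

Reading the bottom line would blame 192.0.2.9 behind a Dutch relay, which is exactly the story the sender wanted told; the only address with any weight is the one our own server recorded. Adding a second host of ours (say a backup MX) to the trusted set makes the walk skip past it to the first outside hop, which covers the "unless it comes via some other relay that you can trust" caveat.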