[unisog] I need help.

Mary M. Chaddock chaddock at acu.edu
Fri Jul 19 14:33:48 GMT 2002


First, let me say that I may have not been clear on my issue.  I'm not 
trying to prevent these email messages from being delivered.  What really 
bothers me is that the owners of these systems are _NOT_ relaying email on 
purpose.  The do not have a clue they are even doing it.

I have not found any legitimate reason why the cacheflow server would 
spoof/relay email.  This doesn't mean there isn't any.  If there is, I'd 
really like to know.

Joseph,
I have been sending an email notification to the owner of the IP address 
to make them aware that their cacheflow server is relaying email.

Again, I don't want to "block" the incoming email messages.  That will 
only cause more work for our resources and the problem will still be 
there.  I'd rather start alerting the system owners. Then possibly apply 
pressure to the distributors to begin shipping their product "secured".

Thanks to all of you that sent me information on identifying the ip 
owners.  

Respectfully,
-Mary.


Mary M. Chaddock, GSEC, GCUX
Network Security Administrator
Abilene Christian University
Abilene, Tx.


|
|I see it in Received headers where the hostname should be.  Note the
|faked HELO name right after the "from", also.
|
|Received: from hotmail.com (CacheFlowServer@[61.127.197.4])
|Received: from mx1.mail.yahoo.com (CacheFlowServer@[210.181.4.174])
|Received: from mx1.mail.yahoo.com (CacheFlowServer@[211.35.78.36])
|Received: from mx1.mail.yahoo.com (CacheFlowServer@[211.234.92.5])
|Received: from hotmail.com (CacheFlowServer@[200.30.47.70])
|Received: from yahoo.com (CacheFlowServer@[210.217.42.101])
|Received: from hotmail.com (CacheFlowServer@[63.73.1.180])
|
|What is this?  Does any legitimate mail have this?  The above is from
|mail identified as junk using other tests.  Some was porn sites, some
|was dubious drugs.  
|
|It would be easy to scan for it in mail.
|



More information about the unisog mailing list