[unisog] I need help.
Mary M. Chaddock
chaddock at acu.edu
Fri Jul 19 14:33:48 GMT 2002
First, let me say that I may have not been clear on my issue. I'm not
trying to prevent these email messages from being delivered. What really
bothers me is that the owners of these systems are _NOT_ relaying email on
purpose. The do not have a clue they are even doing it.
I have not found any legitimate reason why the cacheflow server would
spoof/relay email. This doesn't mean there isn't any. If there is, I'd
really like to know.
I have been sending an email notification to the owner of the IP address
to make them aware that their cacheflow server is relaying email.
Again, I don't want to "block" the incoming email messages. That will
only cause more work for our resources and the problem will still be
there. I'd rather start alerting the system owners. Then possibly apply
pressure to the distributors to begin shipping their product "secured".
Thanks to all of you that sent me information on identifying the ip
Mary M. Chaddock, GSEC, GCUX
Network Security Administrator
Abilene Christian University
|I see it in Received headers where the hostname should be. Note the
|faked HELO name right after the "from", also.
|Received: from hotmail.com (CacheFlowServer@[188.8.131.52])
|Received: from mx1.mail.yahoo.com (CacheFlowServer@[184.108.40.206])
|Received: from mx1.mail.yahoo.com (CacheFlowServer@[220.127.116.11])
|Received: from mx1.mail.yahoo.com (CacheFlowServer@[18.104.22.168])
|Received: from hotmail.com (CacheFlowServer@[22.214.171.124])
|Received: from yahoo.com (CacheFlowServer@[126.96.36.199])
|Received: from hotmail.com (CacheFlowServer@[188.8.131.52])
|What is this? Does any legitimate mail have this? The above is from
|mail identified as junk using other tests. Some was porn sites, some
|was dubious drugs.
|It would be easy to scan for it in mail.
More information about the unisog