[unisog] AOL and forwarding

Scott Fendley scottf at uark.edu
Fri Oct 14 17:59:01 GMT 2005


This may be configurable on your mail server.  Below are example 
headers of a spam that was sent to one of my users.  This user 
forwards their email from their uark.edu address to their AOL 
account.  I may not know the AOL email address in use, but I can look 
it up out of our LDAP based on seeing "myuser at uark.edu" in the 
headers as it passed from our mail exchangers to the actual mail 
server.  For these regular complaining users, I have set up auto 
filters to ignore email from AOL about them, and that leaves me with 
listserv mailing list false positives, and the legit stuff 
originating from our campus.

Received: from  rly-yi01.mx.aol.com (rly-yi01.mail.aol.com [172.18.180.129])
  by air-yi02.mail.aol.com (v107.13) with ESMTP id MAILINYI24-7a8434fa8a524e;
  Fri, 14 Oct 2005 08:46:49 -0400
Received: from  mailhost.uark.edu (mailhost.uark.edu [130.184.5.66])
  by rly-yi01.mx.aol.com (v107.13) with ESMTP id MAILRELAYINYI14-7a8434fa8a524e;
  Fri, 14 Oct 2005 08:46:29 -0400
Received: from mx1.uark.edu (mx1.uark.edu [130.184.5.58])
  by mailhost.uark.edu (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8
  2003)) with ESMTP id <0IOC00IQ9OTGJD at mailhost.uark.edu> for gqwack2 at aol.com
  (ORCPT myuser at uark.edu); Fri, 14 Oct 2005 07:46:29 -0500 (CDT)
Received: from mailman3-q0.in.tmpw.net
  (mailman3-nat.in.tmpw.net [208.30.129.71])
  by mx1.uark.edu (8.13.4/8.13.4)
  with SMTP id j9ECkO3i004199 for <myuser at uark.edu>;
  Fri, 14 Oct 2005 07:46:24 -0500


At 01:08 PM 10/7/2005, Joseph Brennan wrote:


>--On Friday, October 7, 2005 14:02 -0400 Daniel Feenberg
><feenberg at nber.org> wrote:
>
> >> We get the SComp reports, and almost all of the complaints are about
> >> mail from outside the university, forwarded by our users to their aol
> >> address.
> >>
> >> ...
> >
> > What do you do with the SComp reports? Do you stop forwarding for that
> > individual? I would have thought that was the first thing to try. Isn't
> > forwarding rather less important than direct email?
>
>
>We can't tell which user it is.  AOL removes that information.
>
>Joseph Brennan
>Columbia University Information Technology
>
>
>_______________________________________________
>unisog mailing list
>unisog at lists.sans.org
>http://www.dshield.org/mailman/listinfo/unisog
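
The header lookup described in the message above, as an added example that is not code from the original post: it reads the Received chain of a returned message and reports which local address your own relays recorded in `for <...>` or `ORCPT`. The function name, the `own_hosts` list and the assumption that the returned message's headers are available as text are all assumptions of this sketch.

```python
import re
from email import message_from_string

# The list archive prints "@" as " at "; accept either spelling.
ADDR = r"<?([\w.%+-]+)(?:@| at )([A-Za-z0-9.-]+\.[A-Za-z]{2,})>?"
RCPT_RE = re.compile(r"\b(?:for|ORCPT)\s+(?:rfc822;)?" + ADDR, re.I)
FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.I)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def forwarding_users(raw_message, own_hosts, local_domain):
    """Local recipients that our own relays recorded in Received headers."""
    own = {h.lower() for h in own_hosts}
    users, seen_own = [], False
    for hop in message_from_string(raw_message).get_all("Received", []):
        hop = " ".join(hop.split())      # unfold continuation lines
        by = BY_RE.search(hop)
        if not (by and by.group(1).lower() in own):
            if seen_own:
                break                    # below our relays: sender-supplied
            continue                     # added after the mail left us
        seen_own = True
        for local, domain in RCPT_RE.findall(hop):
            addr = f"{local}@{domain}".lower()
            if domain.lower() == local_domain and addr not in users:
                users.append(addr)
        sender = FROM_RE.search(hop)
        if not (sender and sender.group(1).lower() in own):
            break                        # border hop; older hops are forgeable
    return users

# Headers from the message above, refolded for parsing (no body needed).
SAMPLE = """\
Received: from rly-yi01.mx.aol.com (rly-yi01.mail.aol.com [172.18.180.129])
 by air-yi02.mail.aol.com (v107.13) with ESMTP id MAILINYI24-7a8434fa8a524e;
 Fri, 14 Oct 2005 08:46:49 -0400
Received: from mailhost.uark.edu (mailhost.uark.edu [130.184.5.66])
 by rly-yi01.mx.aol.com (v107.13) with ESMTP id MAILRELAYINYI14-7a8434fa8a524e;
 Fri, 14 Oct 2005 08:46:29 -0400
Received: from mx1.uark.edu (mx1.uark.edu [130.184.5.58])
 by mailhost.uark.edu (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
 with ESMTP id <0IOC00IQ9OTGJD at mailhost.uark.edu> for gqwack2 at aol.com
 (ORCPT myuser at uark.edu); Fri, 14 Oct 2005 07:46:29 -0500 (CDT)
Received: from mailman3-q0.in.tmpw.net (mailman3-nat.in.tmpw.net [208.30.129.71])
 by mx1.uark.edu (8.13.4/8.13.4) with SMTP id j9ECkO3i004199
 for <myuser at uark.edu>; Fri, 14 Oct 2005 07:46:24 -0500
"""

if __name__ == "__main__":
    print(forwarding_users(SAMPLE, {"mailhost.uark.edu", "mx1.uark.edu"}, "uark.edu"))
```

The `from` name on a hop is whatever the sending host announced, so the border check is only as strong as that name; matching on the bracketed IP address instead is stricter.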


