[unisog] AOL and forwarding

Christopher A Bongaarts cab at tc.umn.edu
Sat Oct 15 04:32:45 GMT 2005


This is helpful in many cases, but note that most MTAs don't include a 
"for" clause in the Received: header if there are multiple recipients
specified in the SMTP transaction.  Spam is often blasted to many
recipients, so the trail isn't there, but "legit" mail that is
accidentally or foolishly complained about will likely have it.

An alternative is to use the Message-ID to nose around in your MTA's
logs and narrow down the possible list of forwarders.

In the immortal words of Scott Fendley:
> This may be configurable on your mail server.  Below are example 
> headers of a spam that was sent to one of my users.  This user 
> forwards their email from their uark.edu address to their AOL 
> account.  I may not know the AOL email address in use, but I can look 
> it up out of our ldap based on seeing "myuser at uark.edu" in the 
> headers as it passed from our mail exchangers to the actual mail 
> server.  For these regular complaining users, I have set up auto 
> filters to ignore email from AOL about them and that leaves me with 
> listserv mailing list false positives, and the legit stuff 
> originating from our campus.
> 
> Received: from  rly-yi01.mx.aol.com (rly-yi01.mail.aol.com 
> [172.18.180.129]) by air-yi02.mail.aol.com (v107.13) with ESMTP id 
> MAILINYI24-7a8434fa8a524e; Fri, 14 Oct 2005 08:46:49 -0400
> Received: from  mailhost.uark.edu (mailhost.uark.edu [130.184.5.66]) 
> by rly-yi01.mx.aol.com (v107.13) with ESMTP id 
> MAILRELAYINYI14-7a8434fa8a524e; Fri, 14 Oct 2005 08:46:29 -0400
> Received: from mx1.uark.edu (mx1.uark.edu [130.184.5.58])
>   by mailhost.uark.edu (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8
>   2003)) with ESMTP id <0IOC00IQ9OTGJD at mailhost.uark.edu> for gqwack2 at aol.com
>   (ORCPT myuser at uark.edu); Fri, 14 Oct 2005 07:46:29 -0500 (CDT)
> Received: from mailman3-q0.in.tmpw.net
>   (mailman3-nat.in.tmpw.net [208.30.129.71])     by mx1.uark.edu 
> (8.13.4/8.13.4)
>   with SMTP id j9ECkO3i004199    for <myuser at uark.edu>; Fri,
>   14 Oct 2005 07:46:24 -0500
> 
> 
> At 01:08 PM 10/7/2005, Joseph Brennan wrote:
> 
> 
> >--On Friday, October 7, 2005 14:02 -0400 Daniel Feenberg
> ><feenberg at nber.org> wrote:
> >
> > >> We get the SComp reports, and almost all of the complaints are about
> > >> mail from outside the university, forwarded by our users to their aol
> > >> address.
> > >>
> > >> ...
> > >
> > > What do you do with the SComp reports? Do you stop forwarding for that
> > > individual? I would have thought that was the first thing to try. Isn't
> > > forwarding rather less important than direct email?
> >
> >
> >We can't tell which user it is.  AOL removes that information.
> >
> >Joseph Brennan
> >Columbia University Information Technology
> >
> >
> >_______________________________________________
> >unisog mailing list
> >unisog at lists.sans.org
> >http://www.dshield.org/mailman/listinfo/unisog
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
%%  Christopher A. Bongaarts  %%  cab at tc.umn.edu       %%
%%  Internet Services         %%  http://umn.edu/~cab  %%
%%  University of Minnesota   %%  +1 (612) 625-1809    %%
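As an added example (not code from this thread or from any of the sites named in it), the script below automates the two techniques discussed above: it walks the Received: chain of a complaint, trusts only hops stamped by our own MTAs, and pulls the local recipient out of the "for <addr>" or "(ORCPT addr)" clause; when no such clause exists (the multi-recipient case), it falls back to correlating the Message-ID with MTA log lines. Hostnames, addresses, Message-IDs and log lines are constructed with RFC 2606 example domains; the hop layout mirrors the uark.edu headers quoted above, and sendmail's syslog format is assumed for the fallback.

```python
"""Trace an AOL feedback-loop complaint back to the local forwarding user.

Added example, not code from the unisog thread. All hosts, addresses,
Message-IDs and log lines are constructed (RFC 2606 example domains),
modelled on the headers quoted in the thread and on sendmail's syslog format.
"""
import re
from email import message_from_string

# "for <addr>" is usually added only when the SMTP transaction had a single
# RCPT TO; "(ORCPT addr)" names the original recipient before forwarding.
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;(),]+@[^\s<>;(),]+)>?", re.I)
ORCPT_RE = re.compile(r"\(ORCPT\s+(?:rfc822;)?([^\s()]+)\)", re.I)
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)
# sendmail syslog shape: "... sendmail[pid]: <queue-id>: key=value, ..."
QUEUE_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")


def _is_ours(host_or_addr, our_domains):
    name = host_or_addr.lower().rsplit("@", 1)[-1]
    return any(name == d or name.endswith("." + d) for d in our_domains)


def trace_forwarder(raw_message, our_domains):
    """Walk Received: hops stamped by our MTAs; return the local address the
    mail was delivered to before forwarding (None if no for/ORCPT clause)."""
    msg = message_from_string(raw_message)
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    result = {"message_id": (msg.get("Message-ID") or "").strip(),
              "local_recipient": None, "forward_target": None, "hop": None}
    for idx, hop in enumerate(hops):
        by = BY_RE.search(hop)
        if not by or not _is_ours(by.group(1), our_domains):
            continue  # AOL's own stamps say nothing about our user
        orcpt = ORCPT_RE.search(hop)
        if orcpt:
            result["local_recipient"] = orcpt.group(1)
        clause = FOR_RE.search(hop)
        if clause:
            addr = clause.group(1)
            if _is_ours(addr, our_domains):
                result["local_recipient"] = result["local_recipient"] or addr
            else:
                result["forward_target"] = result["forward_target"] or addr
        if result["local_recipient"]:
            result["hop"] = idx
            break
    return result


def recipients_from_logs(log_lines, message_id):
    """Fallback for multi-recipient mail: find queue ids logged with this
    msgid and collect every envelope recipient delivered under them."""
    queue_ids, rcpts = set(), []
    for line in log_lines:
        m = QUEUE_RE.search(line)
        if m and "msgid=" + message_id in m.group(2):
            queue_ids.add(m.group(1))
    for line in log_lines:
        m = QUEUE_RE.search(line)
        if not m or m.group(1) not in queue_ids:
            continue
        to = re.search(r"\bto=<([^>]+)>", m.group(2))
        if to:
            rcpts.append(to.group(1))
    return rcpts


# Constructed sample: single-recipient list mail forwarded to an AOL account.
SAMPLE_FORWARDED = """\
Received: from rly-yi01.mx.aol.example ([192.0.2.129])
  by air-yi02.mail.aol.example with ESMTP id MAILIN-1; Fri, 14 Oct 2005 08:46:49 -0400
Received: from mailhost.example.edu (mailhost.example.edu [192.0.2.66])
  by rly-yi01.mx.aol.example with ESMTP id RELAY-1; Fri, 14 Oct 2005 08:46:29 -0400
Received: from mx1.example.edu (mx1.example.edu [192.0.2.58])
  by mailhost.example.edu (iPlanet Messaging Server 5.2) with ESMTP
  id <0IOC00IQ9OTGJD@mailhost.example.edu> for gqwack2@aol.example
  (ORCPT myuser@example.edu); Fri, 14 Oct 2005 07:46:29 -0500 (CDT)
Received: from mailman3-q0.in.tmpw.example ([203.0.113.71])
  by mx1.example.edu (8.13.4/8.13.4) with SMTP id j9ECkO3i004198
  for <myuser@example.edu>; Fri, 14 Oct 2005 07:46:24 -0500
Message-ID: <single-67890@tmpw.example>
Subject: constructed sample

body
"""

# Constructed sample: same list, two local RCPT TOs, so no "for"/ORCPT trail.
SAMPLE_MULTI = """\
Received: from mailhost.example.edu (mailhost.example.edu [192.0.2.66])
  by rly-yi01.mx.aol.example with ESMTP id RELAY-2; Fri, 14 Oct 2005 08:46:29 -0400
Received: from mx1.example.edu (mx1.example.edu [192.0.2.58])
  by mailhost.example.edu (iPlanet Messaging Server 5.2) with ESMTP
  id <0IOC00IQ9OTGJE@mailhost.example.edu>; Fri, 14 Oct 2005 07:46:29 -0500 (CDT)
Received: from mailman3-q0.in.tmpw.example ([203.0.113.71])
  by mx1.example.edu (8.13.4/8.13.4) with SMTP id j9ECkO3i004199;
  Fri, 14 Oct 2005 07:46:24 -0500
Message-ID: <list-announce-12345@tmpw.example>
Subject: constructed multi-recipient sample

body
"""

# Constructed sendmail log lines from mx1 for the multi-recipient message.
SAMPLE_LOG = [
    "Oct 14 07:46:24 mx1 sendmail[4199]: j9ECkO3i004199: from=<announce@tmpw.example>,"
    " size=2048, class=0, nrcpts=2, msgid=<list-announce-12345@tmpw.example>,"
    " proto=SMTP, daemon=MTA, relay=mailman3-nat.in.tmpw.example [203.0.113.71]",
    "Oct 14 07:46:25 mx1 sendmail[4203]: j9ECkO3i004199: to=<myuser@example.edu>,"
    " delay=00:00:01, mailer=esmtp, relay=mailhost.example.edu. [192.0.2.66], stat=Sent",
    "Oct 14 07:46:25 mx1 sendmail[4203]: j9ECkO3i004199: to=<otheruser@example.edu>,"
    " delay=00:00:01, mailer=esmtp, relay=mailhost.example.edu. [192.0.2.66], stat=Sent",
    "Oct 14 07:46:30 mx1 sendmail[4210]: j9ECkU9x004210: from=<x@elsewhere.example>,"
    " size=512, nrcpts=1, msgid=<abc@elsewhere.example>, proto=ESMTP, daemon=MTA",
]

if __name__ == "__main__":
    ours = ["example.edu"]
    print(trace_forwarder(SAMPLE_FORWARDED, ours))
    hit = trace_forwarder(SAMPLE_MULTI, ours)
    print(hit, recipients_from_logs(SAMPLE_LOG, hit["message_id"]))
```

Only hops whose "by" host is one of our own domains are consulted, because the AOL-side stamps never name our user and a spammer controls everything below our MX. When the header trail is empty, the log lookup yields every local recipient of that message; with several candidates, the LDAP forwarding attribute is the remaining filter.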