trisha506

Question about Outlook Express Header

A very computer savvy loser has been setting me up for spam. I am positive I know who it is but I am helpless to stop the sloth. Here is my question. Please look at the first line in the header of a recent spammail I received.

Received: from [68.6.19.3] (really [210.183.24.106])

Can someone please explain that to me in English? I use Outlook Express for my email. What is the tie-in between the two IPs? Which one is the real one? Why does it give an IP address and then use the word "really" to introduce the 2nd? I really need to understand this because the majority of my spam comes from the first IP address, with a different IP after the word "really."

I hope you can understand what I am asking.

Thanks

Trisha

Curiously, does anyone know if child pornography is illegal over the internet? If so, could someone tell me where to report child porn spam I have been receiving?

Honestly, I can't recall seeing the word "really" in there before, but such things are possible ... To answer the rest of your query, one would rather see the actual headers as a whole .. would you have a Tracking URL of the spam submittal? This would make it a one-click deal to pop it open and take a look at what's actually going on.

For the porn question, please look within the FAQ-in-progress and look for Marjolein's site in the "other" places section.

Here's the entire header from one of them.

Return-Path: <nmqzlp[at]millionaire.com>
Received: from [68.1.17.3] (really [218.18.131.78]) by lakermmtai07.cox.net
    (InterMail vM.6.01.03.02.01 201-2131-111-104-103-20040709)
    with SMTP
    id <20040806113155.OSBL21291.lakermmtai07.cox.net[at][68.1.17.3]>;
    Fri, 6 Aug 2004 07:31:55 -0400
Message-ID: <70162142943709.510gcx55923bn[at]hotmail.com>
Received: from 233.79.151.130 by law6-en80.law8.hotmail.com with DAV;
    Fri, 06 Aug 2004 18:22:11 +0600
Reply-To: "Sylvia Leslie" <nmqzlp[at]millionaire.com>
From: "Sylvia Leslie" <nmqzlp[at]millionaire.com>
To: <trisha408[at]cox.net>
Subject: experience pussy like never before
Date: Fri, 06 Aug 2004 06:17:11 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--20725500484669186"

Thanks for any help you can give me on this.

Edited by trisha506

I would edit out the following from your post for security reasons: "trisha408".

Posting your email address makes you vulnerable to even more spam.

As to why the differences in the To address, there could be several reasons.

The first that comes to mind is that you may have multiple addresses created for you that all forward to the same account by your ISP. You can test that by sending a message to the "wrong address" with the subject "test".

In the body you may want to add a note as to why you are sending the test, and see what happens.

For the rest of your questions you will have to wait for someone with more knowledge than I.

The explanation is simple...the software that spammers use "batches" the addresses at any one domain like this:

To: adam[at]domain.com

BCC: adrian[at]domain.com, alex[at]domain.com, alexandria[at]domain.com, angela[at]domain.com, etc.

So although all five (and more) of those addresses receive the message, they all see the address "adam" in the "To" and because of the way a BCC is handled, they don't see their address anywhere in the headers.

dt

Received: from [68.6.19.3] (really [210.183.24.106])

Mail servers are very polite. They always say hello when they meet each other.

I've never seen the "really" tag before, but a normal received line would usually start like this:

Received: from EHLO_NAME (REAL_FQDN [IP_ADDRESS])

The EHLO_NAME is the name the server used when it said hello to your mail server.

The REAL_FQDN is the result of a lookup on the IP_ADDRESS and is the real name of the remote server.

The IP_ADDRESS is the IP address of the remote server.

So, for your example, ignoring the "really" part: the remote server connected to your mail server claiming that it was 68.6.19.3, but your server knew that the connection came from 210.183.24.106.

210.183.24.106 was the source of the spam. It is a compromised box in Korea.

Edited by GraemeL

Some mail servers use the word "really" in this manner...specifically Cox in this case. I've got a message in my current Inbox from a Cox user with this:

Received: from [192.168.1.100] (really [68.3.107.xx]) by fed1rmmtao02.cox.net

(I munged the true IP of the sender with "xx")

Here's one from a non-Cox source (found in another archived folder):

SMTP "HELO" (SMTP) greeting from bsp
But _really_ from :: ppp-9.mas.winternet.com [204.246.76.x]

The use is pretty rare, however, in that those are the only two messages with "really" in the headers found among about 2,000 messages, from a wide variety of sources.

dt

Edited by DavidT

Guys -

Thank you so much for your help! I feel much better after reading it. I was thinking that the first IP address was the one that counted, and since it is always a Cox address, I was thinking it was the sloth I was talking about who was sending all this spam. Just so you know that I didn't malign the sloth without reason, I caught him red-handed spamming me in the past because some of the companies are now smart enough to tell you the IP address used to sign you up for their email!

Thanks again.

Trisha

:)

Mail servers are very polite. They always say hello when they meet each other.

I've never seen the "really" tag before

It means that the mail server detected that there is a problem with the headers not having a correct rDNS as is apparently required by the RFCs.

The RFCs are the guidelines that the internet goes by.

In theory the name given by the hello should match the name given by the mail server, and reports on usenet show that for at least 80% of the spam being sent it does not match.

Unfortunately a number of real mail servers do not have their rDNS configured correctly or are not announcing themselves in the internally seen handshake with their rDNS name, so it cannot be used by ISPs to reject spam.

And also unfortunately, as a result of several large ISPs' attempts to implement strict rDNS checks, the few real mail servers that a large number of people want to receive mail from with bad rDNS configurations did not get fixed, but a number of spammers did fix their spamware to send the correct rDNS. The spammers learned faster than the professionals that are supposed to be running the real mail servers.

Effectively the rDNS name for an I.P. address is the true name for a mail server; any other name for that mail server is an alias. This rDNS name only needs to be used in the internal headers when a mail server sends a message for a strict rDNS check to be used.

If a mail server is using a scoring system to control spam, failing that rDNS check probably should count for 80% of the scoring needed to cause a message to be rejected as spam.

Some mail servers reject on rDNS failures, and this appears to be an optional setting on a lot of mail server software.

If you can set up a method to indicate the pass or fail of the rDNS check of your real messages, it would be rare for most people to get a real message with an incorrect rDNS.

-John

Personal Opinion Only
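As an added example (not code from any poster in this thread), here is a small Python parser for the Received line formats GraemeL described and DavidT quoted, which also reports the HELO-versus-rDNS mismatch John discusses. The Cox and winternet sample lines reuse the thread's own text; the 192.0.2.x addresses and example.* names are constructed, and DavidT's munged "204.246.76.x" is replaced by a constructed address so it parses.

```python
import re
from typing import NamedTuple, Optional


class ReceivedHop(NamedTuple):
    helo: str             # what the remote server claimed in its HELO/EHLO greeting
    rdns: Optional[str]   # reverse-DNS name your server looked up, if it recorded one
    source_ip: str        # address the TCP connection actually came from
    helo_matches: bool    # does the greeting agree with what your server observed?


# Cox style, as in the thread: "from [CLAIMED] (really [ACTUAL_IP])"
COX_REALLY = re.compile(r"from\s+(\S+)\s+\(really\s+\[([\d.]+)\]\)")
# winternet style, as in the thread: 'greeting from NAME ... But _really_ from :: FQDN [IP]'
ALT_REALLY = re.compile(
    r"greeting from\s+(\S+).*?But _really_ from ::\s+(\S+)\s+\[([\d.]+)\]")
# Plain form GraemeL describes: "from EHLO_NAME (REAL_FQDN [IP_ADDRESS])"
STANDARD = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")


def parse_received(header: str) -> Optional[ReceivedHop]:
    """Extract claimed name, verified name and connecting IP from one Received header."""
    # Only the topmost Received line, written by your own mail server, is trustworthy;
    # the lines below it were supplied by the sender and may be forged.
    text = " ".join(header.split())          # fold continuation lines into one line
    m = COX_REALLY.search(text)              # try before STANDARD, which would otherwise
    if m:                                    # read the word "really" as the rDNS name
        helo, ip = m.groups()
        return ReceivedHop(helo, None, ip, helo.strip("[]") == ip)
    m = ALT_REALLY.search(text)
    if m:
        helo, rdns, ip = m.groups()
        return ReceivedHop(helo, rdns, ip, helo.lower() == rdns.lower())
    m = STANDARD.search(text)
    if m:
        helo, rdns, ip = m.groups()
        return ReceivedHop(helo, rdns, ip, helo.lower() == rdns.lower())
    return None                              # no verified source recorded: nothing to trust


# Constructed samples: "cox" and "alt" reuse the thread's header text (munged IP replaced
# by a documentation address); "ok" and "bare" use example.* names and 192.0.2.0/24.
SAMPLES = {
    "cox": "Received: from [68.1.17.3] (really [218.18.131.78]) by lakermmtai07.cox.net\n"
           "    (InterMail vM.6.01.03.02.01 201-2131-111-104-103-20040709) with SMTP",
    "alt": 'SMTP "HELO" (SMTP) greeting from bsp\n'
           "But _really_ from :: ppp-9.mas.winternet.com [192.0.2.9]",
    "ok": "Received: from mail.example.net (mail.example.net [192.0.2.25]) by mx.example.org",
    "bare": "Received: from 233.79.151.130 by law6-en80.law8.hotmail.com with DAV;",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, parse_received(hdr))
```

The "bare" case is the lower hotmail line from Trisha's header: with no parenthesised lookup there is nothing for the receiving server to vouch for, so the parser returns None rather than trusting the claimed address.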
