[Gllug] virus laden spam email

Anthony Newman anthony.newman at uk.clara.net
Thu Nov 24 12:11:30 UTC 2005


t.clarke wrote:

> The originating email appeared at first sight to have Received headers
> with the oldest header at the top and the latest header at the bottom
> (since the 1st one is timed 6.37 and the last at 6.51) - which I believe
> is the wrong way round!
> 
> However another look reveals that the last three headers are in 'normal'
> order; so I guess the time on the 80.89.238.87 machine is out of whack.

Quite possibly.

> 
> I am still mystified as to how, if this is an actual bounce resulting from
> a forged email purporting to come from us, the bounce comes from 80.10.140.96
> when the final machine in the chain appears to be 80.89.238.87!
> 
> 
> I am obviously missing something?


Yes. 80.10.140.96 is the primary MX host for the recipient domain for 
which the recipients failed, and would be the final machine in the chain 
for valid mail delivery.

Different MTAs tend to behave differently for messages with multiple 
recipients; some will reject the message outright and none of the 
recipients will see the message even if some were valid addresses; 
others will accept the message and only bounce for failed recipients, 
which is what we see here.

In the former case, the penultimate machine in the relay chain will 
generate the bounce - this is how it should happen. In the latter, the 
final receiving MX will bounce the mail, having apparently not written a 
Received header because the mail was not accepted for those recipients. 
The full list of recipients is not known, because they were BCCs.


Ant
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
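The two points argued in the thread (Received headers stack newest-first, so timestamps should not increase as you read down, and the host that wrote the top line is the last MTA to accept the message) can be checked mechanically. The following is an added illustration, not code from the original posts; the hostnames, addresses and header lines are constructed sample data (documentation ranges), not the real headers the list was looking at.

```python
"""Sanity-check a Received: header chain from a bounced (backscatter) message.

Added illustration, not code from the original thread. Each MTA prepends its
own Received: line, so in a message the top line is the most recent hop and
the bottom line is the oldest. Timestamps should therefore not increase as
you read down; where they do, one of the two adjacent hosts has a clock that
is off.
"""
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample chain (documentation hostnames and addresses, not the
# headers discussed on the list). Listed newest-first, as in a real message.
SAMPLE_RECEIVED = [
    "from relay2.example.org (relay2.example.org [192.0.2.20]) "
    "by mx.example.net (Postfix) with ESMTP id 3F2A1; "
    "Thu, 24 Nov 2005 06:51:40 +0000",
    "from relay1.example.com ([192.0.2.10]) by relay2.example.org "
    "with ESMTP id k9J; Thu, 24 Nov 2005 06:50:12 +0000",
    # relay1's clock is ahead: this stamp is later than the hop above it
    "from pc ([198.51.100.7]) by relay1.example.com with SMTP; "
    "Thu, 24 Nov 2005 07:14:03 +0000",
    "from localhost (localhost [127.0.0.1]) by pc with SMTP; "
    "Thu, 24 Nov 2005 06:37:21 +0000",
]

_FROM = re.compile(r"\bfrom\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")


def parse_received(header):
    """Return {'from', 'by', 'when'} for one Received: line.

    The date is whatever follows the last ';' (an RFC 5322 date-time);
    a line with no usable date yields when=None instead of raising.
    """
    if ";" in header:
        clauses, date_part = header.rsplit(";", 1)
    else:
        clauses, date_part = header, ""
    when = None
    if date_part.strip():
        try:
            when = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):  # older/newer Pythons differ here
            when = None
    if when is not None and when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)  # "-0000" parses naive
    frm = _FROM.search(clauses)
    by = _BY.search(clauses)
    return {"from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "when": when}


def delivery_order(headers):
    """Hosts that accepted the message, in the order it actually travelled."""
    return [h["by"] for h in reversed([parse_received(x) for x in headers])]


def final_hop(headers):
    """Host that wrote the topmost Received: line, i.e. the last MTA to
    accept the message. For delivered mail that is the recipient's MX."""
    return parse_received(headers[0])["by"]


def clock_skew(headers):
    """Flag adjacent hops whose timestamps run the wrong way.

    Returns [(suspect_host, seconds_off)]. Reading top-down, stamp i+1 must
    not be later than stamp i. When it is, and it is also later than every
    stamp above it, the lower host's clock is ahead (positive offset);
    otherwise the upper host's clock is behind (negative offset).
    """
    hops = [parse_received(x) for x in headers]
    findings = []
    newest_above = None
    for upper, lower in zip(hops, hops[1:]):
        if upper["when"] is None or lower["when"] is None:
            continue  # cannot compare without both stamps
        newest_above = max(newest_above or upper["when"], upper["when"])
        if lower["when"] > upper["when"]:
            delta = int((lower["when"] - upper["when"]).total_seconds())
            if lower["when"] > newest_above:
                findings.append((lower["by"], delta))
            else:
                findings.append((upper["by"], -delta))
    return findings


if __name__ == "__main__":
    print("path:", " -> ".join(delivery_order(SAMPLE_RECEIVED)))
    print("final hop:", final_hop(SAMPLE_RECEIVED))
    print("clock skew:", clock_skew(SAMPLE_RECEIVED))
```

Run against the constructed chain it reports the path pc -> relay1 -> relay2 -> mx, names mx.example.net as the last accepting host, and flags relay1.example.com as roughly 24 minutes fast. Note that the Received lines in a returned bounce copy are only what the rejecting or bouncing MTA chose to include; a hop that refused the message at SMTP time will not have added one, which is the point made in the reply above.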