Hello Senior Mail Admins,
(Hi Suresh ;))
This is for the hawk-eyed mail admins.
I am confused by a certain notification I received about one of the
hosts I am responsible for being "abused" by spammers.
The reasons for my disbelief are:
(1) the fact the host in question is literally 'closed' for the
outside world. Only two hosts from my network can communicate
directly with this host on port 25.
(2) The host IP has a registered PTR RR and so I also don't see
how the name can come up as "unknown".
I am wondering how the spammer, if any, managed this. Are there
new tricks out there by spammers that can subvert even hosts that
cannot be accessed from the Internet, like 62.8.70.75??
Thanking you in advance for your time.
Below are the full details of the notification I received:
<CUT>
------ Forwarded Message
From: <Abuse@???>
Date: Sun, 24 Oct 2004 13:30:57 +0200
To: <abuse@???>
Cc: abuse <wolabusesent@???>
Subject: Spam from your Network
Hi. The spammer below is either using your resources to send out
unsolicited commercial e-mail ("spam") or collect responses from such
spam campaigns, or is deceptively trying to make it look like he is while
using one of our clients' E-mail addresses. In either case, a legitimate
company like yours probably would not approve. The information below
should be all you need.
This notification is addressed, amongst others, to the abuse contacts
of any mail servers through which the spam appears to have passed on its
way here, any webservers advertised in the spam and, where appropriate,
the ARIN (or equivalent) listed owners of the netblocks in which the
offending mail and web servers reside. Where the spammer has included a
reply-to address that domain will be included too, EVEN IF THE MAIL DID
NOT ORIGINATE THERE. Reputable companies will bar spammers from both
sending and receiving e-mail through their networks.
Regards,
Tiscali Abuse Team
tiscali.
INTERNET WITH A PASSION
A Division of Tiscali (Pty) Ltd.
42 Wierda Road West, Wierda Valley, Sandton
Office : +27 860 00 1177
Fax : +27 11 507 5253
E-Mail : abuse@??? <mailto:abuse@tiscali.co.za>
http://www.tiscali.co.za
Return-Path: <postbox@???>
Received: from smtp-7.worldonline.co.za ([192.168.128.77]) by
    istore-3.worldonline.co.za (Netscape Messaging Server 4.15) with
    ESMTP id I5ZWJ500.JQI for <pfcolin@???>; Fri, 22 Oct
    2004 18:59:29 +0200
Received: from mxvwall-02.tiscali.co.za ([127.0.0.1]) by
    smtp-7.worldonline.co.za (Netscape Messaging Server 4.15) with
    ESMTP id I5ZWJ401.E14 for <pfcolin@???>; Fri, 22 Oct
    2004 18:59:28 +0200
Received: from 62.8.70.75 (unknown [62.8.70.75])
    by mxvwall-02.tiscali.co.za (Postfix) with SMTP id 6F488201CC4
    for <pfcolin@???>; Fri, 22 Oct 2004 18:59:20 +0200 (SAST)
Message-ID: <000f01c4b918$fc17ce88$c8bf1b7f@fsbnyft>
Reply-To: "=?windows-1251?B?Y2xldmVyIGxhZHkg?=" <pestova@???>
From: "=?windows-1251?B?Y2xldmVyIGxhZHkg?=" <postbox@???>
To: <pfcolin@???>
Subject: =?windows-1251?B?Zm9yIHlvdQ==?=
Date: Fri, 22 Oct 2004 22:57:47 -0500
MIME-Version: 1.0
Content-Type: text/html;
    charset="windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
</CUT>
cheers
- wash
+----------------------------------+-----------------------------------------+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE) |
<wash at wananchi dot com> . 1ere Etage, Loita Hse, Loita St., |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"
--from a /. post
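
Added example, not part of the original message: a small Python triage of the three Received headers quoted in the notification, picking out the hop where a public address connected to the reporter's MTA and what that MTA recorded about it. The function names are hypothetical; the header text is copied from the notification above and unfolded.

```python
import ipaddress
import re

# The three Received headers from the notification above, unfolded, newest first.
RECEIVED = [
    "from smtp-7.worldonline.co.za ([192.168.128.77]) by istore-3.worldonline.co.za "
    "(Netscape Messaging Server 4.15) with ESMTP id I5ZWJ500.JQI for <pfcolin@???>; "
    "Fri, 22 Oct 2004 18:59:29 +0200",
    "from mxvwall-02.tiscali.co.za ([127.0.0.1]) by smtp-7.worldonline.co.za "
    "(Netscape Messaging Server 4.15) with ESMTP id I5ZWJ401.E14 for <pfcolin@???>; "
    "Fri, 22 Oct 2004 18:59:28 +0200",
    "from 62.8.70.75 (unknown [62.8.70.75]) by mxvwall-02.tiscali.co.za (Postfix) "
    "with SMTP id 6F488201CC4 for <pfcolin@???>; Fri, 22 Oct 2004 18:59:20 +0200 (SAST)",
]

# "from <HELO name> (<optional client hostname> [<client IP>]) by <receiving host>"
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def _is_ip_literal(text):
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False

def parse_hop(header):
    """Split one Received header into its fields, or return None if it does not fit."""
    m = HOP.search(header)
    if not m:
        return None
    hop = m.groupdict()
    addr = ipaddress.ip_address(hop["ip"])
    hop["internal"] = addr.is_private or addr.is_loopback
    hop["helo_is_ip"] = _is_ip_literal(hop["helo"])   # client gave an address, not a name
    hop["rdns_unknown"] = hop["rdns"] == "unknown"    # receiver recorded no hostname
    return hop

def external_handoff(headers):
    """Newest hop whose client address is public: the connection the reporter's
    own MTA logged. Headers older than this one are supplied by the sender."""
    for header in headers:
        hop = parse_hop(header)
        if hop and not hop["internal"]:
            return hop
    return None

if __name__ == "__main__":
    print(external_handoff(RECEIVED))
```

The address in that hop comes from the TCP connection seen by mxvwall-02, so it is the field to compare against outbound connection logs for 62.8.70.75 around 18:59:20 +0200.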