spoofed record?

Networking/Security Forums -> Anonymity // Privacy // Spam

Author: Ex0dus  Location: Down Under  Posted: Fri Nov 18, 2005 3:18 am  Post subject: spoofed record?
    ----
Not sure if this is the correct area to post, but it is from a spam email so I will give it a try.

First of all, here is the header of it.

Return-Path: <MerlinBirddescriptor@hav.cubana.avianet.cu>
X-Envelope-To: webmaster@printforce.com.au
X-Spam-Status: No, hits=3.2 required=5.0
tests=BAYES_50: 1.567,RCVD_ILLEGAL_IP: 1.588
X-Spam-Level: ***
Received: from dsl.static8597204112.ttnet.net.tr ([85.97.204.112])
by mail.printforce.com.au;
Fri, 18 Nov 2005 03:43:44 +0800
Received: from symphony-08.iinet.net.au ([227.142.170.208]:1906 "HELO
mail.ies.edu") by ies.edu with SMTP
id <S522132AbRLJEtW>; Thu, 17 Nov 2005 21:43:34 +0200
Date: Thu, 17 Nov 2005 16:43:34 -0300
Message-Id: <5.1.71.2081924.0083fc70@ies.edu>
From: "Quinton Cohen" <MerlinBirddescriptor@hav.cubana.avianet.cu>
To: <mail@printforce.com.au>
Subject: You can get it only here baseball
List-ID: <mail@printforce.com.au>

When I did a whois on the last IP it came up with "ERROR: IP Range Reserved by IANA.org".

I did a whois on SenderBase of the first and found it did have some records of spam, so I suspect the email came from that.

But I'm just confused as to why the last IP came up with that message. Is it a spoofed record? What's the deal with it being reserved?

Author: zeedo  Location: Scotland  Posted: Fri Nov 18, 2005 2:47 pm  Post subject:
    ----
The IP in question is a multicast IP and therefore should not be used here; this is almost certainly a spoofed header, which your spam filter has spotted.

Author: Ex0dus  Location: Down Under  Posted: Tue Nov 22, 2005 3:08 am  Post subject:
    ----
OK, thanks for that.

Another question I have is: does the IP always have to be located in the middle of the brackets, such as ([*****])?

Such as this header:

Return-Path: <webmaster@jgpholdings.com.au>
X-Envelope-To: webmaster@printforce.com.au
X-Spam-Status: No, hits=0.8 required=5.0
tests=BAYES_00: -1.665,FORGED_RCVD_HELO: 0.266,NO_REAL_NAME: 0.336,
PRIORITY_NO_NAME: 1.836,RCVD_BY_IP: 0.051
X-Spam-Level:
Received: from venus3.veridas.net ([202.52.32.26])
by mail.printforce.com.au
for webmaster@printforce.com.au;
Tue, 22 Nov 2005 07:21:18 +0800
Received: (qmail 7476 invoked from network); 22 Nov 2005 05:43:31 +1000
Received: from dsl-202-52-51-018.nsw.veridas.net (HELO igate1.rwwsor.com.au) (202.52.51.18)
by 202.52.32.207 with SMTP; 22 Nov 2005 05:43:31 +1000
Received: from [192.168.0.235] (helo=iagihmud.au)
by igate1.rwwsor.com.au with smtp (Exim 4.52)
id 1EeHZR-0000qV-Kq; Tue, 22 Nov 2005 06:43:21 +1100
From: webmaster@jgpholdings.com.au
To: GetupQuick@printforce.com.au
Date: Mon, 21 Nov 2005 19:41:07 UTC
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <a3ee9.d2bbcf732546a@jgpholdings.com.au>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==2be6da.f8e35b9f1021"
Content-Transfer-Encoding: 7bit



Would the first Received (202.52.32.26) be the true origin of the email?
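The two questions in this thread (why a whois on a Received IP reports "reserved", and whether the IP is always inside square brackets) come down to walking the Received: chain and checking each source address against the IANA special-purpose ranges. The following is an added example, not code from either poster: it unfolds the raw headers, pulls the IP literal out of each Received: line (in square brackets or in parentheses, as the second header above shows), and labels it with Python's ipaddress module. Both sample header blocks are constructed from the headers quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: the first header from the thread, with folded lines.
SAMPLE_1 = """\
Return-Path: <MerlinBirddescriptor@hav.cubana.avianet.cu>
X-Spam-Status: No, hits=3.2 required=5.0
\ttests=BAYES_50: 1.567,RCVD_ILLEGAL_IP: 1.588
Received: from dsl.static8597204112.ttnet.net.tr ([85.97.204.112])
\tby mail.printforce.com.au;
\tFri, 18 Nov 2005 03:43:44 +0800
Received: from symphony-08.iinet.net.au ([227.142.170.208]:1906 "HELO
\tmail.ies.edu") by ies.edu with SMTP
\tid <S522132AbRLJEtW>; Thu, 17 Nov 2005 21:43:34 +0200
"""

# Constructed sample: the Received: chain of the second header in the thread.
SAMPLE_2 = """\
Received: from venus3.veridas.net ([202.52.32.26])
\tby mail.printforce.com.au
Received: (qmail 7476 invoked from network); 22 Nov 2005 05:43:31 +1000
Received: from dsl-202-52-51-018.nsw.veridas.net (HELO igate1.rwwsor.com.au) (202.52.51.18)
\tby 202.52.32.207 with SMTP; 22 Nov 2005 05:43:31 +1000
Received: from [192.168.0.235] (helo=iagihmud.au)
\tby igate1.rwwsor.com.au with smtp (Exim 4.52)
"""

# An IPv4 literal wrapped in [] or (), as different MTAs write it.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return fields

def classify(ip):
    """Label an address the way a whois 'reserved by IANA' check would."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast (224.0.0.0/4, never a valid sender)"
    if addr.is_private or addr.is_loopback:
        return "private/internal (not traceable from outside)"
    if addr.is_reserved or addr.is_unspecified:
        return "reserved"
    return "routable"

def audit_received(raw):
    """Return [(ip, verdict)] per Received: header, topmost (your own MX) first."""
    hops = []
    for field in unfold(raw):
        if not field.lower().startswith("received:"):
            continue
        m = IP_RE.search(field)
        ip = m.group(1) if m else None
        hops.append((ip, classify(ip) if ip else "no IP literal (local hop)"))
    return hops
```

Only the topmost Received: line was written by your own server; every line below it was supplied by the sender and can be forged, which is why the multicast hop in the first header is flagged while the routable 85.97.204.112 is not.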



output generated using printer-friendly topic mod, All times are GMT + 2 Hours