
Security Forums


spoofed record?

Ex0dus

Posted: Fri Nov 18, 2005 3:18 am    Post subject: spoofed record?

Not sure if this is the correct area to post, but it is from a spam email so I will give it a try.

First of all, here is the header of it.

Return-Path: <MerlinBirddescriptor@hav.cubana.avianet.cu>
X-Envelope-To: webmaster@printforce.com.au
X-Spam-Status: No, hits=3.2 required=5.0
    tests=BAYES_50: 1.567,RCVD_ILLEGAL_IP: 1.588
X-Spam-Level: ***
Received: from dsl.static8597204112.ttnet.net.tr ([85.97.204.112])
    by mail.printforce.com.au;
    Fri, 18 Nov 2005 03:43:44 +0800
Received: from symphony-08.iinet.net.au ([227.142.170.208]:1906 "HELO
    mail.ies.edu") by ies.edu with SMTP
    id <S522132AbRLJEtW>; Thu, 17 Nov 2005 21:43:34 +0200
Date: Thu, 17 Nov 2005 16:43:34 -0300
Message-Id: <5.1.71.2081924.0083fc70@ies.edu>
From: "Quinton Cohen" <MerlinBirddescriptor@hav.cubana.avianet.cu>
To: <mail@printforce.com.au>
Subject: You can get it only here baseball
List-ID: <mail@printforce.com.au>

When I did a whois on the last IP it came up with "ERROR: IP Range Reserved by IANA.org".

I did a whois on SenderBase of the first and found it did have some records of spam, so the email I suspect came from that.

But I'm just confused as to why the last IP came up with that message. Is it a spoofed record? What's the deal with it being reserved?
zeedo

Posted: Fri Nov 18, 2005 2:47 pm

The IP in question is a multicast IP and therefore should not be used here; this is almost certainly a spoofed header, which your spam filter has spotted.
Ex0dus

Posted: Tue Nov 22, 2005 3:08 am

OK, thanks for that.

Another question I have is: does the IP always have to be located in the middle of the brackets, such as ([*****])?

Such as this header:

Return-Path: <webmaster@jgpholdings.com.au>
X-Envelope-To: webmaster@printforce.com.au
X-Spam-Status: No, hits=0.8 required=5.0
    tests=BAYES_00: -1.665,FORGED_RCVD_HELO: 0.266,NO_REAL_NAME: 0.336,
    PRIORITY_NO_NAME: 1.836,RCVD_BY_IP: 0.051
X-Spam-Level:
Received: from venus3.veridas.net ([202.52.32.26])
    by mail.printforce.com.au
    for webmaster@printforce.com.au;
    Tue, 22 Nov 2005 07:21:18 +0800
Received: (qmail 7476 invoked from network); 22 Nov 2005 05:43:31 +1000
Received: from dsl-202-52-51-018.nsw.veridas.net (HELO igate1.rwwsor.com.au) (202.52.51.18)
    by 202.52.32.207 with SMTP; 22 Nov 2005 05:43:31 +1000
Received: from [192.168.0.235] (helo=iagihmud.au)
    by igate1.rwwsor.com.au with smtp (Exim 4.52)
    id 1EeHZR-0000qV-Kq; Tue, 22 Nov 2005 06:43:21 +1100
From: webmaster@jgpholdings.com.au
To: GetupQuick@printforce.com.au
Date: Mon, 21 Nov 2005 19:41:07 UTC
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <a3ee9.d2bbcf732546a@jgpholdings.com.au>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==2be6da.f8e35b9f1021"
Content-Transfer-Encoding: 7bit



Would the first Received (202.52.32.26) be the true origin of the email?
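An added example, not part of any post in this thread: Python that pulls the connecting IP out of each Received line, whether the MTA wrote it as ([ip]), (ip) or [ip], and labels addresses that cannot belong to a real unicast Internet client, such as the multicast 227.142.170.208 discussed above. The function names and the SAMPLE list are assumptions made for illustration; this is not SpamAssassin's RCVD_ILLEGAL_IP rule.

```python
import ipaddress
import re

# Constructed sample: Received lines from the headers quoted in this thread,
# unfolded to one string each and trimmed, in header order (newest first).
SAMPLE = [
    'from dsl.static8597204112.ttnet.net.tr ([85.97.204.112]) by mail.printforce.com.au; Fri, 18 Nov 2005 03:43:44 +0800',
    'from symphony-08.iinet.net.au ([227.142.170.208]:1906 "HELO mail.ies.edu") by ies.edu with SMTP',
    '(qmail 7476 invoked from network); 22 Nov 2005 05:43:31 +1000',
    'from dsl-202-52-51-018.nsw.veridas.net (HELO igate1.rwwsor.com.au) (202.52.51.18) by 202.52.32.207 with SMTP',
    'from [192.168.0.235] (helo=iagihmud.au) by igate1.rwwsor.com.au with smtp (Exim 4.52)',
]

# An IPv4 literal wrapped in [] or (), as MTAs write the connecting address.
IP_LITERAL = re.compile(r'[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]')

def source_ip(received):
    """Return the connecting IP recorded in the 'from' clause, or None."""
    if not received.lstrip().startswith('from'):
        return None                      # e.g. qmail's "(qmail ... invoked ...)"
    # Only look before " by ": addresses after it belong to the receiving host.
    from_clause = re.split(r'\sby\s', received, maxsplit=1)[0]
    for literal in IP_LITERAL.findall(from_clause):
        try:
            return ipaddress.ip_address(literal)
        except ValueError:               # octet > 255: not an address
            continue
    return None

def classify(ip):
    """Label an address by whether it can be a real Internet SMTP client."""
    if ip is None:
        return 'no-ip'
    if ip.is_multicast:                  # 224.0.0.0/4
        return 'multicast'
    if ip.is_reserved:                   # 240.0.0.0/4
        return 'reserved'
    if ip.is_private:                    # RFC 1918, loopback, link-local
        return 'private'
    return 'public'

def audit(received_lines):
    """Return (ip_string, label) per Received line, in header order."""
    hops = [source_ip(line) for line in received_lines]
    return [(str(ip) if ip else None, classify(ip)) for ip in hops]

if __name__ == '__main__':
    for ip, label in audit(SAMPLE):
        print(f'{ip!s:<16} {label}')
```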
All times are GMT + 2 Hours