Re: spam alert - tealaden.com
- From: "Dominic T." <dominictiberio@xxxxxxxxx>
- Date: 3 Aug 2006 14:00:04 -0700
Scott Dorsey wrote:
> Okay... run this by me again?
>
> I have a spam e-mail. I can look at the headers, and I see that it has
> made three hops... one from the spammer's machine, one from his ISP's
> mail server, one to the mail server at Panix.
>
> (If the thing was sent through an anonymizing relay, of course, all bets
> are off and only the Received: line from the Panix server is accurate.
> But this is not the case here).
>
> So you are saying you have access to the logs of the remote ISP's mail
> server? Huh?

This is NOT something the regular Joe can do. I mentioned before I have
access to tools, resources, and people (friends) who are all
security-related professionals. Again, please check out http://www.cert.org/ to
get some idea of what level I'm speaking about. We are talking about
federally funded computer security centers that help map and process
threats, attacks, viruses, spam, and much more for national and
international use. In short, yes, I can gain access to the actual logs.

> Are you referring to CC'ed addresses actually in the header, or are you
> actually grabbing the logs from the user's ISP? Or are you only reading
> the logs on your own mail relay?

Starting with the logs which are attainable, one can then see the
actual block of emails sent, and also the malformed ones that did not
send but are sitting in queue. Since the malformed ones will never
reach a real destination there are ways to capture these when they are
attempted to be resent. The entire malformed email is then readable.
When email after email contains code instead of an actual email address
you can read the code that was grabbed by the program generating the
emails and determine a lot about them.

Again, does that answer your question?
- Dominic
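
An added example, not part of either poster's message: a sketch of the header reading described in the quoted text, walking the Received: lines newest-first and treating a hop as reliable only while it was stamped by the recipient's own mail server. It generalizes the relay caveat to any line added before the recipient's server took over; the sample message, hostnames, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message: hostnames and addresses are made up
# (documentation ranges), not taken from the thread.
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.25])
\tby mx.recipient.example with ESMTP id A1; Thu, 3 Aug 2006 13:00:03 -0700
Received: from sender-pc (unknown [198.51.100.7])
\tby mail.isp.example with SMTP id B2; Thu, 3 Aug 2006 13:00:01 -0700
Received: from bank.example (bank.example [203.0.113.9])
\tby relay.example with SMTP id C3; Thu, 3 Aug 2006 12:59:00 -0700
From: someone@isp.example
Subject: constructed sample

body
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as written by common MTAs.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)")

def received_chain(raw, trusted_hosts):
    """Return hops newest-first; a hop is trusted only while every line
    so far was stamped ('by') by one of our own servers."""
    msg = message_from_string(raw)
    hops, in_trusted_run = [], True
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m:
            in_trusted_run = False  # an unparseable line breaks the chain
            hops.append({"raw": value, "trusted": False})
            continue
        hop = m.groupdict()
        in_trusted_run = in_trusted_run and hop["by"].lower() in trusted_hosts
        hop["trusted"] = in_trusted_run
        hops.append(hop)
    return hops

def handoff_ip(raw, trusted_hosts):
    """IP that connected to our server: taken from the oldest trusted hop."""
    trusted = [h for h in received_chain(raw, trusted_hosts) if h["trusted"]]
    return trusted[-1]["ip"] if trusted else None

if __name__ == "__main__":
    for h in received_chain(SAMPLE, {"mx.recipient.example"}):
        print(h.get("by"), h.get("ip"), "trusted" if h["trusted"] else "sender-supplied")
```

Everything below the first untrusted hop is text the sending side could have written, so it is a lead to check with the named provider, not evidence by itself.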