MLUG: Re: [MLUG - DISCUSSION] IMPORTANT oavoiioi (fwd)
Jonathan King wrote:

> OK, so this looks like Yet Another Fraud, but it wasn't clear to me 
> what was happening from the headers, since I'm not really a 
> "headers" kind of guy.  So can anybody enlighten me?  (Note: I've 
> killed the stupid attachment referred to.)
> 
> jking
> 
> ---------- Forwarded message ----------
> Received: from col-msxproto2.col.missouri.edu ([128.206.3.152]) by
>     COL-EMAIL2.col.missouri.edu with Microsoft SMTPSVC(5.0.2195.6673);
> 	 Wed, 19 Nov 2003 11:27:44 -0600
> Received: from webshield.tlu.edu ([209.184.108.111]) by
>     col-msxproto2.col.missouri.edu with Microsoft SMTPSVC(5.0.2195.6673);
> 	 Wed, 19 Nov 2003 11:27:44 -0600
> Received: from unknown(10.20.80.17) by webshield.tlu.edu via csmap 
> 	 id e20a3cf0_1ab5_11d8_9b8f_00304823f315_23241;
> 	Wed, 19 Nov 2003 17:29:41 +0000 (UTC)
> From: "PayPal.com" <EMAIL:PROTECTED>
> To: KingJW <EMAIL:PROTECTED>
> Reply-To: EMAIL:PROTECTED
> X-Priority: 1 (High)
> Subject: IMPORTANT                                           oavoiioi
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----------6CBCF92200D31ED"
> Return-Path: EMAIL:PROTECTED
> Message-ID: <EMAIL:PROTECTED>
> X-OriginalArrivalTime: 19 Nov 2003 17:27:44.0288 (UTC)
>     FILETIME=[7137DA00:01C3AEC2]
> Date: 19 Nov 2003 11:27:44 -0600
> 
[... skip the message ...]
> 
> This message was content scanned for viruses by the TLU McAfee Webshield.
> 

From what I can tell, the headers look legit, meaning that 
webshield.tlu.edu relayed a message for you from a machine identified as 
10.20.80.17. Whether this machine is really on Texas Lutheran 
University's private network or not is anyone's guess. If the latter, 
then webshield.tlu.edu is an open relay. The last line of the message 
would suggest that it came from the inside because an open relay is 
unlikely to scan e-mail in transit that is originated from and destined 
for the outside. Of course, it all could be faked. You can always write 
to their network admin and ask them to look into it for you.

The following looks suspicious because it doesn't match the e-mail but 
doesn't really mean anything because the university probably has their 
own internal DNS server:

$ host 209.184.108.111    <-- supposedly webshield.tlu.edu
111.108.184.209.in-addr.arpa domain name pointer 
209-184-108-111.txlutheran.edu.

$ host webshield.tlu.edu
Host webshield.tlu.edu not found: 3(NXDOMAIN)

--
MK
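
MK's header walk, as an added example that is not part of the original post: a Python script that parses the Received chain quoted above (the header values are the ones from the forwarded message), checks that each relay's "by" host matches the next hop's "from" host, flags the private and unresolved originating address, and reports the clock skew between relays.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received headers copied from the forwarded message quoted in the thread
# (only the fields this check needs).
RAW_HEADERS = """\
Received: from col-msxproto2.col.missouri.edu ([128.206.3.152]) by
    COL-EMAIL2.col.missouri.edu with Microsoft SMTPSVC(5.0.2195.6673);
     Wed, 19 Nov 2003 11:27:44 -0600
Received: from webshield.tlu.edu ([209.184.108.111]) by
    col-msxproto2.col.missouri.edu with Microsoft SMTPSVC(5.0.2195.6673);
     Wed, 19 Nov 2003 11:27:44 -0600
Received: from unknown(10.20.80.17) by webshield.tlu.edu via csmap
    id e20a3cf0_1ab5_11d8_9b8f_00304823f315_23241;
    Wed, 19 Nov 2003 17:29:41 +0000 (UTC)
"""

# "from <helo-name> (<ip>) by <receiving-host> ... ; <date>"
HOP_RE = re.compile(r"from\s+(\S+?)\s*[(\[]+\s*([\d.]+)\s*[)\]]+\s+by\s+(\S+)", re.I)

def parse_received_chain(raw_headers):
    """Return the relay hops in transit order (originating hop first),
    annotated with the checks MK does by eye in the thread."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom header = first hop
        value = " ".join(value.split())                    # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(2))
        hops.append({
            "from_host": m.group(1), "from_ip": str(ip), "by_host": m.group(3),
            # RFC 1918 source (10.20.80.17 here): the relay vouched for an inside host
            "private_source": ip.is_private,
            # "unknown": the relay could not reverse-resolve the connecting IP
            "unresolved_source": m.group(1).lower() == "unknown",
            "stamp": parsedate_to_datetime(value.rsplit(";", 1)[1].strip()),
        })
    for i, hop in enumerate(hops):
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        # each "by" host should be the next hop's "from" host; a break suggests an inserted header
        hop["chain_ok"] = nxt is None or hop["by_host"].lower() == nxt["from_host"].lower()
        # seconds between this relay's stamp and the next one's (negative: next clock is behind)
        hop["skew_to_next_s"] = None if nxt is None else int((nxt["stamp"] - hop["stamp"]).total_seconds())
    return hops

if __name__ == "__main__":
    for hop in parse_received_chain(RAW_HEADERS):
        print(hop)
```

On these headers the chain is consistent end to end, the only private and unresolved source is the first hop, and webshield.tlu.edu's clock runs about two minutes ahead of the Missouri servers.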

_______________________________________________
discussion mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/discussion