You are here: Home > Participate > Join a Discussion > Mailman Archives
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

Re: About the Unsolicited Use of Our Legal IP Addresses

  • To: RIPE anti-spam WG < >
  • From: Rodney Tillotson < >
  • Date: Mon, 29 Jul 2002 15:28:20 +0100

At 29/07/2002 12:17 +0300, Muharrem Ay wrote:

> We don't want to be put in the blacklists or shitlists of
> organizations. We would like to get help from you to do this.
> Also, we would be glad if you can tell us what exactly is
> being happening, and what can we be done to get rid.

First, what has happened. Your analysis was right and I've
just written it out in more detail here.

The top Received: line is internal to MSN. Not interesting.

The next line says that the MSN mailer had the message from, somewhere in China. I have to guess that the
person who complained to you did not change that IP address.
In this line, '' is a meaningless forgery. The
bulk mailer connected from the Chinese system with
'HELO' to confuse anyone reading the header.

There is no connection between that line and the other
Received: lines, so you have to assume they are fictional
and included by the bulk mailing program to confuse anyone
reading the header. _None_ of these addresses:,,,

or these domain names:,,,

had any part in the origination or transmission of the message.

The message passed by the bulk mailer in the DATA phase already
included all the false Received: lines.

So who has done anything wrong here?

The managers of, who left it insecure either
as an open mail relay (not to my casual test), an open proxy
server of some kind (it is listening on port 1080), or a system
vulnerable to root compromise.

The person who sent the bulk mail. That could be a manager or
user of but it probably wasn't. The managers
might in principle be able to partly trace the misuse but they
probably won't.

The person operating the advertised Web site. Unfortunately the
URL in the mail is a free Tripod page for which the only
responsibility Tripod will accept is to remove it. Perhaps
nobody has asked them, because it's still there at present.

The person operating the site that the downloaded program
FreeAccess.exe connects to. I haven't dared to try that :-)

I believe you should complain to Tripod (in VE and US), to
Chinanet and perhaps to CN-CERT. There is no guarantee that any
of them will help you but they may close an account and the
bulk mailer may move on to some different forged Received:

Other people may take a more optimistic view?

Rodney Tillotson, JANET-CERT
+44 1235 822 255.

Received: from ([])
 with Microsoft SMTPSVC(5.0.2195.4905);
 Sun, 28 Jul 2002 00:31:59 -0700
Received: from ([])
 by with Microsoft SMTPSVC(5.0.2195.4905);
 Sun, 28 Jul 2002 00:31:52 -0700
Received: from [] by with SMTP;
 Jul, 28 2002 12:19:32 AM +0300
Received: from [] by with QMQP;
 Jul, 27 2002 11:05:48 PM -0200
Received: from ([])
 by with QMQP;
 Jul, 27 2002 10:28:43 PM +0300
Received: from unknown (HELO
 ( by with QMQP;
 Jul, 27 2002 9:14:49 PM -0200
From: Vim hing@localhost <
>> To: You Cc: Subject: School Girl Teens Caught Fuck'n In Showers !!!!! dmlwt Sender: Vim hing@localhost Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Date: Sun, 28 Jul 2002 00:32:48 -0700 X-Mailer: MIME-tools 5.503 (Entity 5.501) X-Priority: 1 Return-Path: hing@localhost Message-ID: <
> X-OriginalArrivalTime: 28 Jul 2002 07:31:59.0606 (UTC) FILETIME=[DBDBF960:01C23608] HOT FREE MORPHEUS XXX MILLIONS OF MOVIES AND PICS TO DOWNLOAD FOR FREE!!! Click Here <>To Download Free Software! P.S DOWNLOAD IT NOW BEFORE IT'S GONE!

  • Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>