Re: [anti-spam-wg@localhost] Spam form unassigned IP address???

• From: furio ercolessi < >
• Date: Wed, 17 Sep 2003 13:22:08 +0200

On Wed, Sep 17, 2003 at 02:13:52PM +0300, Esa Laitinen wrote:
> On Wed, Sep 17, 2003 at 11:05:40AM +0400, Igor Knyazev wrote:

> > >Return-path: info@localhost
> > >Received: from [202.56.239.41] (helo=CIDEX01)
> > >        by server10.pronicsolutions.com with smtp (Exim 4.20)
> > >        id 19zVjE-0000yv-U1; Wed, 17 Sep 2003 02:23:54 -0400
> > >Received: from 4dqqx.9xtxu.net [34.148.84.48] by CIDEX01 for chairman@localhost; Wed, 17 Sep 2003 10:17:24

> Somebody is forging your e-mail address, and using open relays to do it.
> 
> 202.56.239.41 is owned by a company in India, see 
> http://www.geektools.com/whois.php?query=202.56.239.41 . It seems to be 
> an open relay.
> 
> http://www.geektools.com/whois.php?query=34.148.84.48 points to 
> Halliburton. Do they have zombie address ranges?

34/8 is notoriously hijacked (in fact, it is probably the largest
network hijacked ever), but in this case 202.56.239.41 is an open
proxy, not an open relay [ http://dsbl.org/listing?ip=202.56.239.41 ],
so there is no reason to believe that the second Received: line
is real.

Also note that 34.148.84.48 is not routed on the Internet at this
point in time:
route-views.oregon-ix.net>sh ip bgp 34.148.84.48
% Network not in table

furio ercolessi
Spin

• Post To The List:

• References:
  • [anti-spam-wg@localhost] Spam form unassigned IP address???
    • From: Igor Knyazev
  • Re: [anti-spam-wg@localhost] Spam form unassigned IP address???
    • From: Esa Laitinen