Received: from aol.com (inter722.internet.com.mx [220.127.116.11])
by valinor.eldar.org (8.8.8/8.8.5) with SMTP id GAA29712
for <email@example.com>; Sun, 21 Mar 1999 06:42:08 -0500 (EST)

Above shows a dialup owned by internet.com.mx connecting to your
host valinor.eldar.org. Dialup calls itself aol.com in the smtp
greeting ("HELO aol.com") but your sendmail has properly identified
the real hostname and IP inside () marks. This is forgery, but note
that mismatch sometimes is not a sign of problems but just means the
host has alternate or vanity names.

The From address is faked to the victim. The idea is to get your
majordomo system to participate in filling the victim's mailbox.
It will send at least one message back to the From address. If you
allow subscribe_policy "auto" it will send list mail until the
Perpetrator has an old list of lists (it's months out of date for our
majordomo lists anyway). Faked mail is usually a lot of "help"
commands, and then "subscribe" to every list the perp thinks you
have. We are seeing about 200 messages per victim.

The real source of mail is dialups (seen so far) owned by
telmex.net.mx (March 12-19), data.net.mx (March 19), and
internet.com.mx (March 19-20).

Administrator of telmex.net.mx sent me mail late Friday saying they
found the account used and cancelled it. This matches no more
attempts from them. I'm adopting a wait-and-see as to whether the
person can just open another account. We're rejecting mail from
their dialup IPs. Their dialup users shouldn't be connecting straight
to us anyway.

I didn't have time yet to draw up a report to data.net.mx but we are
rejecting their dialups as well. We got and rejected an attempt from
there over the weekend.

I just saw internet.com.mx this morning. Their hostnames are not
available through nslookup, so I can't make a list of their dialups.
Obviously 207.249.191. looks like something to start with.

Joseph Brennan
Postmaster, Academic Information Systems
Columbia University in the City of New York
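As an added illustration (not code from the post or from Columbia's systems) of the two checks described above, the following parses sendmail-style Received lines of the form quoted at the top, flags a HELO name that does not belong to the domain the connecting IP reverse-resolves to, and flags IPs inside dialup pools a site has chosen to reject. The netblock list and the second sample line are constructed; the 207.249.191.0/24 prefix is the starting point the post names.

```python
import re
import ipaddress

# Matches the start of a sendmail-style Received line:
# "from <HELO name> (<reverse-DNS hostname> [<IP>]) by ..."
# Only the first folded line is needed; the "by" part is ignored.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
)

# Constructed list of dialup pools rejected outright; the post names
# 207.249.191. as something to start with, so it is used as a /24 here.
REJECTED_DIALUP_NETS = [ipaddress.ip_network("207.249.191.0/24")]

# Constructed sample input: the header quoted in the post (unfolded onto
# one line) plus a made-up dialup whose HELO name matches its reverse DNS.
SAMPLE_RECEIVED = [
    "from aol.com (inter722.internet.com.mx [220.127.116.11]) "
    "by valinor.eldar.org (8.8.8/8.8.5) with SMTP id GAA29712",
    "from dial12.example.net.mx (dial12.example.net.mx [207.249.191.12]) "
    "by valinor.eldar.org (8.8.8/8.8.5) with SMTP id GAA29713",
]

def registrable_domain(hostname):
    """Crude comparison on the last two labels; enough for the names here."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def check_received(line):
    """Return what the Received line reveals, or None if it does not parse."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
    addr = ipaddress.ip_address(ip)
    return {
        "helo": helo,
        "rdns": rdns,
        "ip": ip,
        # HELO name is outside the domain the IP reverse-resolves to. As the
        # post notes, this alone is only a hint: vanity names cause it too.
        "helo_mismatch": registrable_domain(helo) != registrable_domain(rdns),
        # Connecting IP lies in a pool the site has decided to reject.
        "in_rejected_dialup": any(addr in net for net in REJECTED_DIALUP_NETS),
    }

def triage(lines):
    """Run check_received over a batch of Received lines, dropping unparsable ones."""
    return [r for r in (check_received(l) for l in lines) if r is not None]
```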