Fraud: 163.21.153.3 mail.jjes.tp.edu.tw
- Date: Mon, 18 Feb 2002 14:43:08 +0100 (MET)
I could make use of some advice. Now and then we receive SpamCop
complaints that one of our C-nets is used as spam source. I can tell
with a fairly high degree of confidence that this is not the case
and since the next mail host in the Received: chain has always been
the same, I eventually tested it, sending to/from myself; you can
see the SMTP dialogue and the returned/relayed mail below. NB:
>Received: from foo ([192.71.1.254]) by mail.jjes.tp.edu.tw
It seems like mail.jjes.tp.edu.tw[163.21.153.3] 1) is an open Relay
and 2) rewrites Received: so that they always claim [192.71.1.254] is
the spam originator.
I've sent them complaints via the ARIN contact and a few other addr.
Anybody got an idea on what else to do?
Gunnar Lindberg
SMTP dialogue:
gbgmisc.gbg.sunet.se[192.36.224.40]% telnet 163.21.153.3 smtp
220 mail.jjes.tp.edu.tw ESMTP server
(Netscape Messaging Server - Version 3.6)
ready Mon, 18 Feb 2002 16:28:37 +0800
HELO foo
250 mail.jjes.tp.edu.tw
MAIL From:lindberg@localhost
250 Sender lindberg@localhost Ok
RCPT To:lindberg@localhost
250 Recipient lindberg@localhost Ok
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
Mail returned:
>From lindberg@localhost Mon Feb 18 09:32:50 2002
>Return-Path: lindberg@localhost
>From: lindberg@localhost
>Received: from mail.jjes.tp.edu.tw ([163.21.153.3])
> by gbgmisc.gbg.sunet.se (8.8.8/8.8.8) with ESMTP id JAA21244
> for lindberg@localhost;
> Mon, 18 Feb 2002 09:32:19 +0100 (MET)
>Received: from foo ([192.71.1.254]) by mail.jjes.tp.edu.tw
> (Netscape Messaging Server 3.6) with SMTP id 1968
> for lindberg@localhost;
> Mon, 18 Feb 2002 16:29:22 +0800
>To: lindberg@localhost
>Subject: 163.21.153.3 mail.jjes.tp.edu.tw
>Date: Mon, 18 Feb 2002 16:29:22 +0800
>Message-ID: <20020218082837750.AAA1364.1968@localhost
Syslog:
Feb 18 09:32:47 gbgmisc.gbg.sunet.se sendmail[21244]: JAA21244:
from=lindberg@localhost,
size=894, class=0, pri=30894, nrcpts=1,
msgid=<20020218082837750.AAA1364.1968@localhost, proto=ESMTP,
relay=[163.21.153.3]
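
Added example, not part of the original post: only the Received: line stamped by the receiving host, and matching relay= in that host's own sendmail log, records an address the receiver actually observed. The line below it is whatever the relay chose to write. This Python sketch separates the two using the headers and log entry quoted above; the function names are hypothetical.

```python
import re
from email import message_from_string

# Headers copied from the returned mail in the post (mbox "From " line omitted).
RETURNED_MAIL = """\
Return-Path: lindberg@localhost
From: lindberg@localhost
Received: from mail.jjes.tp.edu.tw ([163.21.153.3])
\tby gbgmisc.gbg.sunet.se (8.8.8/8.8.8) with ESMTP id JAA21244
\tfor lindberg@localhost;
\tMon, 18 Feb 2002 09:32:19 +0100 (MET)
Received: from foo ([192.71.1.254]) by mail.jjes.tp.edu.tw
\t(Netscape Messaging Server 3.6) with SMTP id 1968
\tfor lindberg@localhost;
\tMon, 18 Feb 2002 16:29:22 +0800
To: lindberg@localhost
Subject: 163.21.153.3 mail.jjes.tp.edu.tw

"""
# The sendmail log entry from the post, joined onto one line.
SYSLOG = ("Feb 18 09:32:47 gbgmisc.gbg.sunet.se sendmail[21244]: JAA21244: "
          "from=lindberg@localhost, size=894, class=0, pri=30894, nrcpts=1, "
          "msgid=<20020218082837750.AAA1364.1968@localhost, proto=ESMTP, "
          "relay=[163.21.153.3]")

HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """Return (helo, ip, by_host) for each Received: header, newest first."""
    values = message_from_string(raw).get_all("Received", [])
    return [m.groups() for m in map(HOP.search, values) if m]

def logged_peer(line):
    """Extract the peer IP from sendmail's relay=[ip] or relay=host [ip]."""
    m = re.search(r"relay=(?:\S+\s)?\[([0-9.]+)\]", line)
    return m.group(1) if m else None

def split_hops(hops, our_mtas, peer_ip):
    """Verified: stamped by our MTA and equal to the logged peer. Rest: claimed."""
    verified, claimed = [], []
    for hop in hops:
        _, ip, by = hop
        # Once one hop is unverified, everything older is unverified too.
        if not claimed and by in our_mtas and ip == peer_ip:
            verified.append(hop)
        else:
            claimed.append(hop)
    return verified, claimed
```

Here 163.21.153.3 is the only address confirmed by both the header and the log; 192.71.1.254 appears solely in the header written by mail.jjes.tp.edu.tw.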