Re: Fraud: 163.21.153.3 mail.jjes.tp.edu.tw
- Date: Mon, 18 Feb 2002 15:12:57 +0100
On Mon, Feb 18, 2002 at 02:43:08PM +0100, Gunnar Lindberg wrote:
> I could make use of some advice. Now and then we receive SpamCop
[...]
> >Received: from foo ([192.71.1.254]) by mail.jjes.tp.edu.tw
>
> It seems like mail.jjes.tp.edu.tw[163.21.153.3] 1) is an open Relay
> and 2) rewrites Received: so that they always claim [192.71.1.254] is
> the spam originator.

This might be explained using incompetence, rather than malice. The box
you're connecting to might be doing NAT and port forwarding in a clumsy
way, and using a non-private IP address block internally: your 192.71.1/24.
(of course, I'm just guessing they are using a /24...).

If this is the case, then the mail server always sees the connection coming
from the gateway's internal IP address, which just happens to be your IP
space.

If this is the case, you could try making a connection from 192.71.1.254,
or possibly from any other host in that /24. If the connection cannot be
made, it supports my theory.

It might help if you know whether it is incompetence or malice. In the
first case, it might help to send helpful suggestions (such as RFC1918).

Good luck!
--
#!perl -pl # This kenny-filter is virus-free as long as you don't copy it
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):('m',p,f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet
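
Added example, not part of the original message: a check over the Received: lines of several complaints that establishes the symptom discussed above, namely that the relay records one and the same non-RFC1918 peer address for every message. The HELO names `bar` and `baz`, the `min_samples` threshold and the function names are assumptions; the result fits both the NAT theory and header rewriting and does not tell them apart.

```python
import ipaddress
import re
from collections import Counter

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the header form quoted in the thread:
#   Received: from foo ([192.71.1.254]) by mail.jjes.tp.edu.tw
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)", re.I)

def parse_received(line):
    """Return (helo, peer_ip, recording_host), or None if the line does not parse."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    helo, ip, by = m.groups()
    try:
        return helo, ipaddress.ip_address(ip), by.lower()
    except ValueError:  # bracketed text was not a valid address
        return None

def peers_seen_by(relay, header_lines):
    """Count the peer addresses recorded in hops written by `relay`."""
    counts = Counter()
    for line in header_lines:
        parsed = parse_received(line)
        if parsed and parsed[2] == relay.lower():
            counts[parsed[1]] += 1
    return counts

def looks_like_single_gateway(relay, header_lines, min_samples=3):
    """True when every hop the relay logged shows one identical non-RFC1918 peer."""
    counts = peers_seen_by(relay, header_lines)
    if sum(counts.values()) < min_samples or len(counts) != 1:
        return False
    (peer,) = counts
    return not any(peer in net for net in RFC1918)

# Constructed sample: one Received: line from each of three separate complaints.
SAMPLE = [
    "Received: from foo ([192.71.1.254]) by mail.jjes.tp.edu.tw",
    "Received: from bar ([192.71.1.254]) by mail.jjes.tp.edu.tw",
    "Received: from baz ([192.71.1.254]) by mail.jjes.tp.edu.tw",
]
```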