-
February 17th, 2006, 03:28 PM
#1
Junior Member
Does this email header contain a spoofed IP address?
I have a yahoo email account and I keep on getting scam emails asking me to go to a scam paypal website and enter my information. When I check the headers of this email I see this as the originating server and ip address...
from mail.com (86-120-2-152.rdsnet.ro [86.120.2.152] (may be forged)). The server name looks like it's from Romania and a WHOIS search of the IP address shows it's someone from Romania.
My question is, is this a spoofed IP address? Is that what "may be forged" means? Thank you.
-
February 17th, 2006, 04:08 PM
#2
Well "spoofed" is just the IT term for "forged" in other walks of life, so I suppose the answer to your question is "yes".
The interesting bit is who/what is suggesting the forgery, and how are they determining this?
Also, how to wind these guys up?.................I don't know where you are but I would be inclined to visit the site and give them some bogus, but erroneous info.
Here I would create a paypal account with nothing in it and watch the scam scum try to collect. If they get paid I would not give a crap because fringe operations like paypal are not "licenced credit brokers"..........................Heffner (Playboy) had his UK operation closed because he did not keep an eye on our laws in those areas so even big fish can be fried?
-
February 17th, 2006, 04:14 PM
#3
First of all.. SMTP is TCP based. It is very, very difficult (if not impossible) to spoof a fully blown TCP connection across the Internet.. TCP spoofing can be done but it's highly unlikely..
The "may be forged" refers to the reverse lookup done by the mailserver..
http://www.sendmail.org/faq/section3.html#3.38
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 17th, 2006, 04:26 PM
#4
-
February 17th, 2006, 04:49 PM
#5
Checking forward/reverse lookups is nice but... I've noticed a lot of email servers where this doesn't work.. I've also run into several anti-spam solutions that check to see if the sender is the same as the MX record for that domain. That doesn't work either.. And I'm not even going to mention the performance penalty (2-3 DNS lookups per email.. Getting 10 emails a day is doable. Getting 10 every second is a whole other story)..
The reasons are simple.. At my last job we had these same problems..
The mail was split up into incoming and outgoing.. Both had different IP addresses.. So the MX record points to the incoming mailserver.. Checking our outgoing server's IP address didn't match with the MX record (the outgoing server wasn't accessible from the outside).. So "they" thought we were spammers
The other problem was network based load-balancing.. Different hostnames (injected by the mailserver) coming/going to the same IP address (because of the load-balancers).. This meant forward/reverse lookups didn't work either..
Oliver's Law:
Experience is something you don't get until just after you need it.
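The checks described in posts #3 and #5 (the reverse lookup behind sendmail's "(may be forged)" tag, and the forward/reverse matching that breaks on split or load-balanced mail setups) can be shown in a few lines. This is an added example, not code from the thread or from sendmail: it parses the quoted Received clause and runs a forward-confirmed reverse DNS check against a constructed DNS table, so it runs offline. The hostname and IP come from the thread; the PTR and A records in the table, and the other addresses, are made up for illustration and do not reflect real DNS data.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed Received clause, modelled on the one quoted in post #1.
RECEIVED_LINE = "from mail.com (86-120-2-152.rdsnet.ro [86.120.2.152] (may be forged))"

# Sendmail-style clause: "from <HELO name> (<PTR name> [<ip>] ...)".
# The HELO name is whatever the client claimed; the server never verifies it.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ptr>[^\s\[\]]+)\s+\[(?P<ip>[0-9.]+)\]"
)

def parse_received(line: str) -> Dict[str, str]:
    """Split a Received clause into the claimed HELO name, the PTR name the
    receiving server looked up, and the IP address of the TCP connection."""
    m = _RECEIVED_RE.search(line)
    if not m:
        raise ValueError("not a recognised Received clause")
    return {"helo": m.group("helo"), "ptr": m.group("ptr"), "ip": m.group("ip")}

# Constructed DNS data standing in for real lookups (assumption: the real
# records are never consulted). The reverse name for 86.120.2.152 is the one
# from the thread; the forward address it resolves to here is invented so
# that the mismatch case can be demonstrated.
PTR_RECORDS: Dict[str, Optional[str]] = {
    "86.120.2.152": "86-120-2-152.rdsnet.ro",  # reverse record exists
    "203.0.113.9": "mx.example.net",          # reverse record exists
    "198.51.100.7": None,                      # no reverse record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "86-120-2-152.rdsnet.ro": ["86.120.2.150"],  # forward does NOT include the IP
    "mx.example.net": ["203.0.113.9"],          # forward confirms the IP
}

def ptr_lookup(ip: str) -> Optional[str]:
    """Stub for a PTR query against the constructed table."""
    return PTR_RECORDS.get(ip)

def a_lookup(name: str) -> List[str]:
    """Stub for an A query against the constructed table."""
    return A_RECORDS.get(name, [])

def fcrdns_check(ip: str,
                 ptr: Callable[[str], Optional[str]] = ptr_lookup,
                 fwd: Callable[[str], List[str]] = a_lookup) -> Tuple[Optional[str], str]:
    """Forward-confirmed reverse DNS, in the spirit of what sendmail does when
    a client connects: look up the PTR for the peer IP, then check that the
    name it returns resolves back to that IP. Verdicts: 'confirmed',
    'may be forged' (PTR name does not resolve to the peer IP) or
    'no reverse record'. None of these says the TCP peer address was spoofed;
    the IP is the address the server actually talked to."""
    name = ptr(ip)
    if name is None:
        return None, "no reverse record"
    if ip in fwd(name):
        return name, "confirmed"
    return name, "may be forged"

def assess(line: str) -> Dict[str, str]:
    """Combine parsing and the FCrDNS verdict into one record an analyst can
    read. The HELO name is reported but deliberately not trusted."""
    parts = parse_received(line)
    name, verdict = fcrdns_check(parts["ip"])
    return {
        "connecting_ip": parts["ip"],
        "claimed_helo": parts["helo"],  # unverified, client-supplied
        "ptr_name": name or "",
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(assess(RECEIVED_LINE))
    print(fcrdns_check("203.0.113.9"))
    print(fcrdns_check("198.51.100.7"))
```

The "may be forged" verdict for the thread's line comes purely from the PTR name failing to resolve back to the connecting address; the address itself is still the real TCP peer, which is the point post #3 makes. The split incoming/outgoing and load-balanced setups from post #5 land in exactly this "may be forged" bucket too, which is why the tag is a hint for an analyst rather than a spam verdict on its own.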
-
February 17th, 2006, 05:15 PM
#6
Junior Member
Thanks for your replies. Upon further review I think that the IP is probably not spoofed. I just received a scam ebay email that directs me to a scam ebay site. Below is a truncated version of the website address. I will post the entire address if it's permissible (I don't want to be accused of promoting traffic to a scam site).
http://195.22.226.174/.ws/login/security/index.htm
IP 195.22.226.174 is traced to Chisinau (a country between the Ukraine and Romania), probably the same guys. Also the header information in the ebay email gives me this IP address...
85.204.159.121
A whois search of this address also says that it is from Romania. I don't think they are spoofing me. Again, probably the same guys and not a spoof. They found my ebay name and the email associated with my ebay account (and thus my paypal email address).
-
February 17th, 2006, 05:42 PM
#7
Also, how to wind these guys up?.................I don't know where you are but I would be inclined to visit the site and give them some bogus, but erroneous info.
Hey Johnno,
Are you sure this would be a good idea? Could this confirm for them that they have a "live" email address and set you up for getting a lot more spam? Also, there is no telling what else they may have waiting in store for visitors.
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
-
February 17th, 2006, 05:49 PM
#8
Junior Member
Originally posted here by preacherman481
Hey Johnno,
Are you sure this would be a good idea? Could this confirm for them that they have a "live" email address and set you up for getting a lot more spam? Also, there is no telling what else they may have waiting in store for visitors.
Correct me if I'm wrong, but I think that they could only do this if I clicked on the link in my email or replied to them. If I simply copy the link from the email it shouldn't be an issue.
-
February 17th, 2006, 05:53 PM
#9
Good point. But still, it's possible they might try some other tricks on people visiting their "site" besides stealing personal information.
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
-
February 17th, 2006, 06:07 PM
#10
Junior Member
Originally posted here by preacherman481
Good point. But still, it's possible they might try some other tricks on people visiting their "site" besides stealing personal information.
Ah, I see what you mean... viruses or tracking cookies, right? My OS is patched, my browser is Firefox (with very stringent security settings), I have an updated virus scanner and a firewall so I should be okay (I hope).
I just received two more fake paypal emails and another fake ebay email. Man, what gives?