I believe these are likely being sent to the entire available @msu.edu list. Most likely harvested with a script from the people search function. In the header the wording of the X-AntiAbuse block and the fact that it uses Exim leads me to beleive it was sent via a webmail client or web form from a cPanel web server. A whois on the domain dreamdorks.com reveals ... Administrative Contact: Gottlieb, Ryan [log in to unmask] Dream Dorks INC. 5511 Hampshire West Bloomfield, Michigan 48322 United States 2487605183 Fax -- I'm not sure if he is loosely affiliated with MSU, but he doesn't come up from a people search. Although he is in West Bloomfield so chances are somewhat good that he is. On 5/1/05 7:41 PM, "Ray Hernandez" <[log in to unmask]> wrote: > I'm not sure there would be much value with trying to investigate this. > I don't really rate these any higher than the other 400K spams that we > get on a daily basis. We have people on MSU dial-up accounts that send > spams through our server and not much is done to put a stop to that, as > far as I know anyway. My personal feeling is that unless it becomes a > huge problem, it should just be ignored like any other nuisance. > --Ray > > Chris Wolf wrote: >> The server is the same as the Izzo message. The headers on the Izzo message >> showed it to originate from a Comcast customer in Walled Lake, whose >> computer name was EVAN. I would guess this is from the same computer, but >> the sender seems to have figured out how to remove the other info since >> then; this one shows "nobody" as the originator. Seems as though someone at >> MSU ought to be following up on this. >> > > -- Bryan Murphy GuardianLogic, Inc. | http://guardianlogic.com Delivering Security.