This spoofing campaign appears to be marching through the mail.msu.edu
directory.

I was taught that one reports problems to the help desk.  The help
desk suggested that I block my own @msu.edu sender address.  I suggest
that the help desk and the mail staff examine the pattern of spoofing
addresses out of mail.msu.edu and see if they can't add a filter to
stop this.  Since MSU uses a person's [log in to unmask] address for
official communication, it obviously makes no sense to suggest
filtering your own MSU NetID.

Hundreds of thousands of spam messages are filtered by robotic means
every day.  When someone reports a new pattern of spam not caught by
robots, it'd be good to refine the algorithm, not suggest that one
block oneself.

/rich

On Sat, Sep 17, 2011 at 9:14 PM, Leo Sell <[log in to unmask]> wrote:
> Better to forward such as these to [log in to unmask] I sent yours on.
>
> Frankly, as you know, true spoofing is pretty hard to block.
>
>
>
> On 9/17/11 6:54 PM, Richard Wiggins wrote:
>>
>> Over the last few days I've gotten a lot of spam spoofing my address
>> of [log in to unmask] as both sender and receiver.  When I wrote
>> [log in to unmask] they advised me to block the sender.  While I could do
>> that, for the naive eye, the sender is a faux me, and for the more
>> sophisticated eye, the sender varies.
>>
>> Here is the latest spam mail, including headers, showing that various
>> @msu.edu mailboxes are targets.  Maybe ATS could investigate and block
>> this.
>>
>> /rich
>>
>>
>> Delivered-To: [log in to unmask]
>> Received: by 10.220.150.66 with SMTP id x2cs100855vcv;
>>         Sat, 17 Sep 2011 02:54:07 -0700 (PDT)
>> Received: by 10.101.199.1 with SMTP id b1mr322199anq.113.1316253246653;
>>         Sat, 17 Sep 2011 02:54:06 -0700 (PDT)
>> Return-Path:<[log in to unmask]>
>> Received: from mx50.mail.msu.edu (mx50.mail.msu.edu [35.9.75.200])
>>         by mx.google.com with ESMTPS id
>> q20si7319259ann.202.2011.09.17.02.54.05
>>         (version=TLSv1/SSLv3 cipher=OTHER);
>>         Sat, 17 Sep 2011 02:54:05 -0700 (PDT)
>> Received-SPF: neutral (google.com: 35.9.75.200 is neither permitted
>> nor denied by best guess record for domain of [log in to unmask])
>> client-ip=35.9.75.200;
>> Authentication-Results: mx.google.com; spf=neutral (google.com:
>> 35.9.75.200 is neither permitted nor denied by best guess record for
>> domain of [log in to unmask]) [log in to unmask]; dkim=pass
>> [log in to unmask]
>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>> d=msu.edu; s=mail;
>>  h=Subject:Content-Transfer-Encoding:Message-ID:Content-Type:MIME-Version:Date:Subject:To:From;
>> bh=PPHK/Wp7KaXpYd/lArfkx4/wCaK+c9q7uYlkDGfsAls=;
>>  b=PyByD4v7moLaK3up8gthlqFqDTy/KILfGbhldZR7oNVTRkpL6yR0L3O0MfUYDo8eqVBdehOIqhzSjbFYDpasXiikp9jzHmEbYCFOEQUFXrGWbE4AyOtqxxKyfKUql1C6RRYXr4bGG8JaODfrGYvmYTTDkQZGtH55DJMu7mZ+QdA=;
>> Received: from [31.162.119.179]
>>        by mx50.mail.msu.edu with esmtp (Exim 4.75 #3)
>>        id 1R4rb1-0003Ql-J8; Sat, 17 Sep 2011 05:54:04 -0400
>> Received: from 31.162.119.179(helo=fkdafof.affywvodwzspl.su)
>>        by  with esmtpa (Exim 4.69)
>>        (envelope-from )
>>        id 1MMYGQ-2440yd-8T
>>        for [log in to unmask]; Sat, 17 Sep 2011 14:54:02 +0500
>> From:<[log in to unmask]>,
>>        <[log in to unmask]>,
>>        <[log in to unmask]>
>> To:<[log in to unmask]>,
>>        <[log in to unmask]>,
>>        <[log in to unmask]>
>> Subject: FW: Update your PC
>> Date: Sat, 17 Sep 2011 14:54:02 +0500
>> MIME-Version: 1.0
>> Content-Type: text/html
>>        charset="iso-8859-1"
>> X-Priority: 3
>> X-Mailer: dztg-77
>> Message-ID:<[log in to unmask]>
>> Content-Transfer-Encoding: quoted-printable
>> X-Virus: None found by Clam AV
>> X-Spam-Level: ******
>> X-Spam-Report: All incoming messages to mail.msu.edu are analyzed for
>> typical spam
>>  characteristics. See http://techbase.msu.edu/article.asp?id=11475 for
>>  additional report information.
>>
>>  Content preview:  Best online (pirated) software: 92.63.81.93,Good Luck
>> [...]
>>
>>
>>  Content analysis details:   (6.3 points, 5.0 required)
>>
>>   pts rule name              description
>>  ---- ----------------------
>> --------------------------------------------------
>>   3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>>                              [31.162.119.179 listed in zen.spamhaus.org]
>>   1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
>>                              [31.162.119.179 listed in
>> bb.barracudacentral.org]
>>   0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay
>> lines
>>   0.0 HTML_MESSAGE           BODY: HTML included in message
>>   1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>> X-Spam-Score: 6.3
>> Subject: *****SPAM***** FW: Update your PC
>>
>> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
>> <HTML><HEAD>
>>
>
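The filter the thread asks the mail staff for can be expressed from the headers quoted above. The thing to look at is not the forged lower Received line (the one with "by  with esmtpa" and an empty envelope-from, which SpamAssassin flags as UNPARSEABLE_RELAY) but the line mx50.mail.msu.edu wrote itself: it accepted the message over plain "esmtp" from 31.162.119.179, an outside address, while the From: header claims @msu.edu mailboxes. Note also that the DKIM-Signature with d=msu.edu sits above that Received line, so it was applied on the msu.edu side after the message had already come in from the outside; Google's "dkim=pass" therefore says nothing about who wrote the mail. The script below is an added example, not code from the thread or from MSU's mail team. It rebuilds the quoted headers as a constructed sample with placeholder addresses (the archive redacts the real ones) and a shortened DKIM b= value, assumes ORG_NETS as a stand-in for the organisation's own address space (only the MX address visible in the headers is listed), and flags a message whose From: is the org's domain but whose first hop at the org's own MX came from outside without SMTP AUTH. A second constructed sample, an authenticated submission, shows the rule staying quiet.

```python
import email
import ipaddress
import re
from email.utils import getaddresses

ORG_DOMAIN = "msu.edu"
# Assumption for the example: the org's own address space. Only the MX address
# visible in the quoted headers is listed; a real filter would use the full netblocks.
ORG_NETS = [ipaddress.ip_network("35.9.75.200/32")]
# Exim's protocol tags for authenticated submission (SMTP AUTH, with and without TLS).
AUTHENTICATED = {"esmtpa", "esmtpsa"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<frm>\S+?)\s*(?:\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)?\s*with\s+(?P<proto>\S+)",
    re.I,
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_received(value):
    """Reduce one Received header to {ip, by, proto}; None if it has no 'from' clause."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip = IP_RE.search(m.group("frm")) or IP_RE.search(m.group("comment") or "")
    return {"ip": ip.group(0) if ip else None,
            "by": (m.group("by") or "").lower(),
            "proto": m.group("proto").lower()}


def edge_hop(msg, org_domain=ORG_DOMAIN):
    """Newest Received line written by one of the org's own MX hosts.

    Everything below that line was supplied by the client and may be forged
    (the thread's sample carries a fake 'by  with esmtpa' line); the edge line
    records the IP the org's MX actually talked to."""
    for raw in msg.get_all("Received", []):
        hop = parse_received(raw)
        if hop and (hop["by"] == org_domain or hop["by"].endswith("." + org_domain)):
            return hop
    return None


def classify(raw_message, org_domain=ORG_DOMAIN):
    msg = email.message_from_string(raw_message)
    from_hdrs = [re.sub(r"\s+", " ", v) for v in msg.get_all("From", [])]
    from_domains = {a.rsplit("@", 1)[-1].lower() for _, a in getaddresses(from_hdrs) if "@" in a}
    d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    edge = edge_hop(msg, org_domain)
    verdict = "ok"
    if org_domain in from_domains and edge is not None:
        inside = edge["ip"] is not None and any(
            ipaddress.ip_address(edge["ip"]) in net for net in ORG_NETS)
        # Internal From: that entered at the MX from outside, without SMTP AUTH:
        # this is the pattern the thread asks the mail staff to filter on.
        if not inside and edge["proto"] not in AUTHENTICATED:
            verdict = "spoofed_internal_sender"
    return {"verdict": verdict, "from_domains": sorted(from_domains),
            "dkim_domain": d.group(1).lower() if d else None, "edge": edge}


# Constructed sample modelled on the headers quoted in the thread; addresses are
# placeholders and the DKIM b= value is shortened.
SPOOF_SAMPLE = """\
Delivered-To: alice@msu.edu
Received: by 10.220.150.66 with SMTP id x2cs100855vcv;
        Sat, 17 Sep 2011 02:54:07 -0700 (PDT)
Return-Path: <alice@msu.edu>
Received: from mx50.mail.msu.edu (mx50.mail.msu.edu [35.9.75.200])
        by mx.google.com with ESMTPS id q20si7319259ann.202.2011.09.17.02.54.05;
        Sat, 17 Sep 2011 02:54:05 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral; dkim=pass
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=msu.edu; s=mail;
 h=Subject:Content-Transfer-Encoding:Message-ID:Content-Type:MIME-Version:Date:Subject:To:From;
 bh=PPHK/Wp7KaXpYd/lArfkx4/wCaK+c9q7uYlkDGfsAls=; b=PyByD4v7moLaK3up8gthlqFqDTy/KILfGbhldZR7oNVT
Received: from [31.162.119.179]
        by mx50.mail.msu.edu with esmtp (Exim 4.75 #3)
        id 1R4rb1-0003Ql-J8; Sat, 17 Sep 2011 05:54:04 -0400
Received: from 31.162.119.179(helo=fkdafof.affywvodwzspl.su)
        by  with esmtpa (Exim 4.69)
        (envelope-from )
        id 1MMYGQ-2440yd-8T
        for alice@msu.edu; Sat, 17 Sep 2011 14:54:02 +0500
From: <alice@msu.edu>,
        <bob@msu.edu>,
        <carol@msu.edu>
To: <alice@msu.edu>,
        <bob@msu.edu>
Subject: FW: Update your PC
Date: Sat, 17 Sep 2011 14:54:02 +0500
X-Spam-Score: 6.3

Best online (pirated) software ...
"""

# Constructed counter-example: a user submitting through the same MX with SMTP AUTH.
LEGIT_SAMPLE = """\
Received: from [203.0.113.7] (helo=laptop.example)
        by mx50.mail.msu.edu with esmtpsa (Exim 4.75 #3)
        id 1R4xyz-0000Aa-Bc; Sat, 17 Sep 2011 06:10:00 -0400
From: Alice <alice@msu.edu>
To: <bob@msu.edu>
Subject: lunch?

Noon?
"""

if __name__ == "__main__":
    for name, sample in (("spoof", SPOOF_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, classify(sample))
```

The rule deliberately ignores the HELO name and everything below the org's own Received line, since the client controls those; the only facts the MX can vouch for are the peer IP and whether the session was authenticated. Users who legitimately send as @msu.edu from outside (forwarders, personal mail clients relaying through a third party) would trip it, which is why such a check belongs in the MX scoring or DMARC policy rather than in a per-user blocklist, and never as "block your own address".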