George <[log in to unmask]> wrote:
> Ryan Mills <[log in to unmask]> wrote:
> > Below is a sample of the mail I've been getting. I'm not sure the
> > header is all that helpful. But I'm not an expert at deciphering
> > headers anyway. Can anyone here help?
more headers were located here.
> > from trader.net ([134.53.198.24]) by nike.heidelberg.edu
> > from nowhere.net by trader.net id au65487; Dec97
> Hm...trader.net with 134.53 IP?
This email was poorly relayed. To begin with, the real nowhere.net does
NOT relay through trader.net, they go straight to Miami. This Received:
header is forged in my opinion.
Next, 134.53.198.24 was "claiming" to be trader.net when they spam relayed
through nike.heidelberg.edu. I've verified that the route from
nike.heidelberg.edu to us is at least feasible (I just relayed through
them and it followed the same route). But of course you'd have to ask
each of those system admins to actually check their logs to confirm this
email.
I've also verified that nike.heidelberg.edu WILL record the actual sender's
IP address when it allows them to relay through them.
I would recommend having MCIS look into this. I wonder if they keep logs
of who has what IP at any given time...
later, ralph
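
The header reading described in the message above, as an added example that is not part of the original thread: walk the Received: lines newest first, trust only lines stamped by a relay known to record the connecting IP, and treat everything below the first untrusted line as possibly forged. The function names and the choice of nike.heidelberg.edu as the only trusted relay are assumptions made for this sketch.

```python
import re

# Handles the two shapes quoted in the message:
#   from NAME ([IP]) by HOST      and      from NAME by HOST ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\([^\[\]()]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)

# The two Received lines quoted in the message, newest first.
SAMPLE = [
    "from trader.net ([134.53.198.24]) by nike.heidelberg.edu",
    "from nowhere.net by trader.net id au65487; Dec97",
]

def parse_received(line):
    """Split one Received line into claimed name, recorded IP and stamping host."""
    m = RECEIVED_RE.search(line)
    if m is None:
        return {"claimed": None, "ip": None, "by": None, "raw": line}
    return {"claimed": m["claimed"].lower(), "ip": m["ip"],
            "by": m["by"].lower(), "raw": line}

def trace(received_lines, trusted_hosts):
    """Separate lines stamped by trusted relays from lines the sender could have forged."""
    trusted = {h.lower() for h in trusted_hosts}
    verified, unverified = [], []
    for line in received_lines:
        hop = parse_received(line)
        # After the first line not stamped by a trusted relay, nothing below is reliable.
        if unverified or hop["by"] not in trusted:
            unverified.append(hop)
        else:
            verified.append(hop)
    handoff = verified[-1] if verified else None
    return {
        "origin_ip": handoff["ip"] if handoff else None,        # recorded by the relay
        "claimed_name": handoff["claimed"] if handoff else None, # asserted by the sender
        "verified": verified,
        "unverified": unverified,
    }

if __name__ == "__main__":
    result = trace(SAMPLE, {"nike.heidelberg.edu"})
    print("IP recorded by trusted relay:", result["origin_ip"])
    print("name the sender claimed:     ", result["claimed_name"])
    for hop in result["unverified"]:
        print("unverified, possibly forged: ", hop["raw"])
```

The recorded IP is the value to hand to the network owner for a log check; the claimed name and every unverified line carry no evidential weight on their own.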