Follow-up:
I have not sent that email to enough(a)utoronto.ca, as I've noticed that Jeff Bonham, the original RECIPIENT of the said email, is a user @ utoronto.ca. Now, I'm a bit nonplussed. I thought that X-AntiAbuse: Original Domain indicated the SENDER domain?
'''Can anyone shed some light on this?'''
Many thanks,
-- ropers [[en:User:Ropers]]
On 10 Oct 2004, at 02:47, Frank v Waveren wrote:
On Thu, Oct 07, 2004 at 09:16:37PM +0200, Jens Ropers wrote:
The X-AntiAbuse email header fields are an indicator that they might be spammers.
Not at all, lots of ISPs' mailservers add them to all mail to make sure abuse reports end up in the right place.
--
Frank v Waveren Fingerprint: 9106 FD0D
fvw(a)[var.cx|stack.nl]
Err... have you looked at the CONTENT of the said fields?
You're right in that an email with such headers *might* still be legit. Typically, ISPs add such headers not to all emails that get sent via them, but only where the user does "suspicious" things, such as sending from one domain but "writing on the envelope" that the email originated from somewhere else.
This is something that people may do for legitimate reasons (e.g. when I send mails via an MTA (email server) I sometimes run on my iBook, I sometimes "write on the envelope" that they are from ropersonline.com. Now, I own ropersonline.com. I receive the respective replies sent to ropersonline.com. So I'm not really impersonating someone else. No harm done.) But imagine I were to send an email to somebody and without your consent were to "write on the envelope" that it came from you. That's abuse (which I'm sure you wouldn't like) and that's precisely what spammers do. Which is why some ISPs have introduced the use of headers such as "X-Authentication-Warning" or "X-AntiAbuse" (etc).
In the case at hand, there were three headers of interest:
X-AntiAbuse: Primary Hostname - canada3.dnshotel.com <-- indicates the individual box the mail was sent from (dnshotel prolly is a dyndns, so I'd wager our man uses cable/DSL)
X-AntiAbuse: Original Domain - mail.utm.utoronto.ca <-- indicates the domain the mail was sent from. Interestingly, this is not on the same domain as the above. Suspicious...
X-AntiAbuse: Sender Address Domain - vancouveruniversity.edu <-- this is the "envelope" email address (domain part) -- where the email "pretends" to come from. The way email currently works, basically anybody with halfway adequate knowledge and/or software can put any address in there -- which is one of the reasons you and I and just about every netizen have been getting so much spam lately.
Now our man prolly owns the vancouveruniversity.edu domain, so his "fake" envelope address is comparable to what I occasionally do (see above).
However, he also seems to use utoronto.ca network resources. Now utoronto.ca is the University of Toronto -- a bona fide university. I've just found they don't like abuse: http://www.enough.utoronto.ca/. It's a fair guess that they will like a diploma mill running their business using utoronto.ca network resources even less. Interesting. Didn't see that before. I'll forward the email in question to enough(a)utoronto.ca. I wouldn't be surprised if vancouveruniversity.edu was run by a utoronto.ca student on a get-rich-quick spree...
-- ropers [[en:User:Ropers]]
www.ropersonline.com
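The header cross-checks done by hand in the thread, as an added Python example that is not part of the original messages: it pulls the three X-AntiAbuse fields out of a constructed message using the domains quoted above and reports mismatches as review hints. It deliberately does not assign a meaning to "Original Domain" (the open question of the follow-up) and only reports which visible domain it matches; the function names, the sample address local parts and the two-label "registrable" heuristic are assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr
# Constructed sample, not a captured message: the header names and domains are
# the ones quoted in the thread; the address local parts are placeholders.
SAMPLE = """\
X-AntiAbuse: Primary Hostname - canada3.dnshotel.com
X-AntiAbuse: Original Domain - mail.utm.utoronto.ca
X-AntiAbuse: Sender Address Domain - vancouveruniversity.edu
From: Sender <sender@vancouveruniversity.edu>
To: recipient@mail.utm.utoronto.ca

body
"""

def parse_antiabuse(raw):
    """Collect every 'X-AntiAbuse: <Field> - <value>' header into a dict."""
    msg = message_from_string(raw, policy=policy.default)
    fields = {}
    for hdr in msg.get_all("X-AntiAbuse", []):
        name, sep, value = str(hdr).partition(" - ")
        if sep:  # headers without the separator are free-text notes; skip them
            fields[name.strip()] = value.strip()
    return fields

def registrable(host):
    """Crude 'site' of a hostname: its last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def addr_domain(header):  # domain of the first address in a From:/To: header
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    """Cross-check the X-AntiAbuse fields the way the thread does by hand. Hits
    are review hints only: the author relays his own mail through an outside box."""
    msg = message_from_string(raw, policy=policy.default)
    ab = parse_antiabuse(raw)
    host = ab.get("Primary Hostname", "")
    sender_dom = ab.get("Sender Address Domain", "").lower()
    orig_dom = ab.get("Original Domain", "").lower()
    from_dom, to_dom = addr_domain(msg["From"]), addr_domain(msg["To"])
    hints = []
    if sender_dom and from_dom and sender_dom != from_dom:
        hints.append(f"envelope sender domain {sender_dom} != From: domain {from_dom}")
    if host and sender_dom and registrable(host) != registrable(sender_dom):
        hints.append(f"submitted via {host}, which is not under {sender_dom}")
    # The thread is unsure which side 'Original Domain' names: report a match, not a meaning.
    if orig_dom:
        side = "recipient" if orig_dom == to_dom else "sender" if orig_dom == from_dom else "neither"
        hints.append(f"Original Domain {orig_dom} matches the {side} side")
    return hints
```

Run `triage(SAMPLE)` to see the two hints the thread raises for this message; the envelope-versus-From: check only fires when the two domains actually differ.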