Author Topic: Sober: sent from hotmail?  (Read 2962 times)


click

  • Guest
Sober: sent from hotmail?
« on: November 26, 2005, 03:39:06 AM »
I've been battling this latest storm of Sober for a few days now. Looking at received headers and reporting to ISPs. Most have been the usual DSL accounts, however this morning I found one with the first received header from Hotmail servers:
Code:
Received: from mc3-f38.hotmail.com ([64.4.50.174]) by omc2-s24.bay6.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
Fri, 25 Nov 2005 09:41:39 -0800

AFAIK this cannot be spoofed, and I would have thought Hotmail would have better protection. ???

Can anyone shed any light on this?

Offline DavidR

Re: Sober: sent from hotmail?
« Reply #1 on: November 26, 2005, 03:21:38 PM »
Hotmail is meant to have its own anti-virus solution, which may or may not be able to detect this new variant.

Header details can also be faked, so I never take these details or the from address at face value. However, this entry's IP address also indicates Hotmail, so I don't know if they would go to the effort of getting the IP address right.

This entry in isolation doesn't mean much though, there could be many different steps in this, finally being sent on by Hotmail.

click

  • Guest
Re: Sober: sent from hotmail?
« Reply #2 on: November 29, 2005, 04:53:13 AM »

From my understanding of SMTP, this couldn't have been faked.
The first (bottom) received header is created by the first SMTP server to accept the email and the hostname/IP comes from the TCP connection itself.

I was just surprised that Hotmail had let it slip through. Pretty bad form.
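
An added example, not part of any post in this thread: a way to read a Received chain when reporting a source, separating the one hop your own server observed from the lower lines that arrived as message content. The middle header is the one quoted above; `mx.example.org`, `192.0.2.10` and the bottom header are constructed, and the chaining check is a heuristic, not proof.

```python
import re
from email import message_from_string

# Constructed message, newest header first. The middle Received line is the one
# quoted in the thread; mx.example.org, 192.0.2.10 and the bottom line are made up.
RAW = (
    "Received: from omc2-s24.bay6.hotmail.com ([192.0.2.10]) by mx.example.org with ESMTP;\n"
    "\tFri, 25 Nov 2005 09:41:45 -0800\n"
    "Received: from mc3-f38.hotmail.com ([64.4.50.174]) by omc2-s24.bay6.hotmail.com"
    " with Microsoft SMTPSVC(6.0.3790.211);\n"
    "\tFri, 25 Nov 2005 09:41:39 -0800\n"
    "Received: from pc.example.net ([198.51.100.7]) by relay.example.com with SMTP;\n"
    "\tFri, 25 Nov 2005 09:41:30 -0800\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Matches "from NAME ([IP]) by HOST" and "from NAME (rdns [IP]) by HOST".
HOP = re.compile(r"from\s+(\S+)\s+\((?:[^()\[\]]*\s)?\[([^\]]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """Parse Received lines, newest first, into claimed name, peer IP and writer."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append({"claimed": m.group(1), "peer_ip": m.group(2), "by": m.group(3).lower()})
    return hops

def classify(hops, edge_host):
    """Label each hop. Only the top line, written by our own edge server, records a
    peer IP we observed ourselves. Lower lines arrived as message content: 'chained'
    means the writer matches the name the hop above claimed (consistent, not proven),
    'unchained' means it does not and deserves a closer look."""
    labels = []
    for i, hop in enumerate(hops):
        if i == 0:
            labels.append("verified" if hop["by"] == edge_host else "unverified")
        else:
            above = hops[i - 1]["claimed"].lower()
            labels.append("chained" if hop["by"] == above else "unchained")
    return labels

if __name__ == "__main__":
    hops = received_hops(RAW)
    for hop, label in zip(hops, classify(hops, "mx.example.org")):
        print(f'{label:10} {hop["peer_ip"]:15} claimed={hop["claimed"]} by={hop["by"]}')
```

When reporting to an ISP, the peer IP on the verified line is the one to act on; the lower lines are context.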