on Wed, Aug 11, 2004 at 11:43:43AM -0400, Steven Champeon wrote:
- this spamware follows a fairly predictable but randomized pattern:
Received: from %DOMAIN (%REALMXHOSTNAME [%REAL_IP_OF_MXHOST])
    by %HELO_OR_RDNS_OF_SENDING_HOST (Postfix) with ESMTP id %RANDOM
    for <$target>; %DATE
Message-ID: <%OUTLOOK_EXPRESS_MSG_ID@%DOMAIN>
From: "%WORD %LETTER. %WORD2" <%WORD3@%DOMAIN>
To: $target
Subject: %RANDOM_SUBJECT_CHOSEN_FROM_LIST
Date: %DATE
A couple of notes:
1) %DATE is the same in both the Date: header and the forged Received: "Postfix" header.
    for <munged>; Sun, 08 Aug 2004 20:30:57 -0500
Date: Sun, 08 Aug 2004 20:30:57 -0500
2) single-digit days are represented zero-padded.
Date: Sun, 08 Aug 2004 20:30:57 -0500
I dunno if that's usual or not. IME, the Date: header is often off by a second or two, or has a slightly different format/timezone/etc.
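As an added illustration (not code from the thread), here is a small header check that looks for the traits described above: a Received: line claiming "(Postfix) with ESMTP id", whose timestamp is byte-for-byte identical to the Date: header, a zero-padded day, and the same %DOMAIN in the HELO name, From: and Message-ID:. The sample message, hostnames and IDs are constructed placeholders; treat the result as a scoring hint, not proof.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample in the shape the thread describes (placeholder names/IDs).
SAMPLE_MESSAGE = """\
Received: from example.net (mx.example.org [192.0.2.10])
    by mail.example.com (Postfix) with ESMTP id 7A1B2C3D
    for <user@example.org>; Sun, 08 Aug 2004 20:30:57 -0500
Message-ID: <000a01c47d9e$6a2b0c40$0100a8c0@example.net>
From: "Alice B. Example" <alice@example.net>
To: user@example.org
Subject: test
Date: Sun, 08 Aug 2004 20:30:57 -0500

body
"""

RECEIVED_DATE_RE = re.compile(r";\s*(?P<date>[^;]+)$")   # text after the last ';'
HELO_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\(")        # "from %DOMAIN ("
ZERO_PADDED_DAY_RE = re.compile(r"^[A-Za-z]{3},\s+0\d\s")  # "Sun, 08 Aug ..."


def postfix_received_lines(msg):
    """Return unfolded Received: headers that match the forged 'Postfix' shape."""
    lines = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    return [l for l in lines if "(Postfix) with ESMTP id" in l and " for <" in l]


def analyze(raw):
    """Score one raw RFC 2822 message against the traits listed in the thread."""
    msg = email.message_from_string(raw)          # compat32: raw header strings
    date_hdr = " ".join((msg.get("Date") or "").split())
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_dom = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    findings = {"postfix_received": 0, "exact_date_match": False, "same_domain": False}
    for rcvd in postfix_received_lines(msg):
        findings["postfix_received"] += 1
        m = RECEIVED_DATE_RE.search(rcvd)
        # Trait 1: forged Received: timestamp identical to Date: (normally off a bit)
        if m and date_hdr and m.group("date").strip() == date_hdr:
            findings["exact_date_match"] = True
        h = HELO_RE.match(rcvd)
        # HELO name, From: domain and Message-ID domain are all the same %DOMAIN
        if h and from_dom and h.group("helo").lower() == from_dom == msgid_dom:
            findings["same_domain"] = True
    findings["zero_padded_day"] = bool(ZERO_PADDED_DAY_RE.match(date_hdr))  # trait 2
    findings["suspicious"] = findings["exact_date_match"] and findings["same_domain"]
    return findings
```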