[Mimedefang] Negative addresses??

Kelson kelson at speed.net
Fri Dec 2 20:17:22 EST 2005

Ashley M. Kirchner wrote:
>    Can someone explain this to me?  It's from a spam message (in fact, a 
> lot of them are coming through MD+SA these days) and they all show the 
> same thing, negative numbers:
> Received: from -1216216520 ([])
>    by serpico.pcraft.com (8.13.0/8.13.0) with SMTP id jB30Mott008917
>    for <ashley.kirchner at highpeaks.org>; Fri, 2 Dec 2005 17:22:54 -0700

Here it looks like the negative number is actually the HELO string, 
which can be set to pretty much anything.

> Received: from goprat.com (-1216301840 [-1213314064])
>    by ghfixtures.com (Qmailv1) with ESMTP id 8568A5A816
>    for <ashley.kirchner at highpeaks.org>; Fri, 02 Dec 2005 17:22:58 -0800

Assuming serpico.pcraft.com is your server, this line is probably 
forged, so again anything could go into the spots.

If I were to guess, someone has spamware that's generating random numbers 
for fake IP addresses, but has an error in formatting, so they're 
getting displayed as negative integers instead of dotted quads.

Kelson Vibber
SpeedGate Communications <www.speed.net>
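
Added example, not part of the original post or of MIMEDefang: a Python check that flags Received headers whose HELO, reverse-DNS or bracketed IP field is a bare integer or an empty [], and shows the dotted quad each integer would be if read as a signed 32-bit value. The function names, the "from HELO (rDNS [IP])" field layout and the third sample header are assumptions; the first two samples are trimmed from the lines quoted above.

```python
import ipaddress
import re

# Constructed sample: two headers trimmed from the thread, one made-up clean one.
SAMPLE_HEADERS = [
    "Received: from -1216216520 ([])\n"
    "   by serpico.pcraft.com (8.13.0/8.13.0) with SMTP id jB30Mott008917",
    "Received: from goprat.com (-1216301840 [-1213314064])\n"
    "   by ghfixtures.com (Qmailv1) with ESMTP id 8568A5A816",
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "   by mx.example.net with ESMTP id CONSTRUCTED1",
]

# Assumed layout: "from <helo> (<rdns> [<ip>])"; the rdns part may be empty.
FROM_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\(\s*(\S*?)\s*\[([^\]]*)\]\s*\)", re.I)
INT_RE = re.compile(r"^-?\d+$")


def as_dotted_quad(token):
    """Read a decimal integer token as a 32-bit value; return its dotted quad."""
    if not INT_RE.match(token):
        return None
    value = int(token)
    if not -2**31 <= value < 2**32:
        return None
    # Two's-complement reinterpretation: a negative int maps to its unsigned form.
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def audit_received(header):
    """Return (field, token, dotted_quad) findings for one Received header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    match = FROM_RE.match(unfolded)
    if not match:
        return []
    findings = []
    for field, token in zip(("helo", "rdns", "ip"), match.groups()):
        quad = as_dotted_quad(token)
        if quad is not None:
            findings.append((field, token, quad))
        elif field == "ip" and token == "":
            findings.append((field, token, None))  # empty [] where the peer IP belongs
    return findings


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(audit_received(hdr))
```

The dotted quad is only what the integer would decode to; in a forged header it says nothing about the real sending host.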
