Chris Stassen (chris@Stassen.COM)
Sat, 18 Jul 1998 10:50:52 -0400

Jan De Koning wrote:
> Please, do not accept any letters from They can apparently
> not control their members.

"WHYNOT.NET" is a common forgery in "Received:" lines. The domain
does not exist. (The "Received:" lines above that forged one
indicate the spam's actual source.) The "Received:" lines starting
from the bottom-most one mentioning ASA's server are read top-down:

] Received: from ( [])
] by (8.8.7/8.8.7) with ESMTP id OAA14122
] for <>; Tue, 14 Jul 1998 14:52:31 -0400 (EDT)

ASA got it from MAIL-RELAY.UBC.CA.

] Received: from ( [])
] by [] (8.8.8/8.8.8) with ESMTP id LAA06005;
] Tue, 14 Jul 1998 11:48:00 -0700 (PDT)


] Received: from UBC_ENGLISH/SpoolDir by (Mercury 1.31);
] 14 Jul 98 11:45:13 +1100
] Received: from SpoolDir by UBC_ENGLISH (Mercury 1.31);
] 13 Jul 98 20:42:11 +1100

Two internal mailer hand-offs within ENGLISH.UBC.CA.

] Received: from sat1 by (Mercury 1.31);
] 13 Jul 98 20:41:43 +1100

"sat1" is neither a fully qualified domain name, nor is it an IP
address, nor does it look like an internal hand-off. ENGLISH.UBC.CA
isn't configured to tell us where it got the mail from, and that is
why the spammer used it to relay the E-mail (to hide his actual ISP
so he won't get kicked off). Every "Received:" line below this point
cannot be trusted and is almost certainly forged.

Complain to "" or ""
( is the University of British Columbia), and tell them to
fix their mailer so that (1) it reports IP addresses of connections
(so we could tell where the spammer was operating from), and (2) it
doesn't relay (so that the spammer couldn't have reflected the spam
off of it anyway).

] Received: from ([])
] by (8.8.5/8.7.3) with SMTP id XAA02934 for
]; Mon, 13 July 1998 19:47:35 -0700 (EDT)

Forged. Cues: "" is advertised as the inverse-lookup
of, but that domain does not exist (and that IP
address doesn't have reverse DNS). EDT is not seven hours behind
(-0700) GMT.

Also seen within the spam:
] <A HREF="">

Also complain to USA.NET ( and tell them to terminate
the account that the spammer is using to collect replies.

-- Chris (
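
Added example, not part of the original post: the two cues used above (a hop that records neither a qualified name nor an IP address, and a zone label that disagrees with its numeric offset) as a Python check over "Received:" headers read top-down. Host names and addresses are constructed placeholders, and treating "SpoolDir" as the marker of an internal hand-off is an assumption.

```python
import re

# UTC offsets for North American zone labels (EDT and PDT appear in the post).
TZ_OFFSETS = {"EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
              "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700"}
FROM_RE = re.compile(r"Received:\s+from\s+(\S+)(.*?)\s+by\s", re.S)
IP_RE = re.compile(r"\[\d{1,3}(?:\.\d{1,3}){3}\]")
TZ_RE = re.compile(r"([+-]\d{4})\s+\(([A-Z]{3})\)")

def audit(header, internal=("SpoolDir",)):
    """Return the findings for one Received: header (folded lines allowed)."""
    findings = []
    m = FROM_RE.search(header)
    if m and not any(tag in m.group(1) for tag in internal):
        # A hop that logs neither an IP nor a dotted name hides the sender.
        if not IP_RE.search(m.group(1) + m.group(2)) and "." not in m.group(1):
            findings.append("origin-not-recorded")
    tz = TZ_RE.search(header)
    # A zone label that disagrees with its numeric offset is a forgery cue.
    if tz and TZ_OFFSETS.get(tz.group(2), tz.group(1)) != tz.group(1):
        findings.append("tz-mismatch")
    return findings

def trust_boundary(headers):
    """Headers are in message order (newest first). Return the index of the
    first header with a finding; nothing after that index can be trusted."""
    for i, h in enumerate(headers):
        if audit(h):
            return i
    return len(headers)

# Constructed sample shaped like the headers quoted in the post.
SAMPLE = [
    "Received: from relay.example.edu (relay.example.edu [192.0.2.10])\n"
    "    by list.example.org (8.8.7/8.8.7) with ESMTP id OAA14122;\n"
    "    Tue, 14 Jul 1998 14:52:31 -0400 (EDT)",
    "Received: from dept.example.edu (dept.example.edu [192.0.2.20])\n"
    "    by relay.example.edu (8.8.8/8.8.8) with ESMTP id LAA06005;\n"
    "    Tue, 14 Jul 1998 11:48:00 -0700 (PDT)",
    "Received: from SpoolDir by DEPT (Mercury 1.31);\n    13 Jul 98 20:42:11 +1100",
    "Received: from sat1 by dept.example.edu (Mercury 1.31);\n    13 Jul 98 20:41:43 +1100",
    "Received: from mail.example.invalid ([192.0.2.99])\n"
    "    by mx.example.invalid (8.8.5/8.7.3) with SMTP id XAA02934;\n"
    "    Mon, 13 July 1998 19:47:35 -0700 (EDT)",
]

if __name__ == "__main__":
    print("first unverifiable hop:", trust_boundary(SAMPLE))
```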