Dan Duncan dand at pcisys.net
Wed Mar 17 16:29:09 CST 2004

On Wed, 17 Mar 2004, Bill Bradford wrote:
> > So who on the list usually posts from tor.radiant.net?
> Nobody - all that matters is the "from: " address and the "to:".

Sure, but the From: is forged so that doesn't help us.

Wouldn't the infected person's outbound email usually still resemble this:
> 44F473A1A6: client=66-163-16-11.ip.tor.radiant.net[]

It probably wouldn't be the exact IP (dhcp and all) but it would
presumably be the same pool of addresses, right?

Assuming it's a listmember (who else would have that matching
to: and from: in their saved email?) someone who posts from
*.tor.radiant.net is certainly suspect.

Or am I totally missing something?


#  Dan Duncan (kd4igw)  dand at pcisys.net  http://pcisys.net/~dand
# There are very few personal problems that cannot be solved through a
# suitable application of high explosives.

More information about the rescue mailing list