LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Valdis Kletnieks <[log in to unmask]>
Wed, 6 Jun 2001 10:51:39 -0400
text/plain (32 lines)
On Wed, 06 Jun 2001 10:20:10 EDT, "Margaret J. Brandt" <[log in to unmask]>  said:

> Received: from trovant.ttk.ru by society.massmed.org (8.8.8/1.1.22.3/29Feb00-0941AM)
>  id BAA0000020734; Wed, 6 Jun 2001 01:57:26 -0400 (EDT)
> Message-Id: <[log in to unmask]>
> Received: (qmail 31409 invoked from network); 6 Jun 2001 06:07:40 -0000
> Received: from mail.net-nachtexpress.at (HELO Jimmy.net) (195.170.78.154)
>   by trovant.ttk.ru with SMTP; 6 Jun 2001 06:07:40 -0000

Well... looks like you got used as an open relay. Based on the version code in the
Received: line, you're running some Sendmail 8.8.8 - which is *NOT* recommended.
It is currently regarded as dangerous to be running *any* Sendmail earlier than 8.9.3,
and the current version is 8.11.4.

Based on the headers, the following explanation presents itself:

Some spammer at <location unknown> launched spam from mail.net-nachtexpress.at (the clue
here is that it sent a 'helo jimmy.net' - which is a different host - so either the
Austrian site is *horribly* confused, or was lying on the HELO - it should have used its
own hostname on the HELO).

Said spam got sent to the Russian site, which was insecure and forwarded the mail to
your site.  Your Sendmail then blindly accepted the spam and delivered it (even being
so nice as to "fix" the broken SMTP 'mail from' by converting a raw 'FFrroomjoohhnY'
by adding the @society.massmed.org - modern Sendmails would have rejected this as
illegal rather than fixing it up).

--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
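As an added illustration (not part of Valdis's post or the list archive), the following Python script unfolds the Received: headers quoted above, walks the hops oldest-first and flags the HELO mismatch and the third-party relay that the reply points out. The header sample is constructed from the quoted lines (Message-Id elided as in the archive), and `massmed.org` is assumed to be the receiving site's domain.

```python
import re

# Constructed sample: the Received: chain quoted in the post, Message-Id elided as in the archive.
SAMPLE_HEADERS = """\
Received: from trovant.ttk.ru by society.massmed.org (8.8.8/1.1.22.3/29Feb00-0941AM)
 id BAA0000020734; Wed, 6 Jun 2001 01:57:26 -0400 (EDT)
Message-Id: <elided@example.invalid>
Received: (qmail 31409 invoked from network); 6 Jun 2001 06:07:40 -0000
Received: from mail.net-nachtexpress.at (HELO Jimmy.net) (195.170.78.154)
  by trovant.ttk.ru with SMTP; 6 Jun 2001 06:07:40 -0000
"""

# "Received: from <host> [(HELO <name>)] ... by <host>"; the qmail-style line has no "from" and is skipped.
RECEIVED_RE = re.compile(r"^Received:\s*from\s+(\S+)\s*(?:\(HELO\s+([^)\s]+)\))?.*?\bby\s+(\S+)", re.I)


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) back onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return the hops in transit order (oldest first) as dicts with from/helo/by."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"from": m.group(1), "helo": m.group(2), "by": m.group(3)})
    hops.reverse()  # each MTA prepends its header, so the bottom Received: is the first hop
    return hops


def suspicious_hops(hops, our_domain):
    """Flag a HELO name that differs from the connecting host, and a final hop in which an
    outside host handed the mail to one of our MTAs (the pattern of relayed spam)."""
    findings = []
    for hop in hops:
        if hop["helo"] and hop["helo"].lower() != hop["from"].lower():
            findings.append(f"HELO mismatch: {hop['from']} announced itself as {hop['helo']}")
    if hops and hops[-1]["by"].endswith(our_domain) and not hops[-1]["from"].endswith(our_domain):
        findings.append(f"final hop: outside host {hops[-1]['from']} delivered to {hops[-1]['by']}")
    return findings
```

Run `suspicious_hops(parse_received(SAMPLE_HEADERS), "massmed.org")` to reproduce the two observations in the reply: the Austrian host's bogus HELO and the Russian host handing the mail to society.massmed.org.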
