Right, I'm no expert on this, but I'll give it a shot...

Chae wrote:
> This header is from a spam mail that arrived in my email this afternoon,
> opened it up to check the header and noticed it had come through one of our
> Cobalt Raq3's and had a customer's domain as a recipient.

This makes sense. It would come into your Raq if it was intended for a
recipient that your Raq was handling mail for. That's how your customers
receive mail! It's not relaying mail for other domains, but it will accept
mail for its own users, how else will they receive it!

> The server's been checked for old versions of formmail and other similar
> scripts - so how can the spammer manage to still filter stuff through this
> server??

It hasn't!

Just to go through the headers:

> Return-Path: <[EMAIL PROTECTED]>
This is a fake hotmail address, they don't do addresses with just numbers.

> Delivered-To: [EMAIL PROTECTED] (my private address omitted)
> X-Envelope-To: [EMAIL PROTECTED]
It looks like the Raq has used its forwarding list to send this mail onto
you as you are the administrator.

> Received: (qmail 90355 invoked by alias); 9 Nov 2001 04:32:52 -0000
> Received: from unknown (HELO ns.our-raq3.com) (xxx.xxx.xxx.xxx)
>   by debbie.paradise.net.nz with SMTP; 9 Nov 2001 04:32:52 -0000
> Received: from femail19.sdc1.sfba.home.com (femail19.sdc1.sfba.home.com
> [24.0.95.128])
> by ns.our-raq3.com (8.9.3/8.9.3) with ESMTP id VAA03451
> for <[EMAIL PROTECTED]>; Thu, 8 Nov 2001 21:32:46 -0700

It looks like it was sent from the spammer (femail19.sdc1.sfba.home.com)
(which could be an open relay on someone's DSL connection or something like
that) to your customer's machine (ns.our-raq3.com) which has then
*forwarded* (not relayed) it to you as you are the administrator.

> From: [EMAIL PROTECTED]
Fake email address.

> Received: from [24.5.52.138] by femail19.sdc1.sfba.home.com
>           (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP
>           id
> <20011109043240.YJWP25027.femail19.sdc1.sfba.home.com@[24.5.52.138]>;
>           Thu, 8 Nov 2001 20:32:40 -0800
These lines are most likely fake. All the genuine Received: lines will be
contiguous.

> Date: Thu, 08 Nov 01 19:49:57 EST
> To: [EMAIL PROTECTED]
> Subject: AD: Tired Of Foul Language?
> Message-ID: <>
The To: line is irrelevant, the envelope (above) sets who this copy of the
mail is intended for.
Was the message ID really blank?

> Now after checking the customer's hosting space and GUI ...
> they have no relaying - the only thing they do have is two
> aliases the catch-all activated and a forward to his ISP mail account which
> happens to be an AOL address.

As the email was sent to the [EMAIL PROTECTED], I guess it would
not have been caught by the forward to his AOL account, but instead to the
catch-all address, which I presume is a forward to your private address. Has
the Raq accepted an email for this domain, then forwarded it to you as you
are postmaster / catch-all? Is your Raq in fact working exactly as it
should?

Any corrections gratefully received, this is only a guess :o)

Cheers
Stephen



_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
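The header-reading steps in this reply (trusting only the contiguous block of Received: lines, reading them bottom-up, and taking the recipient from the envelope rather than To:) can be automated. Here is an added Python example, not code from the thread or from Cobalt; the sample headers are constructed from the ones quoted above, with the redacted addresses replaced by placeholder ones under the reserved .invalid domain.

```python
import re
from email.parser import HeaderParser

# Constructed sample modelled on the headers quoted in the thread; the redacted
# addresses are replaced with placeholder ones under the reserved .invalid TLD.
SAMPLE_HEADERS = """\
Return-Path: <12345678@webmail.invalid>
Delivered-To: admin@our-raq3.invalid
X-Envelope-To: someone@customer.invalid
Received: (qmail 90355 invoked by alias); 9 Nov 2001 04:32:52 -0000
Received: from unknown (HELO ns.our-raq3.com) (xxx.xxx.xxx.xxx)
  by debbie.paradise.net.nz with SMTP; 9 Nov 2001 04:32:52 -0000
Received: from femail19.sdc1.sfba.home.com (femail19.sdc1.sfba.home.com
  [24.0.95.128])
  by ns.our-raq3.com (8.9.3/8.9.3) with ESMTP id VAA03451
  for <someone@customer.invalid>; Thu, 8 Nov 2001 21:32:46 -0700
From: 12345678@webmail.invalid
Received: from [24.5.52.138] by femail19.sdc1.sfba.home.com
  (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id
  <20011109043240.YJWP25027.femail19.sdc1.sfba.home.com@[24.5.52.138]>;
  Thu, 8 Nov 2001 20:32:40 -0800
Date: Thu, 08 Nov 01 19:49:57 EST
To: someone-else@customer.invalid
Subject: AD: Tired Of Foul Language?
Message-ID: <>
"""

# Trace headers that legitimately sit above the first ordinary header.
TRACE = {"return-path", "delivered-to", "x-envelope-to", "received"}

def analyse(raw_headers):
    """Split Received: lines into the contiguous chain stamped by real relays
    and the stragglers found below ordinary headers, which the sender wrote."""
    headers = [(n.lower(), " ".join(v.split())) for n, v in
               HeaderParser().parsestr(raw_headers).items()]
    genuine, suspect, past_trace = [], [], False
    for name, value in headers:
        if name not in TRACE:
            past_trace = True  # everything below here is author-controlled
        elif name == "received":
            (suspect if past_trace else genuine).append(value)
    def hop(value):  # (sending host, receiving host) as stamped by the receiver
        src = re.search(r"\bfrom\s+([^\s;()]+)", value)
        dst = re.search(r"\bby\s+([^\s;()]+)", value)
        return (src.group(1) if src else None, dst.group(1) if dst else None)
    single = dict(headers)  # the non-Received headers used below occur once
    return {
        "hops": [hop(v) for v in reversed(genuine)],  # transit order, oldest first
        "suspect": suspect,
        "envelope_to": single.get("x-envelope-to"),  # who this copy was for
        "header_to": single.get("to"),  # cosmetic; not used for delivery
    }
```

On the sample above the first genuine hop is femail19.sdc1.sfba.home.com delivering to ns.our-raq3.com, and the lone Received: line below From: is reported as suspect, matching the reading given in the reply.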
